Profile
Which actions are permitted
Which user interface is accessible
How the scope is defined
Scope
On which objects a user may take actions
Host groups, Library Servers, VMs
User Role
Role Types
Administrator
Full access to all actions and all objects
Use Admin console or PowerShell interface
Delegated Administrator
Full access to most actions
Scope can be limited by host groups and Library servers
Can use the Admin console or PowerShell interface
Self-Service User
Limited access to a subset of actions
Scope can be limited by host groups and Library share
Can use the Self-Service Portal or PowerShell interface
Can apply quotas, such as on the number of VMs
AzMan (Authorization Manager) needs an Authorization Policy Data Store to define access to Roles, Tasks & Groups
Hyper-V uses the XML file InitialStore.xml to define access rights
Advanced security auditing policies available under the Group Policy Object Editor
Authorization Policy
Create Task Definitions
Select operations for those tasks
Authorize Roles to be able to perform those tasks
Actions
Operation - Some action the user can perform
Task - Grouping of operations
Role - A job, position or responsibility
The only default Role that is pre-defined is Administrator
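Added example (not part of the original slides): a read-only audit of the AzMan store through the AzRoles COM interface, listing each role with its scope, members and effective operations, and marking any role other than the pre-defined Administrator. The store path and the application name "Hyper-V services" are assumed defaults that the slides do not state, and Get-AzManRoleReport and Expand-Task are hypothetical names.

```powershell
# Added example: read-only audit of a Hyper-V AzMan authorization store.
# Assumptions: default store location and application name (not given on the slides).
function Get-AzManRoleReport {
    param(
        [string]$StorePath   = "$env:ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml",
        [string]$Application = 'Hyper-V services'
    )
    $store = New-Object -ComObject AzRoles.AzAuthorizationStore
    $store.Initialize(0, "msxml://$StorePath")   # flags 0: open the existing store
    $app = $store.OpenApplication($Application)

    # Expand a task into operation names, visiting each nested task only once.
    function Expand-Task($container, [string]$name, [hashtable]$seen) {
        if ($seen.ContainsKey($name)) { return }
        $seen[$name] = $true
        # A role inside a scope may reference a scope-level or an application-level task.
        try { $task = $container.OpenTask($name) } catch { $task = $app.OpenTask($name) }
        @($task.Operations) | Where-Object { $_ }
        @($task.Tasks) | Where-Object { $_ } |
            ForEach-Object { Expand-Task $container $_ $seen }
    }

    # Roles can be assigned at application level and inside each scope.
    $containers = @(@{ Scope = '(application)'; Object = $app })
    foreach ($s in $app.Scopes) { $containers += @{ Scope = $s.Name; Object = $s } }

    foreach ($c in $containers) {
        foreach ($role in $c.Object.Roles) {
            # Operations linked directly to the role, plus those reached through its tasks.
            $ops  = @(@($role.Operations) | Where-Object { $_ })
            $ops += @(@($role.Tasks) | Where-Object { $_ } |
                      ForEach-Object { Expand-Task $c.Object $_ @{} })
            New-Object PSObject -Property @{
                Scope      = $c.Scope
                Role       = $role.Name
                Members    = @($role.MembersName) | Where-Object { $_ }
                Operations = $ops | Sort-Object -Unique
                # Administrator is the only pre-defined role; anything else was added later.
                NonDefault = ($role.Name -ne 'Administrator')
            }
        }
    }
}

Get-AzManRoleReport | Sort-Object Scope, Role |
    Format-List Scope, Role, NonDefault, Members, Operations
```

Run it from an elevated session on the Hyper-V host and compare the output with the role assignments you expect to find.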
Takeaways
Hyper-V was designed to be secure
Apply standard security policies to both host computers and VMs
Consider role based security to isolate access
Use Authorization Manager to specify operations, tasks, roles and scope