Building Private Cloud – Part 6

Now we are almost ready with the Private Cloud. We have the Hyper-V cluster ready, with the fabric configured with VM networks for each subsidiary group. We have the VM templates, hardware profiles and guest OS profiles ready. We have a private cloud for each subsidiary group.

In this part, we will delegate access to the IT admins of each subsidiary using User Roles.

Create a security group for each cloud.

From SCVMM ->  Settings -> User Roles

Create User Roles

Creating User Role – Name

On the Profile page, select the appropriate role profile. We have four predefined roles available.

Fabric Administrator (Delegated Administrator): Members of the Delegated Administrator user role can perform all administrative tasks within their assigned host groups, clouds, and library servers, except for adding XenServer and adding WSUS servers. Delegated Administrators cannot modify VMM settings, and cannot add or remove members of the Administrators user role.

Read-Only Administrator: Read-only administrators can view properties, status, and job status of objects within their assigned host groups, clouds, and library servers, but they cannot modify the objects. Also, the read-only administrator can view Run As accounts that administrators or delegated administrators have specified for that read-only administrator user role.

Tenant Administrator: Members of the Tenant Administrator user role can manage self-service users and VM networks. Tenant administrators can create, deploy, and manage their own virtual machines and services by using the VMM console or a web portal. Tenant administrators can also specify which tasks the self-service users can perform on their virtual machines and services. Tenant administrators can place quotas on computing resources and virtual machines.

Application Administrator (Self-Service User): Members of the Self-Service User role can create, deploy, and manage their own virtual machines and services by using the VMM console or a web portal.

For our requirement, I prefer the “Tenant Administrator” role.

Creating User Role – Setting the delegated Role

On the Members page, add the user or security group that should get access through this role. I am using a security group for this purpose; members of this security group get access through the role.

Creating User Role – Defining Security Group

In the Scope page, we need to define the scope where this user role gets access. Scope is defined through the Cloud.

Creating User Role – Defining Cloud

On the next page, we can define the quota. On the cloud, we have defined a quota, which is the maximum the cloud can have. However, that does not mean that all of those resources should be used by a single user role. We can have multiple user roles with different quotas, as long as those quotas stay within the total quota allocated to the cloud.

Creating User Role – Allocating compute resources

On the next page, we allocate the VM networks that will be used for VM deployment. As we have dedicated VM networks for each group, select the appropriate network for S1 IT.

Creating User Role – Allocating VM Networks

On the Resources page, add the VM templates, hardware profiles and OS profiles that will be allocated to this group.

Creating User Role – Adding Profiles and templates

On the Permissions page, we can adjust the available permissions to some extent. However, this is not an RBAC-based delegation.

Creating User Role – Delegating the tasks

On the next page, select the Run As accounts that will be used with the VM templates or OS profiles.

Creating User Role – RunAs Accounts

On the next screen, review the changes and proceed with the User Role creation.
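The same wizard pages can be scripted with the VMM PowerShell module, which keeps each subsidiary's delegation reviewable and repeatable. This is an added example, not the author's script: the cloud, group, network, template, profile and Run As account names and the quota values are assumed placeholders, and the parameters should be confirmed with Get-Help on your VMM version.

```powershell
# Added example, not from the original post. Run in a VMM PowerShell session.
# All names and quota values below are assumed placeholders.
Import-Module virtualmachinemanager

$roleName = 'S1 IT Tenant Admins'
$group    = 'CONTOSO\S1-IT-Admins'         # AD security group (Members page)
$cloud    = Get-SCCloud -Name 'S1 Cloud'   # Scope page

# Name and Profile pages: Tenant Administrator profile
$role = New-SCUserRole -Name $roleName -UserRoleProfile TenantAdmin `
    -Description 'Delegated access for S1 IT, scoped to S1 Cloud only'

# Members, Scope and Permissions pages. Only the actions S1 IT needs are
# listed; AllowLocalAdmin and CanShare are deliberately left out.
$permissions = 'CreateFromVHDOrTemplate', 'Deploy', 'Start', 'Stop',
               'Shutdown', 'RemoteConnect', 'Checkpoint'
Set-SCUserRole -UserRole $role -AddMember $group -AddScope $cloud `
    -Permission $permissions | Out-Null

# Quotas page: role-level quota, kept within the quota set on the cloud
$quota = Get-SCUserRoleQuota -Cloud $cloud -UserRole $role -QuotaPerUser:$false
Set-SCUserRoleQuota -UserRoleQuota $quota -CPUCount 16 -MemoryMB 32768 `
    -StorageGB 500 -VMCount 8 | Out-Null

# Networking, Resources and Run As accounts pages: share only S1 objects
$resources = @(
    Get-SCVMNetwork       -Name 'S1 VM Network'
    Get-SCVMTemplate      | Where-Object Name -eq 'S1 Server Template'
    Get-SCHardwareProfile | Where-Object Name -eq 'S1 Hardware Profile'
    Get-SCGuestOSProfile  | Where-Object Name -eq 'S1 Guest OS Profile'
    Get-SCRunAsAccount    -Name 'S1 Domain Join'
)
foreach ($r in $resources) {
    Grant-SCResource -Resource $r -UserRoleName $roleName | Out-Null
}

# Summary page: read the role back and check members, scope and permissions
Get-SCUserRole -Name $roleName | Format-List *
```

Reading the role back after creation shows at a glance whether the scope is limited to the one cloud and whether any permission beyond the intended list was granted.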
