Now we are almost ready with the Private Cloud. We have the Hyper-V cluster ready, with the fabric configured with a VM Network for each subsidiary group. We have the VM templates, Hardware Profiles and Guest OS Profiles ready. We have a Private Cloud for each subsidiary group.
In this part, we will delegate access to the IT admins of each subsidiary using User Roles, so that each group can manage only its own cloud, networks and library resources.
Create a security group for each cloud.
From SCVMM -> Settings -> User Roles
Create User Roles
On the Profile page, select the appropriate role profile. We have four pre-defined role profiles available (the wizard shows the first and last with their older names in brackets):
Fabric Administrator (Delegated Administrator): Members of this user role can perform all administrative tasks within their assigned host groups, clouds, and library servers, except for adding XenServer hosts and adding WSUS servers. Delegated Administrators cannot modify VMM settings, and cannot add or remove members of the Administrators user role.
Read-Only Administrator: Read-only administrators can view properties, status, and job status of objects within their assigned host groups, clouds, and library servers, but they cannot modify the objects. Also, the read-only administrator can view Run As accounts that administrators or delegated administrators have specified for that read-only administrator user role.
Tenant Administrator: Members of the Tenant Administrator user role can manage self-service users and VM networks. Tenant administrators can create, deploy, and manage their own virtual machines and services by using the VMM console or a web portal. Tenant administrators can also specify which tasks the self-service users can perform on their virtual machines and services. Tenant administrators can place quotas on computing resources and virtual machines.
Application Administrator (Self-Service User): Members of this user role can create, deploy, and manage their own virtual machines and services by using the VMM console or a web portal, within the quota and resources granted to them.
For our requirement, the Tenant Administrator role is the right fit: the S1 IT admins get their own cloud, networks and quota, and can in turn delegate to self-service users, without any rights over the fabric or over the other subsidiaries' clouds.
In the Members page, add the user/security group which should get access through this role. I am using a security group for this purpose. Members in this security group will get the access through this role.
In the Scope page, we define the scope in which this user role has access. For a Tenant Administrator the scope is defined through clouds, so select only the cloud that belongs to this subsidiary. Anything outside the scope is invisible to the members of the role.
In the next page, we may define the quota. On the cloud, we have defined a quota which is the maximum the cloud as a whole can consume. However, that does not mean the entire capacity should be available to a single user role. We can have multiple user roles with different quotas, and the quota of each role (and optionally a per-member quota within the role) stays within the total quota allocated to the cloud.
In the next page, we allocate the VM Networks which will be used during VM deployment. As we have dedicated VM networks for each group, select only the network that belongs to S1 IT; this is what keeps the subsidiaries' VMs on separate networks.
In the resources page, Add the VM template, Hardware profiles and OS Profiles which will be allocated for this group.
In the Actions (permissions) page, we can adjust the available permissions to some extent by switching individual actions on or off for the role (for example deploy, start, stop, checkpoint or remote connection). Note that these toggles are role-wide: they apply to every object in the role's scope, so this is not a per-object access control list.
In the next page, select the Run As accounts which will be used along with the VM Templates or Guest OS profiles. Members of the role can use any Run As account exposed here without ever seeing its password, so expose only the accounts the S1 templates actually need, and never an account with rights outside this subsidiary.
On the next screen, review the changes and proceed with the User Role creation.
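The same delegation, driven from the VMM PowerShell module instead of the wizard, as an added example that is not part of the original post. The VMM server name, cloud, VM network, AD security group, resource naming prefix and Run As account name are placeholders; the cmdlets and parameters follow VMM 2012 R2, so check them against your version with `Get-Help Set-SCUserRole -Full` before running.

```powershell
# Added example (not from the original post): delegate the S1 cloud to the S1 IT
# admins with a Tenant Administrator user role, step for step as in the wizard.
# Placeholders (assumptions): VMM server 'vmm01.corp.local', cloud 'S1 Cloud',
# VM network 'S1 VM Network', AD group 'CORP\S1-IT-Admins' (created beforehand),
# templates/profiles named 'S1-*', Run As account 'S1 Local Admin'.
Import-Module virtualmachinemanager
$vmm = Get-SCVMMServer -ComputerName 'vmm01.corp.local'

$cloud = Get-SCCloud -Name 'S1 Cloud' -VMMServer $vmm
if (-not $cloud) { throw "Cloud 'S1 Cloud' not found" }

# Profile page: Tenant Administrator.
$role = New-SCUserRole -Name 'S1 IT Admins' -UserRoleProfile TenantAdmin `
        -Description 'Delegated administrators for subsidiary S1' -VMMServer $vmm

# Members page: an AD security group, not individual users, so access is
# granted and revoked through group membership.
Set-SCUserRole -UserRole $role -AddMember @('CORP\S1-IT-Admins')

# Scope page: only this subsidiary's cloud.
Set-SCUserRole -UserRole $role -AddScope @($cloud)

# Quota page: a slice of the cloud's capacity, not the whole cloud.
Set-SCUserRoleQuota -Cloud $cloud -UserRole $role `
    -CPUCount 16 -MemoryMB 65536 -StorageGB 2048 -VMCount 20 -CustomQuotaCount 0

# Networking page: only S1's VM network.
$vmnet = Get-SCVMNetwork -Name 'S1 VM Network' -VMMServer $vmm
Set-SCUserRole -UserRole $role -AddVMNetwork @($vmnet)

# Resources page: share only the S1 templates and profiles with the role.
$resources = @(Get-SCVMTemplate      -VMMServer $vmm | Where-Object Name -like 'S1-*') +
             @(Get-SCHardwareProfile -VMMServer $vmm | Where-Object Name -like 'S1-*') +
             @(Get-SCGuestOSProfile  -VMMServer $vmm | Where-Object Name -like 'S1-*')
foreach ($r in $resources) { Grant-SCResource -Resource $r -UserRoleName $role.Name }

# Actions page: role-wide toggles. Names are values of the VMM Permission enum;
# check the list your version accepts with Get-Help Set-SCUserRole -Parameter AddPermission.
Set-SCUserRole -UserRole $role -AddPermission @('Deploy', 'Start', 'Stop', 'Shutdown', 'Checkpoint', 'RemoteConnect')

# Run As accounts page: expose only the account the S1 templates need.
$runAs = Get-SCRunAsAccount -Name 'S1 Local Admin' -VMMServer $vmm
Set-SCUserRole -UserRole $role -AddRunAsAccount @($runAs)

# Summary page: re-read the role and confirm it touches nothing outside S1.
$role = Get-SCUserRole -Name 'S1 IT Admins' -VMMServer $vmm
$role | Format-List Name, UserRoleProfile, Members, Scope
Get-SCUserRoleQuota -UserRole $role -Cloud $cloud
```

Re-running this as a periodic check (or against every user role with `Get-SCUserRole`) is a cheap way to catch scope creep: a second cloud in Scope, a Run As account with fabric-level rights, or a member that is a user account rather than the group.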