Manage roles and permissions in VMM
Important
This version of Virtual Machine Manager (VMM) has reached the end of support, we recommend you to upgrade to VMM 2022.
System Center - Virtual Machine Manager (VMM) allows you to manage roles and permissions. VMM provides:
- Role-based security: Roles specify what users can do in the VMM environment. Roles consist of a profile that defines a set of available operations for the role, scope which define the set of objects on which the role can operate, and a membership list that defines the Active Directory user accounts and security groups that are assigned to the role.
- Run As accounts: Run As accounts act as containers for stored credentials that you use to run VMM tasks and processes.
Role based security
The following table summarizes VMM user roles.
| VMM user role | Permissions | Details |
|---|---|---|
| Administrator role | Members of this role can perform all administrative actions on all objects that VMM manages. | Only administrators can add a WSUS server to VMM to enable updates of the VMM fabric through VMM. |
| Virtual Machine Administrator | Administrators can create the role (applicable for VMM 2019 and later). | Delegated Administrator can create VM administrator role that includes entire scope or a subset of their scope, library servers and Run-As accounts. |
| Fabric Administrator (Delegated Administrator) | Members of this role can perform all administrative tasks within their assigned host groups, clouds, and library servers. | Delegated Administrators cannot modify VMM settings, add or remove members of the Administrators user role, or add WSUS servers. |
| Read-Only Administrator | Members of this role can view properties, status, and job status of objects within their assigned host groups, clouds, and library servers, but they cannot modify the objects. | The read-only administrator can also view Run As accounts that administrators or delegated administrators have specified for that read-only administrator user role. |
| Tenant Administrator | Members of this role can manage self-service users and VM networks. | Tenant administrators can create, deploy, and manage their own virtual machines and services by using the VMM console or a web portal. Tenant administrators can also specify which tasks the self-service users can perform on their virtual machines and services. Tenant administrators can place quotas on computing resources and virtual machines. |
| Application Administrator (Self-Service User) | Members of this role can create, deploy, and manage their own virtual machines and services. | They can manage VMM using the VMM console. |
Run As accounts
There are different types of Run As accounts:
- Host computer accounts are used to interact with virtualization servers.
- BMC accounts are used to communicate with the BMC on hosts for out-of-band management or power optimization.
- External account are used to communication with external apps such as Operations Manager.
- Network device accounts are used to connect with network load balancers.
- Profile accounts are used in Run As profiles when you're deploying a VMM service, or creating profiles.
Note that:
- VMM uses the Windows Data Protection API (DPAPI) to provide operating system level data protection services during storage and retrieval of the Run As account credentials. DPAPI is a password-based data protection service that uses cryptographic routines (the strong Triple-DES algorithm, with strong keys) to offset the risk posed by password-based data protection. Learn more.
- When you install VMM, you can configure VMM to use Distributed Key Management to store encryption keys in Active Directory.
- You can set up Run As accounts before you start managing VMM, or you can set up Run As accounts if you need them for specific actions.