Explaining the Hyper-V authorization model, part six

Hyper-V uses a role based authorisation model for access checks. This series of articles takes a look at the model; defines the available primitives; and walks through a couple of examples. (Oops, a post I meant to publish back in October last year, only just realized I didn't make it live!)

Quick links: Part1; Part 2; Part 3; Part 4; Part 5;

This part examines a solution I use at home to make sure that critical production VMs can’t be ‘snapshotted’. This makes use of the new operation (355) in the R2 release. The approach is simply to group VMs into either “live” or “test” buckets. All operations are permitted for VMs which are in the test bucket. A subset of operations is permitted for VMs which are in the live bucket.

Here’s a screenshot of Hyper-V Manager running one of my servers: I’ve also chosen to name the VMs with a “Live:” or “Test:” prefix.


The first thing I need to do is manipulate the AZMan store to create a new scope called “Test”, and within that, create a role Definition “Administrator (Test VMs)” which is authorized to all operations.


Within that scope, I create a new role assignment “Administrator (Test)”, and link it to the “Administrator (Test VMs)” role definition in the “Test” scope


I then add user accounts as needed to this role assignment that should have full access to test VMs.

Next, back to the default scope, and alter the “Administrator” role definition to remove the “Allow Virtual Machine Snapshot” operation (hit ‘Remove’ at the following dialog). In effect, the default scope is going to become the scope where live VMs reside which can’t be snapshotted.


Almost there – at this stage, all VMs are in the default scope. Let’s verify that snapshots can’t be taken by trying to snapshot one of the VMs I have. I picked a “test” one as that’s one I want to be able to snapshot in the next step.


The last part of the configuration is to move each of the test VMs into the “Test” scope. I’ll use the same SetScope.vbs script from part three of this series. Again, look for the “0” on the last line of output for success.


Let’s try that snapshot operation again on the “Test: R2 Core” VM again:


As you can see, that succeeds. So once all test VMs are moved to the “Test” scope, I’ve achieved the goal: Snapshots cannot be taken of live VMs, but snapshots can be taken of test VMs.