Appendix B: Authorization Manager Terminology
Updated: February 4, 2009
Applies To: Windows Server 2008
You use the Authorization Manager Microsoft Management Console (MMC) snap-in (AzMan.msc) to select operations, group them into tasks, and then authorize roles to perform specific tasks. You also use the snap-in to manage tasks, operations, and user roles and permissions. See Using Authorization Manager for Hyper-V Security and Configure Hyper-V for Role-based Access Control for more information about using role-based access control for virtual machines in Hyper-V.
The following terminology is used in the context of Authorization Manager:
Operation. A low-level permission in an application. Operations are the building blocks of your policy for role-based access control. For example, in Hyper-V "Allow Input to a Virtual Machine", "Allow Output from a Virtual Machine," and "Create a Virtual Machine" are operations.
Policy. The data that Authorization Manager uses for role-based access control. This data, configured by a virtualization administrator, describes the relationships between roles, tasks, and operations. The policy is an XML file that you can edit using the Authorization Manager snap-in or with scripting tools. For more information about the elements of a policy, see Checklist: Before you start using Authorization Manager (http://go.microsoft.com/fwlink/?LinkID=134197).
Role. A set of users and/or groups that define a category of user who can perform a set of tasks or operations. For example, the users assigned to the administrator role by default have the ability to perform any task or operation in Hyper-V. The administrator can create any number of other roles.
Authorization store. The repository for the authorization policy. You must create a store to control resource access—you can do this either programmatically or using the snap-in. The default store location in Hyper-V is an XML file located at \ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml. Both Hyper-V and Authorization Manager support XML files and Active Directory Domain Services for storing a policy. However, Authorization Manager stores for other applications can be created in Active Directory Lightweight Directory Services and Microsoft SQL Server (new for Windows Vista and Windows Server 2008).
Scope. A collection of resources with a common access control policy. In Authorization Manager, the scope can be a folder, an Active Directory container, a file-masked collection of files (for example, *.doc), a URL, or any object that can be accessed by the application and its underlying authorization store. The object can be assigned to only one scope. Any object that is not assigned to a scope takes the access control policy that is defined in the Authorization Manager application (or root) scope. The default scope is “Hyper-V Services”. Hyper-V objects that you can use for scopes include virtual machines, virtual switches, and virtual switch ports.
For example, to grant administrator access to a set of virtual machines to a specific user or group, create a scope for those virtual machines. For more information, see Work with Scopes (http://go.microsoft.com/fwlink/?LinkID=134199).
Task. A logical group of operations for accomplishing a task. Tasks can be categorized by objects and used to control access to the object.
No checks are made for dependent operations when you add tasks to a role definition. For example, the “Connect to a virtual machine” task requires the “Read Service Configuration,” “Allow Output from a Virtual Machine,” and “Allow Input to a Virtual Machine” operations.
Departmental administrator. An administrator who only has permissions to perform the tasks that are outlined in the role description. At a higher organizational level, the virtualization administrator creates and maintains the role definitions and scopes. For example, the virtualization administrator can create a “Human Resources Administrator” departmental administrator role that is scoped only to virtual machines owned by the Human Resources department, and can create a different role (with the same operations and tasks) called “Finance Administrator” that is scoped only to the Finance department virtual machines.
Role definition. The list of operations that a user can perform with the assigned role.
Role assignment. A list of users who can perform the operations that are listed in the role definition.
For example, the default administrator role definition includes all operations and the default role assignment is for all users in the BUILTIN\Administrators group. You can create a “User” role that can only use the “Start Virtual Machine”, “Stop Virtual Machine”, “Allow Input to Virtual Machine” and “Allow Output from Virtual Machine” operations. You can also create roles based on organizational structures. For example, you can create a role called “Virtual Network Administrator” and assign only the operations for virtual networking to that role. For more information, see Manage Groups, Roles, and Tasks (http://go.microsoft.com/fwlink/?LinkId=134517).
Virtualization administrator. An administrator who has local administrator permission on the virtualization server management operating system and controls all other delegated administrator rights and permissions.