Manage roles and permissions in VMM

Important

This version of Virtual Machine Manager (VMM) has reached the end of support; we recommend that you upgrade to VMM 2019.

System Center - Virtual Machine Manager (VMM) allows you to manage roles and permissions. VMM provides:

  • Role-based security: Roles specify what users can do in the VMM environment. A role consists of a profile that defines the set of operations available to the role, a scope that defines the set of objects on which the role can operate, and a membership list that defines the Active Directory user accounts and security groups assigned to the role.
  • Run As accounts: Run As accounts act as containers for stored credentials that you use to run VMM tasks and processes.

Role-based security

The following table summarizes the VMM user roles.

VMM user role | Permissions | Details

  • Administrator role
    Permissions: Members of this role can perform all administrative actions on all objects that VMM manages.
    Details: Only administrators can add a WSUS server to VMM to enable updates of the VMM fabric through VMM.
  • Fabric Administrator (Delegated Administrator)
    Permissions: Members of this role can perform all administrative tasks within their assigned host groups, clouds, and library servers.
    Details: Delegated Administrators cannot modify VMM settings, add or remove members of the Administrators user role, or add WSUS servers.
  • Read-Only Administrator
    Permissions: Members of this role can view properties, status, and job status of objects within their assigned host groups, clouds, and library servers, but they cannot modify those objects.
    Details: The read-only administrator can also view the Run As accounts that administrators or delegated administrators have specified for that read-only administrator user role.
  • Tenant Administrator
    Permissions: Members of this role can manage self-service users and VM networks. Tenant administrators can create, deploy, and manage their own virtual machines and services by using the VMM console or a web portal.
    Details: Tenant administrators can also specify which tasks the self-service users can perform on their virtual machines and services. Tenant administrators can place quotas on computing resources and virtual machines.
  • Application Administrator (Self-Service User)
    Permissions: Members of this role can create, deploy, and manage their own virtual machines and services.
    Details: They can manage VMM using the VMM console.
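The role model above maps directly onto the VMM PowerShell module. The following script is an added example, not code from the original page or from Microsoft: it creates a scoped Read-Only Administrator role (the least-privilege profile for auditors and SOC analysts) and then lists every role with its members, which is the check a defender runs to spot unexpected membership of the Administrator role. The VMM server name, the host group "Production", the AD group CONTOSO\SecOps-Readers and the `Profile` property name are assumptions.

```powershell
# Added example (not from the original page): create a scoped Read-Only Administrator
# role and audit role membership with the VMM PowerShell module.
# Assumed values: the VMM server name, the host group "Production", the AD group
# CONTOSO\SecOps-Readers and the role name are placeholders.
Import-Module VirtualMachineManager

$vmmServer = Get-SCVMMServer -ComputerName "vmm01.contoso.local"   # assumed server name

# A Read-Only Administrator can view objects in its scope but never modify them.
$role = New-SCUserRole -Name "SecOps Read-Only" `
                       -UserRoleProfile ReadOnlyAdmin `
                       -Description "Read-only visibility for security operations" `
                       -VMMServer $vmmServer

# Scope limits which objects the role can see; here a single host group.
$scope = Get-SCVMHostGroup -Name "Production" -VMMServer $vmmServer
Set-SCUserRole -UserRole $role -AddScope $scope -AddMember @("CONTOSO\SecOps-Readers")

# Audit: list every role and its members. Membership of the Administrator role
# deserves particular attention because only that role can change VMM settings,
# alter Administrator membership, or add WSUS servers.
Get-SCUserRole -VMMServer $vmmServer | ForEach-Object {
    [pscustomobject]@{
        Role    = $_.Name
        Profile = $_.Profile          # property name assumed; confirm with Get-Member
        Members = ($_.Members -join ", ")
    }
} | Format-Table -AutoSize
```

Run this from a VMM console session or a host with the VMM console installed; the audit loop at the end can be scheduled on its own to produce a periodic membership report.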

Run As accounts

There are different types of Run As accounts:

  • Host computer accounts are used to interact with virtualization servers.
  • BMC accounts are used to communicate with the BMC on hosts for out-of-band management or power optimization.
  • External accounts are used to communicate with external apps such as Operations Manager.
  • Network device accounts are used to connect with network load balancers.
  • Profile accounts are used in Run As profiles when you're deploying a VMM service or creating profiles.

Note that:

  • VMM uses the Windows Data Protection API (DPAPI) to provide operating-system-level data protection during storage and retrieval of Run As account credentials. DPAPI is a password-based data protection service that uses cryptographic routines (the strong Triple-DES algorithm, with strong keys) to offset the risk posed by password-based data protection. Learn more.
  • When you install VMM, you can configure VMM to use Distributed Key Management to store the encryption keys in Active Directory.
  • You can set up Run As accounts before you start managing VMM, or you can set up Run As accounts when you need them for specific actions.
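To show how a Run As account is created and inventoried without the secret ever appearing in a script file, here is an added example that is not code from the original page or from Microsoft. The credential is prompted for interactively, VMM stores it under DPAPI (or with Distributed Key Management if that was chosen at install time), and the listing at the end only reports which identity each account maps to. The VMM server name, the account CONTOSO\svc-vmmhost and the `Domain`/`UserName` property names are assumptions.

```powershell
# Added example (not from the original page): create a host-management Run As account
# and list the Run As accounts VMM holds, without echoing any password.
# Assumed values: the VMM server name and the account CONTOSO\svc-vmmhost are placeholders.
Import-Module VirtualMachineManager

$vmmServer = Get-SCVMMServer -ComputerName "vmm01.contoso.local"   # assumed server name

# Prompt for the credential so the secret never lands in a script file or shell history.
$cred = Get-Credential -UserName "CONTOSO\svc-vmmhost" `
                       -Message "Password for the host management account"

# VMM protects the stored secret with DPAPI (or Distributed Key Management);
# the plain-text password is not retrievable through the cmdlets afterwards.
$runAs = New-SCRunAsAccount -Name "Host management" `
                            -Credential $cred `
                            -Description "Used to add and manage Hyper-V hosts" `
                            -VMMServer $vmmServer

# Inventory check: which Run As accounts exist and which identities they map to.
# Review this list periodically so stale or over-privileged service identities are noticed.
Get-SCRunAsAccount -VMMServer $vmmServer |
    Select-Object Name, Domain, UserName, Description |    # property names assumed
    Format-Table -AutoSize
```

If the VMM installation was configured for Distributed Key Management, the same cmdlets apply; only the location of the protecting key differs.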

Next steps