In SCVMM 2012 R2, you define which objects users can manage and which administrative actions they can perform primarily by creating user roles. VMM provides five built-in user roles for managing objects:
A: Administrator: members of the Administrator user role can perform all administrative operations on all objects that are managed by VMM.
B: Fabric Administrator (delegated administrator): members of the Delegated Administrator user role can perform all administrative tasks (except adding XenServer hosts and adding WSUS servers) within the host groups, clouds, and library servers assigned to them. Delegated administrators cannot modify VMM settings and cannot add or remove members of the Administrator user role.
C: Read-Only Administrator: read-only administrators can view the properties, status, and job status of objects within the host groups, clouds, and library servers assigned to them, but cannot modify those objects. A read-only administrator can also view the run as accounts that an administrator or delegated administrator has specified for the read-only administrator user role.
D: Tenant Administrator: members of the Tenant Administrator user role can manage self-service users and VM networks. Tenant administrators can create, deploy, and manage their own virtual machines and services by using the VMM console or the web portal. Tenant administrators can also specify which tasks self-service users can perform on their virtual machines and services, and can set quotas on compute resources and virtual machines.
E: Application Administrator (self-service user): members of the self-service user role can create, deploy, and manage their own virtual machines and services by using the VMM console or the web portal.
1. "Bj-client-01" is a client machine that has the VMM management console installed. In a real enterprise environment it is not practical to log on to the VMM server itself every time you need to do management or maintenance work. Installing the VMM management console on a client machine is simple: insert the VMM installation media and tick the VMM management console option in the VMM Setup Wizard.
2. Double-click the VMM program, then enter the VMM management server name and port number, the user account, and the password to connect to the VMM management server.
3. After entering, you can see
4. In the "Settings" workspace, click "Create User Role" to launch the Create User Role wizard, enter "Read only" as the name along with a description, and click "Next".
5. On the Profile page, select "Read-only Admin" and click "Next".
6. On the Members tab, click the "Add" button to add the domain user.
7. Click "Next" on the Scope tab
8. Click "Next" on the Library server tab
9. On the Run as tab page, click Add to add a run as account.
In System Center Virtual Machine Manager, the credentials that a user enters for any procedure can be provided by the run as account, which is a container for a set of stored credentials. Only administrators and delegated administrators can create and manage run as accounts. Read-Only Administrators can view the account name associated with the run as account in the scope of their user role. The same restrictions on creating, managing, and viewing run as accounts work in both the VMM console and the VMM command-line interface. Delegated Administrators and self-service users can only get objects in the scope of their user roles, and can only perform actions allowed by their user roles.
System Center Virtual Machine Manager uses the Windows Data Protection API (DPAPI) to provide operating system-level data protection when storing and retrieving run as account credentials. DPAPI is a password-based data protection service that uses cryptographic routines (the strong Triple-DES algorithm, with strong keys) to offset the risk posed by password-based data protection.
10. Select the Run as Account page and click Create Run as Account
11. After confirming the run as account, click Next.
12. On the Summary page, confirm that the settings are correct, then click Finish.
13. Click on the user role again to view the created read-only account
14. Close the VMM management console and log in again with the "Read Only" account to see the changes.
15. Open the VMs and Services workspace and look at the Home tab. The user cannot choose to create a service, virtual machine, or cloud.
These operations are available when you log in with an administrator account.
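Wizard steps 4 to 13 above can also be scripted, which makes the role definition repeatable and reviewable. This is an added example, not part of the original article: it assumes the VMM PowerShell module that installs with the VMM console, and the server name, domain user, host group and run as account name are placeholders.

```powershell
# Added example: scripted equivalent of wizard steps 4-13.
# Every value in this block is a placeholder, not taken from the article.
Import-Module virtualmachinemanager

$VmmServer  = 'vmm01.contoso.local'    # placeholder VMM management server
$RoleName   = 'Read only'              # role name entered in step 4
$Member     = 'CONTOSO\audit.user'     # placeholder domain user (step 6)
$HostGroup  = 'Audit-HostGroup'        # placeholder scope; keep it as narrow as the job needs
$RunAsName  = 'RO-RunAs'               # placeholder run as account name (steps 9-11)

# Step 2: connect this session to the VMM management server.
Get-SCVMMServer -ComputerName $VmmServer | Out-Null

# Steps 4-5: create the role with the Read-Only Administrator profile,
# unless a role with this name already exists.
$role = Get-SCUserRole -Name $RoleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-SCUserRole -Name $RoleName -UserRoleProfile ReadOnlyAdmin `
                           -Description 'View-only access for auditing'
}

# Steps 6-7: add the domain user and limit the role to one host group.
$scope = Get-SCVMHostGroup -Name $HostGroup
if (-not $scope) { throw "Host group '$HostGroup' not found; refusing to create an unscoped role." }
Set-SCUserRole -UserRole $role -AddMember $Member -AddScope $scope | Out-Null

# Steps 9-11: reuse the run as account if present, otherwise create it.
# Get-Credential prompts interactively, so no password is stored in the script.
$runAs = Get-SCRunAsAccount -Name $RunAsName -ErrorAction SilentlyContinue
if (-not $runAs) {
    $cred  = Get-Credential -Message "Credentials to store in run as account '$RunAsName'"
    $runAs = New-SCRunAsAccount -Name $RunAsName -Credential $cred `
                                -Description 'Visible to the read-only role'
}

# Make the run as account visible in the scope of the read-only role.
Grant-SCResource -Resource $runAs -UserRoleName $RoleName | Out-Null

# Step 13: read the role back to confirm profile and membership.
Get-SCUserRole -Name $RoleName | Select-Object Name, Profile, Members

# Periodic review: list every role with its profile so unexpected
# Administrator or Delegated Administrator roles stand out.
Get-SCUserRole | Sort-Object Profile | Select-Object Name, Profile, Members
```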
This article is from "Xu Ting Blog-Microsoft technology Sharing" blog, please be sure to keep this source http://ericxuting.blog.51cto.com/8995534/1622002
VMM role description for VMM series and creating a run as Account