Delegating management in Hyper-V

Separation of duties is a concept we keep coming back to. One individual (or one group) should not have full authority to complete a process. This goes hand-in-hand with least privilege: any one individual (or group) should have just enough system privileges to complete their portion of the process, and no more. In the realm of server virtualization, this means dividing up duties between those who manage the hypervisor, those who manage the VMs, and those who manage the guest operating systems.

In Hyper-V, you can delegate permission to manage or monitor the VMs separately from permission to manage the hypervisor itself. To do so, use the Authorization Manager console (AzMan.msc) to edit the \ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml authorization store. Create a Windows security group first, then use AzMan.msc to create a role, specify the tasks (operations) that role may perform, and assign the role to the security group.

For step-by-step instructions, please see Microsoft’s documentation.

Configure Hyper-V for Role-based Access Control

http://technet.microsoft.com/en-us/library/dd283076(WS.10).aspx
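The same delegation, done through the AzMan COM API instead of the console, as an added example that is not part of the original post: one function audits which roles and members the store currently holds, the other creates a role limited to named operations and grants it to a group. The store path is the default quoted above, the application name "Hyper-V services" is the one Hyper-V registers in that store, and the group name and operation names in the example call are placeholders that must already exist on your system.

```powershell
# Added example (not from the original post). Assumptions: default store path,
# application name "Hyper-V services", placeholder group and operation names.
$StoreUrl = 'msxml://C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml'
$AppName  = 'Hyper-V services'

function Open-HyperVAzApplication {
    $store = New-Object -ComObject AzRoles.AzAuthorizationStore
    $store.Initialize(0, $StoreUrl)          # flag 0 = open an existing store
    return $store.OpenApplication($AppName)
}

# Defender's check: which roles exist, what they allow, and who holds them.
function Get-HyperVRoleAssignment {
    $app = Open-HyperVAzApplication
    foreach ($role in $app.Roles) {
        New-Object PSObject -Property @{
            Role       = $role.Name
            Operations = (@($role.Operations | ForEach-Object { $_.Name }) -join ', ')
            Tasks      = (@($role.Tasks      | ForEach-Object { $_.Name }) -join ', ')
            Members    = (@($role.MembersName) -join ', ')
        }
    }
}

# Least-privilege delegation: a role that carries only the listed operations.
function New-HyperVDelegatedRole {
    param(
        [string]$RoleName,
        [string[]]$OperationNames,
        [string]$GroupName            # existing Windows security group
    )
    $app   = Open-HyperVAzApplication
    $known = @($app.Operations | ForEach-Object { $_.Name })
    # Refuse to proceed on a typo rather than silently create an empty role.
    $missing = @($OperationNames | Where-Object { $known -notcontains $_ })
    if ($missing.Count -gt 0) {
        throw "Operation(s) not defined in store: $($missing -join ', ')"
    }
    $role = $app.CreateRole($RoleName)
    foreach ($op in $OperationNames) { $role.AddOperation($op) }
    $role.AddMemberName($GroupName)
    $role.Submit()                     # write the change back to InitialStore.xml
}

Get-HyperVRoleAssignment | Format-Table Role, Members, Operations -AutoSize
# Example call; placeholders must match a real group and operation names in your store:
# New-HyperVDelegatedRole -RoleName 'VM Operators' `
#     -OperationNames @('<operation name from store>') -GroupName 'DOMAIN\VM Operators'
```

This AzMan store is the Windows Server 2008 / 2008 R2 mechanism the linked documentation describes; Windows Server 2012 and later removed AzMan support from Hyper-V in favour of the built-in Hyper-V Administrators local group.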
