Monday, September 12, 2011 12:26
In the SSP help it states:
"You can connect to any virtual machine that belongs to a service for which your user role has the Remote Desktop/Connect to Virtual Machine permission."
I am trying to lock down access so that user accounts are only able to connect to virtual machines for which they have specifically been granted access. Some users need to access only one virtual machine, and they should not be able to access any of the other virtual machines for which they do not have permissions.
Is it possible in SSP to granularly control access for connecting to virtual machines? Ideally I would like to control access by the membership of Active Directory security groups.
All Replies
Tuesday, September 13, 2011 21:01 Moderator
Controlling the Remote Desktop/Connect to Virtual Machine permission for a specific user or security group is possible in VMMSSP. Please create virtual machines in different Services and add the users or security groups to these Services by selecting the appropriate user role (Advanced Operator, Business Unit User or Custom User role) from the User Roles tab. You can also edit the virtual machine actions allowed for a particular user role. E.g., if you need to give just the Remote Desktop/Connect permission to a specific user, then follow the procedure below. Let's use a Custom user role.
1. Create a Custom user role: User Roles->Create custom role->Give an appropriate name in "Custom Role Name"->Select the Action "Remote Desktop/Connect to Virtual Machine". So here a user role with only the "Remote Desktop/Connect" permission is created.
2. Now add the user/security group to this user role: User Roles->Select the user role name created in step #1->View/edit Members->Select the appropriate Business Unit, Infrastructure and Service->Add Members->Enter the User or Security Group Name->Save->Save and Close. So here you added a user or security group to the user role which has only the Remote Desktop/Connect permission.
3. Now create one or more virtual machines in the Service selected while adding the user to the user role.
Now the user or security group added in step #2 will have only the Connect/Remote Desktop permission to the virtual machines created in the Service mentioned in step #3.
Now if you need to create another set of VMs and give different security groups permission to connect, then just add the users or security group in the new role created by selecting a different Service, and create the virtual machines in this Service.