Modifies the settings for an existing VMM user role.
Description
The Set-SCUserRole cmdlet modifies the settings for an existing System Center Virtual Machine Manager (VMM) user role. The settings that you can modify depend on the type of VMM user role.
VMM ADMINISTRATOR (Administrator)
---------------------------------
You can add members to or remove members from the Administrator user role, but you cannot limit the scope of objects that members of this role can manage.
DELEGATED ADMINISTRATOR (DelegatedAdmin)
----------------------------------------
You can add members to and remove members from, and you can expand or restrict the scope of a Delegated Administrator user role. You can grant members of this user role permission to manage all of the objects in one or more private clouds and host groups and/or allow users to manage all of the objects stored on one or more library servers. Within that framework, you cannot limit the actions that members of the Delegated Administrator user role can perform.
READ-ONLY ADMINISTRATOR (ReadOnlyAdmin)
-----------------------------------
You can add members to and remove members from, and you can expand or restrict the scope of a Read-Only Administrator User role. However, the members of the user role can only view the properties, status, and job status of the objects within their assigned scope; they cannot modify any of the objects.
SELF-SERVICE USER (SelfServiceUser)
-----------------------------------
You can add members to or remove members from, and you can expand or limit the scope and actions of members of a Self-Service User role. You can grant members of a self-service user role permission to manage all of the objects in one or more private clouds; permission to create virtual machines; permission to store virtual machines in the stored virtual machine path in the cloud that the virtual machine is on; and permission to use one or more template objects to create virtual machines. Within that framework, you can grant members of a Self-Service User role one or more actions that self-service users can take. You can also limit the number of virtual machines that self-service users can create by setting a quota that applies to each user or to all users collectively.
The actions that you can grant a Self-Service user include the following:
Action Description
--------- --------------
AllowLocalAdmin Grants user local administrator rights on virtual
machines
Author Author virtual machine and service templates
CanShare Share resources with other Self-Service users
CanReceive Receive resources from other Self-Service users
Checkpoint Create and manage virtual machine checkpoints
CheckpointRestoreOnly Can only restore a checkpoint
Create Create virtual machines and services from templates
only
CreateFromVHDOrTemplate Create virtual machines and services from VHD
files or templates
PauseAndResume Pause and resume virtual machines and services
RemoteConnect Remotely connect to virtual machines
Remove Remove virtual machines and services
Save Save virtual machines and services
Shutdown Shut down virtual machines
Start Start virtual machines and services
Stop Stop virtual machines and services
Store Store virtual machines in a library
For more information about Set-SCUserRole, type: "Get-Help Set-SCUserRole -online".
Parameters
AddMember
Required?
false
Accept Pipeline Input?
false
Position?
named
Adds one or more members to an object that has the concept of members, such as a group. For example, AddMember adds one or more Active Directory domain users or groups to a user role.
Example formats:
-AddMember Domain\User
-AddMember User
-AddMember User@Domain
-AddMember Domain\LabGroupAlias
-AddMember LabGroupAlias (an Active Directory security group, not an email alias)
AddScope
Required?
false
Accept Pipeline Input?
false
Position?
named
Adds one or more VMM objects to the scope of objects that members of this user role can manage.
Description
Required?
false
Accept Pipeline Input?
false
Position?
named
States a description for the specified object.
JobGroup
Required?
false
Accept Pipeline Input?
false
Position?
named
Specifies an identifier for a series of commands that will run as a set just before the final command that includes the same job group identifier runs.
JobVariable
Required?
false
Accept Pipeline Input?
false
Position?
named
Specifies that job progress is tracked and stored in the variable named by this parameter.
Name
Required?
false
Accept Pipeline Input?
false
Position?
named
Specifies the name of a VMM object.
Permission
Required?
false
Accept Pipeline Input?
false
Position?
named
Specifies the actions that members of a Self-Service User role can perform on their virtual machines or services.
Valid values are: AllowLocalAdmin, Author, CanShare, CanReceive, Checkpoint, CheckpointRestoreOnly, Create, CreateFromVHDOrTemplate, PauseAndResume, RemoteConnect, Remove, Save, Shutdown, Start, Stop, Store.
Giving CreateFromVHDOrTemplate permission also gives Create permission. Giving Checkpoint permission also gives CheckpointRestoreOnly permission.
Example format: -Permission Create,PauseAndResume,Stop
PROTipID
Required?
false
Accept Pipeline Input?
false
Position?
named
Specifies the ID of the PRO tip that triggered this action. This allows for auditing of PRO tips.
RemoveLibraryStoreSharePath
Required?
false
Accept Pipeline Input?
false
Position?
named
Clears the user role data path for a self-service user.
RemoveMember
Required?
false
Accept Pipeline Input?
false
Position?
named
Removes a member from a VMM object that has the concept of membership, such as a group. For example, RemoveMember removes one or more Active Directory domain users or groups from a user role.
Example formats:
-RemoveMember Domain\User
-RemoveMember User
-RemoveMember User@Domain
-RemoveMember Domain\LabGroupAlias
-RemoveMember LabGroupAlias (an Active Directory security group, not an email alias)
RemoveScope
Required?
false
Accept Pipeline Input?
false
Position?
named
Removes one or more VMM objects from the scope of objects that members of this user role can manage.
RunAsynchronously
Required?
false
Accept Pipeline Input?
false
Position?
named
Indicates that the job runs asynchronously so that control returns to the command shell immediately.
ShowPROTips
Required?
false
Accept Pipeline Input?
false
Position?
named
Indicates whether to show PRO tips. This parameter only applies to Self-Service User roles.
UserRole
Required?
false
Accept Pipeline Input?
true (ByValue)
Position?
named
Specifies a user role object.
UserRoleDataPath
Required?
false
Accept Pipeline Input?
false
Position?
named
Specifies the path to a library share that members of a Self-Service User role can use to upload their data.
Example format: "\\LibraryServerName\LibraryShareName"
VMMServer
Required?
false
Accept Pipeline Input?
false
Position?
named
Specifies a VMM server object.
Examples
1: Add the specified users to the VMM
Administrator user role.
The first command gets the user role object named Administrator and stores the object in the $UserRole variable.
The second command adds User1 and User2, both members of the Contoso.com domain, to the Administrator user role.
2: Add the specified users to the
Administrator role in a single command.
This command gets all user role objects from VMMServer01, selects the user role objects whose profile is Administrator, and then adds User3 to the Administrator user role.
3: Modify an existing self-service
user role by adding a cloud to its scope.
The first command gets the cloud object named Cloud02 and stores the object in the $Cloud variable.
The second command gets the user role object named ContosoSelfServiceUsers and stores the object in the $UserRole profile.
The last command modifies the scope of the user role stored in $UserRole (ContosoSelfServiceUsers) by adding the cloud stored in $Cloud to its scope.
4: Remove the specified user from the
Administrator user role.
The first command gets the user role object named Administrator and stores the object in the $UserRole variable.
The secondt command removes User01, who is a member of the Contoso.com domain, from the Administrator user role.
5: Add a cloud to the scope of a
self-service user role.
The first command gets the cloud object named Cloud03 and stores the object in the $Cloud variable.
The second command gets the user role object named ContosoSelfServiceUsers and then passes the user role object to the Set-SCUserRole cmdlet. The Set-SCUserRole cmdlet adds the cloud stored in $Cloud to the user role.
6. Modify what actions members of a
self-service user role can take on their virtual machines.
The first command gets the user role object on VMMServer01 named ContosoSelfServiceUsers and stores the object in the $UserRole variable.
The second command modifies the permissions for members of the user role stored in $UserRole (ContosoSelfServiceUsers) to allow Creation, PauseAndResume, Stop, AllowLocalAdmin and Store permissions.
To list all available permissions that you can specify for self-service users, type:
PS C:\> [enum]::GetValues([Microsoft.VirtualManager.Remoting.SelfServicePermission])
You can specify the following permissions with the -Permission parameter:
PERMISSION ALLOWED ACTIONS
---------- ---------------
Create Create virtual machines and services from VHDs or Templates
PauseAndResume Pause and resume virtual machines and services
Start Start virtual machines and services
Stop Stop virtual machines and services
AllowLocalAdmin Act as local Administrator on virtual machines
RemoteConnect Access virtual machines remotely
Remove Remove virtual machines and services
Shutdown Shut down virtual machines
Checkpoint Create and manage virtual machine checkpoints
Store Store virtual machines in the library
Save Save virtual machines and services
Author Author virtual machine and service templates
CanShare Share resources with other self-service users
CanReceive Receive resources from other self-service users
CreateFromVHDorTemplate Create virtual machines and services from VHDs or Templates
CheckpointRestoreOnly Restore to but cannot create virtual machine checkpoints