Set-SCUserRole

Modifies the settings for an existing VMM user role.

Description

The Set-SCUserRole cmdlet modifies the settings for an existing System Center Virtual Machine Manager (VMM) user role. The settings that you can modify depend on the type of VMM user role.

VMM ADMINISTRATOR (Administrator)
---------------------------------
You can add members to or remove members from the Administrator user role, but you cannot limit the scope of objects that members of this role can manage.

DELEGATED ADMINISTRATOR (DelegatedAdmin)
----------------------------------------
You can add members to and remove members from, and you can expand or restrict the scope of a Delegated Administrator user role. You can grant members of this user role permission to manage all of the objects in one or more private clouds and host groups and/or allow users to manage all of the objects stored on one or more library servers. Within that framework, you cannot limit the actions that members of the Delegated Administrator user role can perform.

READ-ONLY ADMINISTRATOR (ReadOnlyAdmin)
-----------------------------------
You can add members to and remove members from, and you can expand or restrict the scope of a Read-Only Administrator User role. However, the members of the user role can only view the properties, status, and job status of the objects within their assigned scope; they cannot modify any of the objects.

SELF-SERVICE USER (SelfServiceUser)
-----------------------------------
You can add members to or remove members from, and you can expand or limit the scope and actions of members of a Self-Service User role. You can grant members of a self-service user role permission to manage all of the objects in one or more private clouds; permission to create virtual machines; permission to store virtual machines in the stored virtual machine path in the cloud that the virtual machine is on; and permission to use one or more template objects to create virtual machines. Within that framework, you can grant members of a Self-Service User role one or more actions that self-service users can take. You can also limit the number of virtual machines that self-service users can create by setting a quota that applies to each user or to all users collectively.

The actions that you can grant a Self-Service user include the following:

Action						Description
---------					 --------------
AllowLocalAdmin		 Grants user local administrator rights on virtual 
										machines
Author						Author virtual machine and service templates
CanShare						Share resources with other Self-Service users
CanReceive					Receive resources from other Self-Service users
Checkpoint					Create and manage virtual machine checkpoints
CheckpointRestoreOnly		 Can only restore a checkpoint
Create						Create virtual machines and services from templates
										only
CreateFromVHDOrTemplate   Create virtual machines and services from VHD 
										files or templates
PauseAndResume		Pause and resume virtual machines and services
RemoteConnect				 Remotely connect to virtual machines
Remove						Remove virtual machines and services
Save							Save virtual machines and services
Shutdown						Shut down virtual machines
Start						 Start virtual machines and services
Stop							Stop virtual machines and services
Store						 Store virtual machines in a library

For more information about Set-SCUserRole, type: "Get-Help Set-SCUserRole -online".

Parameters

Adds one or more members to an object that has the concept of members, such as a group. For example, AddMember adds one or more Active Directory domain users or groups to a user role. 

Example formats:
-AddMember Domain\User
-AddMember User
-AddMember User@Domain
-AddMember Domain\LabGroupAlias
-AddMember LabGroupAlias (an Active Directory security group, not an email alias)

Adds one or more VMM objects to the scope of objects that members of this user role can manage. 

States a description for the specified object.

Specifies an identifier for a series of commands that will run as a set just before the final command that includes the same job group identifier runs. 

Specifies that job progress is tracked and stored in the variable named by this parameter. 

Specifies the name of a VMM object.

Specifies the actions that members of a Self-Service User role can perform on their virtual machines or services. 

Valid values are: AllowLocalAdmin, Author, CanShare, CanReceive, Checkpoint, CheckpointRestoreOnly, Create, CreateFromVHDOrTemplate, PauseAndResume, RemoteConnect, Remove, Save, Shutdown, Start, Stop, Store.

Giving CreateFromVHDOrTemplate permission also gives Create permission. Giving Checkpoint permission also gives CheckpointRestoreOnly permission. 

Example format: -Permission Create,PauseAndResume,Stop 

Specifies the ID of the PRO tip that triggered this action. This allows for auditing of PRO tips.

Clears the user role data path for a self-service user.

Removes a member from a VMM object that has the concept of membership, such as a group. For example, RemoveMember removes one or more Active Directory domain users or groups from a user role.

Example formats:
-RemoveMember Domain\User
-RemoveMember User
-RemoveMember User@Domain
-RemoveMember Domain\LabGroupAlias
-RemoveMember LabGroupAlias (an Active Directory security group, not an email  alias)

Removes one or more VMM objects from the scope of objects that members of this user role can manage.

Indicates that the job runs asynchronously so that control returns to the command shell immediately. 

Indicates whether to show PRO tips. This parameter only applies to Self-Service User roles.

Specifies a user role object.

Specifies the path to a library share that members of a Self-Service User role can use to upload their data. 

Example format: "\\LibraryServerName\LibraryShareName"

Specifies a VMM server object.

Examples

PS C:\> $UserRole = Get-SCUserRole -Name "Administrator"
PS C:\> Set-SCUserRole -UserRole $UserRole -AddMember Contoso\User1,Contoso\User2

The first command gets the user role object named Administrator and stores the object in the $UserRole variable.

The second command adds User1 and User2, both members of the Contoso.com domain, to the Administrator user role.

PS C:\> Get-SCUserRole -VMMServer "VMMServer01.Contoso.com" | where { $_.Profile -eq "Administrator" } | Set-SCUserRole -AddMember Contoso\User3

This command gets all user role objects from VMMServer01, selects the user role objects whose profile is Administrator, and then adds User3 to the Administrator user role.

PS C:\> $Cloud = Get-SCCloud -Name "Cloud02"
PS C:\> $UserRole = Get-SCUserRole -Name "ContosoSelfServiceUsers"
PS C:\> Set-SCUserRole -UserRole $UserRole -AddScope $Cloud

The first command gets the cloud object named Cloud02 and stores the object in the $Cloud variable.

The second command gets the user role object named ContosoSelfServiceUsers and stores the object in the $UserRole profile.

The last command modifies the scope of the user role stored in $UserRole (ContosoSelfServiceUsers) by adding the cloud stored in $Cloud to its scope.

PS C:\> $UserRole = Get-SCUserRole -Name "Administrator"
PS C:\> Set-SCUserRole -UserRole $UserRole -RemoveMember Contoso\User1

The first command gets the user role object named Administrator and stores the object in the $UserRole variable.

The secondt command removes User01, who is a member of the Contoso.com domain, from the Administrator user role.

PS C:\> $Cloud = Get-SCCloud -Name "Cloud03"
PS C:\> Get-SCUserRole -Name "ContosoSelfServiceUsers" | Set-SCUserRole -AddScope $Cloud

The first command gets the cloud object named Cloud03 and stores the object in the $Cloud variable.

The second command gets the user role object named ContosoSelfServiceUsers and then passes the user role object to the Set-SCUserRole cmdlet. The Set-SCUserRole cmdlet adds the cloud stored in $Cloud to the user role.

PS C:\> $UserRole = Get-SCUserRole -VMMServer "VMMServer01.Contoso.com" -Name "ContosoSelfServiceUsers"
PS C:\> Set-SCUserRole -UserRole $UserRole -Permission "Create,PauseAndResume,Stop,AllowLocalAdmin,Store"

The first command gets the user role object on VMMServer01 named ContosoSelfServiceUsers and stores the object in the $UserRole variable.

The second command modifies the permissions for members of the user role stored in $UserRole (ContosoSelfServiceUsers) to allow Creation, PauseAndResume, Stop, AllowLocalAdmin and Store permissions.

To list all available permissions that you can specify for self-service users, type:

PS C:\> [enum]::GetValues([Microsoft.VirtualManager.Remoting.SelfServicePermission])

You can specify the following permissions with the -Permission parameter:

PERMISSION	ALLOWED ACTIONS
----------	---------------
Create		Create virtual machines and services from VHDs or Templates
PauseAndResume  Pause and resume virtual machines and services
Start		 Start virtual machines and services
Stop			Stop virtual machines and services
AllowLocalAdmin Act as local Administrator on virtual machines
RemoteConnect   Access virtual machines remotely
Remove		Remove virtual machines and services
Shutdown		Shut down virtual machines
Checkpoint	Create and manage virtual machine checkpoints
Store		 Store virtual machines in the library
Save			Save virtual machines and services
Author		Author virtual machine and service templates
CanShare		Share resources with other self-service users
CanReceive	Receive resources from other self-service users
CreateFromVHDorTemplate  Create virtual machines and services from VHDs or Templates
CheckpointRestoreOnly	Restore to but cannot create virtual machine checkpoints

See Also

• VMM 2012 - Cmdlets Help Index
• Get-SCUserRole
• Grant-SCResource
• New-SCUserRole
• Remove-SCUserRole
• Revoke-SCResource