Hello there!
I often get asked if it’s possible to stop VMM users from ‘sharing’ ISOs from the library when attaching them to a VM.
You can do this by applying a pre-configured Capability Profile to the Cloud and to the Virtual Machines (or VM Templates) in it.
Note: Capability Profiles can only be assigned to Clouds, not to Host Groups
Create a Capability Profile
Give it a name that means something to you.
Tip: In the capabilities we can scope the settings or range of many items within the profile. Example: Reduce the limit of vCPUs a VM can have from 64 to 32, or enforce all VMs to be HA, etc.
But for this post, the setting we want is Shared image mode
Set this to your desired setting. In this case, we choose Disabled
Open the properties of the target Cloud and enable the newly created Profile.
Choose an existing VM and apply the profile. The same setting can be applied to a VM Template.
Now try to attach an ISO via the share feature
And if you’ve followed the above correctly, you should get an error.
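The same procedure driven from the VMM PowerShell module, as an added example that is not code from the original post. It assumes the VirtualMachineManager module is available, that the caller is a VMM administrator, and that the server, cloud, VM, template and ISO names are placeholders. The `-SharedImageMode` parameter and its `Disabled` value are assumed from the UI setting named above; confirm them with `Get-Help Set-SCCapabilityProfile` before relying on them.

```powershell
# Added example, not from the original post. Assumes the VMM module is loaded
# and the current user is a VMM administrator. All names below are placeholders.
Import-Module VirtualMachineManager
$vmm = Get-SCVMMServer -ComputerName 'vmm01.contoso.local'   # placeholder server

# 1. Create (or reuse) the Capability Profile and disable shared image mode.
#    -SharedImageMode / 'Disabled' are assumed to mirror the UI setting.
$profileName = 'NoSharedISO'
$profile = Get-SCCapabilityProfile -VMMServer $vmm -Name $profileName
if (-not $profile) {
    $profile = New-SCCapabilityProfile -VMMServer $vmm -Name $profileName `
        -Description 'Blocks attaching library ISOs in shared mode'
}
Set-SCCapabilityProfile -CapabilityProfile $profile -SharedImageMode Disabled

# 2. Enable the profile on the target Cloud.
$cloud = Get-SCCloud -VMMServer $vmm -Name 'Cloud-Tenants'       # placeholder cloud
Set-SCCloud -Cloud $cloud -AddCapabilityProfile $profile

# 3. Apply it to an existing VM and to a VM Template.
$vm = Get-SCVirtualMachine -VMMServer $vmm -Name 'VM01'          # placeholder VM
Set-SCVirtualMachine -VM $vm -CapabilityProfile $profile
$tpl = Get-SCVMTemplate -VMMServer $vmm -Name 'Win2012R2-Std'    # placeholder template
Set-SCVMTemplate -VMTemplate $tpl -CapabilityProfile $profile

# 4. Verify: try to attach an ISO as a *shared* (linked) image. With the profile
#    applied, VMM should reject this rather than copy-attaching it.
$iso = Get-SCISO -VMMServer $vmm -Name 'en_windows_server.iso'   # placeholder ISO
$dvd = Get-SCVirtualDVDDrive -VM $vm | Select-Object -First 1
try {
    Set-SCVirtualDVDDrive -VirtualDVDDrive $dvd -ISO $iso -Link -ErrorAction Stop
    Write-Warning "Shared attach succeeded on $($vm.Name): profile is NOT enforced."
} catch {
    Write-Host "Blocked as expected on $($vm.Name): $($_.Exception.Message)"
}
```

`-Link` on `Set-SCVirtualDVDDrive` is the PowerShell equivalent of the ‘share’ option in the console; without it VMM copies the ISO to the VM’s folder, which the profile does not block.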
Done!
Well, sort of…
As you probably guessed, this is not a foolproof process. Any entrepreneurial admin could simply remove the capability profile from the VM and then share the ISO, negating the profile settings.
So how do we overcome this?
There are two ways I would achieve this. 1) Using appropriately scoped User Roles, or 2) have your tenants and tenant admins use Windows Azure Pack.
Option 2 is a much longer conversation, so in this post I will give a brief rundown of a scoped User Role to achieve the above.
Best practice – As a default, I always recommend defining your User Roles appropriate to your team members’ roles. The power of SCVMM admin access is great, so you want to protect the admins and support staff, as well as your platform, from critical mistakes being made.
Using RBAC to define roles.
Create a Tenant Administrator role and scope. Note, any Clouds created after the User Role do not automatically get assigned here so you have to apply the settings to your tenant roles after each new Cloud creation. (I have a PoSH script for this and will hopefully share this one day…)
Example of a scoped User Role
The pertinent settings here are:
‘Author’ option – this controls whether a user can edit VM properties, which includes removing a capability profile. Leaving it unticked is what stops the workaround above. This also applies during deployment.
‘Deploy (From template only)’ option – this ensures your users can only deploy using your predefined templates (which already carry the capability profile).
A member of this User Role trying to remove the capability profile from a VM
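The role definition above, plus the re-scoping step needed after every new Cloud, as an added PowerShell example; this is not the author’s script. It assumes the VMM module is loaded, that the caller is a VMM administrator, and that the role, group and cloud names are placeholders. The `-Permission` parameter and the permission names `DeployFromTemplate`, `Start`, `Stop`, etc. are assumed to correspond to the checkboxes in the User Role wizard; check `Get-Help New-SCUserRole -Full` on your version. The `Scope` property used to find clouds not yet in scope is also an assumption.

```powershell
# Added example, not the author's script. Assumes the VMM module is loaded and the
# current user is a VMM administrator. Names are placeholders; -Permission values
# and the role's Scope property are assumed and should be checked with Get-Help.
Import-Module VirtualMachineManager

$roleName = 'Tenant Admins - Contoso'     # placeholder role name
$role = Get-SCUserRole -Name $roleName
if (-not $role) {
    $role = New-SCUserRole -Name $roleName -UserRoleProfile TenantAdmin `
        -Description 'Tenant admins: template-only deploy, no VM property edits'
}

# Deliberately omit 'Author' so members cannot edit VM properties (and so cannot
# strip the capability profile), and grant deployment from templates only.
$permissions = @(
    'DeployFromTemplate',   # not plain 'Deploy'
    'Start', 'Stop', 'Shutdown', 'PauseAndResume', 'Remote', 'Checkpoint'
)
Set-SCUserRole -UserRole $role -Permission $permissions `
    -AddMember 'CONTOSO\TenantAdmins'   # placeholder AD group

# Clouds created after the role exists are not added to its scope automatically,
# so re-run this after each new Cloud. Returns the clouds it added.
function Update-TenantRoleScope {
    param([Parameter(Mandatory)][string]$RoleName)
    $role   = Get-SCUserRole -Name $RoleName
    $inScope = @($role.Scope | ForEach-Object { $_.ID })   # assumption: Scope property
    $missing = @(Get-SCCloud | Where-Object { $_.ID -notin $inScope })
    if ($missing.Count -gt 0) {
        Set-SCUserRole -UserRole $role -AddScope $missing
    }
    return $missing
}

Update-TenantRoleScope -RoleName $roleName |
    ForEach-Object { Write-Host "Added cloud '$($_.Name)' to scope of '$roleName'" }
```

Running `Update-TenantRoleScope` from a scheduled task (or straight after a `New-SCCloud`) closes the gap where a freshly created Cloud is invisible to the tenant role until someone remembers to edit its scope.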
Also, once you’ve applied the appropriate profile, a tenant administrator is shown an error at the moment they attempt to attach an ISO via the share feature, rather than VMM accepting the job submission and subsequently failing it.
So not only are User Roles more secure, in this example they are also more efficient.
The error will also appear in the job log for review at a later stage.
Hope this helps
Cheers!
Dan