Building a Private Cloud With System Center 2012 (Part 11)

If you would like to read the other parts in this article series please go to:


In the previous article, we confirmed that the private cloud was functional by using it to deploy a test virtual machine. We are almost ready to make the private cloud available to the end users. Before we do, we need to set up some permissions and quotas for the users. In this article, I will show you how it’s done.

Even though there are quite a few different things that need to be done with regard to assigning users the appropriate permissions, Microsoft has built most of the process into a single wizard. You can launch this wizard by opening the Virtual Machine Manager console, selecting the VMs and Servers workspace, selecting the container for your private cloud, and then clicking on the Assign Cloud icon on the ribbon at the top of the screen.

The Assign Cloud wizard’s initial screen asks if you want to use an existing user role or if you would prefer to create a new user role. Since we haven’t created any user roles yet, select the Create a User Role and Assign This Cloud option, as shown in Figure A.

Figure A: Choose the Create a User Role option.

Click OK and Windows will launch the Create User Role Wizard. The wizard’s first screen asks you to assign a name for the role. Typically the name that you use should reflect the role’s purpose. For example, you might name the role after a department. For the sake of demonstration, I will be calling the role that I am creating Self Service Users.

Click Next and you will be asked to select a user role profile to assign to the user role. As you click on the various options, you will see a description of what each role profile is used for. If your only goal is to allow self service VM provisioning then you can probably get away with selecting the Application Administrator role, as shown in Figure B.

Figure B: Select the appropriate role profile and click Next.

Click next and you will be prompted to add members to the role. The users that you add to the role will all have the same capabilities. For example, if you have chosen the Application Administrator profile for the role then all of the users that you add to the role will have virtual machine deployment permissions. You can add users to the role by clicking the Add button, shown in Figure C.

Figure C: Click Add and enter the names of the users that you want to assign to the role.

Click Next and you will be prompted to assign the scope of the permissions for the role. In English this means that you must select the cloud or clouds for which you want the role members to have permission. For our purposes, select the check box corresponding to your private cloud, as shown in Figure D, and click Next.

Figure D: Select your private cloud and click Next.

The next screen that you will see allows you to set some quotas for the role and its members. As you can see in Figure E, the Quotas screen is divided into two areas. The top portion of the screen lets you assign role level quotas. These quotas dictate the amount of resources that all of the role members can use collectively.

Figure E: You can set role level quotas and member level quotas.

The lower section of this screen allows you to set member level quotas. Member level quotas apply to individual role members. For example, if you set a role level storage quota of 1 TB and a member level storage quota of 100 GB then each role member could consume up to 100 GB of storage so long as all of the role members collectively have not exceeded 1 TB of storage. As you can see in Figure E, you can even limit the number of virtual machines that role members are allowed to deploy.

Click Next and you will see a screen prompting you to choose which VM networks the role members can use. Click Add, make your selection, and then click OK, followed by Next.

At this point, you will see the Resources screen. The Resources screen allows you to specify which resources role members are allowed to use. For example, you might grant a role permission to use a generic Windows Server template, but not allow them to use an Exchange Server template.

If you look at Figure F, you can see that I am assigning this particular role group access to the Generic Windows Server 2012 template that I created earlier in this article series. You can grant access to any resources that you want simply by clicking the Add button and selecting the appropriate resource.

Figure F: Pick the resources that you want the users to have access to.

Click Next and you will be taken to the Actions screen. On this screen, you must choose the actions that the role members will be allowed to perform on the virtual machines. For example, you might choose to allow a user to deploy virtual machines, but not to create checkpoints of those virtual machines. You can see what the Actions screen looks like in Figure G.

Figure G: Select the actions that you want for role members to be able to perform.

Click Next and you will be prompted to specify the Run As account that role members will be able to use. Click Next one more time and you will see a summary screen displaying all of the choices that you have made. Carefully review this information to be sure it is correct and then click Finish. When you are done, the role that you have created will appear beneath the Tenants container, as shown in Figure H.

Figure H: The role appears beneath the Tenants container.

The End User Experience

If you are curious as to what the end user experience is like, open a Web browser and navigate to the App Controller Web site that you created in the previous article. Rather than logging in with administrative credentials, log in using the credentials of a user in the role that you just created. As you can see in Figure I, the console screen shows the user exactly what they have access to. There is also a link (under Common Tasks) to deploy a new service or virtual machine. The rest of the end user experience is very similar to what you saw in the previous article, except that users only have access to the resources that you have granted them access to.

Figure I: This is what an authorized user sees when they login.


As you can see, it takes quite a bit of work to set up a private cloud. Even so, your private cloud should decrease your overall workload in the long run because it allows virtual machines to be deployed in a consistent manner.

If you would like to read the other parts in this article series please go to:

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top