
How to Add a Permission to a User Role

System Center

Updated: November 1, 2013

Applies To: System Center 2012 R2, System Center 2012 SP1

In Service Provider Foundation, sometimes a user cannot accomplish a task because the user is missing a required permission. Permissions can be added to a user as long as the current user can manage permissions by using the UserRoles OData collection.

The way Service Provider Foundation works with user role permissions might be confusing at first. A UserRole entity does not have a property to change permissions directly. Instead, you set the UserRole.PermissionInput property to a collection of UserRolePermission objects. Each UserRolePermission object represents all permissions that the user has on a specific stamp. When the UserRole entity is updated, the UserRole.PermissionInput property is processed: each UserRolePermission is read and replaces all permissions that the user role currently has on the associated stamp.

You likely want to preserve existing permissions by copying them to the UserRolePermission object, and then add or remove specific permissions.

To add a permission to a user role by using the .NET Framework

  1. Connect to the Service Provider Foundation VMM service.

  2. Obtain the SpfVMM.UserRole to which you want to add a permission.

  3. Create a new instance of the SpfVMM.UserRolePermission class.

  4. Copy the UserRole.Permission to a new list or array of strings.

  5. Add the new permissions to the list or array of permission strings.

  6. Set the UserRolePermission.Permission property to a new instance of the System.Collections.ObjectModel.ObservableCollection class that is created from the list or array of permission strings.

  7. Set the UserRolePermission.StampId property to the ID of the stamp to which the user permissions apply.

  8. Add the UserRolePermission that you created to the UserRole.PermissionInput collection.

  9. Call the UpdateObject method on the VMM service object reference and pass in the changed UserRole object.

  10. Call the SaveChanges method on the VMM service object reference.

To add a permission to a user role by using HTTP

  1. Create a new HTTP PUT or MERGE operation.

    Important
    If you supply only the key and changed properties, use a MERGE operation. PUT is used when you want to replace all properties on the entity with new or default values. The MERGE operation updates the existing entity with the supplied properties. PUT updates the existing entity with the supplied properties, but resets all missing properties back to their default values.

  2. Set the URL to a specific user role identifier within the UserRoles collection: https://server:30005/subscription-id/services/systemcenter/vmm/UserRoles/user-role-id.

    Important
    The subscription-id that is used must have permissions to alter the permissions of a user role.

    Tip
    Provide the GUID of the user role on the URL. The previous example uses user-role-id as a placeholder.

  3. Add the HTTP headers.

    Specifically, add the x-ms-principal-id header, which can be set to any value.

  4. Create the HTTP payload that contains the user role entity with at least the ID and PermissionInput properties set.

  5. Submit the HTTP request.

Example

The following code example shows how to add the Checkpoint permission to an existing user role by using the .NET Framework. This code example also preserves all existing permissions that the user role already has. For more information, see Programming in Visual Studio with Service Provider Foundation Services.

SpfVMM.VMM vmmService = new SpfVMM.VMM(new Uri("https://wapserver:30005/97FD50F3-1DC0-41B6-A7C0-2B4FF4C3F7E3/services/systemcenter/vmm/"));
vmmService.Credentials = System.Net.CredentialCache.DefaultNetworkCredentials;

// Get the existing user role
var userRole = vmmService.UserRoles.Where(ur => ur.Name == "john@contoso.com_97fd50f3-1dc0-41b6-a7c0-2b4ff4c3f7e3").FirstOrDefault();

if (userRole != null)
{
    // Create the replacement permission object
    var permission = new SpfVMM.UserRolePermission();

    // Preserve the existing permissions using System.Linq extensions
    var perms = userRole.Permission.ToList();

    // Add the new permission
    perms.Add("Checkpoint");

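    // Populate the replacement permission object; ObservableCollection is generic,
    // so the element type (string) must be specified
    permission.Permission = new System.Collections.ObjectModel.ObservableCollection<string>(perms);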
    permission.StampId = new Guid("ba4146fa-fb41-4f59-a193-ad00c52a138c");

    // Add the permissions to the user role
    userRole.PermissionInput.Add(permission);

    vmmService.UpdateObject(userRole);
    vmmService.SaveChanges();
}

The following code example shows an HTTP request that is sent to the server.


MERGE https://wapserver:30005/BA4146FA-FB41-41B6-A7C0-2B4FF4C3F7E3/services/systemcenter/vmm/UserRoles/97fd50f3-1dc0-41b6-a7c0-2b4ff4c3f7e3 HTTP/1.1
DataServiceVersion: 3.0;NetFx
MaxDataServiceVersion: 3.0;NetFx
Accept: application/json;odata=minimalmetadata
Accept-Charset: UTF-8
DataServiceUrlConventions: KeyAsSegment
User-Agent: Microsoft ADO.NET Data Services
x-ms-principal-id: user@contoso.com
Content-Type: application/json;odata=minimalmetadata
Host: wapserver:30005
Content-Length: 839
Expect: 100-continue
Authorization: Negotiate <token omitted>

{
    "ID": "97fd50f3-1dc0-41b6-a7c0-2b4ff4c3f7e3",
    "PermissionInput": [{
        "Permission": ["Create",
                  "PauseAndResume",
                  "Start",
                  "Stop",
                  "AllowLocalAdmin",
                  "Remove",
                  "Shutdown",
                  "Checkpoint",
                  "Author",
                  "CanShare",
                  "CanReceive",
                  "CreateFromVHDOrTemplate",
                  "CheckpointRestoreOnly",
                  "AuthorVMNetwork",
                  "Checkpoint"
        ],
        "Permission@odata.type": "Collection(Edm.String)",
        "StampId": "ba4146fa-fb41-4f59-a193-ad00c52a138c"
    }],
    "PermissionInput@odata.type": "Collection(VMM.UserRolePermission)",
    "odata.type": "VMM.UserRole"
}

The following code example shows an HTTP response from the server.

HTTP/1.1 204 No Content
Cache-Control: no-cache
Server: Microsoft-IIS/8.5
x-ms-request-id: 0b494a73-66e6-4b86-b1cf-90d3a7432622
X-Content-Type-Options: nosniff
request-id: eda9bde6-834a-0000-95d9-aced4a83ce01
DataServiceVersion: 1.0;
X-AspNet-Version: 4.0.30319
Persistent-Auth: true
X-Powered-By: ASP.NET
Date: Mon, 19 Aug 2013 21:59:34 GMT
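
Because PermissionInput replaces every permission the role has on a stamp, the request body must carry the full intended set, and a mistake silently revokes access. The following Python example for the HTTP procedure is added here and is not part of the original documentation or of Service Provider Foundation; the helper names, the sample permission list, and the empty-set guard are assumptions. It builds the MERGE body in the format shown above, de-duplicates permission names, and reports what the update would grant or revoke before it is sent.

```python
import json

# Constructed sample: the role's current permissions on one stamp, based on
# the request body shown above (which lists "Checkpoint" twice).
CURRENT = ["Create", "PauseAndResume", "Start", "Stop", "AllowLocalAdmin",
           "Remove", "Shutdown", "Checkpoint", "Author", "CanShare",
           "CanReceive", "CreateFromVHDOrTemplate", "CheckpointRestoreOnly",
           "AuthorVMNetwork"]
ROLE_ID = "97fd50f3-1dc0-41b6-a7c0-2b4ff4c3f7e3"
STAMP_ID = "ba4146fa-fb41-4f59-a193-ad00c52a138c"


def replacement_delta(current, sent):
    """What changes on the stamp if `sent` becomes the role's permission list."""
    return {"granted": [p for p in dict.fromkeys(sent) if p not in current],
            "revoked": [p for p in dict.fromkeys(current) if p not in sent]}


def build_merge_body(role_id, stamp_id, current, add=(), remove=()):
    """Return (body, delta) for a MERGE on UserRoles/<role_id> (hypothetical helper)."""
    # PermissionInput replaces everything the role has on the stamp, so start
    # from the current set; dict.fromkeys de-duplicates and keeps order.
    drop = set(remove)
    final = [p for p in dict.fromkeys([*current, *add]) if p not in drop]
    if not final:
        # Assumption of this example: an empty list is treated as a mistake.
        raise ValueError("refusing to replace the stamp's permissions with an empty set")
    body = {
        "ID": role_id,
        "PermissionInput": [{
            "Permission": final,
            "Permission@odata.type": "Collection(Edm.String)",
            "StampId": stamp_id,
        }],
        "PermissionInput@odata.type": "Collection(VMM.UserRolePermission)",
        "odata.type": "VMM.UserRole",
    }
    return body, replacement_delta(current, final)


if __name__ == "__main__":
    body, delta = build_merge_body(ROLE_ID, STAMP_ID, CURRENT, add=["Checkpoint"])
    print(json.dumps(body, indent=4))
    print("change on stamp:", delta)
    # Sending only the new permission would revoke the other 13:
    print(replacement_delta(CURRENT, ["Checkpoint"])["revoked"])
```

Recording the returned delta alongside the request gives reviewers an audit trail of exactly which permissions each update granted or revoked.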

 