Applies To: System Center 2016 - Service Provider Foundation, System Center Technical Preview
In Service Provider Foundation, sometimes a user cannot accomplish a task because the user is missing a required permission. Permissions can be added to a user as long as the current user can manage permissions by using the UserRoles OData collection.
The way Service Provider Foundation works with user role permissions might be confusing at first. A UserRole entity does not have a property to change permissions directly. Instead, you set the UserRole.PermissionInput property to a collection of UserRolePermission objects. Each UserRolePermission object represents all permissions that the user has on a specific stamp. When the UserRole entity is updated, the UserRole.PermissionInput property is processed. Each UserRolePermission is read and replaces all existing permissions for the associated stamp that the user role has.
You likely want to preserve existing permissions by copying them to the UserRolePermission object, and then add or remove specific permissions.
To add a permission to a user role by using the .NET Framework
1. Connect to the Service Provider Foundation VMM service.
2. Obtain the SpfVMM.UserRole to which you want to add a permission.
3. Create a new instance of the SpfVMM.UserRolePermission class.
4. Copy the UserRole.Permission to a new list or array of strings.
5. Add the new permissions to the list or array of permission strings.
6. Set the UserRolePermission.Permission property to a new instance of the System.Collections.ObjectModel.ObservableCollection`1 class, which provides the array of permission strings.
7. Set the UserRolePermission.StampId property to the stamp Id to which the user permissions apply.
8. Add the UserRolePermission that you created to the UserRole.PermissionInput collection.
9. Call the UpdateObject method on the VMM service object reference and pass in the changed UserRole object.
10. Call the SaveChanges method on the VMM service object reference.
To add a permission to a user role by using HTTP
1. Create a new HTTP PUT or MERGE operation.

   Important
   If you supply only the key and changed properties, use a MERGE operation. PUT is used when you want to replace all properties on the entity with new or default values. The MERGE operation updates the existing entity with the supplied properties. PUT updates the existing entity with the supplied properties, but resets all missing properties back to their default values.

2. Set the URL to a specific user role identifier with the UserRoles collection: https://server:30005/subscription-id/services/systemcenter/vmm/UserRoles/user-role-id.

   Important
   The subscription-id that is used must have permissions to alter the permissions of a user role.

   Tip
   Provide the GUID of the user role on the URL. The previous example uses user-role-id as a placeholder.

3. Add the HTTP headers. Specifically, add the x-ms-principal-id header, which can be set to any value.
4. Create the HTTP payload that contains the user role entity with at least the ID and PermissionInput properties set.
5. Submit the HTTP request.
Example
The following code example shows how to add the Checkpoint permission to an existing user role by using the .NET Framework. This code example also preserves all existing permissions that the user role already has. For more information, see Programming in Visual Studio with Service Provider Foundation Services.
using System;
using System.Linq;

SpfVMM.VMM vmmService = new SpfVMM.VMM(new Uri("https://wapserver:30005/97FD50F3-1DC0-41B6-A7C0-2B4FF4C3F7E3/services/systemcenter/vmm/"));
vmmService.Credentials = System.Net.CredentialCache.DefaultNetworkCredentials;

// Get the existing user role
var userRole = vmmService.UserRoles.Where(ur => ur.Name == "john@contoso.com_97fd50f3-1dc0-41b6-a7c0-2b4ff4c3f7e3").FirstOrDefault();

if (userRole != null)
{
    // Create the replacement permission object
    var permission = new SpfVMM.UserRolePermission();

    // Preserve the existing permissions using System.Linq extensions
    var perms = userRole.Permission.ToList();

    // Add the new permission
    perms.Add("Checkpoint");

    // Populate the new permission object; the generic argument is required
    permission.Permission = new System.Collections.ObjectModel.ObservableCollection<string>(perms);
    permission.StampId = new Guid("ba4146fa-fb41-4f59-a193-ad00c52a138c");

    // Add the permissions to the user role; this replaces the role's permissions on that stamp
    userRole.PermissionInput.Add(permission);

    vmmService.UpdateObject(userRole);
    vmmService.SaveChanges();
}
Example
The following code example shows an HTTP request that is sent to the server.
MERGE https://wapserver:30005/BA4146FA-FB41-41B6-A7C0-2B4FF4C3F7E3/services/systemcenter/vmm/UserRoles/97fd50f3-1dc0-41b6-a7c0-2b4ff4c3f7e3 HTTP/1.1
DataServiceVersion: 3.0;NetFx
MaxDataServiceVersion: 3.0;NetFx
Accept: application/json;odata=minimalmetadata
Accept-Charset: UTF-8
DataServiceUrlConventions: KeyAsSegment
User-Agent: Microsoft ADO.NET Data Services
x-ms-principal-id: user@contoso.com
Content-Type: application/json;odata=minimalmetadata
Host: wapserver:30005
Content-Length: 839
Expect: 100-continue
Authorization: Negotiate YIIGXgYGKwYBBQUCoIIGUjCCBk6gMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBhgEggYUYIIGEAYJKoZIhvcSAQICAQBuggX/MIIF+6ADAgEFoQMCAQ6iBwMFACAAAACjggSPYYIEizCCBIegAwIBBaEJGwdDRE0uTEFCoiMwIaADAgECoRowGBsESFRUUBsQc3Bmbi00NTcuY2RtLmxhYqOCBE4wggRKoAMCARKhAwIBC6KCBDwEggQ4T4e4nk0xr5YY8JQ/YNUEs7oIPtf2zX+sn08+M334CpUM75+aH+zZiH/HSzI3+CF9DiGzVza+jRm/UFjbU1FrMpGSlNtCNdOy1taOlSN1jiB1+5kYZx4hEXRfkfQ27/H2g7oh/Z7M/UOsi2VEI8z/ZIqzw72X/JBA47REDCjoc+okvAdH3EfWgsgsAS4BmQIJ58sc6vNEBTtrMNxrx4AIXAk5QPH/JJ7WOYTvXJdQgVm9KkfcHvdFU6jng7P7HNQ2GLDq/sP2AJU1/Uo3CLtrQFnjKTs/d1pvABO09tqOdyokI+mu1DqZ2wIHFpljMSSJmrZKl0aMYYlx6nR4OuOGpaD5+R/l29J3bK22dAdFbHMGJ1JxYG8x5kHlfjNXMJHrsGJ9WxPXqoSAyU2CRoyun9MtyVzeaLhw9mJtF6re+hM1EGd6eDqqqnIOv24fdrBKnEB2HDEJPATYbh94/fC86LPo3KAo3GFL+jIBKk8FHsPnNHiK28pcA7tkI4kUGnTj546oZogJhbvzMP35vnEMZtebiOdIHMYM8KhmEGnNBgfaxSWdpDTyFZxWrTED79abZHRlsGGljw/LfRXeS4qPEwwRkgEfrdL2JU1jcmU845v2vrptYr/visrcExaas35FMCxuxksVDT4d1AlwvNxusLZCssYSA/vVBVJy9qRvrbjAY4rNTtoEq1Am1K5ZpN8OwxmbVaEZQXrhOUIfC5ydp6A+dqA423dTxLEi+7/v77dwkpId0lLakHL8Gm4AaH98Th/OrhB3RNb2ENU+a1FE2jBuaWsVolzmbMwIB5Q8ahxknSDgtNaGZ2ZQxWJcnns20Rj5AZ1e5op2RSffETRhZhQ5QgMF/eMnGdbWeDFPVsoVR5f/bXVmLKS4vhdTKKuYnLuwszpJUdmI7s9F+dCbGYrgjlwifvEuSoAHNlL4PS+zFnR2ITJZZpYCZMvXIQ17zrMGs0C4wB0goF+uY4jEC0W3KRg/bF2GCsimOarMLtbuRz41NakkjZT7rSTJf+DpB7OuzwjLbcF9acDtv1vI/62YJgBFrLbYxGQJpiqa5rhonun9MK88jhhrvU1fcoMU8sw/Zx6NSLqigzTEQtDhF2b9DeyXLOr2GV7wruOjiURmIt4qW1pfCOAMPJQBXnq2rAt03EZoxAdlIB7405PnVF+x+WjgK/TY4b93BsR7afZh1z/uaTjJGuW9xGZkOW23koOCzbC85y5wfNrnJ3a+7sG971CyOnE3/lzYDuOz/RyXoTmYfG8538aQ9PK2Wl6wZO92QhWw5rHdAI/7nOsiuJygK8+kr/MsERoyHynXX/2m0bnixjAHBPjlRJnWL6PIcrqmoFlnsEMAMuqlYi5mPk70FJU8RbPWNQbc+YN5dfc295hsS931UTAkwyDobtq6E1NEpFz26IhSC4bgjThDa9jWdvGjA1jIpIIBUTCCAU2gAwIBEqKCAUQEggFA2B6rC9hN6kHxj6yUJU7ZOrgOt406u8FGUsr7gyvaVWLO8SZRsG3R/EJ6Qvd1u59GNJuwr3+76ND0oqKYAgDBSkrA7sv42a/033flpTs3H3p4oJrKc03oLTnwXAe3+moYSO5ia/Ek3rP522nk/SYXgqXQZRcEZtf0Tmqn4lziRwDWPL4OvpN9Tu8e62CmKhwwB4x7uUykI39WFzMLmWatcVxIZqasl6W
6C2r/yQRMnNt91Lu1dNFAsJpsPhbBxHB6Nn9MoslcFrkUDBwTRrQuPXBGjQyZOHUFSf4mz5ZaM5iYBW/w3Yh+W2VwIh3y48aJ31fNrtaJCrrxHMwSPAf67S1uDBdO6ECgNo1m2Iu5UWeJ8kJTbP4TUZnPBkRhTj0BWyORnrPltS3c1S2MJN3J6e1qHLVkkx7zKSurCT5lnZ0=
{
"ID": "97fd50f3-1dc0-41b6-a7c0-2b4ff4c3f7e3",
"PermissionInput": [{
"Permission": ["Create",
"PauseAndResume",
"Start",
"Stop",
"AllowLocalAdmin",
"Remove",
"Shutdown",
"Checkpoint",
"Author",
"CanShare",
"CanReceive",
"CreateFromVHDOrTemplate",
"CheckpointRestoreOnly",
"AuthorVMNetwork",
"Checkpoint"
],
"Permission@odata.type": "Collection(Edm.String)",
"StampId": "ba4146fa-fb41-4f59-a193-ad00c52a138c"
}],
"PermissionInput@odata.type": "Collection(VMM.UserRolePermission)",
"odata.type": "VMM.UserRole"
}
Example
The following code example shows an HTTP response from the server.
HTTP/1.1 204 No Content
Cache-Control: no-cache
Server: Microsoft-IIS/8.5
x-ms-request-id: 0b494a73-66e6-4b86-b1cf-90d3a7432622
X-Content-Type-Options: nosniff
request-id: eda9bde6-834a-0000-95d9-aced4a83ce01
DataServiceVersion: 1.0;
X-AspNet-Version: 4.0.30319
Persistent-Auth: true
X-Powered-By: ASP.NET
Date: Mon, 19 Aug 2013 21:59:34 GMT
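The per-stamp replacement behaviour of PermissionInput described above, worked through in Python as an added example (not code from the original page or from Service Provider Foundation): it builds the MERGE body in the shape of the HTTP request shown earlier and applies it to a local model of the stored permissions, so nothing is sent to a server. The function names, the sample permission list and the local model are assumptions made for illustration.

```python
import json

def merged_permissions(current, add=(), remove=()):
    """Existing permissions, minus `remove`, plus `add`; order kept, no duplicates."""
    drop = set(remove)
    result = []
    for name in list(current) + list(add):
        if name not in drop and name not in result:
            result.append(name)
    return result

def build_merge_body(role_id, stamp_id, permissions):
    """JSON body for the MERGE request, in the shape of the page's HTTP example."""
    return json.dumps({
        "ID": role_id,
        "PermissionInput": [{
            "Permission": list(permissions),
            "Permission@odata.type": "Collection(Edm.String)",
            "StampId": stamp_id,
        }],
        "PermissionInput@odata.type": "Collection(VMM.UserRolePermission)",
        "odata.type": "VMM.UserRole",
    }, indent=2)

def apply_permission_input(stored, body):
    """Local model (assumption) of the update: each entry replaces its stamp's whole list."""
    updated = {stamp: list(perms) for stamp, perms in stored.items()}
    for entry in json.loads(body)["PermissionInput"]:
        updated[entry["StampId"]] = list(entry["Permission"])
    return updated

def permission_diff(before, after):
    """(granted, revoked) between two permission lists, for review before sending."""
    return sorted(set(after) - set(before)), sorted(set(before) - set(after))

# Constructed sample state: one user role with permissions on one stamp.
ROLE_ID = "97fd50f3-1dc0-41b6-a7c0-2b4ff4c3f7e3"
STAMP_ID = "ba4146fa-fb41-4f59-a193-ad00c52a138c"
STORED = {STAMP_ID: ["Create", "Start", "Stop", "Remove"]}

def demo():
    # Sending only the new permission revokes everything else on that stamp.
    naive = apply_permission_input(STORED, build_merge_body(ROLE_ID, STAMP_ID, ["Checkpoint"]))
    # Copying the existing list first keeps the role's other permissions.
    wanted = merged_permissions(STORED[STAMP_ID], add=["Checkpoint"])
    safe = apply_permission_input(STORED, build_merge_body(ROLE_ID, STAMP_ID, wanted))
    return (permission_diff(STORED[STAMP_ID], naive[STAMP_ID]),
            permission_diff(STORED[STAMP_ID], safe[STAMP_ID]))

if __name__ == "__main__":
    print(demo())
```

Reviewing the granted and revoked lists before submitting the request catches an update that would strip permissions the role still needs.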