How to Add a Permission to a User Role
Applies To: System Center 2016 - Service Provider Foundation, System Center Technical Preview
In Service Provider Foundation, sometimes a user cannot accomplish a task because the user is missing a required permission. Permissions can be added to a user as long as the current user can manage permissions by using the UserRoles
OData collection.
The way Service Provider Foundation works with user role permissions might be confusing at first. A UserRole
entity does not have a property to change permissions directly. Instead, you set the UserRole.PermissionInput
property to a collection of UserRolePermission
objects. Each UserRolePermission
object represents all permissions that the user has on a specific stamp. When the UserRole
entity is updated, the UserRole.PermissionInput
property is processed. Each UserRolePermission
is read and replaces all existing permissions for the associated stamp that the user role has.
You likely want to preserve existing permissions by copying them to the UserRolePermission
object, and then add or remove specific permissions.
To add a permission to a user role by using the .NET Framework
Connect to the Service Provider Foundation
VMM
service.Obtain the
SpfVMM.UserRole
to which you want to add a permission.Create a new instance of the
SpfVMM.UserRolePermission
class.Copy the
UserRole.Permission
to a new list or array of strings.Add the new permissions to the list or array of permission strings.
Set the
UserRolePermission.Permission
property to a new instance of the System.Collections.ObjectModel.ObservableCollection``1 class, which provides the array of permission strings.Set the
UserRolePermission.StampId
property to the stamp Id to which the user permissions applies.Add the
UserRolePermission
that you created to theUserRole.PermissionInput
collection.Call the
UpdateObject
method on theVMM
service object reference and pass in the changedUserRole
object.Call the
SaveChanges
method on theVMM
service object reference.
To add a permission to a user role by using HTTP
Create a new
HTTP
PUT or MERGE operation.Important
If you supply only the key and changed properties, use a
MERGE
operation.PUT
is used when you want to replace all properties on the entity with new or default values. TheMERGE
operation updates the existing entity with the supplied properties.PUT
updates the existing entity with the supplied properties, but resets all missing properties back to their default values.Set the URL to a specific user role identifier with the
UserRoles
collection: https://server:30005/subscription-id/services/systemcenter/vmm/UserRoles/user-role-id.Important
The subscription-id that is used must have permissions to alter the permissions of a user role.
Tip
Provide the GUID of the user role on the URL. The previous example uses user-role-id as a placeholder.
Add the HTTP headers.
Specifically, add the
x-ms-principal-id
header, which can be set to any value.Create the HTTP payload that contains the user role entity with at least the
ID
andPermissionInput
properties set.Submit the HTTP request.
Example
The following code example shows how to add the Checkpoint
permission to an existing user role by using the .NET Framework. This code example also preserves all existing permissions that the user role already has. For more information, seeProgramming in Visual Studio with Service Provider Foundation Services.
SpfVMM.VMM vmmService = new SpfVMM.VMM(new Uri("https://wapserver:30005/97FD50F3-1DC0-41B6-A7C0-2B4FF4C3F7E3/services/systemcenter/vmm/"));
vmmService.Credentials = System.Net.CredentialCache.DefaultNetworkCredentials;
// Get the existing user role
var userRole = vmmService.UserRoles.Where(ur => ur.Name == "[email protected]_97fd50f3-1dc0-41b6-a7c0-2b4ff4c3f7e3").FirstOrDefault();
if (userRole != null)
{
// Create the replacement permission object
var permission = new SpfVMM.UserRolePermission();
// Preserve the existing permissions using System.Linq extensions
var perms = userRole.Permission.ToList();
// Add the new permission
perms.Add("Checkpoint");
// create the new permission object
permission.Permission = new System.Collections.ObjectModel.ObservableCollection(perms);
permission.StampId = new Guid("ba4146fa-fb41-4f59-a193-ad00c52a138c");
// Add the permissions to the user role
userRole.PermissionInput.Add(permission);
vmmService.UpdateObject(userRole);
vmmService.SaveChanges();
}
Example
The following code example shows an HTTP request that is sent to the server.
MERGE https://wapserver:30005/BA4146FA-FB41-41B6-A7C0-2B4FF4C3F7E3/services/systemcenter/vmm/UserRoles/97fd50f3-1dc0-41b6-a7c0-2b4ff4c3f7e3 HTTP/1.1
DataServiceVersion: 3.0;NetFx
MaxDataServiceVersion: 3.0;NetFx
Accept: application/json;odata=minimalmetadata
Accept-Charset: UTF-8
DataServiceUrlConventions: KeyAsSegment
User-Agent: Microsoft ADO.NET Data Services
x-ms-principal-id: [email protected]
Content-Type: application/json;odata=minimalmetadata
Host: wapserver:30005
Content-Length: 839
Expect: 100-continue
Authorization: Negotiate YIIGXgYGKwYBBQUCoIIGUjCCBk6gMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBhgEggYUYIIGEAYJKoZIhvcSAQICAQBuggX/MIIF+6ADAgEFoQMCAQ6iBwMFACAAAACjggSPYYIEizCCBIegAwIBBaEJGwdDRE0uTEFCoiMwIaADAgECoRowGBsESFRUUBsQc3Bmbi00NTcuY2RtLmxhYqOCBE4wggRKoAMCARKhAwIBC6KCBDwEggQ4T4e4nk0xr5YY8JQ/YNUEs7oIPtf2zX+sn08+M334CpUM75+aH+zZiH/HSzI3+CF9DiGzVza+jRm/UFjbU1FrMpGSlNtCNdOy1taOlSN1jiB1+5kYZx4hEXRfkfQ27/H2g7oh/Z7M/UOsi2VEI8z/ZIqzw72X/JBA47REDCjoc+okvAdH3EfWgsgsAS4BmQIJ58sc6vNEBTtrMNxrx4AIXAk5QPH/JJ7WOYTvXJdQgVm9KkfcHvdFU6jng7P7HNQ2GLDq/sP2AJU1/Uo3CLtrQFnjKTs/d1pvABO09tqOdyokI+mu1DqZ2wIHFpljMSSJmrZKl0aMYYlx6nR4OuOGpaD5+R/l29J3bK22dAdFbHMGJ1JxYG8x5kHlfjNXMJHrsGJ9WxPXqoSAyU2CRoyun9MtyVzeaLhw9mJtF6re+hM1EGd6eDqqqnIOv24fdrBKnEB2HDEJPATYbh94/fC86LPo3KAo3GFL+jIBKk8FHsPnNHiK28pcA7tkI4kUGnTj546oZogJhbvzMP35vnEMZtebiOdIHMYM8KhmEGnNBgfaxSWdpDTyFZxWrTED79abZHRlsGGljw/LfRXeS4qPEwwRkgEfrdL2JU1jcmU845v2vrptYr/visrcExaas35FMCxuxksVDT4d1AlwvNxusLZCssYSA/vVBVJy9qRvrbjAY4rNTtoEq1Am1K5ZpN8OwxmbVaEZQXrhOUIfC5ydp6A+dqA423dTxLEi+7/v77dwkpId0lLakHL8Gm4AaH98Th/OrhB3RNb2ENU+a1FE2jBuaWsVolzmbMwIB5Q8ahxknSDgtNaGZ2ZQxWJcnns20Rj5AZ1e5op2RSffETRhZhQ5QgMF/eMnGdbWeDFPVsoVR5f/bXVmLKS4vhdTKKuYnLuwszpJUdmI7s9F+dCbGYrgjlwifvEuSoAHNlL4PS+zFnR2ITJZZpYCZMvXIQ17zrMGs0C4wB0goF+uY4jEC0W3KRg/bF2GCsimOarMLtbuRz41NakkjZT7rSTJf+DpB7OuzwjLbcF9acDtv1vI/62YJgBFrLbYxGQJpiqa5rhonun9MK88jhhrvU1fcoMU8sw/Zx6NSLqigzTEQtDhF2b9DeyXLOr2GV7wruOjiURmIt4qW1pfCOAMPJQBXnq2rAt03EZoxAdlIB7405PnVF+x+WjgK/TY4b93BsR7afZh1z/uaTjJGuW9xGZkOW23koOCzbC85y5wfNrnJ3a+7sG971CyOnE3/lzYDuOz/RyXoTmYfG8538aQ9PK2Wl6wZO92QhWw5rHdAI/7nOsiuJygK8+kr/MsERoyHynXX/2m0bnixjAHBPjlRJnWL6PIcrqmoFlnsEMAMuqlYi5mPk70FJU8RbPWNQbc+YN5dfc295hsS931UTAkwyDobtq6E1NEpFz26IhSC4bgjThDa9jWdvGjA1jIpIIBUTCCAU2gAwIBEqKCAUQEggFA2B6rC9hN6kHxj6yUJU7ZOrgOt406u8FGUsr7gyvaVWLO8SZRsG3R/EJ6Qvd1u59GNJuwr3+76ND0oqKYAgDBSkrA7sv42a/033flpTs3H3p4oJrKc03oLTnwXAe3+moYSO5ia/Ek3rP522nk/SYXgqXQZRcEZtf0Tmqn4lziRwDWPL4OvpN9Tu8e62CmKhwwB4x7uUykI39WFzMLmWatcVxIZqasl6W6C2r/yQRMnNt91Lu1dNFAsJpsPhbBxHB6Nn9MoslcFrkUDBwTRrQuPXBGjQyZOHUFSf4mz5ZaM5iYBW/w3Yh+W2VwIh3y48aJ31fNrtaJCrrxHMwSPAf67S1uDBdO6ECgNo1m2Iu5UWeJ8kJTbP4TUZnPBkRhTj0BWyORnrPltS3c1S2MJN3J6e1qHLVkkx7zKSurCT5lnZ0=
{
"ID": "97fd50f3-1dc0-41b6-a7c0-2b4ff4c3f7e3",
"PermissionInput": [{
"Permission": ["Create",
"PauseAndResume",
"Start",
"Stop",
"AllowLocalAdmin",
"Remove",
"Shutdown",
"Checkpoint",
"Author",
"CanShare",
"CanReceive",
"CreateFromVHDOrTemplate",
"CheckpointRestoreOnly",
"AuthorVMNetwork",
"Checkpoint"
],
"[email protected]": "Collection(Edm.String)",
"StampId": "ba4146fa-fb41-4f59-a193-ad00c52a138c"
}],
"[email protected]": "Collection(VMM.UserRolePermission)",
"odata.type": "VMM.UserRole"
}
Example
The following code example shows an HTTP response from the server.
HTTP/1.1 204 No Content
Cache-Control: no-cache
Server: Microsoft-IIS/8.5
x-ms-request-id: 0b494a73-66e6-4b86-b1cf-90d3a7432622
X-Content-Type-Options: nosniff
request-id: eda9bde6-834a-0000-95d9-aced4a83ce01
DataServiceVersion: 1.0;
X-AspNet-Version: 4.0.30319
Persistent-Auth: true
X-Powered-By: ASP.NET
Date: Mon, 19 Aug 2013 21:59:34 GMT