Hyper-V security is based on the Authorization Manager API (known as AZMan). As in VMM's delegated administration model, an administrator defines a set of role objects and assigns Active Directory user and group accounts to those roles. Each role is granted a set of operations (permissions) for virtual machine access and management, and securable objects are assigned to scopes, which determine the objects against which access checks for that role are performed.
When a Hyper-V host is added to VMM, VMM applies its own authorization layer, defined by the VMM user roles, to determine the actions that VMM administrators and self-service users can perform on that host's virtual machines while working in VMM. To do this, VMM creates its own AZMan authorization store on the host computer. In VMM 2008 R2, the way user roles are implemented in AZMan was changed so that role definitions and role memberships in the root scope of the Hyper-V authorization store are preserved while VMM is managing the host. In VMM 2008, the Hyper-V roles are not used at all while a host is managed by VMM, so role memberships granted directly in the Hyper-V store have no effect on that host for as long as VMM manages it.
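The practical consequence of the two authorization layers is that an administrator should be able to see, for a given host, which roles exist, who holds them, and which operations each role grants, both in the Hyper-V store and in the store VMM created. The following PowerShell script is an added example and is not code from the original article or from VMM; it enumerates roles, members and operations in an AZMan XML store through the AzRoles COM API. The default store path and the application name "Hyper-V services" are the ones Hyper-V uses for its own store; the `-StorePath` parameter is the script's own, and the path of the VMM-created store on the host is not given in the article, so pass it explicitly.

```powershell
# Added example (not from the original article): audit an AZMan XML store with
# the AzRoles COM API. By default it reads the Hyper-V store (InitialStore.xml);
# pass -StorePath to point it at the store VMM created on the host.
param(
    [string]$StorePath = "$env:ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml",
    [string]$ApplicationName = "Hyper-V services"   # application Hyper-V registers in its store
)

if (-not (Test-Path -LiteralPath $StorePath)) {
    throw "Authorization store not found: $StorePath"
}

$store = New-Object -ComObject AzRoles.AzAuthorizationStore
# Flags 0 = open an existing store; the msxml:// prefix selects the XML store provider.
$store.Initialize(0, "msxml://$StorePath", $null)
$app = $store.OpenApplication($ApplicationName, $null)

# Flatten one role into a record: who holds it and what it grants.
function Describe-Role {
    param($Role, [string]$ScopeName)
    $ops   = @($Role.Operations | ForEach-Object { $_.Name })
    $tasks = @($Role.Tasks      | ForEach-Object { $_.Name })
    [pscustomobject]@{
        Scope      = $ScopeName
        Role       = $Role.Name
        Members    = (@($Role.MembersName) -join ", ")   # resolved account names
        Operations = ($ops -join ", ")
        Tasks      = ($tasks -join ", ")                 # tasks bundle operations
    }
}

# Roles defined at the root scope apply to every object the application secures.
foreach ($role in $app.Roles) {
    Describe-Role -Role $role -ScopeName "(root)"
}

# Roles defined inside a scope apply only to the objects that scope lists.
foreach ($scope in $app.Scopes) {
    foreach ($role in $scope.Roles) {
        Describe-Role -Role $role -ScopeName $scope.Name
    }
}
```

Run it on the host as a local administrator, once against the Hyper-V store and once against the VMM store, to compare what each layer grants; on a VMM 2008 host only the VMM store's roles are in effect, while on a VMM 2008 R2 host the root-scope roles of the Hyper-V store are preserved as well. The script only reads the store. Because AZMan reads role membership straight from this XML file, anyone who can write to it can grant themselves a role, so the file's NTFS permissions deserve the same scrutiny as the role memberships themselves.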