Kevin Holman's System Center Blog

Posts in this blog are provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified in the Terms of UseAre you interested in having a dedicated engineer that will be your Mic

Modifying access in SCOM user roles – without the console

Modifying access in SCOM user roles – without the console

  • Comments 5
  • Likes

 

In general, the *supported* method to add users and groups to user roles is using the console.  This is article will demonstrate an alternative method, that might be needed in cases where security got totally messed up, our a critical admin group got deleted.

The idea came from Michel Kamp’s article:  http://michelkamp.wordpress.com/2012/05/05/audit-scom-sdk-usage-operations/

Authorization Manager source (AzMan) was moved from a file in SCOM 2007, to a SQL database store in SCOM 2012.  It was possible in SCOM 2007, to accidentall delete the domain group used for SCOM admins, and lock out access.  To read about how to recover this scenario in SCOM 2007 see:  http://support.microsoft.com/kb/2640222

In SCOM 2012, you can load up Authorization Manager from SQL.  Here is how.

On your SCOM management server, open a MMC, and load the Authorization Manager snap in.

image

 

Once you lad that, right click Authorization Manager in the left pane and choose “Open Authorization Store”

image

 

Choose Microsoft SQL and input the properly formatted connect string.  Here is an example:

mssql://Driver={SQL Server};Server={SERVERNAME\INSTANCE};/OperationsManager/AzmanStore

Replace SEVERNAME\INSTANCE with your SCOM SQL server name (and named instance if needed) and change “OperationsManager” to whatever your SCOM OpsDB is named.  Here is mine:

mssql://Driver={SQL Server};Server={DB01};/OperationsManager/AzmanStore

When this opens up – you can see a list of GUIDS.  Each represents a built-in user role or custom scoped user role.  Expand 597f9d98-356f-4186-8712-4f020f2d98b4 and look at the Role Assignments:

image

 

We can see that belongs to The Operations Manager Administrators role.

Right click the top level GUID 597f9d98-356f-4186-8712-4f020f2d98b4 in the left hand side, and choose Properties:

image

On the security tab – you can add new groups here, or even individual users.

image

 

The above should only be used in a recovery scenario, use the console to directly administer membership of user roles.

Comments
  • Since I can't create a new Administrator level role that is scoped via the console, could this be a way to do so? I have developers that would like to be able to work with the APM templates but can't because I don't want to give them Administrator rights. Ok, so they are members of Administrators so they can get into AppDiagnostics (bad design on the part of that PG. IMO) but I keep them away from the full console.

  • "Technically" ? Maybe.
    "Supported" ? No.

  • Thank you Mr. Kevin.

  • Good Post Kevin, Just to add, you need to have full rights on the OperationsManager DB to make any changes(add/remove) in user roles.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
Search Blogs