User rights in SCOM

One thing I often come across when implementing SCOM at customers is the question of how to assign rights in SCOM to specific users or groups. An Operations Manager administrator has access to everything and can completely mess up (or worse) the environment. Do we really want everyone to be an Operations Manager administrator? If the answer is yes, think it over a couple more times :). If the answer is no (hopefully it is), keep reading to find out how it's done.

Logging on as an administrator

Below, I'm logging into SCOM (from outside the domain) with a user that has administrative rights.

As you can see, I have complete access to everything that is monitored: I can see every monitored object, install new agents and so on. This also includes every task, such as taking a database offline or running a defrag on a disk. This is where we want to limit users to what they are actually responsible for and match what they see with their role. For example, a SQL administrator doesn't need information about the monitoring of AD FS, IIS, Windows Server Remote Access and so on.

To create a new user role, open the Administration pane and navigate to Security > User Roles, as seen below.

Choose which profile the role should be based on (read more about the different profiles on TechNet).

Set a name for the role, in this case IIS Admin, and pick the user(s) that should be members of the role. You can also choose an AD group instead of specific users. By using groups you don't need to go into SCOM every time you want to add a user to the role; that can be done in AD instead.

The Operator profile is described like this:

“The Operator profile includes a set of privileges designed for users that need access to Alerts, Views and Tasks. A role based on the Operators profile grants members the ability to interact with Alerts, execute Tasks and access Views according to their configured scope.”

This is where you choose which groups of objects the members of the role should be able to see. The default is everything, but instead I've checked only the IIS parts, as seen below.

Instead of allowing all tasks you can check only the ones you want them to use. Search for Internet Information Services and you'll see all the relevant tasks.

Now that we've created the IIS user role, it's time to do the same for the SQL admins. This time I'm going to use the Advanced Operator profile instead, which has these rights:

“The Advanced Operator profile includes a set of privileges designed for users that need access to limited tweaking of monitoring configuration in addition to the Operators privileges. A role based on the Advanced Operators profile grants members the ability to override the configuration of rules and monitors for specific targets or groups of targets within the configured scope.”

Pick the SQL parts instead, followed by the same process for the tasks.
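The same two roles can be created from PowerShell with the OperationsManager module, which is handy when you want the role definitions under version control rather than clicked together in the wizard. The script below is an added example and not part of the original post. It assumes the OperationsManager module is installed where you run it, that the management server name, the AD group names (ORNELING\IIS-Admins, ORNELING\SQL-Admins) and the SCOM group display names are placeholders you replace with your own, and that the Add-SCOMUserRole parameter set names (-Operator, -AdvancedOperator, -GroupScope, -TaskScope) and the Scope properties match your SCOM version; confirm them with Get-Help Add-SCOMUserRole -Full before running it. The views tab of the wizard is not scoped here; set that in the console afterwards.

```powershell
# Added example (not from the original post): create the IIS Admin (Operator)
# and SQL Admin (Advanced Operator) roles described above, scoped to the
# matching object groups and tasks only.
# Assumptions: OperationsManager module present; management server name,
# AD group names and SCOM group display names below are placeholders;
# Add-SCOMUserRole parameter names verified with Get-Help on your version.
Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName 'scom-ms01.orneling.local'   # assumed name

# Build the scope for IIS: one object group plus the IIS-related tasks.
# The group display name comes from the IIS management pack you imported (assumed here).
$iisGroup = Get-SCOMGroup -DisplayName 'IIS Server Computer Group'
if (-not $iisGroup) { throw 'IIS group not found; check the display name.' }
$iisTasks = Get-SCOMTask | Where-Object {
    $_.DisplayName -like '*Internet Information Services*' -or $_.DisplayName -like '*IIS*'
}

# Operator profile: alerts, views and tasks inside the scope, no overrides.
Add-SCOMUserRole -Name 'IIS Admin' -DisplayName 'IIS Admin' -Operator `
    -Description 'Operator scoped to IIS objects and tasks' `
    -User 'ORNELING\IIS-Admins' `
    -GroupScope $iisGroup `
    -TaskScope $iisTasks

# Same for SQL Server, but as Advanced Operator so the team can create overrides.
$sqlGroup = Get-SCOMGroup -DisplayName 'SQL Server Computers'   # assumed display name
if (-not $sqlGroup) { throw 'SQL group not found; check the display name.' }
$sqlTasks = Get-SCOMTask | Where-Object { $_.DisplayName -like '*SQL*' }

Add-SCOMUserRole -Name 'SQL Admin' -DisplayName 'SQL Admin' -AdvancedOperator `
    -Description 'Advanced Operator scoped to SQL Server objects and tasks' `
    -User 'ORNELING\SQL-Admins' `
    -GroupScope $sqlGroup `
    -TaskScope $sqlTasks

# Read the roles back and show what each one actually reaches.
# Scope.Objects / Scope.Tasks are assumed SDK property names; adjust if they differ.
foreach ($roleName in 'IIS Admin', 'SQL Admin') {
    $role = Get-SCOMUserRole -DisplayName $roleName
    [pscustomobject]@{
        Role         = $role.DisplayName
        Members      = ($role.Users -join ', ')
        ScopedGroups = @($role.Scope.Objects).Count
        ScopedTasks  = @($role.Scope.Tasks).Count
    }
}
```

Run it once as an Operations Manager administrator; the final loop is the check worth keeping, because a role whose ScopedGroups count is 0 has fallen back to the default of "everything", which is exactly what the wizard does if you forget the Group Scope tab.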

Trying out the new user roles

Now it's time to check out how it looks. The first user I chose is John Doe, who is an IIS admin in the Orneling business.

As you can see below, only the IIS components are visible. This makes life a lot easier for our friend John, who no longer gets all the SQL alerts and so on. This way he can focus on his responsibilities and leave the rest of the problems to the other teams.

Here you can see which tasks are available to John; all of them are IIS related, just as they are supposed to be.

The second user I chose, for the SQL admin role, is Jane Doe. Jane is a SQL administrator in the Orneling business and she really doesn't care about IIS, AD FS and so on, so I wanted to make life a little bit easier for her.

As you can see below, only SQL related views are available to Jane, so that she can concentrate on the things she's interested in. What's different here is that Jane also has the Authoring pane in the console. As an Advanced Operator she can create overrides for the rules and monitors that target objects within her scope (creating new rules, monitors or tasks needs the Author profile), which is something John's Operator role doesn't allow.

And as expected, only the SQL related tasks are visible to Jane.

Summary

As I've shown here, it's really easy to limit your team members' access so that they only see what they should focus on. This is, as I mentioned, something a lot of my customers are looking at. For you as an administrator to sleep better at night, shouldn't you consider user role assignment instead of having everyone as an administrator? By the way, if you haven't checked the Operations Manager Administrators role inside SCOM, you should probably do it. By default it contains the local Administrators group of the management server (BUILTIN\Administrators), so every local admin on that server is also a full SCOM administrator. Swapping that for a dedicated, small AD group is one of the first things I do when SCOM is installed; note that this role only accepts groups as members, not individual users, so create the group first.
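Before you start moving people out of the administrator role it helps to know who is in which role today. The script below is an added example (not from the original post) that dumps every user role with its profile and members and flags the case the summary warns about, a BUILTIN\ group sitting in the Operations Manager Administrators role. It assumes the OperationsManager module, a placeholder management server name, and that the MonitoringUserRole objects expose DisplayName, ProfileDisplayName and Users; check with Get-SCOMUserRole | Get-Member if your version names them differently.

```powershell
# Added example (not from the original post): audit SCOM user role membership
# and flag local/built-in groups in the administrator role.
# Assumptions: OperationsManager module present; management server name is a
# placeholder; ProfileDisplayName and Users are the property names on your version.
Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName 'scom-ms01.orneling.local'   # assumed name

$adminRoleName = 'Operations Manager Administrators'

$report = foreach ($role in Get-SCOMUserRole) {
    # A role with no members still shows up, so an empty role is visible in the report.
    $members = if (@($role.Users).Count -gt 0) { $role.Users } else { @('<no members>') }
    foreach ($member in $members) {
        $isAdmin    = $role.DisplayName -eq $adminRoleName
        $isLocalGrp = $member -like 'BUILTIN\*' -or $member -like 'NT AUTHORITY\*'
        [pscustomobject]@{
            Role    = $role.DisplayName
            Profile = $role.ProfileDisplayName
            Member  = $member
            Finding = if ($isAdmin -and $isLocalGrp) {
                          'local admins of the management server are SCOM admins'
                      } elseif ($isAdmin -and $member -notlike '*\*') {
                          'unqualified principal in admin role; verify it is a group'
                      } else { '' }
        }
    }
}

# Findings first, then the rest, so the things to fix are at the top.
$report | Sort-Object @{Expression = { $_.Finding -eq '' }}, Role, Member |
    Format-Table Role, Profile, Member, Finding -AutoSize

# Exit code for use in a scheduled check: non-zero when anything was flagged.
if (($report | Where-Object { $_.Finding -ne '' }).Count -gt 0) { exit 1 } else { exit 0 }
```

Scheduling this on a management server and alerting on a non-zero exit is a cheap way to notice when someone "temporarily" puts a user or a broad group back into the administrator role.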

Have any questions on this post and how to do it? Leave a comment below.


18 thoughts on “User rights in SCOM”

  • What account does scom need in order for it to collect data from servers? Does it have to be a member of domain admins group?

    • Hi Janus,
      If you're thinking about the agent, then it is most often running under Local System and thereby has all rights.
      However, if you want to be able to collect performance data from the servers, then the Management Server Action Account needs to be a member of two local groups on the servers: Performance Log Users and Performance Monitor Users.
      I wouldn't recommend using domain admin rights other than when you're installing agents; before you run the discovery in the domain, just choose Other account and specify a domain admin user in that case.

      Regards,
      Daniel

  • Hi,
    Is there any way to assign the right to create/manage groups to users who are in the Author user role, without giving them all admin rights?
    Thanks.

  • If you wanted to restrict a user’s access to certain Tasks, based on how they are connecting into the network (VPN, or on-site) that would have to be achieved externally from SCOM wouldn’t it? Any ideas on this with relation to SCOM Role Based Access to Tasks? Thank you in advance 🙂

    • Yes, there is no such opportunity to change the roles based on how you are connected. That would need to be handled based on what subnet you're on, for example. The role access in SCOM is only based on what you should be able to do within SCOM.

      /Daniel

  • hi Daniel;
    Your article is really simple to understand, thanks for sharing it.
    I have one question: when we log in as SCOM admin we get Alert monitor on top under Monitoring, which shows all alerts currently available in SCOM.
    When we restrict an admin, in this case the SQL admin, to SQL objects, where can he view alerts related to SQL only? I am unable to find this option.
    My requirement is that a specific administrator should be able to view alerts related to their own area in alert monitoring.

    • Hi Nilesh,
      Glad to hear the post helps you out. It's the correct way to assign SQL rights to the users/admins; however, just assigning the rights doesn't present much. You need to assign certain views as well that the admin can see when he or she logs into the SCOM console. This is done in the same wizard as when you create the role. Just assign the views related to SQL Server and you will be fine.

      Once this is done you will have access to SQL Alerts, DB Engines, DBs etc. in the console, but will be limited to just SQL Server stuff.

  • Thanks for the information.
    My question is, can you also limit access to certain systems?
    For example, you have 10 servers, but 2 of them may only be handled by a certain group.
    Activities and views are the same for all servers in both groups.
    Can SCOM handle this?

    • I don't really understand your question. Do you want to limit access to management servers or to regular servers such as agents?

      /Daniel

      • Well,
        You have several servers which are monitored through SCOM.
        I want only a part of them to be fully visible to a group.
        For example, you have 10 servers:
        – All servers are visible to a certain group, e.g. the SysAdmin team
        – 5 servers are visible to group A

        Both have access to similar views and tasks, but limited to the allowed systems.

        • Aha, now I get what you're trying to do. Piece of cake: create a new role in SCOM and limit the views as you mentioned. But you should also point out which groups they should have access to. Have a look at this post: https://blog.orneling.se/2015/04/user-rights-in-scom/ and you'll see how you can do it.

          Once this is done, your operators will only see the servers they’re allowed to see.

  • Hi Daniel,
    I have a specific requirement to provide admin access to an application team for only a few servers, views and dashboards like AD and SharePoint. I am trying it on SCOM 2016 but it is not working. Could you please let me know if I can achieve the same with the procedure given above?

    Regards
    Suresh Kumar.

    • Hi Suresh,
      Correct me if i misread your comment here.
      You can't give the administrator role for just a few resources; the administrator role gives access to everything in SCOM.

      Instead you should be looking to give the most generous role (without being administrator) to the group of users and for a group of objects.

      Does that answer your question?

      Regards,
      Daniel

  • how can i grant someone permissions to the main “Monitoring Overview” page. User has Operator permissions but when clicking on any tab under “Go to computers” they receive the following error:

    “The view could not be found. Your user role may not have permissions to access the view.”

    • Are you using the built-in Operator role or have you created a new one? The only thing I can see that would cause this issue is if you haven't approved all groups or dashboards to be visible for the user.
      I just tried both the built-in Operator role and a new custom one, and in both cases I could see the “Monitoring Overview” page.

      Go back and look at the permissions delegated to the role and see if you can find any issues there.

  • Hi Daniel,

    How can I grant access to the Administration tab for L1/L2 resources who are working on SCOM?
