Role-based Security in Operations Manager 2007

Applies To: Operations Manager 2007 R2, Operations Manager 2007 SP1

You can access and manipulate Operations Manager 2007 by using the Operations console, the Web console, Windows PowerShell, or custom applications. In all cases, role-based security ensures that the user credentials supplied are members of a user role in Operations Manager.

Operations Manager 2007 can monitor many different types of applications in the enterprise, and these applications can be administered by multiple teams. As the Operations Manager administrator, you can limit access so that each team can see only its own monitoring data. Role-based security allows you to grant access to monitoring data, tools, and actions on a team-by-team basis.

Terminology and Concepts

The terminology regarding role-based security is described in the following table.

Term Meaning

Operation/Privilege

A securable action, such as resolving alerts, executing tasks, overriding monitors, creating user roles, viewing alerts, viewing events, and so on. For a list of the available operations, see Appendix A.

Profile

A collection of operations that are granted to a persona; for example, Administrator or Operator.

Operations Manager 2007 contains the following profiles:

  • Administrator

  • Advanced Operator

  • Author

  • Operator

  • Read-Only Operator

  • Report Operator

  • Report Security Administrator

Scope

Defines the boundaries within which the operations of a profile can be run; for example, which tasks and groups.

User Roles

The combination of a profile and scope.

Role assignment

An association of Windows users and groups to Operations Manager roles.

Scope

All management pack objects, for example, attributes, monitors, object discoveries, rules, tasks, and views, are scoped by targets (also called types or classes). A target as defined in a management pack represents a certain type of object. All objects of this type share some common characteristics. Everywhere objects of this type exist there is a common way of discovering them, a common set of properties that can be discovered, and a common way to monitor them. By default, before any management packs are imported, 163 targets are created in Operations Manager 2007.

Groups are logical collections of objects, such as Windows-based computers, hard disks, or instances of Microsoft SQL Server.

A task is either an agent task or a console task. Agent tasks can run remotely on an agent or a management server, while console tasks can run only on the local computer. In addition, console tasks are not scoped by user roles; they are available to all users. In Operations Manager 2007, a batch file or script can be run as a task either remotely or locally, but if the task is generated by an alert or an event, it can only be run locally.

Views are groups of managed objects that have a commonality, which is defined in the view properties. When you select a view, a query is sent to the Operations Manager database and the results of the query are displayed in the results pane.

User Role

In Operations Manager 2007, a user role is created by defining a union of profile and scope. You create a user role from within one of the five predefined profiles, or one of the seven predefined profiles if Reporting has been installed, and then define an appropriate scope. The following table defines the profile types, and an appropriate scope for each.

Profile type: Administrator
Profile description: Has full privileges to Operations Manager; no scoping of the Administrator profile is supported.
Role scope: Full access to all Operations Manager data, services, administrative, and authoring tools.

Profile type: Advanced Operator
Profile description: Has limited change access to Operations Manager configuration, including the ability to create overrides to rules and monitors for targets or groups of targets within the configured scope. Advanced Operator also inherits Operator privileges.
Role scope: Can be scoped against any groups, views, and tasks currently present and those imported in the future.

Profile type: Author
Profile description: Has the ability to create, edit, and delete tasks, rules, monitors, and views within the configured scope. Author also inherits Advanced Operator privileges.
Role scope: Can be scoped against any targets, groups, views, and tasks currently present and those imported in the future. The Author profile is unique in that it is the only profile type that can be scoped against targets.

Profile type: Operator
Profile description: Has the ability to edit or delete alerts, run tasks, and access views according to the configured scope. Operator also inherits Read-Only Operator privileges.
Role scope: Can be scoped against any groups, views, and tasks currently present and those imported in the future.

Profile type: Read-Only Operator
Profile description: Has the ability to view alerts and access views according to the configured scope.
Role scope: Can be scoped against any groups and views currently present and those imported in the future.

Profile type: Report Operator
Profile description: Has the ability to view reports according to the configured scope.
Role scope: Globally scoped.

Profile type: Report Security Administrator
Profile description: Enables integration of SQL Reporting Services security with Operations Manager roles.
Role scope: No scope.

Important

Adding a computer account as a member of a user role would allow every service running on that computer to have SDK access. It is recommended that you do not add a computer account to any user role.

You can add Active Directory security groups or individual accounts to any of these predefined roles except Administrator; the Administrator role accepts only Active Directory security groups.

Adding users or a group to a role means that those individuals will be able to exercise the given role privileges across the scoped objects (including any inherited objects).

Note

Except for Report Security Administrator, the predefined roles are globally scoped, giving them access to all groups, views, targets, and tasks.

Operations Manager also allows you to create custom roles based on the Operator, Read-Only Operator, Author, and Advanced Operator profiles. When you create the role, you can further narrow the scope of groups, tasks, and views that the role can access. For example, you can create a role entitled "Exchange Operator" and narrow the scope to only Exchange-related groups, views, and tasks. User accounts assigned to this role will only be able to run Operator-level actions on Exchange-related objects.
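To make the role model concrete, the following is an added example in Python; it is not code from Operations Manager or from this page, but a small model of the rules stated above: a user role is a profile plus a scope, profiles inherit down the chain Read-Only Operator, Operator, Advanced Operator, Author, only Author may be scoped by target, Administrator is never scoped, console tasks are not scoped by user roles, and computer accounts are refused as role members. The operation names, the CONTOSO accounts, the Exchange scope, and the choice to model Administrator as inheriting from Author are assumptions made for the illustration; the two reporting profiles are left out.

```python
from dataclasses import dataclass, field

# Sample operations per profile. The names are modelled on the examples this page
# gives (resolving alerts, executing tasks, overriding monitors, ...); the product's
# full list lives in its Appendix A and is not reproduced here.
PROFILE_OPERATIONS = {
    "Read-Only Operator": {"view alerts", "view events", "access view"},
    "Operator": {"resolve alerts", "execute agent task"},
    "Advanced Operator": {"override monitors", "override rules"},
    "Author": {"create rules", "create monitors", "create views", "create tasks"},
    "Administrator": {"create user roles"},
}

# Inheritance chain stated on the page. Modelling Administrator as inheriting from
# Author is an assumption that gives it every operation, as the page requires.
PROFILE_INHERITS = {
    "Operator": "Read-Only Operator",
    "Advanced Operator": "Operator",
    "Author": "Advanced Operator",
    "Administrator": "Author",
}

# Object kinds each profile may be scoped against (from the profile table).
# None: the profile is never scoped and always acts globally.
SCOPABLE_KINDS = {
    "Administrator": None,
    "Author": {"target", "group", "view", "task"},
    "Advanced Operator": {"group", "view", "task"},
    "Operator": {"group", "view", "task"},
    "Read-Only Operator": {"group", "view"},
}


def effective_operations(profile):
    """Operations granted by a profile plus everything it inherits."""
    ops = set()
    while profile is not None:
        ops |= PROFILE_OPERATIONS[profile]
        profile = PROFILE_INHERITS.get(profile)
    return ops


@dataclass
class UserRole:
    """A user role: profile + scope, together with its role assignment (members)."""
    name: str
    profile: str
    members: set                               # Windows users or security groups
    scope: dict = field(default_factory=dict)  # kind -> names; empty means global

    def __post_init__(self):
        allowed = SCOPABLE_KINDS[self.profile]
        if allowed is None and self.scope:
            raise ValueError(f"{self.profile} profile cannot be scoped")
        unsupported = set(self.scope) - (allowed or set())
        if unsupported:
            raise ValueError(f"{self.profile} cannot be scoped by {sorted(unsupported)}")
        # Computer accounts (SAM names end in '$') would give every service on that
        # host SDK access, so refuse them outright.
        computers = sorted(m for m in self.members if m.endswith("$"))
        if computers:
            raise ValueError(f"computer accounts are not allowed as members: {computers}")

    def in_scope(self, kind, obj):
        return not self.scope or obj in self.scope.get(kind, set())


@dataclass
class Principal:
    name: str
    groups: set  # security groups the account belongs to


def is_allowed(principal, roles, operation, kind, obj):
    """True when some role the principal is assigned to grants `operation`
    and `obj` (of the given kind) lies inside that role's scope."""
    identities = {principal.name} | principal.groups
    member_of = [r for r in roles if r.members & identities]
    if kind == "console task":
        # Console tasks are not scoped by user roles: any user holding a role may run them.
        return bool(member_of)
    return any(
        operation in effective_operations(r.profile) and r.in_scope(kind, obj)
        for r in member_of
    )


# Constructed sample data: a global Administrator role and the "Exchange Operator"
# custom role the page describes, assigned to fictional CONTOSO accounts.
ROLES = [
    UserRole("Operations Manager Administrators", "Administrator",
             {r"CONTOSO\OpsMgrAdmins"}),
    UserRole("Exchange Operator", "Operator", {r"CONTOSO\ExchangeTeam"},
             {"group": {"Exchange Servers"}, "view": {"Exchange Alerts"},
              "task": {"Restart Exchange Transport"}}),
]
ALICE = Principal(r"CONTOSO\alice", {r"CONTOSO\ExchangeTeam"})
BOB = Principal(r"CONTOSO\bob", {r"CONTOSO\OpsMgrAdmins"})
CAROL = Principal(r"CONTOSO\carol", set())  # holds no role at all

if __name__ == "__main__":
    print(is_allowed(ALICE, ROLES, "resolve alerts", "group", "Exchange Servers"))     # True
    print(is_allowed(ALICE, ROLES, "resolve alerts", "group", "SQL Servers"))          # False
    print(is_allowed(ALICE, ROLES, "override monitors", "group", "Exchange Servers"))  # False
    print(is_allowed(BOB, ROLES, "create user roles", "group", "SQL Servers"))         # True
```

The `__post_init__` checks are where the page's two cautions land: a role whose scope names a kind its profile cannot be scoped by (a target on anything but Author, any scope on Administrator), or whose membership includes a computer account, is never created. The `is_allowed` check shows why the "Exchange Operator" role stays narrow: Alice inherits Read-Only Operator privileges through Operator, but nothing she holds reaches a SQL Server group or an Advanced Operator override.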

Important

Make sure that you create a domain security group for the Operations Manager Administrators role. This group is required to be in place during the first setup run for a management group.

For more information about how to administer security roles, accounts, and profiles in Operations Manager 2007, see the topic How to Administer Security Roles, Accounts, and Profiles in Operations Manager 2007 (https://go.microsoft.com/fwlink/?LinkId=88131).