Postings in the same series:
Part I – The Introduction
Part II – How It Works
Part IV – Lets Create a Simple Task
----------------------------------------------------------------------------------
As stated in the previous blog posting, this posting is about how to scope the Tasks to the correct group of Operators. The ‘ultimate’ target here is that the Operators for a certain set of servers/services get to see only the Tasks related to their field of work and responsibility and, of those, only the Tasks they are allowed to run.
To clarify, I will use an example throughout this posting. An IT shop has a department which is solely responsible for the SQL servers and the related services and databases. In that department there are some real gurus at work who know a great deal about SQL and are really senior. Besides them, some juniors are working there as well. They assist the gurus and get training on the job.
Ideally, you do not want to frustrate the gurus in their work, so everything SCOM has to offer about the SQL servers is presented to them in the SCOM Console. The juniors, however, you do not want to give too much, since some items require deeper knowledge. So even though the juniors are granted the same Views within the SCOM Console, some Tasks are kept out of sight. This way they are not tempted to kick off a Task which is out of their league.
In order to achieve this you have to create two SCOM Operator User Roles: one for the SQL Gurus and another for the SQL Juniors. Let’s start.
SQL Gurus User Role creation
This is the easiest one.
- Start the SCOM Console with Admin permissions, go to the Administration Wunderbar > Administration > Security > User Roles > right-click it > select New User Role > select Operator;
- General Properties section: Give the User Role a logical name and a good description so the rest of the team knows what this User Role is for. Add the Local Group (AGDLP is the way to go) and click Next;
- Group Scope section: Deselect the name of the MG and select only the SQL related Groups. (In this test environment of mine I do not run clustered SQL servers, but when you do, you could add the cluster Views as well.) Click Next;
- Tasks section: Select Only tasks explicitly added to the ‘Approved tasks’ grid are approved > Add > in the Look for box type sql and hit the Select All button > OK > Next;
- Views section: Select Only the views selected below are approved, select Microsoft SQL Server > OK > Next > OK;
- Summary section: All selections are shown. Notice the list of approved Tasks for this User Role > Create.
- Log on to the SCOM Console with a user account which has been granted this User Role. Notice the available Tasks for this user:
SQL Juniors User Role creation
This is the one where some real scoping is done.
- Start the SCOM Console with Admin permissions, go to the Administration Wunderbar > Administration > Security > User Roles > right-click it > select New User Role > select Operator;
- General Properties section: Give the User Role a logical name and a good description so the rest of the team knows what this User Role is for. Add the Local Group (AGDLP is the way to go) and click Next;
- Group Scope section: Deselect the name of the MG and select only the SQL related Groups. (In this test environment of mine I do not run clustered SQL servers, but when you do, you could add the cluster Views as well.) Click Next;
- Tasks section: Select Only tasks explicitly added to the ‘Approved tasks’ grid are approved > Add > in the Look for box type sql and select only the SQL Tasks which aren’t too explicit like starting a service (but not stopping it!, nor ) > OK > Next;
- Views section: Select Only the views selected below are approved, select Microsoft SQL Server > OK > Next > OK;
- Summary section: All selections are shown. Notice the list of approved Tasks for this User Role, which is considerably shorter compared to the User Role for the SQL Gurus > Create.
- Log on to the SCOM Console with a user account which has been granted this User Role. Notice the available Tasks for this user:
As you can see, the list of available Tasks can be easily scoped. It takes some time to configure, but when you set it up properly from the beginning, with some good planning, a valid naming scheme and some good descriptions, it is like a ‘Set-and-Forget’ configuration.
The next – and last – posting in this series will be about creating a Task all by yourself. A simple one it is but one which is useful. See you all next time.