70-400 Exam Study Notes: Section 1b - Manage Roles
To make it easier to keep track of all the exam study notes published, we'll link to each post on the 70-400 Exam Study Guide here on the System Center Virtual User Group web site on the 70-400 Exam Study Guide Homepage. Watch the System Center Virtual User Group blog for regular updates.
Role-based Security in Operations Manager 2007 allows administrators to delegate the appropriate level of visibility and functionality to the various application specialists and IT support tiers. When considering User Roles in OpsMgr, remember the following equation. You can create a custom user role by combining a default Profile with a Scope, which you as an OpsMgr administrator define.
To understand a User Role, you must have a good understanding of Profiles and Scope.
- User Role = Profile + Scope
- Profile = What actions can be performed
- Scope = Which objects the actions can be performed upon
NOTE: The default user roles in Operations Manager 2007 are globally scoped.
Profiles
The profile determines what actions members of the user role can perform. The more than 150 actions available in the Operations Console are defined in the following default user profiles:
| Profile | Description |
|---|---|
| Read-only Operator | The Read-Only Operator profile includes a set of privileges designed for users that need read-only access to Alerts and Views. A role based on the Read-Only Operators profile grants members the ability to view Alerts, and access Views according to their configured scope. |
| Operator | The Operator profile includes a set of privileges designed for users that need access to Alerts, Views and Tasks. A role based on the Operators profile grants members the ability to interact with Alerts, execute Tasks and access Views according to their configured scope. |
| Advanced Operator | The Advanced Operator profile includes a set of privileges designed for users that need access to limited tweaking of monitoring configuration in addition to the Operators privileges. A role based on the Advanced Operators profile grants members the ability to override the configuration of rules and monitors for specific targets or groups of targets within the configured scope. |
| Author | The Author profile includes a set of privileges designed for authoring of monitoring configuration. A role based on the Authors profile grants members the ability to create, edit and delete monitoring configuration (tasks, rules, monitors and views) within the configured scope. For convenience, Authors can also be configured to have Advanced Operator privileges scoped by group. |
| Report Operators | The Report Operator profile includes a set of privileges designed for users that need access to Reports. A role based on the Report Operators profile grants members the ability to view reports according to their configured scope. |
| Report Security | The Operations Manager Report Security Administrators user role is designed to enable the integration of SQL Server Reporting Services security with Operations Manager user roles. This gives Operations Manager Administrators the ability to control access to reports. This role cannot be scoped. The DW data reader and data writer accounts supplied during setup are included in this role during installation by default. |
| Administrator | The Administrator profile includes full privileges to Operations Manager. No scoping of the Administrator profile is supported. |
Scope
The scope determines which monitored objects, or groups of monitored objects, members of the user role can perform those actions on. For example, using the Create User Role Wizard you can create a custom role with a scope that narrows the view to only the Exchange 2003 Servers.
Creating Custom Roles
Through the Operations Console, you can only create custom user roles based on the Read-only Operator, Operator, Advanced Operator and Author roles. Through the Command Shell, you can create a custom user role based on the Report Operators profile. The Administrators role is global and cannot be scoped.
Granting Membership in a User Role
You can associate an Active Directory security group with a user role. You then grant a user membership in the user role simply by adding the user to the AD security group associated with that user role.
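The following is an added example, not code from Operations Manager or from these study notes: a small Python model of "User Role = Profile + Scope" with membership resolved through AD security groups, plus a helper that lists globally scoped roles for least-privilege review. The action names are condensed from the profile table, and the role names, AD group names and the `UserRole`, `is_allowed` and `globally_scoped` helpers are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Actions per profile, condensed from the profile table (the product defines 150+).
READ = frozenset({"view_alerts", "access_views"})
OPERATE = READ | {"update_alerts", "run_tasks"}
PROFILES = {
    "Read-only Operator": READ,
    "Operator": OPERATE,
    "Advanced Operator": OPERATE | {"override_rules_monitors"},
    "Author": frozenset({"create_config", "edit_config", "delete_config"}),
    "Report Operator": frozenset({"view_reports"}),
    "Administrator": None,  # None = every action
}
UNSCOPABLE = {"Administrator"}  # the notes state this profile cannot be scoped

@dataclass(frozen=True)
class UserRole:
    name: str
    profile: str                     # what members may do
    scope: Optional[FrozenSet[str]]  # object groups covered; None = global
    ad_groups: FrozenSet[str]        # AD security groups mapped to the role

    def __post_init__(self):
        if self.profile not in PROFILES:
            raise ValueError(f"unknown profile: {self.profile}")
        if self.profile in UNSCOPABLE and self.scope is not None:
            raise ValueError(f"{self.profile} cannot be scoped")

def is_allowed(roles, user_groups, action, object_groups):
    """True if a role held through AD group membership grants the action on the object."""
    for role in roles:
        if not role.ad_groups & user_groups:
            continue  # user is not a member of this role
        actions = PROFILES[role.profile]
        in_profile = actions is None or action in actions
        in_scope = role.scope is None or bool(role.scope & object_groups)
        if in_profile and in_scope:
            return True
    return False

def globally_scoped(roles):
    """Names of roles whose scope is not narrowed, for least-privilege review."""
    return [r.name for r in roles if r.scope is None]

# Constructed sample roles and AD group names (hypothetical).
ROLES = [
    UserRole("Exchange Operators", "Operator",
             frozenset({"Exchange 2003 Servers"}), frozenset({"EXAMPLE\\ExchangeOps"})),
    UserRole("NOC Read-Only", "Read-only Operator", None, frozenset({"EXAMPLE\\NOC"})),
]
```

An action is permitted only when the profile and the scope both allow it, so a member of the constructed Exchange role can run tasks on Exchange 2003 servers but nowhere else.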
Additional Reading:
See Role-based Security in Operations Manager 2007 on the Microsoft TechNet website.