How to Implement OpsMgr Delegation Models (Part 2)
Written by Mark Farrugia, Senior Microsoft Premier Field Engineer. Continuing on from his prior post. System Center Operations Manager (a.k.a. OpsMgr) provides a facility to share out either the rich or web console to the different support groups within your operational organization. In my travels to different customer sites, this is one of the least used or understood features. Most operational groups within organizations have grown up with a mindset of responding to tickets that are generated to address problems. This is a very reactive approach to running your organization. Operations Manager, with all the intelligence built into management packs, looks to take a more proactive approach to monitoring.
Unless the service experiences a complete power/hardware failure where it instantly shuts down, usually there are indicators that a service may be experiencing health issues. Operations Manager looks to populate those indicators in the console to give operators an opportunity to proactively schedule maintenance, and/or plan a remediation strategy for the ailing server/service.
This is where OpsMgr’s user roles come into play: by delegating only the portions of the console that are relevant to each operations team, that team can monitor and view the health of its service and take a more proactive approach. By doing this, unexpected outages should be reduced, which better serves the business and makes for a happier end customer.
User Roles
Operations Manager provides five built-in user roles. The product does not allow new user roles to be defined, so what you see is what you get. Each user role comes with a group assigned to it, but an organization can leverage the existing roles to delegate the console out to operators with different levels of permission. The roles and a brief description are provided in the table below.
| Role | Description |
|---|---|
| Administrator | This role has full control of Operations Manager. An administrator can modify any setting within the management group, create management packs, deploy agents, join other management groups and |
| Read Only Operator | This role can be delegated views into the Operations Manager console, but cannot perform any changes because the delegated views are read only. |
| Operator | This role can acknowledge and close alerts, put machines into maintenance mode and execute delegated tasks. |
| Advanced Operator | This role has all the rights of the Operator role, plus the ability to tune rules and monitors through overrides. This role does not have the ability to create management packs; only an Operations Manager Administrator has that ability. |
| Author | This role has the ability to create, edit and delete monitoring configuration (tasks, rules, monitors and views) within the configured scope. |
Delegating Console Access
To actually delegate console access, Operations Manager provides a wizard-based role definition that makes it easier for Administrators to configure views, tasks and group definitions. Additionally, different groups can belong to different delegation profiles. For example, my SQL Admins group will be delegated full Operator access to the SQL Management Pack and read only access to the Windows Operating System Management Pack.
To delegate access, navigate as an Operations Manager administrator to Operations Console –> Administration pane –> User Roles, and choose the appropriate role.
On the General Properties page name your new profile, and assign the appropriate Active Directory security groups to your profile. While it is possible to assign individual Active Directory user accounts to each of your administration profiles, I highly recommend you use the existing security groups in your organization, to ensure that employees joining or leaving existing operational teams will be delegated the appropriate console permissions. This will lower operational overhead for administrators by making use of existing infrastructure.
Choose the appropriate groups that this delegated role will be responsible for.
Choose the appropriate tasks that will be delegated to this profile. If you do not want to delegate any tasks out at all, choose the “Only tasks explicitly added to the ‘Approved Tasks’ grid are approved” radio button, and leave the list below blank.
Choose the appropriate views in the console that will be shown to the operator.
You may encounter a warning message that if any additional views are added to the delegated role, you will have to revisit the wizard to delegate those views out, because Operations Manager does not automatically approve new views once views have been explicitly approved.
Finally on the summary screen click on “Create” to finish up the wizard.
You can go through the same steps above to create a Read-Only Operator Role for our SQL Admins team example. The only exception is that on the “Approve Groups” wizard window, I only choose to target the “SQL Computers” group because I am targeting the Windows O/S management pack.
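To verify that existing delegations follow the recommendation above (Active Directory security groups rather than individual accounts, and a short Administrator membership list), here is an added PowerShell audit script that is not part of the original post. It assumes the OperationsManager and ActiveDirectory modules are installed on the machine you run it from, and that the objects returned by Get-SCOMUserRole expose DisplayName, Profile and Users as used below.

```powershell
# Added audit example (not from the original post). Assumes the OperationsManager
# and ActiveDirectory modules are available and that Get-SCOMUserRole objects
# expose DisplayName, Profile (with DisplayName) and Users ("DOMAIN\name" strings).
Import-Module OperationsManager
Import-Module ActiveDirectory

function Get-PrincipalClass {
    # Resolve a "DOMAIN\sAMAccountName" string to its AD object class
    # ('user' or 'group') so we can tell direct user assignments from groups.
    param([string]$Account)
    $parts = $Account -split '\\', 2
    if ($parts.Count -ne 2) { return 'unknown' }
    $obj = Get-ADObject -Filter "sAMAccountName -eq '$($parts[1])'" `
                        -Server $parts[0] -ErrorAction SilentlyContinue
    if ($null -eq $obj) { return 'unresolved' }
    return [string]$obj.ObjectClass
}

function Get-UserRoleFindings {
    # One record per role member; Issue is set when the assignment deviates
    # from the delegation model described in the post.
    foreach ($role in Get-SCOMUserRole) {
        $profileName = [string]$role.Profile.DisplayName
        foreach ($member in $role.Users) {
            $class = Get-PrincipalClass -Account $member
            $issue = $null
            if ($class -eq 'user') {
                $issue = 'individual account assigned; use an AD security group instead'
            } elseif ($class -ne 'group') {
                $issue = "principal could not be resolved in AD ($class); review or remove"
            } elseif ($profileName -eq 'Administrator') {
                $issue = 'Administrator profile member; confirm this group really needs full control'
            }
            [pscustomobject]@{
                Role    = $role.DisplayName
                Profile = $profileName
                Member  = $member
                Class   = $class
                Issue   = $issue
            }
        }
    }
}

# Print only the assignments that need attention; drop the filter to see everything.
Get-UserRoleFindings | Where-Object { $_.Issue } | Format-Table -AutoSize
```

Run it as an Operations Manager administrator after each round of delegation changes so that a team member added directly by account, or a stale principal left behind after a reorganization, shows up before it causes a permissions gap.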
The investment you make in this console delegation will pay off in the next step: configuring alerts for different groups.