Security Considerations - Controlling Access & Views with User Roles (Part 2 of 2)
In the second part of this series, I will discuss and demonstrate how to leverage User Roles to control what users can View in the Operations Console. For the purposes of this discussion we will focus on Windows Server subject matter experts, those support staff who are responsible for monitoring and maintaining the health of Windows Servers. Additionally, I will make these Read-Only profiles. The Read-Only Operator profile includes a set of privileges designed for users that need read-only access to Alerts and Views. A role based on the Read-Only Operators profile grants members the ability to view Alerts, and access Views according to their configured scope.
These users will be granted access to the Operations Console, and their views will be explicitly controlled by the OpsMgr Administrators. A User Role is composed of two parts, Profile and Scope; therefore User Role = Profile + Scope. So, in this example the Profile is Read-Only and the Scope will be Windows Server. The scope is not a pre-configured template; it is typically the product of an OpsMgr administrator, working in conjunction with a Windows Administrator, in an effort to create a set of Views for maximum effectiveness.
1. I created a few OUs to make it simpler to administer. On the root, I created an OU named OpsMgr and then 4 sub-OUs: Groups, Service Accounts, User Roles and Users:
2. I created a new Global Security Group in the User Roles OU called 'Windows Server Read-Only Administrators'.
3. In my fictitious organization, the person who will be the Windows Server Read-Only Administrator is Olivia Benson. She is a Domain User and a member of the Windows Server Read-Only Administrators Global Security Group. We've simply made it much easier to administer who is and is not a Windows Server Read-Only Administrator. This can be expanded and adapted to pretty much whatever your administration model is or will be.
4. Launch the Operations Console. You need to be an OpsMgr Administrator to execute these tasks. Go to Administration / Security / User Roles. Right-click User Roles and select New User Role / Read-Only Operator.
5. The User Role Name will be Windows Server Read-Only Administrators. Click on Add in User Role Members and add the previously created Global Security Group: Windows Server Read-Only Administrators.
6. Click Next, Next, Create. Do not worry about the remaining settings; we will revisit them in a few steps.
7. So the profile (Read-Only) is done. Now it's time to Author the view (scope).
8. I create individual Management Packs to contain all Views designated for specific User Roles. It makes them much easier to work with, as well as to Export if needed. Of course, you can approach this in any manner you are most comfortable with.
9. Create a new Management Pack entitled Windows Server Read-Only Administrators. You will notice you have your own folder under Monitoring named Windows Server Read-Only Administrators. This is where your authored views will be stored.
10. This Management Group is a mix of Windows 2003 and 2008 servers. These are the required views I have randomly selected for my Windows Server Read-Only Administrator:
- View all New Alerts generated on Windows 2008 Servers
- View all Services or Drivers Failing to Start
- View all Unexpected Service Terminations
- View Windows Server 2008 State
- Create Windows Server 2008 System Performance Views
11. With SP1, you can now Copy & Paste views from Sealed MPs and paste them into unsealed MPs. Being the lazy person I am, that is what I did. You can, however, customize as you see fit. As an OpsMgr Administrator, this is what it looks like in the Monitoring pane:
12. Time to create the Scope. Administration / Security / User Roles / Windows Server Read-Only Administrators.
13. In the Actions window, click on Properties.
14. Click on the Group Scope tab, deselect all boxes, then select Windows Server 2008 Computer Group.
15. Next, click on the Views tab and select 'Only the views selected below are approved'.
16. Browse down to the Windows Server Read-Only Administrators and select it, click OK:
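The Active Directory side of this setup (steps 1 to 3: the OpsMgr OU tree, the global security group, and the group membership that drives who holds the user role) can be scripted so that the group, not the OpsMgr console, stays the single place where membership is granted and reviewed. The following PowerShell is an added example and not code from the original post; it assumes the ActiveDirectory module is available, that the domain is whatever `Get-ADDomain` returns, and that Olivia Benson's sAMAccountName is `obenson` (placeholder). The group's sAMAccountName `WinSrvReadOnlyAdmins` is also an assumption. The OpsMgr user role itself (steps 4 to 16) is still created in the console as described above.

```powershell
# Added example (not from the original post): scripts steps 1-3 with the
# ActiveDirectory module. Domain DN is read from the directory; the user
# sAMAccountName and the group sAMAccountName below are assumptions.
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName        # e.g. DC=corp,DC=example,DC=com
$opsMgrOu  = "OU=OpsMgr,$domainDn"
$roleGroup = "Windows Server Read-Only Administrators"
$groupSam  = "WinSrvReadOnlyAdmins"                   # assumed, 20 chars max keeps it pre-2000 friendly
$userSam   = "obenson"                                # assumed sAMAccountName for Olivia Benson

# Step 1: root OU plus the four sub-OUs (Groups, Service Accounts, User Roles, Users)
New-ADOrganizationalUnit -Name "OpsMgr" -Path $domainDn
foreach ($name in "Groups", "Service Accounts", "User Roles", "Users") {
    New-ADOrganizationalUnit -Name $name -Path $opsMgrOu
}

# Step 2: global security group in the User Roles OU; the description records
# what the group grants so a membership reviewer can see it without opening OpsMgr
New-ADGroup -Name $roleGroup `
            -SamAccountName $groupSam `
            -GroupCategory Security `
            -GroupScope Global `
            -Path "OU=User Roles,$opsMgrOu" `
            -Description "Members of the OpsMgr user role '$roleGroup' (Read-Only Operator profile, Windows Server 2008 scope)"

# Step 3: make Olivia Benson a member; she stays an ordinary Domain User otherwise
Add-ADGroupMember -Identity $groupSam -Members $userSam

# Check: this membership list is exactly the set of people OpsMgr will admit to the
# Read-Only role once the role is bound to the group in step 5, so review it here
Get-ADGroupMember -Identity $groupSam | Select-Object Name, SamAccountName
```

Because the user role's member is the group rather than individual accounts, adding or removing a Windows Server Read-Only Administrator later is a `Add-ADGroupMember` / `Remove-ADGroupMember` change with no OpsMgr console work, and the same `Get-ADGroupMember` query serves as the periodic access review for the role.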
So putting it all together...launch the Operations Console while logged in as Olivia Benson:
Desktop Console:
Web Console too:
Notice the event views are missing. They are not supported in the web console, but Dashboards are; I just did not use them in this example. At this time I am not sure if Event views will be supported.
My Workspace
The cool thing is My Workspace works. The user is Read-Only, but he or she can experiment in their workspace by creating their own views.