OpsMgr: Troubleshooting Performance Widget Permissions Issue Post 2012 R2 Upgrade
This is an issue that occurred after upgrading a System Center Operations Manager 2012 SP1 management group to 2012 R2.
What happened was that in the OpsMgr Operations Console, the creation process of a performance widget using the Performance Widget UI template would fail with an error message, when the Add button was clicked on the Scope and Counters page as shown below:
Upon reviewing the error messages, the following line was found, indicating the sdk has insufficient permissions to access an object in the data warehouse database.
Microsoft.EnterpriseManagement.Common.UnknownDatabaseException: The EXECUTE permission was denied on the object ’Microsoft_SystemCenter_Visualization_Library_PerforamcneCounterListByManagedEntityTypeUsingContainerME’ , database ‘OperationsManagerDW’ , schema ‘sdk’.
Further investigation revealed that the Configuration and Data Access Services on the management server were using the Local System account instead of the original domain account used during installation of the management server:
The root cause for the change in the account used by the Configuration and Data Access Services was due to the Local System account being selected (by default) for both services on the Operations Manager Setup/Configuration page when configuring the 2012 SP1 to 2012 R2 upgrade:
Summary Page before starting the upgrade process:
Using the Local System account for the Configuration and the Data Access Services should work and go unnoticed in a lot of cases. However, in cases where the Local System account does not have sufficient permissions to access the database objects, some data access or configuration level issues like this may occurred.
A quick way to address this is to swap the Local System account used by the Configuration and the Data Access Services with the correct domain account as follows:
Note: Remember to restart these services so that the new logon name will take effect.
In this instance, reverting the account used by the Configuration and the Data Access Services to their original domain account fixed the performance widget creation issue on the UI template. Clicking the Add button would open another page for the user to select which performance counters to include and then completing the other pages on the UI template to create a custom performance widget.
