Possible Way of: Providing Operators access to the Monitor’s properties in the SCOM Console

 

You may be one of those asking:

Why can't an Operator see the monitor properties so that they can understand what the monitor is doing?

By default, only the Advanced Operator role exposes that (for an Operator type of role). However, providing that level of access is more than what SCOM Administrators would like to provide to standard Operators.

 
 

Recently, one of my customers asked me this question again regarding their Operations Manager 2007 Management Group, and I managed to find a workaround.

Now you may ask HOW?

By leveraging the AZMAN store and giving the Operator role additional ("Operator +") functionality, so that Health Monitor properties can be seen from within the SCOM Console.

IMPORTANT NOTES:

  • Carefully test in your own LAB as well and make sure you don't break any of the Role Definitions. Think of this the same way you would think of changing settings in the Registry.
  • Although the use of the Authorization Manager is supported, the changes you'll be implementing will affect the standard SCOM role definitions, so you need to take backups beforehand and make a note of all the changes made.
  • When deploying any type of update or upgrade to your Operations Manager infrastructure, you'll have to check that your customized AZMAN settings are still in place and, if they are not, reapply the necessary custom changes.

Below you can see the steps I captured from one of my own Operations Manager 2007 LABS.

1.  On the Root Management Server open Authorization Manager by typing azman.msc in Run.

2.  Right click on the Authorization Manager entry found in the left pane and select Open Authorization Store.

3.  In the Open Authorization Store dialog box, choose XML File and then, click on Browse.

4.  Navigate to the System Center Operations Manager Directory which by default is C:\Program Files\System Center Operations Manager 2007.

5.  Open the SDK Service State folder and choose the MomAuth.xml file.

NOTE: Before applying any changes, back up the MomAuth.xml file.

6.  Once the store loads you can find Microsoft Operations Manager in the left pane. Expand it.

7.  You should be able to find a folder under the Microsoft Operations Manager with the name Definitions.

8.  Expand it and open Role Definitions.

 
 

Double-click on the Operator role definition you see under it.

 
 

9.  Click the Definition tab and then click the Add… button.

 
 

10.  On the Add Definition window click Operations.

11.  You will now be able to see the operation definitions to add. Select Template__Get and User_IsAdvancedOperator__Check and click OK.

 
 

12.  Click OK to close the Operator Definition Properties window.

NOTE: Applying the above changes in the Default Operator Role definition means that any other of the Operator Roles will inherit the customized settings.

 
 

TO TEST?

 
 

Create a new custom operator role like the following and add your test Operator account. In this scenario it is OMDOMAIN\Operator:

 

 

NOTE: Ensure the Operator account does not belong to any other SCOM Role.

 

Log in to the Operations Console with the Operator account.

 

You'll notice that now you can see the Authoring Workspace:

 
 

 
 

And yes, you can only look; there's not much you can really do:
THE GOODS …

When looking into Health Explorer your Operator will now be able to see any monitor properties:

 
 

All the information will be available, improving the efficiency of the Operator Role and reducing the Mean Time to Resolve (MTTR).

Operators will also be better able to understand how the monitor works, and even be more capable of contributing to tuning your environment if necessary.

 
 

They can even look into the Overrides:

However, they can't store any of them - which is what we really want to prevent as well!

 
 

If you prefer not to change the standard Operator Role Definition and want to apply your custom settings to only one of your Custom Operator Roles, you need to expand its ID in the AZMAN store and change it as shown:

 
 

 
 

How about in the latest versions of SCOM?

 
 

From System Center 2012 Operations Manager onwards the AZMAN store has been moved to the Operations Manager Database in SQL.

Although you can follow the steps outlined above, the AZMAN store can't be loaded from the XML anymore.

In the following post by Kevin you should be able to see the steps which explain how to load the store from the database instead:

https://blogs.technet.com/b/kevinholman/archive/2014/03/12/modifying-access-in-scom-user-roles-without-the-console.aspx

 
 

IMPORTANT NOTE:

Bear in mind that, although the above is still possible up to System Center 2012 R2 Operations Manager, future Update Rollups or Product versions may change this behaviour.

Also, regardless of the SCOM version, make sure you check the definitions after deploying any Cumulative Update (in 2007) or any Update Rollup (in 2012 or 2012 R2).
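For the Operations Manager 2007 XML store, the backup recommended before the change and the check recommended after each update can be scripted as below. This is an added example, not part of the original post: it uses the Authorization Manager COM interface (AzRoles.AzAuthorizationStore) and never writes to the store. The backup folder is a hypothetical path, and the application name, role definition name and operation names are the ones shown in the steps above.

```powershell
# Added example (not from the original post): back up MomAuth.xml, then check,
# read-only, that the role definition still carries the two added operations.
param(
    [string]$StorePath = 'C:\Program Files\System Center Operations Manager 2007\SDK Service State\MomAuth.xml',
    [string]$BackupDir = 'C:\AzManBackup',        # assumption: hypothetical backup folder
    [string]$RoleDefinition = 'Operator',         # role definition edited in steps 8-12
    [string[]]$Expected = @('Template__Get', 'User_IsAdvancedOperator__Check')
)
$ErrorActionPreference = 'Stop'

# 1. Timestamped backup; the live store itself is never opened by this script.
if (-not (Test-Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}
$backup = Join-Path $BackupDir ('MomAuth-{0:yyyyMMdd-HHmmss}.xml' -f (Get-Date))
Copy-Item -Path $StorePath -Destination $backup
Write-Host "Backup written to $backup"

# 2. Open the copy through the Authorization Manager COM interface.
#    Flag 0 opens an existing store; nothing is saved because Submit() is never called.
$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, "msxml://$backup", $null)
$app  = $store.OpenApplication('Microsoft Operations Manager', $null)
$task = $app.OpenTask($RoleDefinition, $null)    # role definitions are AzMan tasks

# 3. Compare the operations assigned directly to the role definition
#    (operations inherited through nested definitions are not listed here).
$present = @($task.Operations)
$missing = @($Expected | Where-Object { $present -notcontains $_ })

if ($missing.Count -eq 0) {
    Write-Host "'$RoleDefinition' still contains: $($Expected -join ', ')"
} else {
    Write-Warning "'$RoleDefinition' is missing: $($missing -join ', ')"
    exit 1
}
```

Run it on the Root Management Server before making the change (to take the backup) and again after every Cumulative Update; a non-zero exit code means the customization has to be reapplied.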

 
 

 
 

Enjoy! And… Hope it helps!

Comments

  • Anonymous
    July 15, 2014
    Excellent Article Sergio. I'll be testing this as I now have a requirement for this.

    Thanks