In this series of blog posts about what is new (or different) in SCOM 2022, we discuss here the enhanced RBAC for Admin roles.
What we and several of you found out is that within SCOM there are User Roles and Custom User Roles, and you can create custom roles to grant scoped and limited access to views or computer groups, or limit access to specific tasks. However, in several cases we come across the need for SCOM Administrator access, for one of several reasons.
For example, we sometimes need to give SCOM Admin access to somebody who just needs to add or remove Windows agents from monitoring. Or to adjust notification settings for their group. Or to be able to enter Run As credentials for their application. In some companies this causes problems, because of the security concern that somebody without SCOM knowledge has full access to everything. Or sometimes the company does not want to give out these rights at all, which forces a SCOM Admin to perform all these actions. Let’s have a look at what has been added now to help with this story:
SCOM Read-Only Administrators
A new default role has been added to the User Roles list, called the Operations Manager Read-Only Administrators.
This is particularly useful for cases where you need to provide auditor access to SCOM. In many organizations auditing is needed due to regulatory requirements, such as for stock-exchange registered companies. In order for auditors to do their work, you could have given them full SCOM Admin access and let them look at settings etc., or you could log in yourself as a SCOM Admin and sit next to the auditor to make sure they do not make changes.
This new role gives access to every setting in SCOM in every navigation pane, but members of it will not be able to change anything. Only look.
This role cannot be scoped. Just add an account or AD group to it and it gives this access.
This is where we can create a new custom User Role, called Delegated Administrator. We can create several of these if we need to, and assign each one specific rights to fit our needs.
This gives us the options to create a SCOM Admin role that only manages agents, or notifications, and so on. See the list of checkboxes further below to see which tasks fit where.
From the SCOM Admin pane – Security – User Roles, we can select the New User Role task and create a Delegated Administrator.
This brings you to the above screen. You can give the role a name. In my case I went for SCOM Agents Administrator as an example.
What we can also see here is that this role will be given Read-Only access to everything SCOM Admin related (except for SCOM Reporting), and only the additional rights to adjust things for the checkboxes you specify in the Profile tab of this wizard.
And of course you can add here users or groups to the role.
Now, this is the place where you define the profile and the access this delegated Admin needs. We need to specify a name and description for the profile. I just named it the same as I had before for the role. Next we go into the Permission Categories and select which ones we want. For example, here we want to add the Agent Management items. In my case I selected all options in this main category, but there might be cases where you need to be very specific in this list, if that is your need within the organization.
Let us have a quick look at the other categories here and what they mainly give access to, in my own words. Keep in mind that some are grouped together in a main category and you may want to only specify a few of the items there and not default to a full main category. I think I will make a combination/collation of screenshots of multiple roles and add it here.
- Account Management – Working with User Roles, Run As Accounts and Run As Profiles. This is a frequent ask in my opinion.
- Agent Management – Deploying/repairing/uninstalling agents. Adjusting agent settings. Agent pending actions. This is a frequent ask in my opinion.
- Connector Management – Create/update/delete connectors and connector subscriptions. This is for connecting with other systems.
- Global Settings – This will give access to the Settings tab within the SCOM Admin pane.
- Management Pack Authoring – Working with MPs, working with overrides, authoring or managing workflows.
- Monitoring Permissions – Executing tasks and diagnostics/recoveries. Working with Maintenance Mode. Managing alerts.
- Notification Management – Working with notification channels, notification subscribers and notification subscriptions. This would also be a regularly asked item.
- Reporting Permissions – Access Reporting and work with reports.
After you finish selecting the options in the profile, you can finish the rest of the wizard as usual.
- There is an option to scope by Groups (default: all groups).
- There is an option to limit access to Tasks, or to specific tasks (default: all tasks).
- There is an option to limit which dashboards and views this role has access to (default: all views).
Now, you will have an additional User Role and Profile created and you can add relevant Users or Groups to it to assign this access.
Keep in mind that once you have created this profile, the categories that were selected cannot be changed. If you need to change that, you can create a new Delegated Administrator role and profile which does fit your needs.
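As an added example (not from the original post), here is a PowerShell check with the OperationsManager module that shows who still holds full Operations Manager Administrators rights, who is in the new Read-Only Administrators role, and which custom roles (including Delegated Administrators) exist with their profile, members and scope, so you can verify that only the intended accounts keep full admin. It assumes the `Get-SCOMUserRole` cmdlet and the `DisplayName`, `ProfileDisplayName`, `IsSystem`, `Users` and `Scope` (`Objects`/`Tasks`/`Views`) properties on the returned role objects; the management server name and the approved-admins list are placeholders you replace.

```powershell
# Added example, not part of the original post: audit SCOM user role membership
# after introducing Read-Only and Delegated Administrator roles.
# Assumptions: OperationsManager module is installed; Get-SCOMUserRole returns
# objects with DisplayName, ProfileDisplayName, IsSystem, Users and Scope
# (Objects/Tasks/Views); server name and approved list below are placeholders.
param(
    [string]   $ManagementServer = 'scom-ms01.example.local',
    [string[]] $ApprovedAdmins   = @('CONTOSO\SCOM-Admins', 'CONTOSO\svc-scom-sdk')
)

Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName $ManagementServer | Out-Null

$roles = Get-SCOMUserRole

# 1. Who still holds full admin? Anything outside the approved list is a finding
#    and a candidate for a Read-Only or Delegated Administrator role instead.
$adminRole  = $roles | Where-Object { $_.DisplayName -eq 'Operations Manager Administrators' }
$unexpected = @($adminRole.Users | Where-Object { $ApprovedAdmins -notcontains $_ })
if ($unexpected.Count -gt 0) {
    Write-Warning ('Unapproved members of Operations Manager Administrators: ' + ($unexpected -join ', '))
} else {
    Write-Output 'Operations Manager Administrators: members match the approved list.'
}

# 2. Read-Only Administrators (new in SCOM 2022): list the auditor accounts for review.
$roRole = $roles | Where-Object { $_.DisplayName -eq 'Operations Manager Read-Only Administrators' }
Write-Output ('Read-Only Administrators: ' + ((@($roRole.Users) | Sort-Object) -join ', '))

# 3. Custom roles (this is where Delegated Administrators show up): profile,
#    members and how far each one is scoped.
$roles |
    Where-Object { -not $_.IsSystem } |
    ForEach-Object {
        [pscustomobject]@{
            Role       = $_.DisplayName
            Profile    = $_.ProfileDisplayName
            Members    = (@($_.Users) -join ', ')
            GroupScope = @($_.Scope.Objects).Count   # 0 is assumed here to mean "all groups"
            TaskScope  = @($_.Scope.Tasks).Count     # 0 is assumed here to mean "all tasks"
            ViewScope  = @($_.Scope.Views).Count     # 0 is assumed here to mean "all views"
        }
    } | Format-Table -AutoSize
```

Run it from a machine with the Operations console installed, as an account that is at least a Read-Only Administrator; a scope count of 0 on a Delegated Administrator role is worth a second look, since that role then reaches every group, task or view.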
These new RBAC roles will give us a number of options to split up access for those who do not need full SCOM Admin access and ability to adjust all things in SCOM, and give out just the rights which are needed!