
Automating Role Creation

The companies I’ve worked with break down SCOM access by app group (SQL, SharePoint, FEP/SCEP) for security (and SCOM stability!) reasons. I always automate this via PowerShell so that my dev/test/prod environments match, and so that rebuilding is easier should *gulp* something go awry.

Here’s an example of the PS1 I created to set up access for the SharePoint admins. It creates the role if it doesn’t exist, or updates it if it’s already present.

Note: If you cut/paste this watch the line wraps…

#+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Import-Module OperationsManager

# Get the list of approved tasks. I grant access to core SCOM tasks (to close alerts, etc.) and app-specific ones.
$mps = @("*center*core*","*sharepoint*","*MOSS*")
$tasks = Get-SCOMManagementPack -DisplayName $mps | Get-SCOMTask -ErrorAction SilentlyContinue

# Role members (AD group name)
$members = "SCOM-GlobalSharePoint-Ops"

# Role name as you want it to appear in the console
$name = "Global SharePoint - Operator Role"

# Set group scope (if all groups are approved, leave the array empty)
$scope = @("*sharepoint*","*MOSS*")
# Only query groups when a scope was given; binding an empty array to -DisplayName fails
$groups = if ($scope) { Get-SCOMGroup -DisplayName $scope } else { $null }

# Echo out what we're doing....
Write-Host "Name = $name"
Write-Host "Group Scope = $($groups.DisplayName -join ', ') (if blank then all servers are in scope)"
Write-Host "Membership = $members"
#Write-Host "Tasks = $($tasks.DisplayName -join ', ') (if blank then all tasks are in scope)"
Write-Host

# Check to see if the role already exists
if (Get-SCOMUserRole -Name $name)
{
    Write-Host "modifying an existing role - " $name
    Get-SCOMUserRole -Name $name | Set-SCOMUserRole -GroupScope $groups
    Get-SCOMUserRole -Name $name | Set-SCOMUserRole -TaskScope $tasks
    Get-SCOMUserRole -Name $name | Set-SCOMUserRole -User $members
}
else
{
    Write-Host 'adding a new role ' $name
    #Write-Host "Add-SCOMUserRole -Name $name -Operator $tasks -User $members"
    Add-SCOMUserRole -Name $name -Operator -GroupScope $groups -TaskScope $tasks -User $members
}
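The script above handles one app group. Since the point of automating this is to keep several per-app roles identical across dev/test/prod, here is an added example (my own, not part of the original post) that generalises it into a small helper driven by a table of role definitions. It uses only the OperationsManager cmdlets the post already uses; `Set-AppOperatorRole` is a hypothetical function name, and the SQL and Endpoint Protection patterns and AD group names are constructed placeholders. One deliberate difference from the original: where a management pack or group wildcard matches nothing, the helper stops instead of falling back to "all tasks" or "all servers", because a typo in a pattern would otherwise silently widen what the team can do.

```powershell
Import-Module OperationsManager

# Desired state, one Operator role per app team. Constructed example entries:
# replace the MP/group patterns and AD group names with the ones in your estate.
$roleDefinitions = @(
    @{ Name = 'Global SharePoint - Operator Role'; Members = 'SCOM-GlobalSharePoint-Ops'
       MpPatterns = @('*center*core*', '*sharepoint*', '*MOSS*'); GroupPatterns = @('*sharepoint*', '*MOSS*') }
    @{ Name = 'Global SQL - Operator Role'; Members = 'SCOM-GlobalSQL-Ops'
       MpPatterns = @('*center*core*', '*SQL Server*'); GroupPatterns = @('*SQL Server*') }
    @{ Name = 'Global Endpoint Protection - Operator Role'; Members = 'SCOM-GlobalFEP-Ops'
       MpPatterns = @('*center*core*', '*Endpoint Protection*'); GroupPatterns = @('*Endpoint Protection*') }
)

function Set-AppOperatorRole {
    # Hypothetical helper (not an OperationsManager cmdlet): creates or updates one
    # scoped Operator role. Supports -WhatIf so the same file can be dry-run in prod.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string[]] $Members,
        [Parameter(Mandatory)] [string[]] $MpPatterns,
        [string[]] $GroupPatterns = @()
    )

    # Tasks the role may run: core SCOM tasks plus the app's own MP tasks.
    $tasks = Get-SCOMManagementPack -DisplayName $MpPatterns | Get-SCOMTask -ErrorAction SilentlyContinue
    if (-not $tasks) {
        # Refuse rather than fall back to an unscoped task list, which would grant
        # every task in the management group.
        throw "No tasks matched '$($MpPatterns -join ', ')' for role '$Name'; check the MP patterns."
    }

    # Group scope: no patterns means every server (as in the original script).
    # When patterns were supplied, they must match something.
    $groups = $null
    if ($GroupPatterns.Count -gt 0) {
        $groups = Get-SCOMGroup -DisplayName $GroupPatterns
        if (-not $groups) {
            throw "No groups matched '$($GroupPatterns -join ', ')' for role '$Name'; check the group patterns."
        }
    }

    $existing = Get-SCOMUserRole -Name $Name
    if ($existing) {
        if ($PSCmdlet.ShouldProcess($Name, 'Update scoped Operator role')) {
            $existing | Set-SCOMUserRole -GroupScope $groups
            $existing | Set-SCOMUserRole -TaskScope $tasks
            $existing | Set-SCOMUserRole -User $Members
        }
    }
    else {
        if ($PSCmdlet.ShouldProcess($Name, 'Create scoped Operator role')) {
            Add-SCOMUserRole -Name $Name -Operator -GroupScope $groups -TaskScope $tasks -User $Members
        }
    }
}

# Apply every definition. Splatting the hashtable maps its keys onto the parameters.
foreach ($def in $roleDefinitions) {
    Set-AppOperatorRole @def
}
```

To preview changes against a management group without touching it, change the call in the loop to `Set-AppOperatorRole @def -WhatIf`; `ShouldProcess` then reports which roles would be created or updated. Keeping the definition table in source control alongside the helper is what makes the dev/test/prod comparison trivial: the same file, run against each environment, produces the same roles.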
