Authoring / SCOM

Automating Role Creation

The companies I’ve worked with break down SCOM access for various app groups (SQL, SharePoint, FEp/SCEP) for security (and SCOM stability!) reasons. I always automate this via Powershell to ensure my dev/test/prod environments match and for easier rebuilding should *gulp* something go awry.

Here’s an example of the PS1 I created to setup SharePoint admins access. It will create the role if it doesn’t exist or update it if it’s already present.

Note: If you cut/paste this watch the line wraps…

#+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
import-module operationsmanager

#get list of approved tasks. I grant access to core SCOM tasks (to close alerts, etc.) and app specific ones
$mps = @("*center*core*","*sharepoint*","*MOSS*")
$tasks = Get-SCOMManagementPack -DisplayName $mps | Get-SCOMTask -ErrorAction SilentlyContinue

#role members (AD group name)
$members = "SCOM-GlobalSharePoint-Ops"

#Role Name as you want it to appear in the console
$name = "Global SharePoint - Operator Role"

#Set group scope (if all are approved, leave blank)
$scope = @("*sharepoint*","*MOSS*")
$groups = get-scomgroup -displayname $scope

#echo out what we're doing....
write-host "Name = $name"
write-host "Group Scope = $groups (if blank then all servers are in scope)"
write-host "Membership = $members"
#write-host "Tasks = $tasks" (if blank then all tasks in scope)"
write-host

#check to see if role already exists
if (Get-ScomUserRole -name $name)
{
write-host "modifying an existing role - " $name
get-SCOMuserrole -Name $name | set-ScomUserRole -groupscope $groups
get-SCOMuserrole -Name $name | set-ScomUserRole -TaskScope $tasks
get-SCOMuserrole -Name $name | set-ScomUserRole -User $members
}
else
{
write-host 'adding a new role ' $name
#write-host "Add-ScomUserRole -Name $name -Operator $tasks -User $members"
Add-ScomUserRole -Name $name -Operator -groupscope $groups -TaskScope $tasks -User $members
}

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s