SCOM 2019 role based access and delegation

Joseph Patrick 641 Reputation points
2020-09-24T20:32:47.457+00:00

We are standing up SCOM 2019 and we want to give people the operator role; however, they will also need to install/uninstall agents from the SCOM management console.

Is it possible to create a delegated role-based access structure to give a group the ability to have the rights of the operator role and the ability to install/uninstall agents?

I have read the link below, and only full administrators have the right to install/uninstall from the console, and that is too many rights for a group that we do not want to have.

https://learn.microsoft.com/en-us/system-center/scom/manage-security-create-runas-account?view=sc-om-2019


Accepted answer
  1. Leon Laude 85,666 Reputation points
    2020-09-25T05:23:41.973+00:00

    Hi @Joseph Patrick ,

    Unfortunately, you will require SCOM Administrator rights to install, uninstall or delete SCOM agents from SCOM.

    Feedback is however always welcome, you may submit feedback over at the SCOM uservoice page over here:
    https://systemcenterom.uservoice.com/forums/293064-general-operations-manager-feedback


    Best regards,
    Leon


4 additional answers

  1. CyrAz 5,181 Reputation points
    2020-09-24T21:41:44.103+00:00

    That is unfortunately correct, you will have to find another way to deploy the agents (SCCM for example).


  2. Joseph Patrick 641 Reputation points
    2020-09-24T21:49:20.277+00:00

    We are doing a command-line remote push install, so that will not be an issue; we are concerned with the uninstall. They can uninstall the agent from the server, but the SCOM console will still have the object. Is there a way to give them the right to uninstall the agent or delete it from the console without giving them full admin rights?


  3. AlexZhu-MSFT 5,551 Reputation points Microsoft Vendor
    2020-09-25T08:28:37.17+00:00

    Hi,

    Yes, this is by design. To manage Operations Manager agents, we need administrator privilege. We may raise this on the user voice page and hope the product team may include this feature in a future release.

    https://systemcenterom.uservoice.com/forums/293064-general-operations-manager-feedback

    Hope the above information helps.

    Alex Zhu




  4. CyrAz 5,181 Reputation points
    2020-09-25T11:36:02.087+00:00

    Now, if you want to try something very unsupported, you can have a look at how AzMan (Authorization Manager) works. This is the component that actually handles RBAC for SCOM, and where you can edit the roles at a very granular level.
    Have a look here for a short intro on how to manage it: https://kevinholman.com/2014/03/12/modifying-access-in-scom-user-roles-without-the-console/
    But if you want my advice on this: simply don't touch it and find another way to achieve what you need.

    You say you use a scripted push install... You can do a scripted uninstall or delete just as well, for example.