Security Considerations

Applies To: Operations Manager 2007

This section provides information about using a low-privilege account with the Windows Server 2003 Cluster Management Pack for Operations Manager 2007.

Certain monitors, rules, discoveries, tasks, and recoveries cannot run in a low-privilege environment, or require a minimum set of permissions.

Low-Privilege Environments

The Windows Server 2003 Cluster Management Pack uses the agent action account to perform discovery and run monitors, rules, and tasks. The agent action account can run as Local System or as a named account. When running as Local System, the agent action account has the privileges needed to perform discovery and run monitors, rules, and tasks.

If the agent action account is a low-privilege account, you must configure the “Windows Cluster Action Account” Run As profile with an account that has the appropriate rights to access the cluster. Without this configuration, discovery, monitoring, tasks, and recoveries will not function.

Using Roles

You can delegate authority as needed by your organization by using Operations Manager 2007 user roles, in conjunction with Operations Manager 2007 groups. Role-based security allows you to limit users' privileges to only designated areas of Operations Manager 2007.

For more information about user roles, see the "About User Roles in Operations Manager 2007" (https://go.microsoft.com/fwlink/?LinkId=100925) topic in the Operations Manager 2007 Help.

Using Groups

In Operations Manager 2007, groups are logical collections of objects, such as Web sites, disk drives, network interfaces, and databases. Management packs usually provide one or more groups for the technology for which they enable monitoring. Groups, along with user roles, make it possible to delegate authority. Groups also allow you to apply overrides to a specified set of objects.

For more information about groups, see the "How to Create Groups in Operations Manager 2007" (https://go.microsoft.com/fwlink/?LinkId=101188) topic in the Operations Manager 2007 Help. For more information about overrides, see the "Overrides in Operations Manager 2007" (https://go.microsoft.com/fwlink/?LinkId=86870) topic in the Operations Manager 2007 Help.

Groups

You can delegate authority to a precise level by using user roles.

For example, use the Windows Clusters group to delegate access to managing Windows clusters. This group contains all Windows clusters. For every cluster, this group contains all resources, resource groups, networks, and cluster nodes. The group is populated automatically with any newly discovered clusters.

For more information about user roles, see the "About User Roles in Operations Manager 2007" (https://go.microsoft.com/fwlink/?LinkId=108357) topic in the Operations Manager 2007 Help.