question

TSchneider-3686 asked

Problem with granular user rights

Our technical teams and application owners are members of the built-in "Operations Manager Read-Only Operators" role and therefore can see all objects in SCOM. Now I want to grant some teams access to some groups and allow them to put their systems into maintenance mode. For that I created a new role based on the Operators role and limited the group scope to just the group they should get higher privileges on.
I've then added user accounts to the newly created user role and tested access via the SCOM Web console. To my surprise, they now have operator access to all objects and not only to the ones the role is scoped to. By removing those user accounts from the read-only user role everything works as expected. They can only see the group members they were granted operator access to. However, this is not what we want. They should be able to see all objects.

Am I doing something wrong here? The documentation is very vague on this topic. It only states that a user can be a member of multiple roles.

Thanks


msc-operations-manager

1 Answer

XinGuo-MSFT answered

Hi,

I totally understand your concern. It's the same situation in my test environment.

We will report this issue and hopefully receive an answer as soon as possible.

We may also go to the Operations Manager Feedback site to submit feedback.

General Operations Manager Feedback

