scripting user roles

Forum: Operations Manager4
Viewing 8 posts - 1 through 8 (of 8 total)
  • #215752
    curtmcgirt
    Participant

    am I correct that neither add-scomuserrole nor set-scomuserrole allow me to configure which views and dashboards a user role is allowed to see in the scom console? I see -groupscope, I see -tasksscope, I see -classscope. I don’t see -viewscope.

    so is there a way to do this outside of the gui?

    #215770
    Alexey Zhuravlev
    Participant

    Hi,

    yes, you are correct. You can do it using SDK calls from a powershell script. You can find the example here: http://blogs.msdn.com/b/rslaten/archive/2008/11/03/exporting-and-importing-user-roles.aspx

    HTH

    #217616
    curtmcgirt
    Participant

    that example requires an existing user already scoped to the Views i want, to export and then import into a new role. I don’t have that. i’m trying to script a new operator for a brand new management pack with brand new views. I need the GUIDs of the views I want to add to the role. how can I get the guids of views if I don’t have an existing user role scoped to those views? would I have to query the database?

    #217618
    curtmcgirt
    Participant

    ok. figured it out. there is a getviews method on the management pack object, so that

    (get-scomManagementPack -displayname 'my management pack').getviews() | select ID

    will give me the guids of the Views in My Management Pack. I couldn’t find a ‘getdashboards’ method, but I don’t really use dashboards yet.

    so here is what I came up with to

    1. add an operator user role
    2. remove the default access to all dashboards and views
    3. and add the views contained in My Management Pack.
    (i’m having a hard time adding code anywhere except the top of a post.)

    #217619
    curtmcgirt
    Participant

    (actually i’m having a hard time adding code anywhere in a post, so forgive me for this unformatted version)

    #variables, substitute your values
    $mpdisplayname = 'display name of the management pack containing the views you want'
    $ms = 'your management server'
    $rolename = "name for your new role"
    $roleusers = 'domain\user or domain\group to include in the role'

    ipmo operationsmanager
    New-SCOMManagementGroupConnection -ComputerName $ms

    #add the user role
    $userrole = add-scomuserrole -operator -name $rolename -users $roleusers

    #remove access to all dashboards, which were added by default when we created the User Role
    $userrole.scope.DashboardReferences.Remove([guid]$userrole.scope.DashboardReferences.guid)
    $userrole.update()

    #create a "common pair" "type" necessary for the add/remove of views
    #(single quotes keep the backtick in the generic type name Pair`2 literal)
    $genericType = [Type] 'Microsoft.EnterpriseManagement.Common.Pair`2'
    $typeParameters = "System.Guid","System.Boolean"
    [type[]] $typedParameters = $typeParameters
    $closedType = $genericType.MakeGenericType($typedParameters)

    #remove the 'all views' view, which was added by default when we created the User Role
    $params = [guid]$userrole.scope.views[0].first,$false
    $pair = [Activator]::CreateInstance($closedType, $params)
    $userrole.scope.views.remove($pair)
    $userrole.update()

    #get the views from your management pack
    $mp = Get-SCOMManagementPack -displayname $mpdisplayname
    $viewnames = $mp.getviews() | select name
    $viewIDs = $mp.getviews() | select ID

    #cycle through the management pack views and add them to the User Role
    foreach ($viewID in $viewIDs) {
        $params = [guid]$viewID.id,$false
        $pair = [Activator]::CreateInstance($closedType, $params)
        $userrole.Scope.Views.Add($pair)
        $userrole.Update()
    }
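
    A check that could follow the script above, as an added example that is not part of the original post: it compares the view GUIDs in a role's scope with the views of the management pack and reports anything extra or missing, so a leftover default entry does not go unnoticed. Compare-ViewScope and Test-ScomRoleViewScope are hypothetical helper names, and the sample GUIDs are constructed.

```powershell
# Compare-ViewScope (hypothetical helper) only compares two GUID lists.
function Compare-ViewScope {
    param(
        [guid[]]$Granted  = @(),   # view GUIDs found in the role's scope
        [guid[]]$Expected = @()    # view GUIDs the role is meant to have
    )
    [pscustomobject]@{
        Unexpected = @($Granted  | Where-Object { $Expected -notcontains $_ })
        Missing    = @($Expected | Where-Object { $Granted  -notcontains $_ })
    }
}

# Test-ScomRoleViewScope (hypothetical helper) reads a live role. It needs the
# OperationsManager module and an open management group connection.
function Test-ScomRoleViewScope {
    param([string]$RoleName, [string]$MpDisplayName)
    $role = Get-SCOMUserRole -Name $RoleName
    $mp   = Get-SCOMManagementPack -DisplayName $MpDisplayName
    # Each scope entry is a Pair<Guid,bool>; .First holds the view GUID
    $granted  = @($role.Scope.Views | ForEach-Object { $_.First })
    $expected = @($mp.GetViews()    | ForEach-Object { $_.Id })
    $result = Compare-ViewScope -Granted $granted -Expected $expected
    # Dashboards left in scope are reported as a count; 0 is the goal here
    $dashboards = @($role.Scope.DashboardReferences).Count
    $result | Add-Member -MemberType NoteProperty -Name DashboardCount -Value $dashboards -PassThru
}

# Constructed sample: the role still holds one GUID that is not in the pack,
# as it would if the default "all views" entry had not been removed.
$packViews = [guid]'11111111-1111-1111-1111-111111111111',
             [guid]'22222222-2222-2222-2222-222222222222'
$leftover  = [guid]'99999999-9999-9999-9999-999999999999'
$check = Compare-ViewScope -Granted ($packViews + $leftover) -Expected $packViews
"Unexpected: $($check.Unexpected -join ', ')"
"Missing:    $($check.Missing.Count)"

# Against a live management group (names are placeholders):
# Test-ScomRoleViewScope -RoleName 'name for your new role' -MpDisplayName 'my management pack'
```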

    #217620
    curtmcgirt
    Participant

    attached

    #218239
    skyqay
    Participant

    Thanks curtmcgirt !
    I need to fully automate User Roles.
    Working very well for me
    Thanks again

     

    #230714
    Maxime Blais
    Participant

    Hi Curt,

    I’m not sure if you’ll see this as the thread is pretty old. I just wanted to thank you for publishing your PowerShell script to automate user roles creation. I’ve used most of it in my own script.

    I see that you had trouble getting a list of Dashboards in order to give the new user role access to them. I wanted to explain how I’ve done it, if this could be useful to you.

    As you realized, there’s no .GetDashboards() method on the Management pack object. On top of that, there’s also no way to add dashboards to a user scope as there is for views (Scope.Views.Add()).

    I had to use the Operations Manager operational database in order to accomplish that.

    Considering the XML tag for Dashboards references in a Management Pack is <ComponentReference>, I tried to find a table that would contain some information about them.

    It turns out there is one, the [dbo].[ComponentReferences] table. If you look carefully, you should find the IDs for all your dashboards there in the column [ComponentReferenceName].

    The second information you’ll need is the user role “Scope ID”. It seems any user role is assigned a ScopeID that refers to all the views/dashboards they’ve been given access to. This information is available in the table [dbo].[UserRoleScopeHandle].

    Finally, once you have all the information you need (UserRoleId, ComponentReferenceId, ScopeId), you have to call a stored procedure with those parameters to assign the Dashboard to the user role.

    The stored procedure is dbo.p_UserRoleDashboardReferenceInsert. Here is how you would call it (replace the information between parentheses) :

    exec dbo.p_UserRoleDashboardReferenceInsert @UserRoleId='(UserRoleId)',@DashboardReferenceId='(DashboardReferenceId)',@ScopeId=(ScopeId)

    I’ve been able to automate all this in a Powershell script as all the IDs we specify when creating a management pack are standardized.

    Good luck !
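
    The stored procedure call from the post above, written as a parameterized command so the IDs are bound as typed values instead of being pasted into the SQL text. This is an added example, not part of the original post or Maxime's script. New-DashboardGrantCommand and Invoke-DashboardGrant are hypothetical helper names, the parameter types are assumptions read off the quoting in the post (GUIDs quoted, ScopeId unquoted), and the sample values are constructed.

```powershell
function New-DashboardGrantCommand {
    param(
        # [guid] binding rejects anything that is not a well-formed GUID
        [Parameter(Mandatory)][guid]$UserRoleId,
        [Parameter(Mandatory)][guid]$DashboardReferenceId,
        [Parameter(Mandatory)][int]$ScopeId   # assumed integer: unquoted in the post
    )
    $cmd = New-Object System.Data.SqlClient.SqlCommand
    $cmd.CommandText = 'dbo.p_UserRoleDashboardReferenceInsert'
    $cmd.CommandType = [System.Data.CommandType]::StoredProcedure
    # Typed parameters: values travel separately from the command text
    $cmd.Parameters.Add('@UserRoleId', [System.Data.SqlDbType]::UniqueIdentifier).Value = $UserRoleId
    $cmd.Parameters.Add('@DashboardReferenceId', [System.Data.SqlDbType]::UniqueIdentifier).Value = $DashboardReferenceId
    $cmd.Parameters.Add('@ScopeId', [System.Data.SqlDbType]::Int).Value = $ScopeId
    $cmd
}

function Invoke-DashboardGrant {
    param(
        [Parameter(Mandatory)][string]$ConnectionString,
        [Parameter(Mandatory)][System.Data.SqlClient.SqlCommand]$Command
    )
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    try {
        $conn.Open()
        $Command.Connection = $conn
        [void]$Command.ExecuteNonQuery()
    }
    finally {
        $conn.Dispose()   # closes the connection even if the call fails
    }
}

# Constructed sample values; nothing touches a database until
# Invoke-DashboardGrant is called.
$cmd = New-DashboardGrantCommand -UserRoleId '11111111-1111-1111-1111-111111111111' `
    -DashboardReferenceId '22222222-2222-2222-2222-222222222222' -ScopeId 42
$cmd.Parameters | ForEach-Object { '{0} = {1} ({2})' -f $_.ParameterName, $_.Value, $_.SqlDbType }

# Invoke-DashboardGrant -ConnectionString '<connection string for the operational database>' -Command $cmd
```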
