SCOM 2012 RC – Side-by-Side Migration Phase 5 – Migrating Permissions

Important Note! 2012 RC is not supported in a production environment unless you are in the Microsoft TAP program for Operations Manager.

This blog post is to be considered an experience report, and not an official guideline.

Intro

I admit it, I’m lazy – especially when it comes to dull tasks like creating User Roles in bulk. Fortunately, this can be 100% scripted.

What I first need to do is get a list of all User Roles (non-system only) and their configurations.
Note: I don’t use the System Roles and I don’t want to modify them – or rather any Role that already exists – to prevent me from locking myself out.

Since Role Configurations target Ids of certain Objects (Groups, Classes, Views, Tasks) I also retrieve the name of these objects as I want to verify that they are still the same in the new environment, and that they actually exist. Objects that don’t exist or that conflict (different object with same Id) won’t be added to the newly created Roles in the 2012 environment.

Once all that information is gathered, I’ll test-run my role creation script in a simulation mode (it acts as if it’d create roles but it doesn’t) to see if there are any issues.

If everything is fine, I’ll go ahead with the live script and create my roles.

NOTE: The scripts mentioned in this blog post are available in the attached zip file as a reference. Use at your own risk.

Running Inventory of User Roles

First I need to get a list of all User Roles in my 2007 environment, including which tasks/views/groups they have access to and all other configuration parameters. Then I store that information in a char-separated text file.
Additionally, I’ll get each object (Task/View/etc.) that is part of the configuration, along with its name, and add both to my inventory. This way I can later verify that the Id I target exists in the new environment and that it is still the same object.
Script: GetRolesAndPermissions.ps1 (needs to run in Operations Manager Shell) creates C:\temp\RoleConfigurations.txt

I then copy the RoleConfigurations.txt over to c:\temp on my 2012 Management Server from which I’ll run the verification and creation scripts. They all assume it’s at this location.

Simulate User Role Creation

User Roles can be scoped to certain views and groups, and tasks can also be added to them. The question is – are all of these available in the new environment? And of course, would my script function properly?
Note: In my last blog posts I covered the Management Pack migration, so all Management Packs are available in the new environment.

For this I wrote a script that simulates the creation of the User Roles so I can verify each role and its configuration before I actually make any changes.

Script: SimulateCreateRolesAndPermissions.ps1

What the script does:

  • Read the RoleConfigurations.txt file
  • Parse configuration parameters
  • Verify the Object Ids, or rather that the objects are there and still the same
  • Check if Role already exists – if yes, no creation
  • If no, Ask if Role should be created

Note: As you can see, some views don’t exist in the 2012 environment. These won’t be added to the Views of this Role.

  • If yes, create Role and output configuration

Note: This will create the role object; it will not import it yet.

  • Ask if Role should be imported
  • If yes, it WON’T import the role as the actual import line has been commented out.
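The verification and simulation steps above can be sketched as follows. This is an added example, not the author's SimulateCreateRolesAndPermissions.ps1: the file layout, role names, GUIDs and the `$targetObjects` lookup table are constructed, no SCOM cmdlets are called, and PowerShell 3.0 or later is assumed.

```powershell
# Constructed inventory sample: one line per scoped object (hypothetical layout,
# not the real RoleConfigurations.txt format).
$inventory = @'
Role|Profile|Kind|Id|Name
SQL Operators|Operator|Group|11111111-1111-1111-1111-111111111111|SQL Computers
SQL Operators|Operator|View|22222222-2222-2222-2222-222222222222|SQL Database State
SQL Operators|Operator|Task|33333333-3333-3333-3333-333333333333|Start SQL Agent
Web Admins|Advanced Operator|Group|44444444-4444-4444-4444-444444444444|IIS Servers
'@ | ConvertFrom-Csv -Delimiter '|'

# Constructed stand-in for the 2012 environment: object Id -> name.
# A real run would fill this table from the target management group.
$targetObjects = @{
    '11111111-1111-1111-1111-111111111111' = 'SQL Computers'
    '33333333-3333-3333-3333-333333333333' = 'Restart Print Spooler'  # same Id, different object
    '44444444-4444-4444-4444-444444444444' = 'IIS Servers'
}
$existingRoles = @('Web Admins')  # constructed: roles already present in the target

# Classify one inventory entry: the Id must exist AND still carry the same name.
function Test-ScopedObject {
    param($Entry, [hashtable]$Target)
    if (-not $Target.ContainsKey($Entry.Id)) { return 'Missing' }
    if ($Target[$Entry.Id] -ne $Entry.Name)  { return 'Conflict' }
    return 'OK'
}

# Simulation only: build the plan per role, never create or import anything.
function Get-RolePlan {
    param($Inventory, [hashtable]$Target, [string[]]$ExistingRoles)
    foreach ($role in $Inventory | Group-Object Role) {
        if ($ExistingRoles -contains $role.Name) {
            [pscustomobject]@{ Role = $role.Name; Action = 'Skip (exists)'; Add = @(); Drop = @() }
            continue
        }
        $checked = foreach ($e in $role.Group) {
            [pscustomobject]@{ Entry = $e; Status = Test-ScopedObject $e $Target }
        }
        [pscustomobject]@{
            Role   = $role.Name
            Action = 'Create'
            Add    = @($checked | Where-Object { $_.Status -eq 'OK' } |
                       ForEach-Object { "$($_.Entry.Kind):$($_.Entry.Name)" })
            Drop   = @($checked | Where-Object { $_.Status -ne 'OK' } |
                       ForEach-Object { "$($_.Entry.Kind):$($_.Entry.Name) [$($_.Status)]" })
        }
    }
}

Get-RolePlan $inventory $targetObjects $existingRoles | Format-List
```

Dropping `Conflict` entries, not just `Missing` ones, is what keeps a migrated role from being scoped to an unrelated object that happens to carry the same Id.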

Create User Roles

Once I have verified that everything works fine I go ahead and use the actual creation script: CreateRolesAndPermissions.ps1

The steps are the same as above, except that when it asks “Do you want to import the Role?” it will actually import the Role.

3 thoughts on “SCOM 2012 RC – Side-by-Side Migration Phase 5 – Migrating Permissions”

  1. mikal

    Great article! Can you by any chance reupload the scripts for migrating the permissions?

    Thanks in advance!

  2. Mark

    Hi, I’m also looking to get hold of the scripts listed in this guide. Phase 4 has its scripts missing also. It would be great to be able to take a look at them.
