18 June 2015, Daniel Örneling
Assigning user roles to separate Live Maps Services by Daniel Örneling
As you all (hopefully) know, Savision’s Live Maps Unity is a business service management solution built on top of System Center Operations Manager. Live Maps is a great way to visualize the status of your services and see whether or not you’re meeting your SLAs. The views within Live Maps range from high-level service overviews all the way down to the individual component level and offer something for every role in an IT organization from the CIO down to the helpdesk employee. However, you may find that you want to customize who is able to see what – for example, service owners may only want to see the services they are responsible for and not all services that IT provides.
Role-based access to the Live Maps dashboards is something I’ve often taken advantage of when working with Live Maps and business service management and I’ll use this blog post to discuss a use case at one particular customer. When working with this customer, there were some main requirements to take care of:
- IT Management (CIO etc.) should only see the overall status of the services to know whether it’s green, yellow or red.
- The application owners should be able to drill down and see all the information contained in the service, including SLA levels as well.
To do this, we created new user groups in Active Directory, delegated rights to them in SCOM and then used those groups to control access to Live Maps functionality.
So how is this done?
Start by navigating to Administration and then User Roles in the Operations Manager console as seen below. Among others, you will see the user roles listed below. There are four read-only Live Maps roles for: Helpdesk Engineers, IT Management, Service Owners, and the CIO. As a demo for this blog post, I have created two new AD accounts called OMITTechnician and OMITManagement that will be members of the Helpdesk Engineers and IT Management roles respectively. Right click the role you want to assign and choose Properties (or just double-click the role).
Click Add and then browse for the account or group that you want to add. When doing this in your production environment, I would strongly recommend using AD groups instead of the single accounts that I’m using below. By using AD groups instead, it will be a lot easier for you to add the rights to new users of each role. Assign the respective role to the user and move on. Since these are ready-made roles, you won’t be able to edit the scope and views so just move on by clicking OK.
The next step is to update the services and to assign rights to the respective role. This is done from within the “Live Maps Authoring Console” by opening up each service you want the user/group to be able to see. When you’ve opened up your service, navigate to the Security tab. What I’ve done below is to assign the following roles:
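The same role assignment can be scripted and audited with the OperationsManager PowerShell module. The following is an added example, not part of the original post or of Savision's product: it lists role members that are individual accounts rather than AD groups, and adds a group to a role without overwriting the existing members. The `*Live Maps*` display-name pattern, the single-domain lookup, and the `CONTOSO\LiveMaps-ITManagement` group are assumptions to replace with your own values.

```powershell
Import-Module OperationsManager   # run on a machine with the SCOM console installed
Import-Module ActiveDirectory

# List every member of the matching user roles with its AD object class.
function Get-RoleMemberAudit {
    param([Parameter(Mandatory)][string]$Pattern)
    foreach ($role in Get-SCOMUserRole | Where-Object DisplayName -like $Pattern) {
        foreach ($member in $role.Users) {
            # Members are stored as DOMAIN\name; assumes a single AD domain.
            $sam = ($member -split '\\')[-1] -replace "'", "''"
            $obj = Get-ADObject -Filter "sAMAccountName -eq '$sam'"
            [pscustomobject]@{
                Role        = $role.DisplayName
                Member      = $member
                ObjectClass = if ($obj) { $obj.ObjectClass } else { 'unresolved' }
            }
        }
    }
}

# Add an AD group to one role without dropping the members already in it.
function Add-GroupToRole {
    param(
        [Parameter(Mandatory)][string]$RoleDisplayName,
        [Parameter(Mandatory)][string]$Group
    )
    $role = Get-SCOMUserRole | Where-Object DisplayName -eq $RoleDisplayName
    if (-not $role) { throw "User role '$RoleDisplayName' not found" }
    # -User replaces the whole member list, so merge with the current one first.
    $members = @($role.Users) + $Group | Select-Object -Unique
    Set-SCOMUserRole -UserRole $role -User $members
}

# Assumption: the Live Maps roles share this display-name pattern.
Get-RoleMemberAudit -Pattern '*Live Maps*' |
    Where-Object ObjectClass -ne 'group' |
    Format-Table -AutoSize

# Constructed placeholders; substitute your own role name and group.
# Add-GroupToRole -RoleDisplayName '<IT Management role display name>' -Group 'CONTOSO\LiveMaps-ITManagement'
```

Running the audit on a schedule shows when someone has been added to a role directly instead of through its AD group.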
- IT management will be able to show the service on the dashboard and to open the service map. No further drill-down will be allowed.
- Helpdesk Engineers will be able to drill all the way down in each service assigned to them.
This has to be done for each service you want to assign. After having saved the service(s), you will be able to log on to the Live Maps web console and show the services on the screen.
Logging on as the OMITManagement user
Remember that I assigned “Show on Dashboard” and “Open Service Map” to the IT Management role. Since I only did this for two of my services, these services are all that the user will see when logging on to the Live Maps web console.
Below, I have drilled down one step into the “SCOM” service and so far it looks familiar. What happens next though, when clicking on one of the perspectives (User, Application, or Infrastructure) is something different. Since I’m not allowed to open the different perspectives, I will only see the state changes that have taken place for each perspective of the service as seen below.
The next user I created is allowed to drill all the way into the services and I have made the change for three of my five services. As you can see below, the technicians can also see the “Direct Access” service.
When drilling all the way into the service and into the infrastructure perspective, I can see the components that make up the infrastructure part of the service. This way the technician gets full read rights to the assigned services.
OM Admin user
Now that I’ve shown how the different roles work, I want to show what it looks like to me as a SCOM administrator. As you can see below there are five services in my dashboard instead of the two or three seen in the roles I assigned above. This is possible since I am an administrator and have full access in the SCOM environment.
So, what I’ve shown in this post is a way for you to delegate different access rights to the different services based on the user’s role and department within your organization. In the specific customer case I mentioned, this really helped out in showing the correct amount of information to the right people. By dividing the roles as we’ve done here we make life easier for the employees as they will only see what’s relevant to them in their work.
About Daniel Örneling
Daniel Örneling is a specialist consultant working for Approved Consulting. He focuses on SCOM, OMS and those parts of Azure that come along with it. Follow his blog if you want to learn more about his tips and fixes for System Center Operations Manager, Operations Management Suite and much more.