SCOM 2022 - New Delegated Admin Role Customisation Function

Possibly the most anticipated feature of SCOM 2022 is Delegated Administrators! It’s not the shiniest of features, but it addresses a long-standing pain point for SCOM admins, who have only ever been able to use three pre-defined roles to grant to users (plus read only).

In SCOM 2022 you now have the ability to create Delegated Administrators, which overcomes some of the pain points previously felt with rigid roles and permissions.

For example, you can now create roles to manage the following scenarios:

Use Case 1: Change control processes:

- Give people the permissions to export MPs but not import/delete.
- Force changes to be approved/escalated.
- Programmatically import new MPs.

Use Case 2: Outsourced SCOM Administration:

- Enable a group of external contractors to administer SCOM.
- Provide enough permissions to enable this but not break/change key functions.
- Grant access to modify notifications but not see Run As accounts/permissions, etc.

Use Case 3: Managed Service Providers:

- Enable one SCOM Management Group to have multiple end customers as tenants.
- Provide “SCOM as a service”.
- Prevent customers/tenants from viewing other customers’ systems.

How to Create a Delegated Admin Role

In SCOM 2022, navigate to Security > User Roles in the Admin pane to discover a new option, ‘Delegated Administrator’.

This role adds an extra screen, ‘Profile’, to the existing wizard for granting a role to a specific scope. On this screen you can grant any of the SCOM permissions you like to a profile, in effect allowing you to create a custom role! One thing to note: once a profile has been created, it cannot be modified. This is not the end of the world, as you can create additional profiles if you need to change the permissions granted. Take a look at the possibilities in the screenshots below:

The classic roles within SCOM are typically defined as follows:

1) The Report Operator profile includes a set of privileges designed for users who need access to reports. A role based on the Report Operator profile grants members the ability to view reports.

2) The Read-Only Operator profile includes a set of privileges designed for users who need read-only access to alerts and views. A role based on the Read-Only Operators profile grants members the ability to view alerts and access views according to their configured scope.

3) The Operator profile includes a set of privileges designed for users who need access to alerts, views, and tasks. A role based on the Operators profile grants members the ability to interact with alerts, run tasks, and access views according to their configured scope.

4) The Advanced Operator profile includes a set of privileges designed for users who need access to limited tweaking of monitoring configurations in addition to the Operators privileges. A role based on the Advanced Operators profile grants members the ability to override the configuration of rules and monitors for specific targets or groups of targets within the configured scope.

5) The Application Monitoring Operator profile includes a set of privileges designed for users that need access to Application Diagnostics. A user role based on the Application Monitoring Operator profile grants members the ability to see the Application Monitoring Events in Application Diagnostics web console.

6) The Author profile includes a set of privileges designed for authoring monitoring configurations. A role based on the Authors profile grants members the ability to create, edit, and delete monitoring configuration (tasks, rules, monitors, and views) within the configured scope. For convenience, Authors can also be configured to have Advanced Operator privileges scoped by group.

7) The Administrator profile includes full privileges to Operations Manager. No scoping of the Administrator profile is supported.

8) The Report Security Administrator profile includes a set of privileges designed to enable the integration of SQL Server Reporting Services security with Operations Manager.

The operations associated with these user role profiles in SCOM are outlined in the table below:

Note: ¹Permissions scope can be fine-tuned for the role.

If you want to find out more about SCOM 2022’s new features, you may also want to take a look at our blog on ‘How does SCOM 2022’s Native Microsoft Teams Integration Work?’, where you’ll find setup tips, troubleshooting guides, and options for other Teams integration tools.
