SCOM 2012 r2 role based administration

Asked by Aamer-

I have SCOM 2012 R2 deployed in my domain and now we want to expand our monitoring capability to two more untrusted forests by installing SCOM gateway servers in the untrusted forests. The two untrusted forests have servers that will be monitored by the SCOM installed in my domain. I want the administrators of the untrusted forests to be able to view and monitor servers only from their domain. They should not be able to see anything from other domains. How should the security roles in SCOM be configured?
In high-level terms:

They will need an account with access to your management group.

This would have to be an account either on the same domain as the management group or in a trusted domain.

Within SCOM you would group the servers that should be viewable to the team (Authoring -> Groups). If you set up a site code during the gateway approval process, there should already be a group with the site name that you can use.

Depending on the amount of rights the team from the untrusted domain needs on those servers (from a SCOM perspective, that is), you would create a new User Role within the SCOM Admin pane.

1. Create a new user role by right-clicking somewhere on the screen.
2. Select Operator (your selection should reflect the privileges needed by the team).
3. Give the new User Role a descriptive name.
4. Use the Group Scope, Tasks approval screen and Dashboards and Views approval screen to configure exactly what these users should be able to see or do.

In your case the most important of these is the Group Scope. This will limit users that are members of this new role to only see objects (servers, disks etc) that are part of this/these selected group(s).

If computers are added to or removed from the group, these changes will automatically apply to the newly defined User Role; however, this does not go for the tasks or views (these have to be explicitly defined in the User Role and will remain the same).

Finally, grant the account or group you created for the users membership of your new role.

Hope this helps.
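The same steps, driven from the Operations Manager PowerShell module rather than the console, with a read-back check that the new role is scoped to the forest's group and that the group holds only computers from that forest. This is an added example, not code from the answer above or from Microsoft; the management server name, the group display name, the role name, the security group and the DNS suffix are placeholders, and the `.Scope.Objects` and `GetRelatedMonitoringObjects()` SDK members used for the check are assumptions about the SDK object model that you should confirm against your environment.

```powershell
# Added example (not from the original post). Run from a workstation or management
# server with the OperationsManager module installed. All names below are placeholders.
Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName 'scom-ms01.contoso.local'   # placeholder

$groupName   = 'Forest A Site'                       # placeholder: group created at gateway approval
$roleName    = 'ForestA Operators'                   # placeholder
$members     = @('CONTOSO\ForestA-SCOM-Operators')   # placeholder: must live in the MG forest or a trusted one
$forestSuffix = '.foresta.example'                   # placeholder: DNS suffix of the untrusted forest

# The group is the boundary: everything the role can see comes from its membership.
$group = Get-SCOMGroup -DisplayName $groupName
if (-not $group) { throw "Group '$groupName' not found; create it under Authoring -> Groups first." }

# Create the Operator role scoped to exactly this one group; reuse it if it already exists.
$role = Get-SCOMUserRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    Add-SCOMUserRole -Operator -Name $roleName -DisplayName $roleName `
        -Description 'Operators for forest A, scoped to its site group only' `
        -GroupScope $group -UserRoleUser $members
    $role = Get-SCOMUserRole -Name $roleName
}

# Check 1: the role is scoped to this group and nothing else.
# Assumption: UserRole.Scope.Objects holds the Ids of the scoped groups.
$scopeIds = @($role.Scope.Objects)
if ($scopeIds.Count -ne 1 -or $scopeIds[0] -ne $group.Id) {
    Write-Warning "Role '$roleName' is not scoped to exactly '$groupName'; review its Group Scope."
}

# Check 2: no computer from another forest has drifted into the group.
# Assumption: GetRelatedMonitoringObjects() returns the group's member instances,
# whose DisplayName is the FQDN for Windows Computer objects.
$outsiders = $group.GetRelatedMonitoringObjects() |
    Where-Object { $_.DisplayName -notlike "*$forestSuffix" } |
    Select-Object -ExpandProperty DisplayName
if ($outsiders) {
    Write-Warning ("Group '{0}' contains objects outside {1}: {2}" -f $groupName, $forestSuffix, ($outsiders -join ', '))
} else {
    Write-Host "Role '$roleName' is scoped to '$groupName'; all members are in $forestSuffix."
}

# Check 3: confirm who holds the role; membership should be only the intended security group.
$role.Users | ForEach-Object { Write-Host "Role member: $_" }
```

Repeat the block once per untrusted forest with its own group, role and security group. Because the group scope is what enforces the isolation, it is worth scheduling the two checks as a recurring job: tasks and views stay fixed in the role, but group membership changes as agents are added or removed behind the gateway.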
