
Modifying access in SCOM user roles – without the console

In general, the *supported* method to add users and groups to user roles is using the console.  This article will demonstrate an alternative method that might be needed in cases where security got totally messed up, or a critical admin group got deleted.

The idea came from Michel Kamp’s article:  http://michelkamp.wordpress.com/2012/05/05/audit-scom-sdk-usage-operations/

The Authorization Manager (AzMan) store was moved from a file in SCOM 2007 to a SQL database store in SCOM 2012.  It was possible in SCOM 2007 to accidentally delete the domain group used for SCOM admins and lock out access.  To read about how to recover from this scenario in SCOM 2007 see:  http://support.microsoft.com/kb/2640222

In SCOM 2012, you can load up Authorization Manager from SQL.  Here is how.

On your SCOM management server, open a MMC, and load the Authorization Manager snap in.


Once you load that, right click Authorization Manager in the left pane and choose “Open Authorization Store”


Choose Microsoft SQL and input the properly formatted connect string.  Here is an example:

mssql://Driver={SQL Server};Server={SERVERNAME\INSTANCE};/OperationsManager/AzmanStore

Replace SERVERNAME\INSTANCE with your SCOM SQL server name (and named instance if needed) and change “OperationsManager” to whatever your SCOM OpsDB is named.  Here is mine:

mssql://Driver={SQL Server};Server={DB01};/OperationsManager/AzmanStore

When this opens up you can see a list of GUIDs.  Each represents a built-in user role or a custom scoped user role.  Expand 597f9d98-356f-4186-8712-4f020f2d98b4 and look at the Role Assignments:


We can see that this GUID belongs to the Operations Manager Administrators role.

Right click the top level GUID 597f9d98-356f-4186-8712-4f020f2d98b4 in the left hand side, and choose Properties:


On the Security tab you can add new groups here, or even individual users.


The above should only be used in a recovery scenario; for day-to-day administration of user role membership, use the console.
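Before touching anything in the store, it is worth being able to see exactly who is in each role. The script below is an added example, not code from the original article or from Microsoft: it opens the same mssql:// store URL the article uses through the AzMan COM object that sits behind the MMC snap-in (AzRoles.AzAuthorizationStore), opens it without the create flag, and lists every application (user role GUID) with its role assignments and members. The server, instance and database names are placeholders, and the COM property names (Applications, RoleAssignments, MembersName) are assumed to match the documented AzMan interfaces.

```powershell
# Added example (not from the original article or from Microsoft).
# Audits the SCOM AzMan store: lists each user-role application and its role assignment members.
param(
    [string]$SqlServer = 'SERVERNAME\INSTANCE',   # placeholder: your SCOM OpsDB server (and named instance if needed)
    [string]$Database  = 'OperationsManager',     # placeholder: your SCOM OpsDB name
    [string]$Driver    = 'SQL Server'             # for a TLS 1.2-only SQL server use 'SQL Server Native Client 11.0'
)

# Same URL format the article uses; the path part is /<database>/AzmanStore.
$storeUrl = "mssql://Driver={$Driver};Server={$SqlServer};/$Database/AzmanStore"
Write-Output "Opening AzMan store: $storeUrl"

# AzRoles.AzAuthorizationStore is the COM object the Authorization Manager snap-in uses.
# Initialize(0, url) opens an existing store. Flag 1 (AZ_AZSTORE_FLAG_CREATE) would create a
# new store, which is never what you want against a SCOM database, so it is deliberately not used.
$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, $storeUrl)

# Each application in the SCOM store is a user-role GUID
# (e.g. 597f9d98-356f-4186-8712-4f020f2d98b4 is the Operations Manager Administrators role).
foreach ($app in $store.Applications) {
    Write-Output "Application (user role): $($app.Name)"

    # Role assignments carry the actual members (users and groups) of the role.
    foreach ($assignment in $app.RoleAssignments) {
        Write-Output "  Role assignment: $($assignment.Name)"
        foreach ($member in $assignment.MembersName) {
            Write-Output "    Member: $member"
        }
    }
}
```

Run it from the same place the MMC approach works for you (the comments below note that from some management servers only the SQL host itself could open the store) and capture the output before making any recovery change, so you have a record of the role membership as it was.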

6 Comments

  1. baljeet singh

     An observation – The sql connection string worked only from SCOM’s SQL DB Server (host) and not from SCOM Management Servers. I think my user account had ‘sysadmin’ super privilege on SQL DB which might have allowed to connect to AzMan store and not from any where else. Not sure if this is a change in connecting to AzMan hosted on SCOM version 2016, thought I’d mention it.
     Thanks again for sharing the wonderful article, Cheers! -Baljeet Singh

  2. Jim

     What if you modified the default port for SQL access and TLS 1.0 is disabled? I tried to connect to my SQL via this method and got invalid parameter, but it didn’t show what param was broken and there is limited documentation on azman.

  3. Cyprian

     Hi. I have the same problem with SQL connection to AzmanStore on my SCOM2019 / SQL 2017
     I get “Cannot open the authorization store. The following problem occured: The parameter is incorrect.” when I try to use mssql://Driver={SQL Server};Server={Server\instane};/OperationsManager/AzmanStore,
     I have forced TLS 1.2 to use, or maybe problem is related to some .NET libs?

  4. Kevin Holman

     To connect to a SQL server that allows TLS 1.2 only, use the SQL Native Client 11.0 driver:

     mssql://Driver={SQL Server Native Client 11.0};Trusted_Connection=yes;Server={SQLServerName};/OperationsManager/AzmanStore
