User Roles and RBAC
In a new SCOM environment I'm trying to create a better model of assigning permissions to the SCOM operators instead of allowing everyone everything.
We've defined user roles, for example SQL Administrator and Windows Administrator, and I want to keep the 'what can you do' separate from the 'where can you do it'.
Thus, keep tasks and groups separated in SCOM. The user roles each have a group in AD:
R_SQL_Admin
R_Windows_Admin
I start out with the SQL role and created 2 operator user roles:
1. containing the group/scope of objects, named SCOPE_xyz
2. containing the tasks that the operator may perform, named R_SQL_Admin
And I created a 3rd read-only user role in which I define which views and dashboards the roles can see; for now just all views enabled.
Since an operator's role won't change much, but the objects he may see will differ from time to time, I want those separate, since Windows operator 1 may access group1 systems and another operator with the same role may access other group(s) of systems; but since they all share the same role they should all be able to perform the same tasks.
Then I linked the 3 user roles to the AD group R_SQL_Admin.
Then when the user opens the SCOM console he sees all views, objects and tasks that he's supposed to see... BUT... the tasks won't work, giving an error that the user is not allowed to use the task.
It only seems to work if I enable both objects and tasks in 1 user role, not in separate roles.
Is this how it's supposed to work? This way I need to maintain a role group per scope group, which is too much work and very hard to maintain when new tasks need to be added to a role.
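As an added example (not part of the original post or of the product's documentation), a PowerShell check that mirrors the symptom described above: for every user role granted to a given AD group it reports whether the role carries object scope, tasks, or both, so the "scope-only" and "task-only" roles stand out, and it then offers an optional step that copies the task list of the task-only role into each scoped role, since in the setup described tasks only run when the task and the object scope live in the same role. It assumes the Operations Manager PowerShell module (Get-SCOMUserRole, Get-SCOMTask, Set-SCOMUserRole) and the SDK property names Users, Scope.Objects and Scope.Tasks on the role object; the AD group and domain names are placeholders, and whether Set-SCOMUserRole -Task appends to or replaces the existing task list should be verified on a test role before applying.

```powershell
# Added example, not from the original post. Assumes the OperationsManager module
# and the MonitoringUserRole SDK property names (Users, Scope.Objects, Scope.Tasks).
Import-Module OperationsManager
# New-SCOMManagementGroupConnection -ComputerName 'ms01.contoso.local'   # if not on a management server

$adGroup = 'CONTOSO\R_SQL_Admin'   # placeholder: the AD group from the question
$apply   = $false                  # set to $true only after checking the report below

# 1. Which roles does this group hold, and what does each one carry?
$roles = Get-SCOMUserRole | Where-Object { $_.Users -contains $adGroup }

$report = foreach ($r in $roles) {
    [pscustomobject]@{
        Role    = $r.Name
        Objects = @($r.Scope.Objects).Count   # scoped groups/objects ("where")
        Tasks   = @($r.Scope.Tasks).Count     # permitted tasks ("what")
    }
}
$report | Format-Table -AutoSize

# A role with Objects > 0 and Tasks = 0 shows systems but authorises nothing on them;
# a role with Tasks > 0 and Objects = 0 lists tasks that fail with "not allowed" because
# they are not authorised against any object. That is the split described in the question.
$scopeOnly = @($report | Where-Object { $_.Objects -gt 0 -and $_.Tasks -eq 0 })
$taskOnly  = @($report | Where-Object { $_.Tasks -gt 0 -and $_.Objects -eq 0 })

# 2. Optional fix consistent with the observed behaviour: give every scope role the
#    task list of the task-only role, so each role carries both "what" and "where".
if ($taskOnly.Count -gt 0 -and $scopeOnly.Count -gt 0) {
    $taskRole = Get-SCOMUserRole -Name $taskOnly[0].Role
    $tasks    = Get-SCOMTask | Where-Object { $taskRole.Scope.Tasks -contains $_.Id }
    foreach ($s in $scopeOnly) {
        $target = Get-SCOMUserRole -Name $s.Role
        Write-Host ("Would add {0} task(s) to role {1}" -f $tasks.Count, $target.Name)
        if ($apply) {
            # Assumption: -Task on Set-SCOMUserRole accepts the task objects to grant.
            Set-SCOMUserRole -UserRole $target -Task $tasks
        }
    }
}
```

Run it first with $apply left at $false: the table alone confirms whether the roles linked to the group are split exactly as the question describes, and the "Would add" lines show what the merge would touch before anything is changed.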