System Center Orchestrator Runbooks Permissions

Ronald Seow 206 Reputation points
2020-08-24T07:00:31.043+00:00

Good afternoon!

I have a question with regard to Runbook permissions and hope to find help here.

I have created some Folders to represent departments in Orchestrator Runbook Designer, and there is 1 runbook in each folder as an example. I have also created some other Administrative User Accounts to be used to execute some of the Runbooks. My question is:

My objective is to allow specific Administrative Accounts to see only their respective Runbooks in the Orchestrator Console (Web). Can this be achieved?

I have tried assigning permissions for those Administrative Accounts to only their respective Folders and Runbooks, but once they are logged in to the Web Console, all Folders and Runbooks are visible.

Thank you and appreciate any advice.

Ronald

System Center Orchestrator

Accepted answer
  1. Stefan Horz 3,461 Reputation points
    2020-08-24T10:15:45.24+00:00

    Hi,

    you do NOT need SQL Logins for each user/group of the Orchestrator Web Console.
    If you have

    -Runbooks
    |-Folder A
    |--- Folder 1
    |--- Folder 2
    |- Folder B

    and the Runbooks for Web Console are in "Folder 1" which is under "Folder A":

    The user needs Read permissions for Runbooks, Folder A and Folder 1, and also "publish" for Folder 1.

    The setting is perhaps not visible immediately: https://support.microsoft.com/de-de/help/2738490/orchestrator-runbooks-folders-and-or-statistics-are-not-displayed-or-u
    Run this after the changes:

    TRUNCATE TABLE [Microsoft.SystemCenter.Orchestrator.Internal].AuthorizationCache


9 additional answers

  1. SChalakov 10,266 Reputation points MVP
    2020-08-24T07:25:38.76+00:00

    Hi @Ronald Seow ,

    even if the user doesn't get the "Read" permissions, he/she is able to view the runbook?

    Runbook permissions

    Regards,

    ----------

    (If the reply was helpful please don't forget to upvote or accept as answer, thank you)
    Stoyan


  2. Leon Laude 85,666 Reputation points
    2020-08-24T07:26:34.617+00:00

    Hi,

    It is achievable to restrict the runbook permissions to specific users/groups only; you can follow along here:

    Grant Access to Specific Runbooks in Orchestrator


    (If the reply was helpful please don't forget to upvote or accept as answer, thank you)

    Best regards,
    Leon


  3. Stefan Horz 3,461 Reputation points
    2020-08-24T07:41:59.15+00:00

    Hi Ronald,

    you must give the user or group read/list permissions from the top-level folder Runbooks to the folder containing the Runbooks which should be started by this user or group. For the folder which contains the Runbooks, also give the user or group publish permissions (Advanced).

    The setting is perhaps not visible immediately: https://support.microsoft.com/de-de/help/2738490/orchestrator-runbooks-folders-and-or-statistics-are-not-displayed-or-u
    Run this after the changes:

    TRUNCATE TABLE [Microsoft.SystemCenter.Orchestrator.Internal].AuthorizationCache
    

    Regards,
    Stefan
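
The rule given in both of Stefan Horz's answers (Read on every folder from Runbooks down to the target folder, plus Publish on the folder that holds the runbooks) can be modeled as a small audit check. This is an added example, not part of the thread and not Orchestrator code; the account names, the ACL dictionary layout and the function names are constructed for illustration.

```python
# Model of the rule stated in the answers (not Orchestrator code): a folder's
# runbooks show up for an account only if it holds Read on every folder from
# the root "Runbooks" down to that folder AND Publish on the folder itself.

# Constructed sample ACLs: {folder path: {account: set of rights}}.
ACLS = {
    "Runbooks": {"CONTOSO\\hr-admin": {"read"},
                 "CONTOSO\\fin-admin": {"read"}},
    "Runbooks/Folder A": {"CONTOSO\\hr-admin": {"read"}},
    "Runbooks/Folder A/Folder 1": {"CONTOSO\\hr-admin": {"read", "publish"},
                                   "CONTOSO\\fin-admin": {"read", "publish"}},
    "Runbooks/Folder A/Folder 2": {"CONTOSO\\hr-admin": {"read"}},
    "Runbooks/Folder B": {"CONTOSO\\fin-admin": {"read", "publish"}},
}

def ancestors(path):
    """Yield every folder from the root down to and including path."""
    parts = path.split("/")
    for i in range(1, len(parts) + 1):
        yield "/".join(parts[:i])

def rights(acls, folder, account):
    """Rights an account holds directly on one folder (empty set if none)."""
    return acls.get(folder, {}).get(account, set())

def audit(acls, account):
    """Classify each folder for one account.

    Returns (visible, broken): `visible` lists folders whose runbooks the
    account should see; `broken` maps each folder where Publish was granted
    to the folders on its path that still lack Read.
    """
    visible, broken = [], {}
    for folder in sorted(acls):
        if "publish" not in rights(acls, folder, account):
            continue  # nothing is published to this account here
        missing = [a for a in ancestors(folder)
                   if "read" not in rights(acls, a, account)]
        if missing:
            broken[folder] = missing
        else:
            visible.append(folder)
    return visible, broken

if __name__ == "__main__":
    for acct in ("CONTOSO\\hr-admin", "CONTOSO\\fin-admin"):
        visible, broken = audit(ACLS, acct)
        print(acct, "sees:", visible, "| incomplete grants:", broken)
```

An entry in `broken` corresponds to the case raised in the follow-up below, where a grant works for one account but not for another that looks similar: the second account is missing Read somewhere on the path.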


  4. Ronald Seow 206 Reputation points
    2020-08-24T08:02:13.157+00:00

    Hi! Stoyan/Leon/Stefan,

    Does it take some time for the permission to take effect? The permission I assigned seems to have taken effect and is working for 1 user but not others which are set similarly.

    Also, I am not able to connect successfully from other terminals. The error is always "Orchestrator Console. Error executing the current operation..."

    Thanks once again.

    Best regards.
    Ronald