System Center Orchestrator Runbooks Permissions

Ronald Seow 206 Reputation points
2020-08-24T07:00:31.043+00:00

Good afternoon!

I have a question with regard to Runbook permissions and hope to find help here.

I have created some Folders to represent departments in Orchestrator Runbook Designer and there is 1 runbook in each folder as an example. I have also created some other Administrative User Accounts to be used to execute some of the Runbooks.

My objective is to allow specific Administrative Accounts to see only their respective Runbooks in the Orchestrator Console (Web). Can this be achieved?

I have tried assigning permissions for those Administrative Accounts to only their respective Folders and Runbooks, but once they are logged in to the Web Console, all Folders and Runbooks are visible.

Thank you and appreciate any advice.

Ronald

System Center Orchestrator
A family of System Center products that provide an automation platform for orchestrating and integrating both Microsoft and non-Microsoft IT tools.

Accepted answer
  1. Stefan Horz 3,461 Reputation points
    2020-08-24T10:15:45.24+00:00

    Hi,

    You do NOT need SQL Logins for each user/group of the Orchestrator Web Console.
    If you have

    -Runbooks
    |-Folder A
    |--- Folder 1
    |--- Folder 2
    |- Folder B

    and the Runbooks for Web Console are in "Folder 1" which is under "Folder A":

    The user needs Read Permissions for Runbooks, Folder A and Folder 1 and also "publish" for Folder 1.

    The setting is perhaps not visible immediately: https://support.microsoft.com/de-de/help/2738490/orchestrator-runbooks-folders-and-or-statistics-are-not-displayed-or-u
    Run this after the changes:

    TRUNCATE TABLE [Microsoft.SystemCenter.Orchestrator.Internal].AuthorizationCache

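The permission rule from the accepted answer (Read on every folder along the path, Publish on the target folder), as an added example that is not part of the original thread and is not Orchestrator code. It is a plain model for auditing a planned permission layout; the function names, the path tuples and the sample grants are assumptions, and inheritance and group membership are not modelled.

```python
# Added example: models the rule stated in the accepted answer.
# It does not call any Orchestrator API; all names here are hypothetical.
READ, PUBLISH = "Read", "Publish"


def required_grants(target_path):
    """Grants needed to see the runbooks in target_path in the Web Console.

    target_path is a tuple of folder names starting at the root, for example
    ("Runbooks", "Folder A", "Folder 1"). Rule from the answer: Read on every
    folder along the path, plus Publish on the last folder.
    """
    if not target_path:
        raise ValueError("target_path must start at the root folder")
    needed = {(tuple(target_path[:depth]), READ)
              for depth in range(1, len(target_path) + 1)}
    needed.add((tuple(target_path), PUBLISH))
    return needed


def audit_account(grants, target_paths):
    """Compare an account's grants with what its target folders require.

    Assumption: any grant outside the required set counts as excess, because
    the goal in the question is that each account sees only its own folder.
    """
    needed = set()
    for path in target_paths:
        needed |= required_grants(path)
    held = {(tuple(path), right) for path, right in grants}
    return {"missing": sorted(needed - held), "excess": sorted(held - needed)}


# Constructed sample: a department account scoped to Folder 1, with Read on
# the root forgotten and a stray Read left on Folder B.
DEPT_GRANTS = [
    (("Runbooks", "Folder A"), READ),
    (("Runbooks", "Folder A", "Folder 1"), READ),
    (("Runbooks", "Folder A", "Folder 1"), PUBLISH),
    (("Runbooks", "Folder B"), READ),
]

if __name__ == "__main__":
    report = audit_account(DEPT_GRANTS, [("Runbooks", "Folder A", "Folder 1")])
    for kind, items in report.items():
        for path, right in items:
            print(f"{kind}: {right} on {'/'.join(path)}")
```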

9 additional answers

  1. SChalakov 10,271 Reputation points MVP
    2020-08-24T08:04:37.787+00:00

    Hi @Ronald Seow,

    Did you try to truncate the Authorization Cache as Stefan suggested? This should speed things up.

    Regards,
    Stoyan


  2. Ronald Seow 206 Reputation points
    2020-08-24T08:15:44.95+00:00

    Hi! Stoyan,

    Yes, I have just executed the command. Now the account that was previously able to see just their own Runbooks can no longer see any Runbooks. I am gonna restart the servers to see whether it would help.

    Regards.
    Ronald


  3. Ronald Seow 206 Reputation points
    2020-08-24T08:29:25.42+00:00

    Hi!

    I am attaching some screenshots for your kind reference.

    19891-sco-orchestrator-console-no-runbooks-displayed.jpg
    19892-sco-orchestrator-runbook-designer-folder-permissio.jpg
    19853-sco-orchestrator-runbook-designer-folder-advance-p.jpg
    19854-sco-orchestrator-runbook-designer-runbook-permissi.jpg
    19893-sco-orchestrator-runbook-designer-runbook-advance.jpg

    Best regards.
    Ronald


  4. Ronald Seow 206 Reputation points
    2020-08-24T08:53:12.103+00:00

    Hi!

    Am I correct about the following permission assignments?

    1. SQL Database - Add User to Login with Public and Sysadmin Server Roles
    2. SCO - Runbook Server - Add User with Read only
    3. SCO - Runbooks - Add User with Read, List Contents and Publish Rights
    4. SCO - Folder - Add User with Read, List Contents and Publish Rights
    5. SCO - Individual Runbook - Add User with Read and Publish Rights

    Are there any other places where permissions need to be assigned? IIS Admin, et cetera?

    Thank you and hope to have all your affirmations.

    Best regards.
    Ronald
