Build-In User Role missing from Operations Manager 2012
Something strange happened recently where we tried to install OM 2012 Reporting, but that failed with the follwing error message logged into the installation log file:
Warn: :Message:SRSPolicySetter SoapException Exception: System.Web.Services.Protocols.SoapException: The user or group name '{2537B367-6D74-4110-B0B5-1F51C1B1B09E}' is not recognized. ---> Microsoft.ReportingServices.Diagnostics.Utilities.UnknownUserNameException: The user or group name '{2537B367-6D74-4110-B0B5-1F51C1B1B09E}' is not recognized.<br> at Microsoft.ReportingServices.WebServer.ReportingService2005Impl.SetSystemPolicies(Policy[] Policies)<br> at Microsoft.ReportingServices.WebServer.ReportingService2005.SetSystemPolicies(Policy[] Policies). Will retry..
Notice this GUID from the error message 2537B367-6D74-4110-B0B5-1F51C1B1B09E. Because of the fact that when installing OM Reporting, it will integrate the SQL SRS Security with the OM Security, this user/group will be checked in OM. So this user should exist in OM - it is actually a OM User Role. If you try to add this manually to SQL SRS before installing OM Reporting, it will not be possible because the security integration is not done yet ... When installing OM Reporting the security integration is done and after that, the Reporting Role is added to SQL SRS as a user/group.
So when this failed I opened up the OM Console in Administation tab under the User Roles view and noticed that the build-in user role Opertions Manager Report Operators role was missing?! ... No idea what heppened in this test environment and if someone deleted this, but the role needed to be manually added back into OM. This role (along with the other "defaults") will get created on OM Installation.
NOTE: In OM 2007 the user roles and their permissions, roles, etc. were managed through Authorization Manager which is an OS component and the data was stored in an XML file called MomAuth.xml which could be found on the RMS. Now, in OM 2012, this has been changed and AzMan is no longer used - the user roles and security checks, permissionsm information, etc. about the OM Management Group is stored and checked directly in the OM operational database.
So after a while and some investigations on the UserRoleScopeHandle and UserRole tables of the OM operational database from this bad environment and another healthy one, I've created this role again using this following SQL Query:
IF NOT EXISTS (<br> SELECT *<br> FROM UserRoleScopeHandle<br> WHERE UserRoleId = '2537B367-6D74-4110-B0B5-1F51C1B1B09E'<br> ) BEGIN<br> SET IDENTITY_INSERT UserRoleScopeHandle ON<br> INSERT INTO UserRoleScopeHandle (<br> UserRoleId,<br> GroupId,<br> ScopeId<br> ) VALUES (<br> '2537B367-6D74-4110-B0B5-1F51C1B1B09E',<br> NULL,<br> (<br> SELECT MAX(ScopeId) + 1<br> FROM UserRoleScopeHandle<br> )<br> )<br> SET IDENTITY_INSERT UserRoleScopeHandle OFF<br> END<br> IF NOT EXISTS (<br> SELECT *<br> FROM UserRole<br> WHERE UserRoleId = '2537B367-6D74-4110-B0B5-1F51C1B1B09E'<br> ) BEGIN<br> EXEC p_UserRoleInsert<br> '2537B367-6D74-4110-B0B5-1F51C1B1B09E',<br> N'Operations Manager Report Operators',<br> N'Operations Manager Report Operators',<br> N'The Operations Manager Report Operators user role is created during setup and has a global scope.',<br> '0B3F51FD-6F81-47C5-8E6F-87085DBD4CEC',<br> 1,<br> 0,<br> NULL,<br> 'ENU',<br> 0<br> END
Now when trying to install OM 2012 Reporting it worked like a charm! ;)
If you find yourself with another build-in user role missing, it would be best to open a support case with Microsoft than to try to edit the query yourselft - in case you miss anything, then you may find yourself in an UNSUPPORTED scenario ...
Cheers! :D