What is the minimum permission set required to query alert information using OpsMgr 2012 SDK?

Hi,

I am using the OpsMgr 2012 SDK to retrieve alert information from SCOM.

I tried configuring a read-only role for a user account (Group Scope: All, Dashboards & Views: All) but, when I call some of the APIs, like Administration.GetAllManagementServers(), Administration.GetAllAgentManagedComputers(), etc., I get an UnauthorizedAccessEnterpriseManagementException.

I need to know the minimum permissions required for a user to query alert information and to make the calls I mentioned above using the OpsMgr 2012 SDK.

Warm Regards

Himanshu Agarwal

March 27th, 2015 10:01am

Hi,

I would like to suggest you use the SDK and Config account.

Or you may try the data reader account.

Regards,

Yan Li

March 30th, 2015 1:19am

Thanks for the reply.

Just to give you a context, I am writing a client application where a user can fetch alert information from SCOM using OpsMgr 2012 SDK. There could be many users that would use this application, hence I need to know the minimum set of permissions I can grant or add them to a group for easy maintenance.

I believed the Read-Only admin role was intended for that purpose, but some of the SDK APIs I mentioned throw the said exception.

I would like to know how I can create such a role/group from the SCOM 2012 console.

PS: The SDK and Config account is used by SCOM to perform DB operations and I would not like to impersonate this account in my client application. Instead I want to make my clients admins with just enough permissions to read information. I'll have better control this way.

March 31st, 2015 7:19am

Is there any documentation around configuring permissions for SCOM SDK APIs?

I do not want my SDK clients to be SCOM Operators (full admins), instead I just want them to be able to get information using SCOM SDK.

Warm Regards

Himanshu Agarwal

April 9th, 2015 6:42am

Hi,

I have not tested it, but I would try Read-Only Operator; this should be sufficient to retrieve and read the alerts. Your problem is that you want to enumerate the Management Servers, and this requires Administrator permission. Check this post here: http://blogs.catapultsystems.com/cfuller/archive/2012/05/11/quicktricks-what-user-roles-can-put-a-server-into-maintenance-mode-in-scom.aspx

I hope this helps.

Cheers,

Stefan

April 10th, 2015 1:46am

Administration.GetAllManagementServers() and Administration.GetAllAgentManagedComputers() are under the Administration namespace, and the Microsoft.EnterpriseManagement.Administration namespace contains classes and methods that you can use to automate administrative tasks, which require Administrator privilege. A Read-only Operator role can use the Microsoft.EnterpriseManagement.Monitoring namespace to retrieve alert information.
Roger
April 10th, 2015 2:28am
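
One way to confirm what a candidate role can actually read before handing it to many users, following the split described in the reply above (alert data versus Administration calls). This is an added example, not code from the thread; it assumes the OperationsManager PowerShell module is installed and is run as the account under test, and the server name is a placeholder.

```powershell
# Added example, not from the thread. Run it as the account under test.
# 'scom-ms01.example.test' is a placeholder management server name.
Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName 'scom-ms01.example.test'
$mg = Get-SCOMManagementGroup

# Each probe is one read the client application would perform.
$probes = @(
    @{ Call   = 'Get-SCOMAlert (alert data)'
       Script = { Get-SCOMAlert -ResolutionState 0 -ErrorAction Stop } },
    @{ Call   = 'Administration.GetAllManagementServers()'
       Script = { $mg.Administration.GetAllManagementServers() } },
    @{ Call   = 'Administration.GetAllAgentManagedComputers()'
       Script = { $mg.Administration.GetAllAgentManagedComputers() } }
)

$report = foreach ($p in $probes) {
    try {
        $null = & $p.Script
        $result = 'Allowed'
    } catch {
        # Method-call failures arrive wrapped; inspect the innermost exception.
        $base = $_.Exception.GetBaseException()
        if ($base.GetType().Name -eq 'UnauthorizedAccessEnterpriseManagementException') {
            $result = 'Denied'
        } else {
            $result = 'Error: ' + $base.Message
        }
    }
    New-Object PSObject -Property @{ Call = $p.Call; Result = $result }
}

# One row per probe: which reads this role permits and which it refuses.
$report | Select-Object Call, Result | Format-Table -AutoSize
```

Keeping the report per role makes it easy to see when a later role change widens access beyond alert reads.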

Datareader on the DB will suffice
April 13th, 2015 2:25am

So, in effect, there's no way a read-only admin can query all management servers or all agent managed computers?



April 15th, 2015 1:38am

This topic is archived. No further replies will be accepted.
