Applies to: v4

How to allow SCOM Operators to edit Company Knowledge

Company knowledge allows you to extend alert information with escalation notes, troubleshooting steps or resolutions that may be specific to your organisation.

Overview

By default only SCOM administrators are able to edit company knowledge. You may wish to allow SCOM Operators or Advanced Operators to be able to edit Company Knowledge, without giving them the full SCOM administrator role.

Normally SquaredUp makes all calls to SCOM using the identity of the end user, which allows SCOM to enforce role-based access control. This article describes how to configure SquaredUp to use its own application pool identity, instead of the user's identity, to save company knowledge, thus ‘elevating’ the user's privileges for this particular call.

Procedure

A. Add the SquaredUp application pool account to a SCOM Author role

  1. Identify the SquaredUp v4 application pool account, see How to check and modify the application pool identity
  2. From a security point of view, best practice is to create a new SCOM Author role for the SquaredUp identity to use, and configure that role to only provide author permissions and no operator permissions. To do this, go to Administration, Security, User Roles in the SCOM console and create a new Author user role as normal, but uncheck all items in the Group Scope.
  3. Add the SquaredUp application pool account to a SCOM Author role. If the app pool account is not a computer account you can do this by going to Administration, Security, User Roles, right-clicking on a SCOM Author role, selecting Properties, then 'Add' under User Role Members.

If the app pool account is Network Service you will need to add the computer account. Computer accounts cannot be added in the SCOM console, so you need to use a PowerShell cmdlet instead:

Start > Microsoft System Center > Operations Manager Shell.

Run the following script, replacing MY AUTHOR ROLE with the name of the new Author role you have created and MYDOMAIN\COMPUTER with the domain and computer name of the SquaredUp server (which can be found on the server where SquaredUp is installed by going to the Start menu, right-clicking on Computer and selecting Properties).

    # -User replaces the role's existing member list, so target the newly created role.
    $scomrole = Get-SCOMUserRole -DisplayName "MY AUTHOR ROLE"

    Set-SCOMUserRole -User 'MYDOMAIN\COMPUTER$' -UserRole $scomrole

B. Edit the scom.json file

On the SquaredUp server:

  1. In IIS stop the SquaredUpv4 application pool.
  2. Run notepad as administrator (File, Run, type notepad, and then right-click and select Run as administrator) and then open the following file:

    C:\inetpub\wwwroot\SquaredUpv4\User\Configuration\scom.json

  3. To allow both Operators and Advanced Operators to edit Company Knowledge, modify the file to read as below (ensuring there is a comma after "SquaredUp Operations Custom Knowledge"):

    {
    "server-address": "sand-scom-ms02.int.squaredup.com",
    "managementpack-knowledge": "SquaredUp Operations Custom Knowledge",
    "elevate-companyknowledge-operators": true
    }

    If you wish only Advanced Operators (and SCOM administrators) to be able to edit Company Knowledge you should use the following instead:

    "elevate-companyknowledge-advancedoperators": true

  4. Save the scom.json file.
  5. In IIS start the SquaredUpv4 application pool.

Depending on which setting you use, Operators (or Advanced Operators) will now be able to edit company knowledge assuming the application pool identity is permitted to do so. That is, edits to company knowledge by Operators (or Advanced Operators) occur as the application pool, rather than the user themselves.
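To check the result of steps A and B, the following PowerShell is an added example (not SquaredUp's own code): it validates the scom.json text, reports which elevation flags are on and, when run in the Operations Manager Shell, lists the SCOM user roles that directly contain the application pool account. The function names, the sample JSON and the placeholder server and account names are constructed for illustration.

```powershell
# Added example: audit the scom.json elevation flags and the app pool account's SCOM roles.
# Function names, sample JSON and the account name below are constructed for illustration.

function Get-CompanyKnowledgeElevation {
    param([Parameter(Mandatory)][string]$JsonText)

    # A missing comma after the "managementpack-knowledge" line makes the file invalid JSON.
    try   { $cfg = $JsonText | ConvertFrom-Json -ErrorAction Stop }
    catch { throw "scom.json does not parse as JSON: $($_.Exception.Message)" }

    $ops = $cfg.'elevate-companyknowledge-operators'
    $adv = $cfg.'elevate-companyknowledge-advancedoperators'
    foreach ($flag in @($ops, $adv)) {
        # The article writes the value as an unquoted true; flag anything that is not a boolean.
        if ($null -ne $flag -and $flag -isnot [bool]) {
            throw "Elevation flag is not a JSON boolean (found '$flag')."
        }
    }

    # Per the article, the operators flag covers Operators and Advanced Operators.
    [pscustomobject]@{
        KnowledgePack             = $cfg.'managementpack-knowledge'
        OperatorsElevated         = ($ops -eq $true)
        AdvancedOperatorsElevated = ($ops -eq $true) -or ($adv -eq $true)
    }
}

function Get-AccountScomRoles {
    param([Parameter(Mandatory)][string]$Account)
    # Needs the Operations Manager Shell; returns nothing elsewhere.
    if (-not (Get-Command Get-SCOMUserRole -ErrorAction SilentlyContinue)) { return }
    # Direct members only; group membership is not expanded.
    Get-SCOMUserRole | Where-Object { $_.Users -contains $Account } |
        Select-Object -ExpandProperty DisplayName
}

# Constructed sample mirroring the article's file (server name is a placeholder).
$sample = @'
{
"server-address": "scom.example.internal",
"managementpack-knowledge": "SquaredUp Operations Custom Knowledge",
"elevate-companyknowledge-operators": true
}
'@
Get-CompanyKnowledgeElevation -JsonText $sample

# Elevated edits run as this account, so expect only the dedicated Author role here.
Get-AccountScomRoles -Account 'MYDOMAIN\COMPUTER$'
```

On the SquaredUp server, pass the real file with `Get-Content -Raw` on the scom.json path from step B instead of the sample text.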

Deployment FAQ

How to change where company knowledge is saved

How to check and modify the application pool identity

Squared Up Ltd. (c) 2020