Applies to: v4

How to allow SCOM Operators to edit Company Knowledge

Company knowledge allows you to extend alert information with escalation notes, troubleshooting steps or resolutions that may be specific to your organisation.

Overview

By default only SCOM administrators are able to edit company knowledge. You may wish to allow SCOM Operators or Advanced Operators to be able to edit Company Knowledge, without giving them the full SCOM administrator role.

Normally Squared Up makes all calls to SCOM using the identity of the end user, which allows SCOM to enforce role-based access control. This article describes how to configure Squared Up to save company knowledge using its own application pool identity instead of the user's identity, thus 'elevating' the user's privileges for this particular call.

Procedure

A. Add the Squared Up application pool account to a SCOM Author role

  1. Identify the Squared Up v4 application pool account, see How to check and modify the application pool identity

  2. From a security point of view, best practice is to create a new SCOM Author role for the Squared Up identity to use, and configure that role to only provide author permissions and no operator permissions. To do this, go to Administration, Security, User Roles in the SCOM console and create a new Author user role as normal, but uncheck all items in the Group Scope.

  3. Add the Squared Up application pool account to a SCOM Author role. If the app pool account is not a computer account you can do this by going to Administration, Security, User Roles, right-clicking on a SCOM Author role, selecting Properties, then 'Add' under User Role Members.

If the app pool account is Network Service you will need to add the computer account. Computer accounts cannot be added in the SCOM console, so you need to use a PowerShell cmdlet instead:

Click Start, click All Programs, click Microsoft System Center, click Operations Manager, and then click Operations Manager Shell.

Run the following script, replacing MY AUTHOR ROLE with the name of the new Author role you have created and MYDOMAIN\COMPUTER with the domain and computer name of the Squared Up server (which can be found on the server where Squared Up is installed by going to the Start menu, right-clicking on Computer and selecting Properties).

    # Look up the new Author role by its display name
    $scomrole = Get-SCOMUserRole -DisplayName "MY AUTHOR ROLE"

    # Add the computer account (keep the trailing $). -User replaces the role's existing member list.
    Set-SCOMUserRole -UserRole $scomrole -User 'MYDOMAIN\COMPUTER$'

B. Edit the scom.json file

On the Squared Up server:

  1. In IIS stop the SquaredUpv4 application pool.

  2. Run notepad as administrator (File, Run, type notepad, and then right-click and select Run as administrator) and then open the following file:

    C:\inetpub\wwwroot\SquaredUpv4\User\Configuration\scom.json

  3. To allow Operators and Advanced Operators to be able to edit Company Knowledge you should modify the file to read as below (ensuring there is a comma after "Squared Up Operations Custom Knowledge"):

    {
        "server-address": "sand-scom-ms02.int.squaredup.com",
        "managementpack-knowledge": "Squared Up Operations Custom Knowledge",
        "elevate-companyknowledge-operators": true
    }

    If you wish only Advanced Operators (and SCOM administrators) to be able to edit Company Knowledge you should use the following instead:

    "elevate-companyknowledge-advancedoperators": true

  4. Save the scom.json file.

  5. In IIS start the SquaredUpv4 application pool.

Depending on which setting you use, Operators (or Advanced Operators) will now be able to edit company knowledge assuming the application pool identity is permitted to do so. That is, edits to company knowledge by Operators (or Advanced Operators) occur as the application pool, rather than the user themselves.
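
The steps in Part B can also be scripted. The following is an added example, not Squared Up's own code: it parses scom.json instead of hand-editing it, keeps a backup, and always restarts the application pool. It assumes the app pool name and file path shown above, an elevated PowerShell session with the WebAdministration module available, and that the file is read as UTF-8 without a BOM.

```powershell
# Added example: scripted form of Part B. Run as administrator on the Squared Up server.
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

$appPool  = 'SquaredUpv4'   # app pool name as given in this article
$jsonPath = 'C:\inetpub\wwwroot\SquaredUpv4\User\Configuration\scom.json'
# The narrower of the two settings documented above; use
# 'elevate-companyknowledge-operators' to include Operators as well.
$setting  = 'elevate-companyknowledge-advancedoperators'

Stop-WebAppPool -Name $appPool
# Wait until the pool has fully stopped before touching the file
while ((Get-WebAppPoolState -Name $appPool).Value -ne 'Stopped') {
    Start-Sleep -Milliseconds 500
}

try {
    # Timestamped backup so the change can be rolled back
    Copy-Item -Path $jsonPath -Destination "$jsonPath.$(Get-Date -Format yyyyMMddHHmmss).bak"

    # Parse rather than hand-edit, so a missing comma cannot corrupt the file
    $config = Get-Content -Path $jsonPath -Raw | ConvertFrom-Json

    # Add the key, or overwrite it if it is already present
    $config | Add-Member -NotePropertyName $setting -NotePropertyValue $true -Force

    # Write UTF-8 without a BOM (assumption: the application expects none)
    $json = $config | ConvertTo-Json -Depth 10
    [System.IO.File]::WriteAllText($jsonPath, $json, (New-Object System.Text.UTF8Encoding($false)))

    # Re-read the file to confirm it still parses, then list the elevation keys now set
    $check = Get-Content -Path $jsonPath -Raw | ConvertFrom-Json
    $check.PSObject.Properties |
        Where-Object Name -like 'elevate-companyknowledge-*' |
        ForEach-Object { '{0} = {1}' -f $_.Name, $_.Value }
}
finally {
    # Always restart the pool, even if the edit failed
    Start-WebAppPool -Name $appPool
}
```

The final listing doubles as an audit check: any `elevate-companyknowledge-*` key reported as True means company knowledge edits for that role run as the application pool identity.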

Deployment FAQ

How to change where company knowledge is saved

How to check and modify the application pool identity

Squared Up Ltd. (c) 2018