Answered Limiting access to Service Manager objects by OUs

  • Thursday, December 03, 2009 6:31 PM
    I need to create an operator role that could only see users and workstations from a specific OU, and work items that are related to those objects in that OU.

    First, I started to create two groups: computers in a specific OU and users in a specific OU. The Windows Computer object type has an Organizational Unit property, but it is empty in my environment. I think the reason is that I have only AD and ConfigMgr connectors, not an OpsMgr connector. Even if I had an OpsMgr connector, it wouldn't work, because those workstations don't have the OpsMgr agent installed. Is

    User objects don't even have an Organizational Unit property displayed. Is it true that the AD connector doesn't store OU information in the Service Manager database?

    What would be the right way to create a Service Manager group based on OU information?

    Then I tried to create a queue with all incidents that are related to users/computers in a specific Service Manager group (i.e. members of a specific OU, if I managed to create such a group), but it was too difficult for me! How can I do that?

    If I had those groups and queues, then I could create an operator role based on those groups and queues... Maybe.   :-)

    An OU-based operator role shouldn't be an uncommon scenario, so somebody must have had better success than me.

    Panu

All Replies

  • Tuesday, December 15, 2009 6:38 AM
    Owner
     Answered
    Only the SCOM connector populates the WindowsComputer.OrganizationalUnit property. You are correct that there is no System.Domain.User.OrganizationalUnit property. We do have a Domain property for both WindowsComputer and System.Domain.User, which is populated by the AD connector, if that is of any help.

    You could extend the System.Domain.User class to add an OrganizationalUnit property.
    http://blogs.technet.com/servicemanager/archive/2009/05/28/modeling-deriving-and-extending-classes.aspx

    You could also use the CSV importer to set the OU property on the WindowsComputer and Domain properties.

    If you did all that, then you could create groups pretty easily - just set the criteria as class = 'windows computer' and then 'organizational unit' = 'foo'.
    The queue is a little bit more complicated but can be done in XML - it can't be done in the UI. If you are going to go for it, let me know and I'll show you how to create the queue criteria in XML.

    Also, please file a DCR on the Connect site to add getting the OU property as part of the AD connector.  We really should be doing that.
    Travis Wright, Senior Program Manager Lead, Microsoft
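    One way to prepare the CSV importer input suggested above: a PowerShell script that derives each computer's OU from its AD distinguished name and writes the data file plus the format file mapping the columns to WindowsComputer properties. This is an added example, not code from the thread or from Microsoft; the sample records, file names and OU values are constructed, and the format-file layout is assumed from the importer's documented Class/Property structure.

```powershell
# Added example (not from the thread): build a CSV importer data file and its
# format file so that WindowsComputer.OrganizationalUnit is set from AD.

function Get-OUFromDN {
    param([string]$DistinguishedName)
    # Drop the leading "CN=<name>," component; the remainder is the OU path, e.g.
    #   "CN=WS01,OU=Workstations,OU=Helsinki,DC=contoso,DC=com"
    #   -> "OU=Workstations,OU=Helsinki,DC=contoso,DC=com"
    # Split on commas that are not escaped with a backslash (RDN values may contain "\,").
    $parts = $DistinguishedName -split '(?<!\\),'
    ($parts | Select-Object -Skip 1) -join ','
}

# Constructed sample records (assumption). In production, replace with:
#   Get-ADComputer -Filter * -SearchBase 'OU=Workstations,OU=Helsinki,DC=contoso,DC=com' -Properties DNSHostName
$computers = @(
    [pscustomobject]@{ DNSHostName = 'ws01.contoso.com'; DistinguishedName = 'CN=WS01,OU=Workstations,OU=Helsinki,DC=contoso,DC=com' }
    [pscustomobject]@{ DNSHostName = 'ws02.contoso.com'; DistinguishedName = 'CN=WS02,OU=Workstations,OU=Helsinki,DC=contoso,DC=com' }
)

# Data file: one row per computer, columns in the order the format file lists them,
# no header row. PrincipalName is the key property, so existing instances are updated
# rather than duplicated.
$rows = $computers | ForEach-Object {
    '"{0}","{1}"' -f $_.DNSHostName, (Get-OUFromDN $_.DistinguishedName)
}
Set-Content -Path '.\computers.csv' -Value $rows -Encoding UTF8

# Format file: maps the CSV columns, by position, to properties of the class.
$format = @'
<CSVImportFormat>
  <Class Type="Microsoft.Windows.Computer">
    <Property ID="PrincipalName" />
    <Property ID="OrganizationalUnit" />
  </Class>
</CSVImportFormat>
'@
Set-Content -Path '.\computers.xml' -Value $format -Encoding UTF8
```

    Once the OU property is populated this way, a group with criteria class = Windows Computer and Organizational Unit = the OU path can be built in the console as described in the reply above.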
  • Tuesday, December 22, 2009 3:42 AM
    Owner
     Answered