Service Manager 2016 - User Roles and accessible Classes

  • Question

  • Hi all, I am attempting to add the ability for Incident Resolvers to add and update Knowledge Articles without having an Advanced Operators Users Role set for them. We are unable to use the Advanced Operators User Role as it allows access to other functions (Service / Request Offerings, ability to modify Views). I have used the below PowerShell script to add the classes to the Incident Resolve Role:

    # Connect to the Management Server using the SDK
    # Use the DLLs in the Service Manager SDK folder
    Add-Type -Path "D:\Microsoft System Center\References\Service Manager Assemblies\Microsoft.EnterpriseManagement.Core.dll"
    
    $NameSpace = "Microsoft.EnterpriseManagement";
    $EnterpriseManagementGroupType = "$NameSpace.EnterpriseManagementGroup";
    $EnterpriseManagementGroup = New-Object $EnterpriseManagementGroupType "D-D-SCSM-100.derbyad.net";
    
    
    # Get the user profile that should be changed
    $UserProfile = $EnterpriseManagementGroup.Security.GetProfiles() | where{$_.name -eq "IncidentResolver"}
    
    
    # Get the class to be given access to
    $Class = $EnterpriseManagementGroup.EntityTypes.GetClasses() | where{$_.name -eq "System.Knowledge.Article"}
    
    
    # Prepare variables
    $EmptyGUID = [guid]::empty
    [byte]$RelationshipEndpointByte = "2"
    
    $OperationImplicitScope = [microsoft.enterprisemanagement.security.OperationImplicitScope]
    $RelationshipEndpoint = [microsoft.enterprisemanagement.security.RelationshipEndpoint]
    #$OperationImplicitScope | FL
    
    
    # Give access to create (Add) new objects of class type (Operations "Object__Add")
    $ObjectAdd = $UserProfile.Operations | where{$_.Name -eq "Object__Add"}
    
    $ObjectAdd.ImplicitScopes | FL
    
    $ImplicitScopes = $ObjectAdd.ImplicitScopes | where{$_.Class -eq $Class.Id -and $_.IsCustomized -eq $true}
    
    foreach ($ImplicitScope in $ImplicitScopes)
    {
        $ObjectAdd.ImplicitScopes.Remove($ImplicitScope)
    }
    
    $ObjectAdd.ImplicitScopes | FL
    
    $OperationImplicitScopeObject = New-Object $OperationImplicitScope -ArgumentList @($Class.Id, $EmptyGUID, $EmptyGUID, $RelationshipEndpointByte)
    
    $ObjectAdd.ImplicitScopes.Add($OperationImplicitScopeObject)
    
    $UserProfile.Update()
    
    
    # Give access to edit (Set) objects of class type (Operations "Object__Set")
    $ObjectSet = $UserProfile.Operations | where{$_.Name -eq "Object__Set"}
    
    $ObjectSet.ImplicitScopes | FL
    
    $ImplicitScopes = $ObjectSet.ImplicitScopes | where{$_.Class -eq $Class.Id -and $_.IsCustomized -eq $true}
    
    foreach ($ImplicitScope in $ImplicitScopes)
    {
        $ObjectSet.ImplicitScopes.Remove($ImplicitScope)
    }
    
    $ObjectSet.ImplicitScopes | FL
    
    $OperationImplicitScopeObject = New-Object $OperationImplicitScope -ArgumentList @($Class.Id, $EmptyGUID, $EmptyGUID, $RelationshipEndpointByte)
    
    $ObjectSet.ImplicitScopes.Add($OperationImplicitScopeObject)
    
    $UserProfile.Update()

    This results in the analyst still getting an Access Denied error message when setting up a relationship from an Incident to Knowledge Article.

    Error Message:

    Date: 11/06/2018 11:49:22
    Application:
    Application Version: 7.5.7487.0
    Severity: Error
    Message:
    Microsoft.EnterpriseManagement.Common.UnauthorizedAccessEnterpriseManagementException: The user %USERNAME% does not have sufficient permission to perform the operation.
       at Microsoft.EnterpriseManagement.Common.Internal.ServiceProxy.HandleFault(String methodName, Message message)
       at Microsoft.EnterpriseManagement.Common.Internal.ConnectorFrameworkConfigurationServiceProxy.ProcessDiscoveryData(Guid discoverySourceId, IList`1 entityInstances, IDictionary`2 streams, ObjectChangelist`1 extensions)
       at Microsoft.EnterpriseManagement.ConnectorFramework.IncrementalDiscoveryData.CommitInternal(EnterpriseManagementGroup managementGroup, Guid discoverySourceId, Boolean useOptimisticConcurrency)
       at Microsoft.EnterpriseManagement.ConnectorFramework.IncrementalDiscoveryData.CommitForUserDiscoverySource(EnterpriseManagementGroup managementGroup, Boolean useOptimisticConcurrency)
       at Microsoft.EnterpriseManagement.UI.SdkDataAccess.DataAdapters.EnterpriseManagementObjectProjectionWriteAdapter.WriteSdkObject(EnterpriseManagementGroup managementGroup, IList`1 sdkObjects, IDictionary`2 parameters)
       at Microsoft.EnterpriseManagement.UI.SdkDataAccess.DataAdapters.SdkWriteAdapter`1.DoAction(DataQueryBase query, IList`1 dataSources, IDictionary`2 parameters, IList`1 inputs, String outputCollectionName)
       at Microsoft.EnterpriseManagement.UI.ViewFramework.SingleItemSupportAdapter.DoAction(DataQueryBase query, IList`1 dataSources, IDictionary`2 parameters, IList`1 inputs, String outputCollectionName)
       at Microsoft.EnterpriseManagement.UI.DataModel.QueryQueue.StartExecuteQuery(Object sender, ConsoleJobEventArgs e)
       at Microsoft.EnterpriseManagement.ServiceManager.UI.Console.ConsoleJobExceptionHandler.ExecuteJob(IComponent component, EventHandler`1 job, Object sender, ConsoleJobEventArgs args)

    We used to use the Advanced Operator Role to allow some extended access for our analysts but this caused some issues with them creating their own views and adding new Service and Request Offerings and things started to get in a mess before I started to manage Service Manager. I am suspecting that I may need to add the ability for the User Role to also Add and Edit the ConfigItem class as well but I am unsure if this will fix the issue. Any advice?

    Monday, June 11, 2018 3:09 PM
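
A read-only way to check what a role profile can actually reach after a change like the one in the question, added here as an example and not part of the original post: it reconnects, re-reads the profile, and lists the implicit scopes per operation with class names resolved. It uses only the SDK members the posted script already relies on; the parameter names and the CSV output path are assumptions.

```powershell
# Added example: audit the implicit scopes of a Service Manager user role profile.
# Read-only: it never calls Update(). SDK members used are those from the posted
# script (GetProfiles, Operations, ImplicitScopes, Class, IsCustomized, GetClasses).
param(
    [Parameter(Mandatory)] [string] $ManagementServer,  # management server to connect to
    [Parameter(Mandatory)] [string] $CoreDllPath,       # Microsoft.EnterpriseManagement.Core.dll
    [string]   $ProfileName    = 'IncidentResolver',
    [string[]] $OperationNames = @('Object__Add', 'Object__Set'),
    [string]   $CsvPath        = '.\profile-scopes.csv' # hypothetical output file
)

Add-Type -Path $CoreDllPath
$mg = New-Object Microsoft.EnterpriseManagement.EnterpriseManagementGroup $ManagementServer

# Build a class Id -> class name lookup once, so scopes print readable names
$classNames = @{}
foreach ($c in $mg.EntityTypes.GetClasses()) { $classNames[$c.Id] = $c.Name }

$userProfile = $mg.Security.GetProfiles() | Where-Object { $_.Name -eq $ProfileName }
if (-not $userProfile) { throw "Profile '$ProfileName' not found on $ManagementServer" }

$report = foreach ($opName in $OperationNames) {
    $op = $userProfile.Operations | Where-Object { $_.Name -eq $opName }
    if (-not $op) {
        Write-Warning "Operation '$opName' is not part of profile '$ProfileName'"
        continue
    }
    foreach ($scope in $op.ImplicitScopes) {
        [pscustomobject]@{
            Profile      = $ProfileName
            Operation    = $opName
            ClassId      = $scope.Class
            ClassName    = if ($classNames.ContainsKey($scope.Class)) { $classNames[$scope.Class] } else { '<unknown class>' }
            IsCustomized = $scope.IsCustomized
        }
    }
}

# Full picture first, then only the scopes flagged IsCustomized
# (the flag the posted script filters on before removing and re-adding scopes)
$report | Sort-Object Operation, ClassName | Format-Table -AutoSize
$report | Where-Object { $_.IsCustomized } | Sort-Object Operation, ClassName |
    Format-Table Operation, ClassName -AutoSize

# Keep a dated record so the role's scope can be diffed before and after each change
$report | Export-Csv -Path $CsvPath -NoTypeInformation
```

Running it before and after each profile change and comparing the two CSV files shows exactly which class scopes were added to the role.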