You are browsing the archive for 2010 March.

Service Manager role based security scoping

9:12 pm in Uncategorized by kurtvh

An important aspect of the overall configuration of the Service Manager environment is providing access to SCSM to perform operations. This should happen in a controlled way, so that End Users, Operators, Resolvers, Change Owners… can easily access SCSM and perform their tasks in a controlled environment.

With role-based security scoping in SCSM, it is possible to configure a controlled environment for different service roles. An SCSM role profile is a configuration set that defines access to objects, views in the console, operations the members can perform, and the members of the role (AD user/group). The SCSM components of a user role are:

  • The security scope: This is the security boundary in SCSM. Boundaries can be set on group/queue, class, property and relationships.
  • UI filter scope: This filter defines what an operator can see in the SCSM console. Limiting the options visible in the console improves usability. UI filters can be set on console tasks, templates and views.
  • User role profile: SCSM includes some predefined user profiles that include a set of allowed operations with a class/property/relationship scope over objects.
  • User assignment: The members of the user role in SCSM. This can be set for users or groups. (Using groups is always recommended.)

When configuring role-based security scoping, we have to think about the profiles that have to be defined in SCSM with the corresponding operations. The set of profiles is specific to each implementation and needs to be defined upfront.

The following example “runs” through the creation of the Mail incident resolver role.

Example info:

  • Only incidents from the “Email problem” category need to be visible for the role.
  • The mgmt console Views access is limited.
  • User roles can be controlled with AD security group.

Preparing the Security Scope

As specified above, Security Scope for a user profile can be specified on different levels. This preparation step goes through the creation of the group and the incident queue for further use in the user profile creation.

Create a group in SCSM

Creating a group in the SCSM console is a straightforward task. In this example the

  • In the Service Manager console, click Library, expand Library, and then click Groups.
  • In the Tasks pane, click Create Group.
    • On the Before You Begin page, click Next.
    • On the General page, do the following:
      • Provide a name for the group, such as Email Servers.
      • In the Description text box, type a description for the group.
      • Under Management pack, make sure that an unsealed management pack is selected. In our example we store the information in a dedicated custom mgmt pack.
      • Click Next.


    • On the Included Members page, click Add.
      • In the Select Objects dialog box, select a class such as “Windows Computer”. (Groups can include members of the same class or from different classes.)
      • In our example select all the Exchange servers in the organization.
      • Click OK, click Next


    • On the Dynamic members page, click Next.
    • On the Subgroups page, click Next.
    • On the Excluded Members page, click Next.
    • On the Summary page, confirm the group settings that you made, and then click Create.
    • On the Completion page, make sure that you receive the following confirmation message, and then click Close.


Create the incident queue

Next step in the preparation of the User Role profile configuration is to create a Queue for incidents.

  • In the Library pane, expand Library, and then click Queues.
  • In the Tasks pane, click Create Queue.
  • On the Before You Begin page, click Next.
  • On the General page:
    • Type a name in the Queue name box. (In our example, Mail incidents Queue.)
    • For the Work item type box, in the Select a Class dialog box, select a class (in our case “Incident”), and then click OK.
    • In the Management pack list, select the same “roles” mgmt pack that is used to create the group (keeping things together).
    • Click Next.


  • On the Criteria page, build the criteria that you want to use to filter work items for the queue, and then click Next
    • In our example, select the Classification Category property in the “Available Properties” area, click Add.
    • In the list, select Email Problems, and then click Next.
    • (More than one criterion can be specified on this page.)


  • On the Summary page, click Create to create the queue.
  • On the Completion page, click Close.


Create a User role Profile in SCSM

Now that the group and queue are created in the SCSM console, the User Role Profile creation can start. Groups and queues are two configuration items of a User Profile. Mgmt pack access, views, templates and tasks are other configuration items in the wizard. If there is a need to limit access to these items, then this information needs to be available before the creation of the profile.

Example step-by-step for the email incident resolver user profile:

  • In the Administration pane of the SCSM console, expand Security, and then select User Roles.
  • In the Tasks pane under User Roles, select Create User Role, and then select the user role profile.
    • In our example we select the Incident Resolver role.


  • On the Before You Begin page, click Next.
  • On the General page, enter a name and description for this user role, and then click Next.
    • Important Info: on the general page of each predefined role there is a clear description of the rights of the selected role profile.


  • On the Management Packs page, select the management packs that contain the data that you want to assign access to. In our example “select all” and click Next.


  • On the Queues page, select the Queues that this user role will have access to, and click Next. Here we use the just created Queue for our Email Incident Resolvers role.


  • On the Groups page, select the Groups that this user role will have access to, and click Next. Here we use the just created Group for our Email Incident Resolvers role.


  • On the Tasks page, select the Tasks that this user role will have access to, and click Next. In our example I don’t limit the available tasks.


  • On the Views page, select the Views that this user role will have access to, and click Next. In our example I want to limit the view in the mgmt console and selected only items from Incident management and configuration management.


  • On the Form Templates page, select the Templates that this user role will have access to, and click Next. In our example I don’t limit the available templates.


  • On the Users page, click Add, and use the Select Users or Groups dialog box to select users and user groups from Active Directory Domain Services for this user role, and click Next.


  • On the Summary page, review settings and click Create.
  • On the Completion page, click Close.


To validate the creation of a user role

  • In the Service Manager console, verify that the newly created user role appears in the middle pane.
  • Log on to the Service Manager console as one of the users assigned to the user role.
    • Verify the access in the mgmt console
    • Verify the Views in the mgmt console


  • Only the “Work Items” and “Configuration Items” panes are visible for the user. The “Work Items” pane is limited by the Views filter in the configuration of the profile.
  • Only Incidents from the Email queue are visible in the console
  • Read-only access to the configuration items in the console
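
The expected results above can also be written down as a small access model. This is an added example, not part of the original post and not SCSM's own code: it is a simplified Python sketch of the Email Incident Resolvers role from the walkthrough, and the CI names, the AD group name and all class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Simplified model for illustration; not SCSM's internal implementation.
# CI names and the AD group name are constructed sample values.

@dataclass(frozen=True)
class Incident:
    id: str
    classification: str

@dataclass
class Queue:
    name: str
    classification: str  # the single criterion used in the walkthrough

    def contains(self, incident):
        # Membership follows the criteria, so it changes when the incident does.
        return incident.classification == self.classification

@dataclass
class UserRole:
    name: str
    queues: list   # security scope for work items
    groups: dict   # security scope for CIs: group name -> member CI names
    views: set     # UI filter scope: what the console shows, not the boundary
    members: set   # AD groups assigned on the Users page

    def can_see_incident(self, user_groups, incident):
        if not (self.members & user_groups):
            return False
        return any(q.contains(incident) for q in self.queues)

    def ci_access(self, user_groups, ci_name):
        if not (self.members & user_groups):
            return "none"
        scoped = any(ci_name in cis for cis in self.groups.values())
        return "read-only" if scoped else "none"

ROLE = UserRole(
    name="Email Incident Resolvers",
    queues=[Queue("Mail incidents Queue", "Email Problems")],
    groups={"Email Servers": {"EXCH01", "EXCH02"}},
    views={"Incident Management", "Configuration Management"},
    members={"EXAMPLE\\Mail-Resolvers"},
)

def visible_incidents(role, user_groups, incidents):
    """Ids of the incidents a user with these AD groups can see."""
    return [i.id for i in incidents if role.can_see_incident(user_groups, i)]
```

Because the queue is defined by a criterion, an incident that is reclassified to or from “Email Problems” enters or leaves the role's scope without any change to the role itself, which is worth including when you test a new role.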

This is just an example of how you can set up a user profile. There are a lot of different roles with different configuration items that can be set in SCSM; it all depends on the requirements of the environment. Keep in mind that each additional role profile that is created will put an additional load on the server.

I hope this gives you an idea how to configure role based security scoping for your environment.


Have fun!



System Center Service Manager Update

9:28 am in Uncategorized by kurtvh

In the last weeks there were some major updates on the release of System Center Service Manager. A little overview:

  • The availability of the EN-US version of Service Manager Release Candidate (RC) was announced. In this build there are some significant improvements to stability and performance as well as a number of additional features:
    • Improved Performance, Scale and Stability
    • Improved Notifications with batching email
    • New Change Management Features
      • Reviewer Notification
      • Line Manager Approval
    • New and Updated Reports
    • Improved Self Service Software Provisioning
    • Improved View Editing
    • UX Improvements throughout the product
    • Data Warehouse improvements
    • Authoring Tool Improvements
      • Extending and adding classes and relationships
      • Support for controls in form customization
      • Added workflow activities in activity library
    • Disaster Recovery
    • Localizability and Globalization bug fixes
    • Supportability bug fixes
    • To download, simply go to the Downloads link for this connection, and find Service Manager Release Candidate or follow this direct link and then select all of the following three files on the download details page:
      • SMCDImage_AMD64.exe
      • SMCDImage_x86.exe
  • Service Manager needs Authorization Manager Hotfix
  • Authoring Console Beta 2 Preview Released!!
    • TAP and RDP customers can now download the Authoring Console Beta 2 Preview from Connect.  This version of the authoring console will work with the recently released RC version of Service Manager.
      • This release contains several key improvements and new features, including :
      • Support for additional controls in form customization
      • Additional activities in the workflow activity library
      • Class editor for creating and extending classes and relationships
      • UX & Usability improvements all around
  • Maybe not directly the latest news, but an important topic in the Service Manager environment is the Microsoft Operations Framework. Microsoft Operations Framework (MOF) 4.0 delivers practical guidance for everyday IT practices and activities. SCSM helps to apply and automate these activities. People who want to go a bit deeper in this framework:

Have fun with the RC testing.

Kind Regards,


MMS 2010 is only 6 weeks away and SCUG will be there…

10:35 am in Uncategorized by kurtvh

Yes, MMS 2010 is coming soon and it will be an exciting week. The complete SCUG team from Belgium will be there!

My schedule is made and I will have a more or less complete Service Manager week. From Service Manager assessment to customizing the environment, a complete track is available in this week. Little overview:

Breakout sessions:

  • Implementation, Architecture and Administration of a Service Manager Deployment
  • Service Manager Integration with System Center
  • Extending and Customizing Service Manager
  • Service Manager 2010: Drilldown
  • System Center Service Manager: Pre-assessment Considerations
  • Service Manager: Data Warehouse and Custom Report Creation
  • Real World Incident Management on
  • Automating and Simplifying Compliance and Risk with System Center: Tour Compliance and Risk Mgmt with System Center Service Manager 2010
  • + 3 breakout sessions on Opalis Integration Server
  • + some partner sessions that cover their solutions on top of Service Manager

Instructor lab sessions:

  • Service Manager 2010 Data Warehouse and Reporting
  • Automating IT Processes on Service Manager 2010
  • Incident and Change Management in Service Manager 2010
  • Service Manager Integration with System Center
  • Implementing Service Manager 2010
  • Introduction to Opalis

For the other System Center products, I see a lot of SCCM vNext and SCOM customization sessions. These will certainly be followed by our other SCUG attendees :-)

Maybe we have a big announcement at MMS. There is some speculation, and people are taking bets that Service Manager might be announced as RTM at MMS. (Microsoft to RTM System Center Service Manager at MMS?) I’ll keep you posted on this!