Modifying access in SCOM user roles – without the console


In general, the *supported* method to add users and groups to user roles is using the console.  This is article will demonstrate an alternative method, that might be needed in cases where security got totally messed up, our a critical admin group got deleted.

The idea came from Michel Kamp’s article:

Authorization Manager source (AzMan) was moved from a file in SCOM 2007, to a SQL database store in SCOM 2012.  It was possible in SCOM 2007, to accidentall delete the domain group used for SCOM admins, and lock out access.  To read about how to recover this scenario in SCOM 2007 see:

In SCOM 2012, you can load up Authorization Manager from SQL.  Here is how.

On your SCOM management server, open a MMC, and load the Authorization Manager snap in.



Once you lad that, right click Authorization Manager in the left pane and choose “Open Authorization Store”



Choose Microsoft SQL and input the properly formatted connect string.  Here is an example:

mssql://Driver={SQL Server};Server={SERVERNAME\INSTANCE};/OperationsManager/AzmanStore

Replace SEVERNAME\INSTANCE with your SCOM SQL server name (and named instance if needed) and change “OperationsManager” to whatever your SCOM OpsDB is named.  Here is mine:

mssql://Driver={SQL Server};Server={DB01};/OperationsManager/AzmanStore

When this opens up – you can see a list of GUIDS.  Each represents a built-in user role or custom scoped user role.  Expand 597f9d98-356f-4186-8712-4f020f2d98b4 and look at the Role Assignments:



We can see that belongs to The Operations Manager Administrators role.

Right click the top level GUID 597f9d98-356f-4186-8712-4f020f2d98b4 in the left hand side, and choose Properties:


On the security tab – you can add new groups here, or even individual users.



The above should only be used in a recovery scenario, use the console to directly administer membership of user roles.

Comments (8)

  1. Kevin Holman says:

    “Technically” ? Maybe.
    “Supported” ? No.

  2. bill says:

    Since I can’t create a new Administrator level role that is scoped via the console, could this be a way to do so? I have developers that would like to be able to work with the APM templates but can’t because I don’t want to give them Administrator rights. Ok, so they are members of Administrators so they can get into AppDiagnostics (bad design on the part of that PG. IMO) but I keep them away from the full console.

  3. Anonymous says:

    You may be one of those asking:
    Why an Operator can’t see the monitor properties so that they

  4. Good Post Kevin, Just to add, you need to have full rights on the OperationsManager DB to make any changes(add/remove) in user roles.

  5. Ian Smith says:

    If you add a user as a member does it show up in the console? Also can any SQL SA make him self a SCOM admin this way? Mwahaha

  6. If you add a user as a member does it show up in the console? Also can any SQL SA make him self a SCOM admin this way? Mwahaha

  7. talha says:

    thank you so much