Setting System Center Orchestrator Runbook Operator Privileges

Hi,

A common question I keep getting from my customers is: how do I set Orchestrator Operator privileges in specific Runbook contexts?

This post gives you a simple and precise set of guidelines to answer that question.

The Scenario:

The "WSUS Operators" domain group needs only Operator access (Start/Stop/Assess Runbook execution) on the WSUS Runbook structure within Orchestrator, using the Orchestrator Console.

Enabling listing of Runbooks\Folders

This is required; otherwise nothing is listed in the Orchestrator Console.

Set permissions for the user or group (a group is recommended) on the "Runbooks" root folder in the Designer Tool:

  • Right-click Runbooks > Permissions

  • Click Add to include the Group ("WSUS Operators" in this example)

  • Click Advanced
  • Select the group you added
  • Click Edit
  • Click Show Advanced Permissions
  • Set permissions as follows:

  • Click OK > Apply > OK > OK
  • Permissions should then show as follows:

NOTE: To make the changes take effect quickly, run the following SQL statement against your Orchestrator database:

TRUNCATE TABLE [Microsoft.SystemCenter.Orchestrator.Internal].AuthorizationCache

Setting specific Runbook Execution privileges

Set permissions for the user or group (a group is recommended) on the specific Runbooks\Folders (Read, List, Publish):

  • Right-click the specific folder (in this case "WSUS") > Permissions

  • Click Add to include the Group ("WSUS Operators" in this example)

  • Click Advanced
  • Select the group you added
  • Click Edit
  • Click Show Advanced Permissions
  • Set permissions as follows:

  • Click OK > Apply > OK > OK
  • Permissions should then show as follows:

NOTE: To make the changes take effect quickly, run the following SQL statement against your Orchestrator database:

TRUNCATE TABLE [Microsoft.SystemCenter.Orchestrator.Internal].AuthorizationCache

  • The Orchestrator Console should then show only the WSUS structure, preventing access to the other Runbook contexts for any Operator who is a member of the "WSUS Operators" group.

The above is what the Operator sees even though additional Runbooks\Folders exist.

Hope the above helps!