Creating a read-only MOM Operator Console

A question that I hear frequently is “How do I create a read-only Operator Console”?

The MOM security groups are ‘MOM User’, ‘MOM Author’, and ‘MOM Administrator’.  Unfortunately, there is no ‘MOM Read-only User’ security group.  This means that there is no possibility of creating a completely secure read-only user profile.  The Operator Console does not have some other kind of switch on it which will put it into read only mode either.  Bummer!

However, there is some hope.  You can make the web console web site “read-only” and point your users to the web console if you dont want them to change anything.

Here is how you do it:

1. On the server hosting the Microsoft Operations Manager 2005 Web Console
application, open the %INSTALLDRIVE%Program FilesMicrosoft Operations Manager
2005WebConsoleweb.config file in a text editor.

2. In the <appSettings> node change the node “<!–add key=”Readonly”
value=”true”/–>” to “<add key=”Readonly” value=”true”/>”.

3. Stop and Restart the Microsoft Operations Manager 2005 Web Console application
in the Internet Information Services snap-in.

This will disable all of the constrols on the web pages so that nobody can make any changes.

 A few notes on this:

1)  This is not a secure solution.  You will still need to add the users to one of the MOM security roles.  Once  user has been granted the permission, he can either a) install a Opertor Console and use it to change things or 2) write code that calls the DAS directly to change things.

2)  This change will be applicable to all users that access the web console on this server.  If you want to have some users have a read-only experience and some users to have a writable experience in the web console you will need to set up multiple web sites and point the users to the appropriate one depending on what you want them to do.