Wednesday, April 2, 2014

Grant Access to Specific Runbooks in Orchestrator

Since I had a hard time finding a clear guide on the topic here goes...

As a systems administrator / domain admin I typically have access to just about any system, so it is no big deal for me to be in the "users" group recommended for the initial Orchestrator install. That group name is a bit of a misnomer: these are your designers. So in my case I have a group called "app-scorch-users" which consists of systems administrators.

So the issue is how to provide runbooks specific to other roles. I want my DBAs, developers, and so on to be able to execute their runbooks from the web console with ease, but only the ones we choose, i.e. DBAs can't run the developers' runbooks.

  • I started by creating a domain group: app-scorch-operators. Anyone who will run (not design) runbooks goes in this group.
  • Add that group to the root Runbooks container (right click > Permissions)
  • Restrict its access to "Read"
  • Go to Advanced > select the group > change "Applies to:" to "This object only"

The purpose of the operators group is simply to grant access to read objects under the “Runbooks” node in the connections pane.

This opens up the ability to assign permissions to users or groups on the subfolders, or directly to individual runbooks. In this example I am granting several individuals access to a folder (you could create a domain group per folder too).

  • So I'll go to the "Patching" folder > right click > Permissions
  • Add any users or groups you'd like to be able to execute runbooks, with ONLY Read

  • Once added, you'll need to grant one more thing: "Publish". Otherwise the operator gets an error stating that the user must have Publish permission to run a runbook.
  • Go to Advanced > Edit > "Show advanced permissions"
  • "Read properties" and "List contents" will already be checked; check "Publish" as well.

Now when your "Operators" go to the Orchestrator web console they'll only see the folders where they were granted Read/Publish. (Note that below, the "SC2012 Solutions" folder from the first screenshot is not displayed.)
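As an added example that is not part of the original post, the following PowerShell creates the two domain groups described above (the designers group "app-scorch-users" and the run-only group "app-scorch-operators") and then checks what an operator account actually sees through the Orchestrator 2012 web service, so you can confirm the folder scoping before handing the console over. The OU path, server host name and member account names are placeholders; the folder and runbook permissions themselves are still set in Runbook Designer as described in the steps above (the post gives no scripted way to set Publish, and this example does not claim one).

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module
# (RSAT) and PowerShell 3.0+ for Invoke-RestMethod.
Import-Module ActiveDirectory

$OrchestratorOU = 'OU=Orchestrator,DC=contoso,DC=local'   # placeholder OU path

# Designers get the group used at install time; operators get a separate run-only group.
$groups = @(
    @{ Name = 'app-scorch-users';     Description = 'Orchestrator runbook designers' },
    @{ Name = 'app-scorch-operators'; Description = 'Orchestrator runbook operators (run only)' }
)

foreach ($g in $groups) {
    # Idempotent: only create the group if it does not already exist.
    if (-not (Get-ADGroup -Filter "Name -eq '$($g.Name)'")) {
        New-ADGroup -Name $g.Name -GroupScope Global -GroupCategory Security `
                    -Path $OrchestratorOU -Description $g.Description
    }
}

# Operators belong in the operators group only; keep them out of the designers group
# so they can run, but not edit, runbooks.
Add-ADGroupMember -Identity 'app-scorch-operators' -Members 'dba01', 'dev01'   # placeholder accounts

# Verification: run this part while signed in as one of the operator accounts.
# The Orchestrator web service returns only the folders and runbooks the caller
# is allowed to read, so the output should be limited to the folders granted above
# (e.g. "Patching") and should not include folders such as "SC2012 Solutions".
$svc = 'http://orchestrator.contoso.local:81/Orchestrator2012/Orchestrator.svc'   # placeholder host

$folders  = Invoke-RestMethod -Uri "$svc/Folders"  -UseDefaultCredentials
$runbooks = Invoke-RestMethod -Uri "$svc/Runbooks" -UseDefaultCredentials

"Folders visible to $env:USERNAME:"
$folders  | ForEach-Object { $_.content.properties.Name }
"Runbooks visible to $env:USERNAME:"
$runbooks | ForEach-Object { $_.content.properties.Name }
```

If the verification lists more than the folders you granted, the operator account is picking up access from another group membership (for example the designers group or a local administrators group on the Orchestrator server), which is the first thing to check.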