Since I had a hard time finding a clear guide on the topic, here goes...
As a systems administrator / domain admin I typically have access to just about any system. As such, it's no big deal for me to be in the "users" group recommended for the initial Orchestrator install. This group is a bit of a misnomer: these are your designers. So in my case I have a group called "app-scorch-users" which consists of systems administrators.
So the issue is how to provide runbooks specific to other roles. I want my DBAs, developers, and so on to be able to execute their runbooks from the web console with ease, but only the ones we choose, i.e. DBAs can't run developers' runbooks.
- I started by creating a domain group: app-scorch-operators. Anyone who will run (not design) runbooks will go in this group.
- Add that group to the root Runbooks container (right click > Permissions)
- Restrict its access to "read"
- Go to Advanced > Select the group > change "Applies to:" to "This object only"
The purpose of the operators group is simply to grant access to read objects under the "Runbooks" node in the connections pane.
This opens up the ability to assign permissions to users/groups on the subfolders or directly to runbooks. In this example, I am granting several individuals access to a folder (you could create domain groups per folder too).
- So I'll go to the "Patching" folder > Right click > Permissions
- Add any users or groups you'd like to execute runbooks with ONLY Read
- Once added, you'll need to add one more thing: "Publish". Otherwise you'll get an error stating the user must have Publish to run a runbook.
- Go to Advanced > Edit > "Show advanced permissions"
- Read properties and list contents will already be checked.
Now when your "Operators" go to the web Orchestrator Console they'll only see the folders where they were granted Read/Publish. (Note: below, "SC2012 Solutions" from the first screenshot is not displayed.)
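To check the result without clicking through the web console, the following added script (not from the original post) queries the Orchestrator web service as a given account and lists the folders and runbooks it is allowed to see. It assumes the default Orchestrator 2012 web service path on port 81 and the Name/Path properties of the Folders and Runbooks feeds; the server name is a placeholder.

```powershell
# Added example: list what the calling (or supplied) account can see in Orchestrator.
# Run it as, or with -Credential for, a member of app-scorch-operators and compare the
# output with the folders you granted Read + Publish on.
param(
    [string]$Server = 'SCORCH-WEB01',        # placeholder: your Orchestrator web service host
    [int]$Port = 81,                          # default web service port (assumption)
    [pscredential]$Credential                 # optional: test as a specific operator account
)

# Default Orchestrator 2012 OData endpoint (assumption: adjust if your install differs)
$base = "http://{0}:{1}/Orchestrator2012/Orchestrator.svc" -f $Server, $Port

function Get-OrchestratorFeed {
    # Fetches an Atom feed and follows "next" links so large folders are fully covered.
    param([string]$Uri)
    $entries = @()
    while ($Uri) {
        $params = @{ Uri = $Uri; UseBasicParsing = $true }
        if ($Credential) { $params.Credential = $Credential }
        else { $params.UseDefaultCredentials = $true }
        [xml]$feed = (Invoke-WebRequest @params).Content
        if ($feed.feed.entry) { $entries += @($feed.feed.entry) }
        $next = $feed.feed.link | Where-Object { $_.rel -eq 'next' }
        $Uri = if ($next) { $next.href } else { $null }
    }
    return $entries
}

# The service trims results to objects the caller has Read on, so these lists are the
# effective view for that account.
$folders  = Get-OrchestratorFeed "$base/Folders"
$runbooks = Get-OrchestratorFeed "$base/Runbooks"

"Folders visible to this account:"
$folders | ForEach-Object { "  " + $_.content.properties.Path }

"Runbooks visible to this account:"
$runbooks | ForEach-Object {
    $p = $_.content.properties
    "  {0}  ({1})" -f $p.Name, $p.Path
}
```

A folder that shows up here but whose runbooks fail to start from the console is the Publish symptom described above: Read was granted on the folder but Publish was not.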