OK - Really no need for that, because if you choose all targets, it means all 
targets hosted by the object (server) in your group.

If you choose, for example, to scope targets to 'Logical disk', you can limit 
your user to only operate on logical disk for the servers in your group.



Kind regards

Henrik Andersen
Tools

Direct 636 36158
Mobile +45 21 57 90 37
[email protected]

JN Data A/S · Havsteensvej 4 · 4000 Roskilde
Telephone 63 63 63 63 / Fax 63 63 63 64
www.jndata.dk


From: [email protected] [mailto:[email protected]] On 
behalf of Froese, Ethan
Sent: 25 February 2015 17:29
To: [email protected]
Subject: [msmom] RE: restricting the Monitoring View

#2 - I did restrict the target to the created group.

Ethan Froese
Vended Applications - Team Lead
Division of IT - University of Missouri

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Henrik Andersen
Sent: Wednesday, February 25, 2015 10:24 AM
To: [email protected]<mailto:[email protected]>
Subject: [msmom] SV: restricting the Monitoring View

Hi!

As I understand it, you have:

1. Created a group with one object as member
2. You have created a new Author Role with no scope on targets, but 
   scoped to the group created in 1.
3. Added a user to that role.
4. The user, when logged in, can do anything in the Monitoring pane.

Yes, it seems that you can create folders and views in unsealed MPs, but you 
can only see and operate on objects you have permission for (objects in your 
group).

/Henrik

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On behalf of Froese, Ethan
Sent: 25 February 2015 16:15
To: [email protected]<mailto:[email protected]>
Subject: [msmom] restricting the Monitoring View

Hey all - working with a 2007 R2 system - though the problem exists in the new 
2012 environment as well.

We are trying to fine-tune roles so different groups only see what they need 
within the Console yet have enough Authoring rights to get day to day work done.

No matter how fine I tweak the "Authoring Security Profile Role", the user sees 
way too much via the monitoring tab.  The user can also create objects within 
other pre-created folders too.

Testing -
Created a group and a new MP - Same MP used throughout the testing.
Added one Windows Server Role to the group - (Windows Server|Filter by 
Name|Server object name)
Created a Test Folder and an alert view - assigned all alerts to the group 
above.
Created Authoring Security Profile and added one user to the Profile.  
Restricted the View and Group scope to only the one relevant folder/alert view.
User has no rights in any other Security Profile Role. This has been verified 
by checking any other created Profiles. When I remove the user from the profile 
I created, the user has zero rights to the Opsman console. Can't even log in.

However, when I use the Operator Profile - the user can only see what they have 
rights to but the user can't create anything.

Is this normal behavior in Opsman? If so, it strikes me as odd that the wizard 
walks you thru a scenario where it really looks like you can tighten things 
down.

Thanks - Ethan - University of Missouri
