In Service Manager one uses user roles to give access to the application. If a user account or a group that a user belongs to is assigned one of those user roles, he will be able to perform specific tasks in Service Manager. User roles can be easily configured from the Service Manager console, but sometimes some additional magic is needed.
Script updated 12.01.2014!
SCSM User Role customization – Part 1 (this post)
SCSM User Role customization – Part 2
A user role consists of the following elements (configured when you run the user role wizard):
- User profile
- Queues
- Groups
- Catalog Groups
- Tasks
- Views
- Templates
- Users
By selecting specific queues, groups, views or templates you can control what a user role will be able to see and do in Service Manager. By creating your own objects of the listed types, you can be very flexible. But wait, what about the user profile? This selection is preconfigured and defines which work item classes a specific user role can create and edit. For instance, the “Incident Resolvers” user profile allows creating and editing objects of the work item class “Incident” (plus it has access to some other work item classes). For all the predefined work item types (incidents, problems, change requests, service requests etc.) you have a default user profile. But what happens if you need to create your own work item types and want to tightly control access to those objects? In this case you have the option to modify/extend existing user profiles and give them access to additional work item classes using the Service Manager SDK.
The example below demonstrates how an existing user profile can be extended with PowerShell to cover a custom work item class. After executing the script below, the default “Incident Resolvers” user profile will be able to create and edit objects of a custom work item class (in this example called “MyWorkItemClass”). Check the path to the SDK binaries in your environment.
```powershell
# Connect using the SDK.
# Use the DLLs in the Service Manager SDK folder.
Add-Type -Path "C:\Program Files\Microsoft System Center 2012\Service Manager\SDK Binaries\Microsoft.EnterpriseManagement.Core.dll"
$NS = "Microsoft.EnterpriseManagement"
$EMGType = "$NS.EnterpriseManagementGroup"
$emg = New-Object $EMGType localhost

# Get the user profile that should be changed.
$prof_ir = $emg.Security.GetProfiles() | where { $_.Name -eq "IncidentResolver" }

# Get the class to give access to.
# -match is a regular-expression match: confirm it returns exactly one class before continuing.
$class_ssr = $emg.EntityTypes.GetClasses() | where { $_.Name -match "MyWorkItemClass" }

# Preparation.
$emptyguid = [guid]::Empty
[byte]$relendpoint = 2
$oiscope = [Microsoft.EnterpriseManagement.Security.OperationImplicitScope]

# Give access to create (add) new objects of the class type (operation "Object__Add").
$obj_add = $prof_ir.Operations | where { $_.Name -eq "Object__Add" }
$oiobject = New-Object $oiscope -ArgumentList @($class_ssr.Id, $emptyguid, $emptyguid, $relendpoint)
$obj_add.ImplicitScopes.Add($oiobject)
$prof_ir.Update()

# Give access to edit (set) objects of the class type (operation "Object__Set").
$obj_set = $prof_ir.Operations | where { $_.Name -eq "Object__Set" }
$oiobject = New-Object $oiscope -ArgumentList @($class_ssr.Id, $emptyguid, $emptyguid, $relendpoint)
$obj_set.ImplicitScopes.Add($oiobject)
$prof_ir.Update()
```
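To confirm that the change touched only the intended operations, the profile's implicit scopes can be captured before and after `Update()` and compared. The following is an added example, not part of the original script: the function names are hypothetical, and the stand-in objects (including the `ClassId` and `RelationshipEndpoint` property names on the scope) are constructed so that it runs without a management server.

```powershell
# Added example (not the author's script). Function names are hypothetical.
# Only Name, Operations and ImplicitScopes are read, as in the script above.
function Get-ProfileScopeSnapshot {
    param([Parameter(Mandatory = $true)] $UserProfile)
    foreach ($op in $UserProfile.Operations) {
        foreach ($scope in $op.ImplicitScopes) {
            # Flatten whatever properties the scope exposes; no property names are assumed.
            $detail = ($scope.PSObject.Properties | Sort-Object Name |
                ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }) -join '; '
            '{0} | {1}' -f $op.Name, $detail
        }
    }
}

function Compare-ProfileScopeSnapshot {
    param([string[]] $Before, [string[]] $After)
    # Drop nulls so that an empty snapshot compares as an empty list.
    $b = @($Before | Where-Object { $_ })
    $a = @($After | Where-Object { $_ })
    [pscustomobject]@{
        Added   = @($a | Where-Object { $b -notcontains $_ })
        Removed = @($b | Where-Object { $a -notcontains $_ })
    }
}

# Constructed stand-ins for the SDK objects (the scope property names are made up).
$classId = [guid]'11111111-1111-1111-1111-111111111111'
$objAdd = [pscustomobject]@{ Name = 'Object__Add'; ImplicitScopes = (New-Object System.Collections.ArrayList) }
$objSet = [pscustomobject]@{ Name = 'Object__Set'; ImplicitScopes = (New-Object System.Collections.ArrayList) }
$fakeProfile = [pscustomobject]@{ Name = 'IncidentResolver'; Operations = @($objAdd, $objSet) }

$before = Get-ProfileScopeSnapshot $fakeProfile

# Simulate the two grants the script makes.
foreach ($op in $fakeProfile.Operations) {
    [void]$op.ImplicitScopes.Add([pscustomobject]@{ ClassId = $classId; RelationshipEndpoint = 2 })
}

$after = Get-ProfileScopeSnapshot $fakeProfile
$diff = Compare-ProfileScopeSnapshot -Before $before -After $after
$diff.Added      # the grants that were added
$diff.Removed    # stays empty when nothing was taken away
```

Against a live management group, pass the profile object selected from `$emg.Security.GetProfiles()` in place of `$fakeProfile` and keep the two snapshots with the change record.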
More in the next blog post!
Cheers
Marcel
Very useful! Thanks!
Instead of granting a user the ability to create and edit objects of my custom class, I need to deny create and edit. Any suggestion?
Hey
Can't you solve this by using a different User Profile?
Cheers
Marcel
I’ve created three custom configuration items. I need a role to be able to create/edit only one of the configuration item types and to display the other two.
Then I will need another role to read only all the items.
Thanks!
Thanks Marcel this helped me a lot!