In the first part of SCSM role customization I showed how you can modify existing user profiles to target additional work item classes. If you followed my post you recognized that when customizing the user profile you can allow specific users – that are members of a user role that uses this user profile – to create and edit objects of a specific work item class (like an existing or a custom one). However, if your custom work item class also uses relations to other objects, these relationships can NOT be edited with the configuration I demonstrated. For this some more magic is needed.
SCSM User Role customization – Part 1
SCSM User Role customization – Part 2 (this post)
In part 1 we added a new ImplicitScope to create new work item objects (Operation “Object__Add”) and to edit existing work item objects (Operation “Object__Set”). To give the user profile access to the relationship we need to add another entry to the “Object__Set” operation. The following PowerShell script does it (check the path to the SDK binaries in your environment).
#connect using sdk
# use the dll’s in the Service Manager SDK folder
Add-Type -path “C:\Program Files\Microsoft System Center 2012\Service Manager\SDK Binaries\Microsoft.EnterpriseManagement.Core.dll”
$NS = “Microsoft.EnterpriseManagement”;
$EMGType = “$NS.EnterpriseManagementGroup”;
$EMG = new-object $EMGType localhost;
#get the user profile that should be changed
$prof_ir = $emg.Security.GetProfiles() | where{$_.name -eq “IncidentResolver”}
#get the class where the relationship goes to (not the class that new objects are created! in this example my work item class has a relationship to the active directory user class, so I get the id of this class)
$class_aduser = $emg.EntityTypes.GetClasses() | where{$_.id -eq “10a7f898-e672-ccf3-8881-360bfb6a8f9a”}
#get relationship
$rel = get-scsmrelationshipclass MyWorkItemClassHasAnalyst
#prepare
$relendpoint = [microsoft.enterprisemanagement.security.RelationshipEndpoint]
$oiscope = [microsoft.enterprisemanagement.security.OperationImplicitScope]
#give access to edit (set) the relationship (Operation “Object__Set”)
$obj_set = $prof_ir.operations | where{$_.name -eq “Object__Set”}
$relendpointobject = New-Object $relendpoint
$oiobject = New-Object $oiscope -ArgumentList @($class_ADUser.id,$rel.id,$relendpointobject)
$obj_set.ImplicitScopes.Add($oiobject)
$prof_ir.Update()
That’s it! After the script is executed the user profile now allows to edit the targeted relationship and therefore user role owners will be allowed to add, edit or delete related objects in this relationship.
Stay tuned for the next post!
Cheers
Marcel
Pingback: SCSM User Role customization using PowerShell and SDK – Part 1 | marcelzehner.ch
Pingback: Customize Service Manager User Profiles by using C# and SDK | scsmlab
This is really great. I would like to pose a question if I may. How would one go about adding more than one (two or three) properties to a User profile? For example: If a customer would like Change Implementers to alou ways be able to modify the Reason and description fields on a CR.
Thank you again.
Hey
You should be able to run this multiple times for multiple relationshipsto other classes. That works.
Cheers
Marcel