Part 2: SCSM Security User Roles Script

This blog post outlines the script posted on Technet Gallery that will make it easier to see what User roles a user has, what permissions have been assigned to a User Role and where a tasks/view/etc has been assigned to a User Role.

The script also allows you to export a report in CSV format of all the user roles and associated permissions or run a report on a specific role. This can be useful if you want to audit the user roles in Service Manager or document what has been set. It can also be useful if you want to copy the security settings between SCSM instances.

Also refer to Part 1: SCSM Security User Roles

Powershell Version

For the script I have used the out of the box PowerShell rather than SMLets. The main command that I use is Get-SCSMUserRole and both of SMLets and Standard SCSM PowerShell have a the cmdlet, but they give different output.

There is a downside to using the standard PowerShell command and it relates to the display name on CI Groups, Catalog Groups or Queues - this will display may not honor the display language of the console and will sue the language settings from the install on the first server.

Also y using the standard PowerShell version I have sacrificed some information about which management pack the data is stored in.

It was too difficult (and very confusing) to load and unload the different PowerShell modules to be able to use both versions of the Get-SCSMUserRole command.

Standard SCSM PowerShell Get-SCSMUserRole Output:

SMLets PowerShell Get-SCSMUserRole Output

SMLets and Standard PowerShell Get-SCSMUSerRole

The screenshots the output above are different and they have different properties and data.

The main differences between SMLets and Standard PowerShell Get-SCSMUSerRole are:

SMLets does not have the "All" settings - Alltasks, AllQueues, AllViews, AllTemplates etc.
SMLets groups Queues, CI Groups and Catalog Groups under one property - Objects
SMLets does have Management Pack Name where things are stored more often than Standard PowerShell. To see this you need to expand each of the properties eg see all the properties for each member of Views and management pack name will be displayed.
Standard PowerShell has a language issue with CI Groups, Catalog Groups or Queues - the displayname used is the default language rather than the current language.
SMLets does not have any information on tasks.

You might need to run the SMLets version of Get-SCSMUserRole manually to get the information that the standard version does not get.

Other Useful PowerShell Commands

These PowerShell Commands can also be useful as well:

Get-SCSMTask
Get-SCSMView
Get-SCSMTemplate
Get-SCSMGroup
Get-SCSMQueue

Script: SecurityUserRoles

The script starts by getting all the User Roles in the SCSM instance - this can take a bit of time (up to 3-5 mins in an instance with a lot of roles), but it is only done once and it is used by most of the options in the script. The script does not exit until you are finished running the options you need.

The script uses a PowerShell "GUI" that prompts for the input - a bit old school, but it is simple for Administrators to use and they don't need to remember or worry about what parameters to use.

The colors made sense to me, but feel free to edit them to something you like. The theme was Green for general information and Yellow for where a choice or input was required.

Script menu Options

The script has a lot of options to choose from and they can be broken down into the following sections:

Find what has been assigned to a User Role

Input a role name and get:

the direct assigned users and groups
the assigned tasks
the assigned templates
the assigned views
the assigned queues
the assigned CI Groups
the assigned Catalog Groups

Note: to find all objects associated with a User Role use the Specific Report option 22

Input a UserID to find User Roles

a User ID - will recursively find all groups for a user ID (Samaccountname) and then check which User Roles the user is assigned to.

Note this assumes the user and SCSM instance are in the same domain.

All Settings

A list of where the All settings, AllTasks, AllViews, AllQueues etc, have been used. These are usually one of the main reasons why analysts can "see" too many things.

Input Object to find the associated User Roles:

a task display name
a template display name
a view display name
a catalog group display name (language settings may be an issue)
a CI Group display name (language settings may be an issue)
a queue display name (language settings may be an issue)

List the display name of all objects of a particular type

This is very useful if the script is not accepting the display name you have entered for an object and it might be using a different language value or slightly different name: