Getting SCSM security roles of a specific user with PowerShell

SCSM security role delegation can be managed (listed and modified) using PowerShell commands. In this recipe, we discuss and provide steps to list all SCSM security roles a specific user is a member of using the SCSM PowerShell commands.

Getting ready

You need to ensure you have successfully installed the SCSM product, are a user in the SCSM Administrators role and have the SCSM console open.

You must download and install the SCSM PowerShell Cmdlets found at http://smlets.codeplex.com/ (see the Downloading and installing SMLets recipe in Chapter 12, Automating Service Manager 2016).

How to do it...

Here are the steps you must follow to list the SCSM security roles a specific user is a member of using PowerShell commands:

  1. Type the following code into a notepad or a plain text editor:
          Param([string]$userName)

          # Name of the SCSM Management Server the SMLets cmdlets connect to
          $smDefaultComputer = "TDSCSM03"

          Import-Module SMLets
          Import-Module ActiveDirectory

          If (!$userName)
              {
              Write-Host -ForegroundColor Red "Please start the script with a valid username! ... For instance: Get-UsersSCSMRoles.ps1 andreas.baumgarten"
              Break
              }

          # Distinguished names of the AD groups the user is a direct member of
          $memberInAdGroups = Get-ADUser -Identity $userName -Properties MemberOf
          $memberInAdGroups = $memberInAdGroups.MemberOf

          # All SCSM user roles; the Users property of a role lists its members (users and AD groups)
          $scsmRoles = Get-SCSMUserRole
          foreach ($scsmRole in $scsmRoles)
          {
              if ($scsmRole.Users)
                  {
                  $scsmRoleName = $scsmRole.DisplayName
                  # Direct membership of the user account
                  if ($scsmRole.Users -like "*$userName*")
                      {
                      Write-Host -ForegroundColor Blue "=== SCSM Role: $scsmRoleName ==="
                      Write-Host -ForegroundColor Green "User $userName is direct member of this SCSM user role"
                      }
                  # Membership through the built-in groups every domain user belongs to
                  if ($scsmRole.Users -like "*Domain Users*")
                      {
                      Write-Host -ForegroundColor Blue "=== SCSM Role: $scsmRoleName ==="
                      Write-Host -ForegroundColor Green "User $userName is member of this SCSM user role by AD groupmembership: Domain Users"
                      }
                  if ($scsmRole.Users -like "*Authenticated Users*")
                      {
                      Write-Host -ForegroundColor Blue "=== SCSM Role: $scsmRoleName ==="
                      Write-Host -ForegroundColor Green "User $userName is member of this SCSM user role by AD groupmembership: Authenticated Users"
                      }
                  # Membership through each AD group the user is a direct member of
                  foreach ($adGroup in $memberInAdGroups)
                      {
                      $adGroupName = Get-ADGroup -Identity $adGroup
                      $adGroupName = $adGroupName.SamAccountName
                      if ($scsmRole.Users -like "*$adGroupName*")
                          {
                          Write-Host -ForegroundColor Blue "=== SCSM Role: $scsmRoleName ==="
                          Write-Host -ForegroundColor Green "User $userName is member of this SCSM user role by AD groupmembership: $adGroupName"
                          }
                      }
                  }
          }
    
  2. Save the file as a PowerShell file with a .PS1 extension to a filesystem location (for example, C:\Get-UsersSCSMRoles.ps1).
  3. Start a PowerShell command prompt as an administrator.
  4. Run the following command:
    
    Set-ExecutionPolicy RemoteSigned
    
    
  5. Press the Y and Enter keys.
  6. In the PowerShell command window, navigate to the location of the script. Type C:\Get-UsersSCSMRoles.ps1 <username>. Replace <username> with any valid AD username.
  7. Press the Enter key.
  8. A list of all the SCSM user roles the user is a member of is presented.

How it works...

The script gets the group membership of the user specified by the username from Active Directory and the list of all SCSM user roles. The script then checks what SCSM roles the user is a member of based on their AD group membership. This assumes the delegation of SCSM roles is done with AD groups (this is the recommended practice).
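As an added example (not the book's script), the following variant of the check resolves nested AD group membership with an LDAP matching-rule query, so a role granted to a group that contains the user's group is not missed, and it compares member names exactly instead of with wildcard substrings. It assumes the management server name TDSCSM03 from the recipe and that Get-SCSMUserRole reports role members in DOMAIN\name form.

```powershell
# Added example, not the recipe's own script: report a user's SCSM roles using
# transitive AD group membership and exact member-name matching.
Param(
    [Parameter(Mandatory = $true)][string]$UserName,
    [string]$ManagementServer = "TDSCSM03"   # assumed server name, as in the recipe
)

# SMLets reads the management server name from this variable
$SMDefaultComputer = $ManagementServer
Import-Module SMLets
Import-Module ActiveDirectory

$user = Get-ADUser -Identity $UserName

# Transitive (nested) group membership: LDAP_MATCHING_RULE_IN_CHAIN walks the member
# attribute recursively, so groups nested inside other groups are included too.
# Assumption: the user's DN contains no characters that need LDAP filter escaping.
$groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
    Select-Object -ExpandProperty SamAccountName)

# Principals through which the user can hold a role: the account itself, the two
# well-known groups every domain account belongs to, and every resolved AD group.
$identities = @($user.SamAccountName, 'Domain Users', 'Authenticated Users') + $groups

foreach ($role in Get-SCSMUserRole) {
    if (-not $role.Users) { continue }
    # Assumption: role members are stored as "DOMAIN\name"; keep only the name part.
    $members = @($role.Users | ForEach-Object { ($_ -split '\\')[-1] })
    # -contains compares whole strings case-insensitively, so "ann" no longer matches "joanne".
    $via = @($identities | Where-Object { $members -contains $_ })
    if ($via.Count -gt 0) {
        [pscustomobject]@{
            User = $user.SamAccountName
            Role = $role.DisplayName
            Via  = ($via -join ', ')
        }
    }
}
```

Because it emits objects rather than Write-Host text, the output can be piped to Format-Table for reading or to Export-Csv for saving.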

There's more...

Running a script and seeing the output is great, but you may want to save the results of the script.

Piping the script output to a text file

You can save the output of the PowerShell script to a text file by following these steps:

  1. In the PowerShell command window, navigate to the location of the script. Type C:\Get-UsersSCSMRoles.ps1 <username> >> C:\<yourfilename.txt>.
  2. Press the Enter key.

See also

See the Using SMLets to delete a Work Item and Autoclose resolved Incidents with SMLets and a custom workflow recipes in Chapter 12, Automating Service Manager 2016, for additional SCSM management examples of using PowerShell commands.
