System Center Service Manager:Active Directory Connector: Difference between revisions

From sysadminafterdark docs
Latest revision as of 04:03, 27 May 2024

History

The System Center Service Manager Active Directory Connector is a built-in System Center Service Manager connector that syncs users and groups from Active Directory. This enables systems administrators to map Active Directory users and groups to built-in and custom System Center Service Manager groups (user roles).

The following groups are built into System Center Service Manager:

  1. Activity Implementers: Can read, create, and update activities.
  2. Administrators: Have full permissions, including creating, updating, and deleting configuration items and other records.
  3. Advanced Operators: Can read, create, and update configuration items, but cannot delete them.
  4. Change Initiators: Can create and manage change requests.
  5. End Users: Typically have read-only access to self-service features and can submit requests.
  6. Read-Only Operators: Have read-only access to most areas.
  7. Authors: Can create and manage knowledge articles and other documentation.
  8. Problem Analysts: Focus on managing problem records.
  9. Workflows: Automate processes and may have broad read/write permissions depending on workflow needs.
  10. Incident Resolvers: Manage incident records.
  11. Change Managers: Oversee change management processes.
  12. Report Users: Access and run reports (available after registering with the data warehouse).
  13. Release Managers: Handle release management.
  14. Service Request Analysts: Manage service requests.

If you require implementation instructions outside my use case and scope, see Microsoft's articles "Manage Service Manager user roles" and "User role profiles in System Center - Service Manager".

Deployment

Follow the instructions listed below to configure a working instance of the System Center Service Manager Active Directory connector:

  1. Open the Service Manager console as a domain administrator. Navigate to the Administration tab, click Connectors, then click Create connector and select the Active Directory Connector. The Active Directory Connector Wizard should launch.
    1. On the Before You Begin tab, click Next.
    2. On the General page, give your connector a name and description, and ensure the connector is enabled. In my case, I am using "Internal Active Directory Connector" as both the name and description.
    3. On the Domain or Organizational Unit page, choose to sync the entire domain or an OU. Multiple Active Directory connectors can be used to sync only specific OUs. I cannot justify this in my environment, but you might. In my case, I am choosing to sync the entire directory; I will be managing this through Active Directory Users and Computers anyway. Finally, choose the Run As Account. In my case, I am using the Operational Database Account, which is Users and Groups:svc_servicemanager. Click Next when you are finished and there is a successful connection to Active Directory.
    4. On the Select Objects screen, I am choosing to import all computers, printers, users and user groups. Additionally, I checked "Do not write null values for properties that are not set in Active Directory". Once done, click Next.
    5. On the Schedule tab, you must choose a time when an automatic Active Directory sync is performed. I choose to sync every day at 5:00 PM so new users are synced before backups kick off. Click Next once finished.
    6. On the Summary tab, review your configuration. If it is accurate, click Create.
    7. The wizard will let you know the Active Directory connector was successfully created. Click Close.

Post-Configuration

Perform Initial Active Directory Sync

  1. On the Connectors tab, under Administration, click your Active Directory connector, then in the sidebar click Sync Now. It may take a while, but if you occasionally press the Refresh button, a progress percentage is displayed. When this process is finished, the Status should read "Finished Success".
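The same initial sync can be started from PowerShell with the official Service Manager module, which is useful when you want the sync scripted rather than clicked. This is an added example, not the page's own procedure; it assumes the module that ships with the console is installed, the connector carries the name chosen on the General page, and SCSM-MGMT is a placeholder for your management server.

```powershell
# Added example (not from the original page): trigger "Sync Now" for the
# Active Directory connector and display its state afterwards.
# Assumptions: System.Center.Service.Manager module installed with the console,
# connector named as on the General page, SCSM-MGMT is a placeholder server name.
Import-Module System.Center.Service.Manager

$connectorName = 'Internal Active Directory Connector'
$server        = 'SCSM-MGMT'   # placeholder: replace with your management server

# Look the connector up by the display name given in the wizard.
$connector = Get-SCSMConnector -DisplayName $connectorName -ComputerName $server
if (-not $connector) {
    throw "Connector '$connectorName' was not found on $server"
}

# Kick off a synchronization now instead of waiting for the 5:00 PM schedule.
$connector | Start-SCSMConnector

# Re-read the connector and show every property; after the run finishes the
# status shown here should match the "Finished Success" seen in the console.
Get-SCSMConnector -DisplayName $connectorName -ComputerName $server | Format-List *
```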

Internal Group Configuration

It may be worth noting that Authentication: Active Directory is a much more robust reference on the internal workings of Active Directory. Since group mappings are key to Service Manager, it is worth mentioning them here.

Each department has its own corresponding Active Directory group, followed by a job-title group that is populated with user objects as well as nested ("Member Of") groups. The two that are relevant to this documentation are Users and Groups:dp_it_noc and Users and Groups:dp_it_systemsadministrators. This way, everyone within a department with a certain job title receives the same amount of permission as their peers with the same title. This helps to combat security misconfigurations and configuration decay. This system is known as "Role-Based Access Control" or "RBAC". You may read more about this concept in Microsoft's article Implementing Least-Privilege Administrative Models.


The following table shows how Active Directory department groups are mapped to Active Directory security groups, which are in turn mapped to SCSM user roles:

Active Directory Department Group   Active Directory Security Group   SCSM User Role
dp_it_systemsadministrators         sg_scsm_administrators            Administrators
dp_it_noc                           sg_scsm_authors                   Authors
All Department Groups               sg_scsm_end_users                 End Users

This enables standard IT user accounts (example: sysadminafterdark or mandolinsara), members of Users and Groups:dp_it_noc, to have just enough permissions to process their tickets and write knowledge base articles. When a server configuration must be changed, an administrator account (example: adminafterdark), a member of Users and Groups:dp_it_systemsadministrators, must launch the Service Manager Console as an administrator to gain access to the Administration tab within the application and perform organization-level changes.
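Because the whole RBAC model rests on the nesting in the table above, it pays to check periodically that the sg_scsm_* security groups still contain only the documented department groups and no directly added users (the configuration decay the section warns about). The following audit script is an added example, not part of the original page; it uses the ActiveDirectory PowerShell module, takes the group names from the mapping table, and expands the "All Department Groups" row to the two department groups this page names.

```powershell
# Added example (not from the original page): audit the documented nesting of
# department groups inside the SCSM security groups with the ActiveDirectory module.
# Assumption: "All Department Groups" means the two department groups named on this page.
Import-Module ActiveDirectory

# Expected direct members of each SCSM security group, taken from the mapping table.
$mapping = @{
    'sg_scsm_administrators' = @('dp_it_systemsadministrators')
    'sg_scsm_authors'        = @('dp_it_noc')
    'sg_scsm_end_users'      = @('dp_it_systemsadministrators', 'dp_it_noc')
}

function Test-ScsmGroupNesting {
    param([hashtable]$Mapping)
    foreach ($sg in $Mapping.Keys) {
        # Direct members only: the only members should be nested department groups.
        $members = @(Get-ADGroupMember -Identity $sg)
        foreach ($dept in $Mapping[$sg]) {
            $present = $members | Where-Object { $_.objectClass -eq 'group' -and $_.SamAccountName -eq $dept }
            if (-not $present) {
                [pscustomobject]@{ Group = $sg; Finding = "missing nested department group $dept" }
            }
        }
        foreach ($m in $members) {
            if ($m.objectClass -ne 'group') {
                # A user added directly bypasses the department/job-title structure.
                [pscustomobject]@{ Group = $sg; Finding = "direct non-group member $($m.SamAccountName)" }
            } elseif ($Mapping[$sg] -notcontains $m.SamAccountName) {
                [pscustomobject]@{ Group = $sg; Finding = "unexpected nested group $($m.SamAccountName)" }
            }
        }
    }
}

function Get-EffectiveScsmRoleMembers {
    # Everyone who ends up with the role through any depth of nesting.
    param([string]$SecurityGroup)
    Get-ADGroupMember -Identity $SecurityGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName | Sort-Object -Unique
}

$findings = @(Test-ScsmGroupNesting -Mapping $mapping)
if ($findings) { $findings | Format-Table -AutoSize }
else { 'All SCSM security groups match the documented mapping.' }

# Review who effectively holds the Administrators role (should be admin accounts only).
Get-EffectiveScsmRoleMembers -SecurityGroup 'sg_scsm_administrators'
```

Run it from a workstation with RSAT as a domain account that can read group membership; any finding other than an empty result means the nesting has drifted from the table.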

Status

This configuration was deployed into sysadminafterdark production and confirmed to be a working configuration. Further group permission tweaks may need to be made in the future and will be recorded here.