I recently did some work on modifying Operations Manager roles using the command shell. I started with this post from Eugene Bykov. Many thanks to Marco Shaw for his help and his time.
I worked on the creation of a read-only operator role. That role is scoped to a group, and only the views in a specific Management Pack are reachable. Note that the tests were made with a non-sealed MP.
Create a Read-Only Operator Role:
$RoleName = "My New ROO role"
$mg = (get-item .).ManagementGroup
$profil = $mg.GetMonitoringProfiles() | where {$_.Name -eq "ReadOnlyOperator"}
$role = new-object Microsoft.EnterpriseManagement.Monitoring.Security.MonitoringUserRole
$role.Name = $RoleName
$role.DisplayName = $RoleName
$role.Description = "This is my new readonly operator role"
$role.MonitoringProfile = $profil
$mg.InsertMonitoringUserRole($role)
Scope the role on a group:
$GroupName = "Name of my group"
$ID = get-monitoringobject | where {$_.Displayname -eq $GroupName}
$role = get-userrole | where {$_.DisplayName -eq $RoleName}
($role.Scope).MonitoringObjects.add($ID.id)
$role.Update()
Adding all views contained in a MP to the role:
$MpName = "My MP"
$Mp = get-ManagementPack -Name $MpName
$Mp.getviews() | ForEach-Object {
    $pair = new-object "Microsoft.EnterpriseManagement.Common.Pair``2[[System.Guid, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Boolean, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]" $_.Id,$false
    ($role.Scope).Monitoringviews.Add($pair)
}
$role.Update()
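Because the point of this role is least privilege, it is worth reading it back from the management group and comparing its scope with what was intended. The script below is an added example, not part of the original post or of Eugene Bykov's: it reuses the cmdlets and properties shown above, the helper Compare-IdSet is hypothetical, and it assumes that the Pair object exposes its Guid as .First and that the role returned by get-userrole carries its MonitoringProfile.

```powershell
# Added example, not from the original post. Run it in the Operations Manager
# Command Shell after the three steps above; names are the post's placeholders.
$RoleName  = "My New ROO role"
$GroupName = "Name of my group"
$MpName    = "My MP"

# Hypothetical helper: report ids that are granted but not intended, and the reverse.
function Compare-IdSet($Label, $Expected, $Actual) {
    foreach ($id in $Actual) {
        if ($Expected -notcontains $id) { "$Label granted but not intended: $id" }
    }
    foreach ($id in $Expected) {
        if ($Actual -notcontains $id) { "$Label intended but missing: $id" }
    }
}

# Read everything back from the management group instead of trusting $role in memory.
$role  = get-userrole | where {$_.DisplayName -eq $RoleName}
$group = get-monitoringobject | where {$_.DisplayName -eq $GroupName}
$mp    = get-ManagementPack -Name $MpName

$findings = @()
# The profile decides what the role may do; the scope decides where.
if ($role.MonitoringProfile.Name -ne "ReadOnlyOperator") {
    $findings += "Profile is '$($role.MonitoringProfile.Name)', expected ReadOnlyOperator"
}

# Object scope: only the group's id should be present.
$expectedObjects = @($group | ForEach-Object { $_.Id })
$actualObjects   = @($role.Scope.MonitoringObjects)
$findings += @(Compare-IdSet "Object" $expectedObjects $actualObjects)

# View scope: exactly the views of the MP.
$expectedViews = @($mp.GetViews() | ForEach-Object { $_.Id })
# Assumption: the Pair built in the post exposes its Guid as .First
$actualViews   = @($role.Scope.MonitoringViews | ForEach-Object { $_.First })
$findings += @(Compare-IdSet "View" $expectedViews $actualViews)

if ($findings.Count -eq 0) {
    "Role '$RoleName' matches the intended scope."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

If several objects share the group's display name, all of them are treated as intended, so check that $group holds a single object before relying on the result.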
If you have any questions, don't hesitate to add a comment.