Introduction
Authorization is required to manipulate objects such as queues and work items in Microsoft System Center Service Manager 2010. These authorizations are managed by using profiles. A profile is a collection of items that are used for authorization. For operations such as create, read, update, and delete, the following structure is used for the items of authorization:
ProfileName | Operation | Type | Property | Relationship | RelationshipEndPoint
For authorization, a user role specifies operations that specific users can perform on specific objects by associating a profile, a scope, and users. Profiles are also used by the Service Manager console to filter objects such as tasks and templates.
The three stored procedures that are included in this hotfix have the following file names:
- p_GetRestrictrictionsOnOperationsInProfile
- p_AddRestrictrictionToOperationInProfile
- p_RemoveRestrictrictionFromOperationInProfile
These SQL stored procedures let you add or remove rights for an operation in profiles to support custom types that were added to the Service Manager environment. The Service Manager console cannot add or remove these rights. For example, you can add the following authorization to the IncidentResolver profile if you customized the User type by adding a new New Relationship relationship:
ProfileName | Operation | Type | Property | Relationship | RelationshipEndPoint
IncidentResolver | Object__Set | User | | New Relationship |
These stored procedures also give you more details for accessing properties of specific types. The Service Manager console cannot provide these details. These SQL stored procedures cannot add new operations to a profile and can perform only the following tasks:
- View the authorizations that are configured in an existing profile.
- Add types to existing operations in existing profiles. You can add the type, property, and relationship restrictions to the following operations:
  - Object__Add
  - Object__Set
  - Object__Get
  - Object__Delete
- Remove types from existing operations in existing profiles.
More Information
Hotfix information
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
Note: If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support
Note: The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
Prerequisites
To apply this hotfix, you must have Microsoft System Center Service Manager 2010 Service Pack 1 (SP1) installed.
Note: This hotfix applies to the Service Manager Primary Management Server (SM Server) component in System Center Service Manager 2010.
How to install this hotfix
Important: Before you install this hotfix, we recommend that you follow these steps:
- Back up the ServiceManager databases.
- Back up the encryption keys for SM Server.
Note: This hotfix cannot be uninstalled after you install it.
To install this hotfix, follow these steps:
- Close all Service Manager-related applications such as the Service Manager console and the Self-Service Portal.
- In Windows Explorer, open the folder that contains this hotfix package.
- Right-click the following file, and then click Run as administrator:
  Scsm2010_amd64_sp1_kb2525307.exe
- Accept the license agreement in the System Center Service Manager SCSM2010_SP1_KB2525307 Setup Wizard on the License agreement page, and then click Install to complete the wizard.
How to determine whether this hotfix was applied correctly
Method 1
- In Control Panel, open Programs and Features.
- Click View installed updates.
- If the following item is listed, the hotfix was applied correctly:
  Hotfix for Microsoft System Center Service Manager SP1 (KB2525307)
Note: If the system is running SM Server, this item is listed under Microsoft System Center Service Manager SP1.
Method 2
View the following log files in the %temp% folder to determine whether any errors occurred during the installation of the hotfix:
- Scsm2010_sp1_kb2525307.msp.0.log
- Scsmpatchersetupwizard01.log
Registry information
To use the hotfix in this package, you do not have to make any changes to the registry.
Restart requirement
You do not have to restart the computer after you apply this hotfix.
Hotfix replacement information
This hotfix does not replace a previously released hotfix.
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates
How to use the stored procedures together with custom relationships
If you add relationships to extend a type, and if you want to restrict the update rights for these relationships, you have to add the extended type to the desired operations that update the appropriate profiles.
For example, you add the System.CallingUser relationship between the System.WorkItem.Incident and System.Domain.User endpoints. If you want the IncidentResolver profile to be able to update the relationship, you have to add the relationship to the Object__Set (update) right of the System.Domain.User endpoint. In this example, you do not have to add the relationship to the Object__Set (update) right of the System.WorkItem.Incident endpoint. The relationship does not have to be added because the following entry indicates that the System.WorkItem.Incident endpoint already has the Object__Set (update) rights for all properties and relationship endpoints:
ProfileName | Operation | Type | Property | Relationship | RelationshipEndPoint
IncidentResolver | Object__Set | System.WorkItem.Incident | NULL | NULL | N/A
You can call the following stored procedure to add the Object__Set (update) right to the System.Domain.User endpoint for the System.CallingUser relationship in the IncidentResolver profile:
exec p_AddRestrictrictionToOperationInProfile 'IncidentResolver', 'Object__Set', 'System.Domain.User', NULL, 'System.CallingUser', NULL
Syntax
The following section describes the syntax of the stored procedures that are included in this hotfix.
The p_GetRestrictrictionsOnOperationsInProfile stored procedure
Parameter
@ProfileName nvarchar(max) = NULL
This stored procedure displays a list of operations from the specified profile. For each operation, this stored procedure also displays the types, the properties, and the relationships that are defined in the type and that can be used by the operation.
Note: To define relationships correctly, they must be defined as properties on both endpoints of the relationship.
How to use the stored procedure and interpret the output
- If ProfileName is null, all profiles are displayed.
- An operation, a property, and a type that are listed in the same row indicate that the operation is restricted to the property from the type.
- An operation, a type, and a relationship endpoint that are listed in the same row indicate that the operation is restricted to the relationship endpoint from the type.
- If the type, the property, and the relationship endpoint are all null values, the associated operation is enabled on all types, all properties, and all relationship endpoints.
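The interpretation rules above, applied to procedure output when reviewing what a profile can actually update. This is an added example, not Microsoft's code: the rows are constructed from the sample output in this article, the names Grant, allows, endpoints_missing_grant and unrestricted_operations are hypothetical, type names are matched exactly (class inheritance is not modelled), and the RelationshipEndPoint column is omitted because it is N/A in the sample output.

```python
from typing import NamedTuple, Optional

class Grant(NamedTuple):
    profile: str
    operation: str
    type: Optional[str]          # None models NULL in the procedure output
    prop: Optional[str]
    relationship: Optional[str]

# Constructed sample rows, modelled on the article's example output.
ROWS = [
    Grant("IncidentResolver", "Object__Get", None, None, None),
    Grant("IncidentResolver", "Object__Set", "System.WorkItem.Incident", None, None),
    Grant("IncidentResolver", "Object__Set", "System.Domain.User", None, "System.WorkItemAssignedToUser"),
    Grant("ImpliedReviewer", "Object__Set", "System.Reviewer", "Comments", None),
    Grant("ImpliedReviewer", "Object__Set", "System.Reviewer", None, "System.ReviewerVotedByUser"),
    Grant("ImpliedReviewer", "Object__Set", "System.Domain.User", None, "System.ReviewerVotedByUser"),
]

def allows(rows, profile, operation, type_name, prop=None, relationship=None):
    """True if some row of the profile covers the requested access."""
    for g in rows:
        if (g.profile, g.operation) != (profile, operation):
            continue
        if g.type is None and g.prop is None and g.relationship is None:
            return True                      # all NULL: every type, property, endpoint
        if g.type != type_name:
            continue                         # exact name match; inheritance not modelled
        if g.prop is None and g.relationship is None:
            return True                      # whole type: all properties and endpoints
        if prop is not None and g.prop == prop:
            return True
        if relationship is not None and g.relationship == relationship:
            return True
    return False

def endpoints_missing_grant(rows, profile, operation, relationship, endpoints):
    """Endpoint types that still need a row before the relationship can be used."""
    return [t for t in endpoints
            if not allows(rows, profile, operation, t, relationship=relationship)]

def unrestricted_operations(rows, profile):
    """Operations the profile may perform on every type (all-NULL rows)."""
    return sorted({g.operation for g in rows if g.profile == profile
                   and g.type is None and g.prop is None and g.relationship is None})
```

Running endpoints_missing_grant for a custom relationship before and after a change shows which endpoint still lacks the right, and unrestricted_operations lists the all-NULL rows worth reviewing for least privilege.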
The following are valid profile names:
- ActivityImplementer
- Administrator
- AdvancedOperator
- Author
- ChangeInitiator
- IncidentResolver
- ProblemAnalyst
- ReadOnlyOperator
- Workflow
- ChangeManager
- EndUser
- ImpliedConfigItemCustodian
- ImpliedIncidentAffectedUser
- ImpliedPrimaryComputerUser
- ImpliedReviewer
- ImpliedUserPreference
The p_AddRestrictrictionToOperationInProfile stored procedure
Parameters
@ProfileName AS NVARCHAR(MAX) = null
@OperationName AS NVARCHAR(MAX) = null
@TypeName AS NVARCHAR(MAX) = null
@PropertyName AS NVARCHAR(MAX) = null
@RelationshipTypeName AS NVARCHAR(MAX) = null
@RelationshipEndpoint AS NVARCHAR(MAX) = null
Note: This stored procedure adds the specified restrictions to the specified profile.
The p_RemoveRestrictrictionFromOperationInProfile stored procedure
Parameters
@ProfileName AS NVARCHAR(MAX) = null
@OperationName AS NVARCHAR(MAX) = null
@TypeName AS NVARCHAR(MAX) = null
@PropertyName AS NVARCHAR(MAX) = null
@RelationshipTypeName AS NVARCHAR(MAX) = null
@RelationshipEndpoint AS NVARCHAR(MAX) = null
Note: This stored procedure removes the specified restrictions from the specified profile.
Example 1
The following example shows the output of the p_GetRestrictrictionsOnOperationsInProfile stored procedure. The results indicate that the Object__Get (Read) operation for the IncidentResolver profile is unrestricted.
ProfileName | Operation | Type | Property | Relationship | RelationshipEndPoint
IncidentResolver | Object__Get | NULL | NULL | NULL | NULL
Example 2
The following example shows the output of the p_GetRestrictrictionsOnOperationsInProfile stored procedure. The results indicate that the Object__Set operation for the IncidentResolver profile is restricted to the following types:
- System.WorkItem.Incident and all its properties including relationship endpoints
- System.FileAttachment and all its properties including relationship endpoints
- System.WorkItem.Log and all its properties including relationship endpoints
- System.WorkItem.Activity.ManualActivity and its properties including relationship endpoints
- System.ConfigItem and relationship endpoint System.WorkItemAboutConfigItem
- System.ConfigItem and relationship endpoint System.WorkItemRelatesConfigItem
- System.Domain.User and relationship endpoint System.WorkItem.TroubleTicketClosedByUser
- System.Domain.User and relationship endpoint System.WorkItemAssignedToUser
- System.Domain.User and relationship endpoint System.WorkItemCreatedByUser
ProfileName | Operation | Type | Property | Relationship | RelationshipEndPoint
IncidentResolver | Object__Set | System.WorkItem.Incident | NULL | NULL | N/A
IncidentResolver | Object__Set | System.FileAttachment | NULL | NULL | N/A
IncidentResolver | Object__Set | System.WorkItem.Log | NULL | NULL | N/A
IncidentResolver | Object__Set | System.WorkItem.Activity.ManualActivity | NULL | NULL | N/A
IncidentResolver | Object__Set | System.ConfigItem | NULL | System.WorkItemAboutConfigItem | N/A
IncidentResolver | Object__Set | System.ConfigItem | NULL | System.WorkItemRelatesToConfigIte | N/A
IncidentResolver | Object__Set | System.Domain.User | NULL | System.WorkItem.TroubleTicketClosedByUser | N/A
IncidentResolver | Object__Set | System.Domain.User | NULL | System.WorkItemAssignedToUser | N/A
IncidentResolver | Object__Set | System.Domain.User | NULL | System.WorkItemCreatedByUser | N/A
Important: The last five operation items let you relate configuration items to an incident and assign users to incidents.
Example 3
The following example of the p_GetRestrictrictionsOnOperationsInProfile stored procedure indicates that the Object__Set operation for the ImpliedReviewer profile is restricted to the following types:
- System.Reviewer and only properties Comments, DecisionDate, and Decision
- System.Reviewer and only relationship endpoint System.ReviewerVotedByUser
- System.Domain.User and only relationship endpoint System.ReviewerVotedByUser
Notes
- This example output is only a sample of the output and not the complete output.
- The System.ReviewerVotedByUser Object__Set (Update) rights were granted to both the System.Reviewer endpoint and the System.Domain.User endpoint. If you do not grant relationship rights to both endpoints, you cannot update reviewer objects by using the following relationship:
ProfileName | Operation | Type | Property | Relationship | RelationshipEndPoint
ImpliedReviewer | Object__Set | System.Reviewer | Comments | NULL | N/A
ImpliedReviewer | Object__Set | System.Reviewer | DecisionDate | NULL | N/A
ImpliedReviewer | Object__Set | System.Reviewer | Decision | NULL | N/A
ImpliedReviewer | Object__Set | System.Reviewer | NULL | System.ReviewerVotedByUser | N/A
ImpliedReviewer | Object__Set | System.Domain.User | NULL | System.ReviewerVotedByUser | N/A
Example 4
The following example shows how to use the p_AddRestrictrictionToOperationInProfile stored procedure to update the Notes property:
exec p_AddRestrictrictionToOperationInProfile 'ImpliedReviewer', 'Object__Set', 'System.Reviewer', 'Notes', NULL, NULL
Example 5
The following example shows how to use the p_AddRestrictrictionToOperationInProfile stored procedure to update the System.WorkItemRelatesToWorkItem relationship:
exec p_AddRestrictrictionToOperationInProfile 'ImpliedReviewer', 'Object__Set', 'System.Reviewer', NULL, 'System.WorkItemRelatesToWorkItem', 'N/A'
Example 6
The following example shows how to use the p_AddRestrictrictionToOperationInProfile stored procedure to update the Incident class, all properties, and all relationships:
exec p_AddRestrictrictionToOperationInProfile 'ImpliedReviewer', 'Object__Set', 'System.WorkItem.Incident', NULL, NULL, 'N/A'