In general, the *supported* method to add users and groups to user roles is using the console. This is article will demonstrate an alternative method, that might be needed in cases where security got totally messed up, our a critical admin group got deleted.
The idea came from Michel Kamp’s article: http://michelkamp.wordpress.com/2012/05/05/audit-scom-sdk-usage-operations/
Authorization Manager source (AzMan) was moved from a file in SCOM 2007, to a SQL database store in SCOM 2012. It was possible in SCOM 2007, to accidentall delete the domain group used for SCOM admins, and lock out access. To read about how to recover this scenario in SCOM 2007 see: http://support.microsoft.com/kb/2640222
In SCOM 2012, you can load up Authorization Manager from SQL. Here is how.
On your SCOM management server, open a MMC, and load the Authorization Manager snap in.
Once you lad that, right click Authorization Manager in the left pane and choose “Open Authorization Store”
Choose Microsoft SQL and input the properly formatted connect string. Here is an example:
mssql://Driver={SQL Server};Server={SERVERNAME\INSTANCE};/OperationsManager/AzmanStore
Replace SEVERNAME\INSTANCE with your SCOM SQL server name (and named instance if needed) and change “OperationsManager” to whatever your SCOM OpsDB is named. Here is mine:
mssql://Driver={SQL Server};Server={DB01};/OperationsManager/AzmanStore
When this opens up – you can see a list of GUIDS. Each represents a built-in user role or custom scoped user role. Expand 597f9d98-356f-4186-8712-4f020f2d98b4 and look at the Role Assignments:
We can see that belongs to The Operations Manager Administrators role.
Right click the top level GUID 597f9d98-356f-4186-8712-4f020f2d98b4 in the left hand side, and choose Properties:
On the security tab – you can add new groups here, or even individual users.
The above should only be used in a recovery scenario, use the console to directly administer membership of user roles.