By default and design, there is no access to the ACS reports from the Operations console. This prevents OpsMgr Administrators from viewing reports that fall under the purview of auditors. This setting is maintained with the following configuration:
- DataSource setting: Default
- ACS auditors are Administrators or Power Users of their dedicated Report Server
- Use local security group for ACS auditors on the dedicated ACS Report Server
Due to your company’s requirements, there may be a need to change this. Perhaps you don’t want to have to implement a separate Report Server for ACS. In this scenario, ACS uses the same Report Server as OpsMgr, but administrators and auditors remain separated on that shared Report Server, and administrators have no access to the audit reports. Audit reports appear in the Operations console (all reports in the OpsMgr Report Server appear in the Reporting node of the console whether they are OpsMgr reports or not), but cannot be run from the Operations console, only from Report Manager. This scenario retains security separation and simply leverages the same Report Server to conserve SQL Reporting Services asset deployments. The following settings are used:
- DataSource setting: Credentials supplied by the user running the report, with "Use as Windows credentials when connecting to the data source" selected
- Add ACS Auditors to the OpsMgr Report Operators User Role
- Add ACS Auditors to the Power Users local group on the Report Server
- Use a domain security group for the ACS auditors, rather than a local group
A third scenario would be for the Operations console to allow access to the reports (versus simply displaying them since they are on the same Report Server). You might need to do this if you have a very small company that does not have a separate auditor’s role. Note that this approach is NOT recommended or supported by Microsoft, as it defeats the whole purpose of having a separate Audit Control System!
- DataSource setting: Credentials are not required
- Add the Data Reader account to the ACS Auditors security group
- Add the ACS Auditors to the OpsMgr Report Operators User Role
- Use a domain security group for the ACS auditors
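When the Report Server is shared, the separation described above depends entirely on group membership, so it is worth checking periodically. The following is an added example, not taken from the book or from Microsoft: it flags accounts that are effectively both OpsMgr administrators and ACS auditors, and detects the third scenario's marker (the Data Reader account inside the auditors group). The group names and the Data Reader account name are assumptions; substitute your own.

```powershell
# Added example. All names below are placeholders (assumptions), not product defaults.
Import-Module ActiveDirectory

$AuditorGroup  = 'ACS Auditors'           # assumed domain security group for ACS auditors
$AdminGroup    = 'OpsMgr Administrators'  # assumed group mapped to the OpsMgr Administrators role
$DataReaderSam = 'svc-opsmgr-dr'          # assumed sAMAccountName of the Data Reader account

function Get-EffectiveMember {
    param([Parameter(Mandatory = $true)][string]$Group)
    # -Recursive flattens nested groups and returns only the leaf members
    Get-ADGroupMember -Identity $Group -Recursive |
        Select-Object -ExpandProperty SamAccountName |
        Sort-Object -Unique
}

$auditors = @(Get-EffectiveMember -Group $AuditorGroup)
$admins   = @(Get-EffectiveMember -Group $AdminGroup)

# Accounts that hold both roles, directly or through nesting
$overlap = @($auditors | Where-Object { $admins -contains $_ })
foreach ($account in $overlap) {
    Write-Warning "Separation violated: '$account' is both an OpsMgr administrator and an ACS auditor."
}

# The Data Reader account in the auditors group means audit reports
# can be run from the Operations console (the unsupported third scenario).
$dataReaderIsAuditor = $auditors -contains $DataReaderSam
if ($dataReaderIsAuditor) {
    Write-Warning "Data Reader account '$DataReaderSam' is a member of '$AuditorGroup'."
}

if ($overlap.Count -eq 0 -and -not $dataReaderIsAuditor) {
    Write-Output "No overlap found between '$AdminGroup' and '$AuditorGroup'."
}
```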
This material was developed by our System Center Operations Manager 2007 Unleashed co-author John Joyner, and is discussed in detail in that book (which is currently being written). Look for a chapter on Monitoring Audit Collection Services!