Share via


Orchestrator Users Group

 

Updated: May 13, 2016

Applies To: System Center 2012 SP1 - Orchestrator, System Center 2012 - Orchestrator, System Center 2012 R2 Orchestrator

Users gain access to Orchestrator through membership in the Orchestrator Users group. Any user account added to this group is granted permission to use the Runbook Designer and Deployment Manager tools. By default, users in this group have the authority to perform the following actions:

  • Create new runbooks. View, change, and run existing runbooks.

  • Deploy new runbook servers

  • Deploy new Runbook Designers

  • Register and deploy integration packs

  • View and change global settings for a management server

The Orchestrator Users group has the following permissions in the management server DCOM component:

  • Local & Remote Launch

  • Local & Remote Activation

  • Local & Remote Access

If you enable remote access for the user group (by selecting Remote Permissions during installation), the user group is added to the machine limits – Local and Remote launch, activation and access.

You specify the Orchestrator Users group during the Orchestrator installation process. Because the Orchestrator web service uses the same group for authorization, you must use a domain group in Active Directory if the Orchestration console is not installed on the management server. If the Orchestration console is installed on the management server, the group can be a local group on the management server.

The decision of which to use depends on where you want to manage the group’s users. Typically using an Active Directory group provides better centralized access to the group as opposed to managing it locally on the management server.

Note

A member of the Orchestrator Users group can grant access to other users to view and run runbooks from the Orchestration console without having to add those users to the group. Those who only use the Orchestration console are referred to as operators. They typically require the ability to run runbooks, but not to create them. For information about setting permissions for individual runbooks, see Runbook Permissions in Using Runbooks in System Center 2012 - Orchestrator.