Problem with granular user rights
Our technical teams and application owners are members of the built-in "Operations Manager Read-Only Operators" role and therefore can see all objects in SCOM. Now I want to grant some teams access to some groups and allow them to put their systems into maintenance mode. For that I created a new role based on the Operators role and limited the group scope to just the group they should get higher privileges on.
I've then added user accounts to the newly created user role and tested access via the SCOM Web console. To my surprise, they now have operator access to all objects and not only to the ones the role is scoped to. By removing those user accounts from the read-only user role, everything works as expected: they can only see the group members they were granted operator access to. However, this is not what we want. They should be able to see all objects.
The documentation is very vague on this topic. It only states that a user can be a member of multiple roles.
I suggest that the permissions add up, so that we can have a base setup with read-only access for all users and then be able to grant higher rights on certain objects to some users/groups.