To be able to work with the operators console, your account has to be a member of a MOM security group: MOM Users, MOM Administrators or MOM Authors. Your account can also be a member of another security group that is itself a member of a MOM security group (group nesting). When you start the operators console, your permissions are checked, and if you have permission the operators console will start.
Your account is also bound to a console scope. A console scope is based on computer groups and controls what you can see in the operators console. If a computer group is in your console scope, you will be able to work with it in the operators console. An account can be a member of many console scopes.
The Administrator, Operator and User console scopes are created during installation and can work with all computer groups. You can modify them, but it is not recommended. If a client is a member of, for example, the MOM User security group and you add him/her to another console scope, the last added console scope will be the one he/she uses.
In MOM 2005, permissions to a console scope are based on username and domain, not on SID as they used to be. This can give some funny results, for example:
If you have a client named Anton Berg (ANBE) and you add him to a console scope (scope1) and then he quits, his SID will be removed from all security groups in AD, but there will still be a DOMAIN\ANBE in the console scope. If you then hire a new guy named Antonio Beludas (ANBE), he will be able to run scope1, because he and Anton Berg have the same domain and logon name, DOMAIN\ANBE.
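One way to catch the stale DOMAIN\ANBE entry described above is to keep your own record of each account's SID at the time it was added to a console scope and compare it with what the name resolves to today. The following is an added example, not code from MOM or from the original page; the inventory format, the `audit_scope_grants` helper, the second account and all SIDs are constructed for illustration, and the name-to-SID lookup is simulated with a dictionary.

```python
# Added example: audit name-keyed console scope entries against SIDs pinned at grant time.
# All data is constructed; the console scope itself holds only DOMAIN\username.
from dataclasses import dataclass


@dataclass(frozen=True)
class ScopeGrant:
    scope: str         # console scope name
    account: str       # DOMAIN\username as stored in the console scope
    sid_at_grant: str  # SID noted by the admin when access was granted (assumed inventory)


def normalize(account: str) -> str:
    """Windows logon names are case-insensitive, so compare them upper-cased."""
    return account.strip().upper()


def audit_scope_grants(grants, directory):
    """Classify each grant as 'ok', 'orphaned' (name no longer resolves)
    or 'reused' (name now resolves to a different SID than the one granted)."""
    current = {normalize(name): sid for name, sid in directory.items()}
    findings = []
    for g in grants:
        sid_now = current.get(normalize(g.account))
        if sid_now is None:
            status = "orphaned"   # account deleted, scope entry left behind
        elif sid_now != g.sid_at_grant:
            status = "reused"     # a new person inherited the old entry
        else:
            status = "ok"
        findings.append((g.scope, g.account, status))
    return findings


# Constructed sample: the scope1 grants, then the directory at two points in time.
GRANTS = [
    ScopeGrant("scope1", r"DOMAIN\ANBE", "S-1-5-21-1000-2000-3000-1105"),  # Anton Berg
    ScopeGrant("scope1", r"DOMAIN\LIKA", "S-1-5-21-1000-2000-3000-1106"),  # hypothetical colleague
]
DIRECTORY_AFTER_LEAVE = {r"DOMAIN\LIKA": "S-1-5-21-1000-2000-3000-1106"}
DIRECTORY_AFTER_REHIRE = {
    r"domain\anbe": "S-1-5-21-1000-2000-3000-1190",  # Antonio Beludas, new SID
    r"DOMAIN\LIKA": "S-1-5-21-1000-2000-3000-1106",
}

if __name__ == "__main__":
    for label, directory in (("after leave", DIRECTORY_AFTER_LEAVE),
                             ("after rehire", DIRECTORY_AFTER_REHIRE)):
        for finding in audit_scope_grants(GRANTS, directory):
            print(label, *finding)
```

Entries reported as orphaned are the ones to remove from the console scope before the logon name is handed to someone else.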
Console scope is used to filter computer groups in the operators console. This is not a security boundary. If you need a security boundary, you will have to deploy multiple management groups and then connect them to each other.
You do all console scope settings in the MOM Administrator Console.
MOM 2005 Administrator Console
-Microsoft Operations Manager