Once someone has create or modify on a collection, they can change anything.

I suggest having a "front end" -- either a web page, or a PowerShell GUI (something like that) which those regional staff can use; you could keep it simple, "input computer names here" (and a separate one for usernames), and trust they've already confirmed the exact computer name and the exact username, or you could get as complex as you like on verification--confirming the computer or user exists, confirming that the user running the "add a computer" has the correct "rights" to manage that particular computer or user.

The web page does the actual adding using a service account--which has rights to that collection. Basically, a "roll your own shopping". You could also look at all the various shopping addons for CM12--that's pretty much what you are looking for.

Sherry Kissinger
Microsoft MVP - ConfigMgr
[email protected]

________________________________
From: Jason Wallace <[email protected]>
To: "[email protected]" <[email protected]>
Sent: Wednesday, January 8, 2014 7:32 AM
Subject: Re: [mssms] RBAC, is this possible?

I really don’t think that you would be able to do this.

http://gallery.technet.microsoft.com/Matrix-of-Role-Based-d6318b96 is a very useful resource on RBAC, as is Chris Nacker’s blog.

Sent from Windows Mail

From: Stephen Owen
Sent: Wednesday, 8 January 2014 13:27
To: [email protected]

Hi all,

My client would like to set up RBAC so that regional IT users are able to add individual computers or users to a collection, but not create or modify query-based collection membership queries, which I will be creating. I've not spent a lot of time with RBAC, do you know if this is possible?

Thanks!
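
One way the back end of the front-end approach suggested in the first reply could look, as an added PowerShell example that is not from the thread or from any of its authors. It assumes the ConfigurationManager module is loaded and the site drive is the current location; the function name `Add-RegionalDevice`, the collection names and the `CONTOSO` groups are hypothetical placeholders.

```powershell
# Added example. Runs as the service account that holds rights on the collections.
# Collection and group names below are hypothetical placeholders.
$AllowedCollections = @{
    'Region-East Direct Adds' = 'CONTOSO\Region-East-IT'
    'Region-West Direct Adds' = 'CONTOSO\Region-West-IT'
}

function Add-RegionalDevice {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string]   $CollectionName,
        # Identity of the person using the front end, not the service account.
        [Parameter(Mandatory)] [System.Security.Principal.WindowsIdentity] $Caller
    )

    # 1. Only collections on the allow-list can be touched at all.
    $group = $AllowedCollections[$CollectionName]
    if (-not $group) { throw "Collection '$CollectionName' is not managed by this tool." }

    # 2. The caller must belong to the group that owns that collection.
    $principal = New-Object System.Security.Principal.WindowsPrincipal $Caller
    if (-not $principal.IsInRole($group)) {
        throw "$($Caller.Name) is not permitted to add devices to '$CollectionName'."
    }

    foreach ($name in $ComputerName) {
        # 3. Accept plain NetBIOS-style names only (Get-CMDevice -Name honours wildcards).
        if ($name -notmatch '^[A-Za-z0-9-]{1,15}$') {
            Write-Warning "Skipped invalid name '$name'"; continue
        }
        # 4. Confirm the device exists in ConfigMgr before adding it.
        $device = Get-CMDevice -Name $name
        if (-not $device) { Write-Warning "Device '$name' not found"; continue }

        # 5. Add a direct membership rule only; query rules are never created here.
        foreach ($d in @($device)) {
            Add-CMDeviceCollectionDirectMembershipRule -CollectionName $CollectionName -ResourceId $d.ResourceID
            Write-Output "$(Get-Date -Format s) $($Caller.Name) added $name ($($d.ResourceID)) to '$CollectionName'"
        }
    }
}
```

Because the regional staff never hold create or modify rights themselves, the allow-list and the group check in this wrapper are the only things standing between them and the collections, so the output lines are worth sending to a log the service account cannot rewrite.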

