I did this for some of our IT staff, gave them the ability to just add direct memberships to a collection and remove devices from a collection. Had our Citrix team publish the console and I modified the xml files to take away the collection properties from the context menu and force them to just use the add resource menu item.

Unfortunately with RBAC you have to give the modify right for users to be able to add devices to a collection, which also includes the ability to create query rules. It would be nice to have those rights broken down a bit in future updates.

From: [email protected] [mailto:[email protected]] On Behalf Of Stephen Owen
Sent: Wednesday, January 8, 2014 9:29 AM
To: [email protected]
Subject: Re: [mssms] RBAC, is this possible?

We did this in 2007 but in 2012, they're wanting to go all Console. I think I'll be rolling a PowerShell GUI to help facilitate all of this.

Thanks,

On Wed, Jan 8, 2014 at 9:21 AM, Sherry Kissinger <[email protected]> wrote:

Once someone has create or modify on a collection, they can change anything. I suggest having a "front end" -- either a web page, or a PowerShell GUI (something like that) which those regional staff can use; you could keep it simple "input computer names here" (and a separate one for usernames), and trust they've already confirmed the exact computer name and the exact username, or you could get as complex as you like on verification -- confirming the computer or user exists, confirming that the user running the "add a computer" has the correct "rights" to manage that particular computer or user. The web page does the actual adding using a service account -- which has rights to that collection. Basically, a "roll your own shopping". You could also look at all the various shopping addons for CM12 -- that's pretty much what you are looking for.

Sherry Kissinger
Microsoft MVP - ConfigMgr
[email protected]

________________________________
From: Jason Wallace <[email protected]>
To: "[email protected]" <[email protected]>
Sent: Wednesday, January 8, 2014 7:32 AM
Subject: Re: [mssms] RBAC, is this possible?

I really don't think that you would be able to do this.

http://gallery.technet.microsoft.com/Matrix-of-Role-Based-d6318b96 is a very useful resource on RBAC, as is Chris Nacker's blog

Sent from Windows Mail

From: Stephen Owen <[email protected]>
Sent: Wednesday, 8 January 2014 13:27
To: [email protected]

Hi all,

My client would like to set up RBAC so that regional IT users are able to add individual computers or users to a collection, but not create or modify query-based collection membership queries, which I will be creating. I've not spent a lot of time with RBAC, do you know if this is possible?

Thanks!
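The "front end with a service account" pattern Sherry describes, and the PowerShell route Stephen says he will take, come down to one script that holds the Modify right on the regional staff's behalf and refuses everything except a direct-membership add to a known collection. The following is an added example, not code from anyone in this thread: it uses the cmdlets of the ConfigurationManager console module (Get-CMDevice, Get-CMDeviceCollectionDirectMembershipRule, Add-CMDeviceCollectionDirectMembershipRule), and the site code 'P01', the collection allow-list, the hostname pattern and the log path are assumptions chosen for illustration.

```powershell
# Added example of a least-privilege "add a computer to a collection" front end.
# Run it under a service account that holds Modify on the listed collections; the
# regional user only supplies a hostname and a collection name, never a query rule.
# Assumptions (not from the thread): site code 'P01', the allow-list below, the
# NetBIOS hostname pattern, and the log path.
param(
    [Parameter(Mandatory)][string]$ComputerName,
    [Parameter(Mandatory)][string]$CollectionName
)

# Only these collections can be touched through this front end. Anything else is
# refused before ConfigMgr is contacted, so the service account's wider Modify
# right is never reachable by the caller. (Assumed names.)
$AllowedCollections = @('Regional - Pilot Workstations', 'Regional - Printer Drivers')

# Accept only a plain NetBIOS hostname: no wildcards, no WQL fragments, nothing
# that Get-CMDevice could treat as a pattern.
if ($ComputerName -notmatch '^[A-Za-z0-9-]{1,15}$') {
    throw "Refusing '$ComputerName': not a valid NetBIOS hostname."
}
if ($AllowedCollections -notcontains $CollectionName) {
    throw "Refusing '$CollectionName': not in the allow-list for this front end."
}

# Load the console's ConfigurationManager module and move to the site drive.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location 'P01:'   # assumed site code

# Verify the device exists, exact-name match only, and take a single record.
$device = Get-CMDevice -Name $ComputerName |
    Where-Object { $_.Name -eq $ComputerName } |
    Select-Object -First 1
if (-not $device) {
    throw "No device named '$ComputerName' found in the site."
}

# Idempotent: do nothing if it is already a direct member, otherwise add the rule.
$existing = Get-CMDeviceCollectionDirectMembershipRule -CollectionName $CollectionName -ResourceName $ComputerName
if ($existing) {
    Write-Output "$ComputerName is already a direct member of '$CollectionName'."
    return
}
Add-CMDeviceCollectionDirectMembershipRule -CollectionName $CollectionName -ResourceId $device.ResourceID

# Audit trail: ConfigMgr only sees the service account, so this line is the
# record of which human asked for the change.
$logLine = "{0} {1} added {2} to '{3}'" -f (Get-Date -Format o), $env:USERNAME, $ComputerName, $CollectionName
Add-Content -Path 'C:\Logs\CollectionFrontEnd.log' -Value $logLine   # assumed log path
Write-Output $logLine
```

The allow-list stands in for the "does this user have rights to manage that particular computer" check Sherry mentions; a real front end would replace it with a lookup against the caller's region or an AD group, but the shape stays the same: validate the two inputs, confirm the object exists, do exactly one kind of change, and log who asked for it.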