Security Group based collection membership? I actually love to go that method, but this client doesn't want to do that.

It seems the consensus is that one cannot easily prohibit others from modifying the queries used in a query based collection.

On Wed, Jan 8, 2014 at 11:02 AM, Jason Sandys <[email protected]> wrote:
> Why not use AD Security groups for this?
>
> J
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Krueger, Jeff
> *Sent:* Wednesday, January 8, 2014 8:55 AM
> *To:* [email protected]
> *Subject:* RE: [mssms] RBAC, is this possible?
>
> I did this for some of our IT staff, gave them the ability to just add direct memberships to a collection and remove devices from a collection. Had our Citrix team publish the console and I modified the xml files to take away the collection properties from the context menu and force them to just use the add resource menu item.
>
> Unfortunately with RBAC you have to give the modify right for users to be able to add devices to a collection, which also includes the ability to create query rules. It would be nice to have those rights broken down a bit in future updates.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Stephen Owen
> *Sent:* Wednesday, January 8, 2014 9:29 AM
> *To:* [email protected]
> *Subject:* Re: [mssms] RBAC, is this possible?
>
> We did this in 2007 but in 2012, they're wanting to go all Console.
>
> I think I'll be rolling a PowerShell GUI to help facilitate all of this.
>
> Thanks,
>
> On Wed, Jan 8, 2014 at 9:21 AM, Sherry Kissinger <[email protected]> wrote:
>
> Once someone has create or modify on a collection, they can change anything.
>
> I suggest having a "front end" -- either a web page, or a powershell gui (something like that) which those regional staff can use; you could keep it simple "input computer names here" (and a separate one for usernames), and trust they've already confirmed the exact computer name and the exact username, or you could get as complex as you like on verification--confirming the computer or user exists, confirming that the user running the "add a computer" has the correct "rights" to manage that particular computer or user.
>
> The web page does the actual adding using a service account--which has rights to that collection. Basically, a "roll your own shopping".
>
> You could also look at all the various shopping addons for CM12--that's pretty much what you are looking for.
>
> Sherry Kissinger
> Microsoft MVP - ConfigMgr
> [email protected]
>
> ------------------------------
>
> *From:* Jason Wallace <[email protected]>
> *To:* "[email protected]" <[email protected]>
> *Sent:* Wednesday, January 8, 2014 7:32 AM
> *Subject:* Re: [mssms] RBAC, is this possible?
>
> I really don't think that you would be able to do this.
>
> http://gallery.technet.microsoft.com/Matrix-of-Role-Based-d6318b96 is a very useful resource on RBAC, as is Chris Nacker's blog
>
> Sent from Windows Mail
>
> *From:* Stephen Owen <[email protected]>
> *Sent:* Wednesday, 8 January 2014 13:27
> *To:* [email protected]
>
> Hi all,
>
> My client would like to set up RBAC so that regional IT users are able to add individual computers or users to a collection, but not create or modify query-based collection membership queries, which I will be creating.
>
> I've not spent a lot of time with RBAC; do you know if this is possible?
>
> Thanks!
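As an added example, not code from the thread or from any of its posters, the following shows one shape the "front end" Sherry Kissinger describes could take in PowerShell. The script is meant to run under a service account that holds Modify on the target collections, so regional staff never receive collection rights in ConfigMgr RBAC and therefore cannot reach the query rules that Modify would otherwise expose. The wrapper exposes exactly one privileged operation, adding a direct membership rule, and enforces its own checks first: an AD group to collection allowlist, an exact-name lookup of the device, an idempotency check, and an audit log of every request. The site code `PS1`, the group names, the collection names, the log path, and the assumption that the hosting web page or launcher supplies an authenticated requester name are all assumptions for illustration; the `Get-CMDevice`, `Get-CMDeviceCollectionDirectMembershipRule` and `Add-CMDeviceCollectionDirectMembershipRule` cmdlets are the ConfigMgr console module's own.

```powershell
# Added example (not from the thread): a constrained front end for adding a
# device to a collection, run under a service account that holds Modify on the
# allowlisted collections. Regional users get no ConfigMgr RBAC collection
# rights at all; the allowlist below is the authorization boundary instead.
# Assumptions: site code 'PS1', the group/collection map, the log path, and that
# the caller's identity ($Requester) has already been authenticated by the
# hosting web page or launcher.

# Import the ConfigurationManager module from an installed console and connect
# to the site drive (SMS_ADMIN_UI_PATH ends in \bin\i386; the psd1 sits in \bin).
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$SiteCode = 'PS1'                                           # assumption
Set-Location "$SiteCode`:"

# Which AD groups (sAMAccountName) may add devices to which collections.
$RegionMap = @{
    'CM-Region-East' = @('East - Workstations')             # assumption
    'CM-Region-West' = @('West - Workstations')             # assumption
}
$AuditLog = 'C:\ProgramData\CMFrontEnd\adds.log'            # assumption

function Write-AuditEntry {
    param([string]$Message)
    # Every request, allowed or denied, is recorded with a timestamp for review.
    $line = "{0:yyyy-MM-dd HH:mm:ss}  {1}" -f (Get-Date), $Message
    New-Item -ItemType Directory -Path (Split-Path $AuditLog) -Force | Out-Null
    Add-Content -Path $AuditLog -Value $line
}

function Test-RequesterAllowed {
    param([string]$Requester, [string]$CollectionName)
    # Resolve the requester's AD group membership (nested groups included)
    # and check whether any of those groups is mapped to this collection.
    $ctx  = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain')
    $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $Requester)
    if (-not $user) { return $false }
    foreach ($g in $user.GetAuthorizationGroups()) {
        if (-not $g.SamAccountName) { continue }            # well-known SIDs have no name
        $allowed = $RegionMap[$g.SamAccountName]
        if ($allowed -and $allowed -contains $CollectionName) { return $true }
    }
    return $false
}

function Add-DeviceToRegionalCollection {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Requester,       # e.g. 'CONTOSO\jdoe' from the front end's auth
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$CollectionName
    )
    # 1. Only mapped collections can be touched, and only by their region's group.
    if (-not (Test-RequesterAllowed -Requester $Requester -CollectionName $CollectionName)) {
        Write-AuditEntry "DENIED  $Requester -> '$ComputerName' in '$CollectionName'"
        throw "Not authorized to manage '$CollectionName'."
    }
    # 2. Exact device lookup; reject wildcard characters so one request means one device.
    if ($ComputerName -match '[*%?]') { throw 'Wildcards are not accepted.' }
    $device = Get-CMDevice -Name $ComputerName
    if (-not $device) { throw "No device named '$ComputerName' in site $SiteCode." }
    # 3. Idempotent: do nothing if a direct rule for this device already exists.
    $existing = Get-CMDeviceCollectionDirectMembershipRule -CollectionName $CollectionName -ResourceName $ComputerName
    if ($existing) {
        Write-AuditEntry "NOOP    $Requester -> '$ComputerName' already in '$CollectionName'"
        return
    }
    # 4. The single privileged action this front end performs.
    Add-CMDeviceCollectionDirectMembershipRule -CollectionName $CollectionName -ResourceId $device.ResourceID
    Write-AuditEntry "ADDED   $Requester -> '$ComputerName' (ResourceID $($device.ResourceID)) in '$CollectionName'"
}

# Example call with constructed values:
# Add-DeviceToRegionalCollection -Requester 'CONTOSO\jdoe' -ComputerName 'WS-EAST-0042' -CollectionName 'East - Workstations'
```

Because the service account is the only principal with Modify on these collections, the query rules are only as exposed as this script makes them, and the script never calls anything that touches them; a companion function for removing a direct rule would follow the same allowlist and audit pattern. The same approach applies to user collections by swapping in the user-collection cmdlets and a username lookup.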

