Correct. The granularity of RBAC is very good but does not go down as far as the methods for populating a collection. There was a good suggestion for deploying a modified SCCM console to those users who will be using the SCCM console, and this might work for you.

Date: Wed, 8 Jan 2014 11:14:15 -0500
Subject: Re: [mssms] RBAC, is this possible?
From: [email protected]
To: [email protected]

Security Group based collection membership? I actually love to go that method, but this client doesn't want to do that. It seems the consensus is that one cannot easily prohibit others from modifying the queries used in a query-based collection.

On Wed, Jan 8, 2014 at 11:02 AM, Jason Sandys <[email protected]> wrote:

Why not use AD Security groups for this?

J

From: [email protected] [mailto:[email protected]] On Behalf Of Krueger, Jeff
Sent: Wednesday, January 8, 2014 8:55 AM
To: [email protected]
Subject: RE: [mssms] RBAC, is this possible?

I did this for some of our IT staff: gave them the ability to just add direct memberships to a collection and remove devices from a collection. Had our Citrix team publish the console, and I modified the XML files to take away the collection properties from the context menu and force them to just use the add resource menu item. Unfortunately, with RBAC you have to give the modify right for users to be able to add devices to a collection, which also includes the ability to create query rules. It would be nice to have those rights broken down a bit in future updates.

From: [email protected] [mailto:[email protected]] On Behalf Of Stephen Owen
Sent: Wednesday, January 8, 2014 9:29 AM
To: [email protected]
Subject: Re: [mssms] RBAC, is this possible?

We did this in 2007, but in 2012 they're wanting to go all Console. I think I'll be rolling a PowerShell GUI to help facilitate all of this.

Thanks,

On Wed, Jan 8, 2014 at 9:21 AM, Sherry Kissinger <[email protected]> wrote:

Once someone has create or modify on a collection, they can change anything.

I suggest having a "front end" -- either a web page, or a PowerShell GUI (something like that) which those regional staff can use; you could keep it simple ("input computer names here", and a separate one for usernames) and trust they've already confirmed the exact computer name and the exact username, or you could get as complex as you like on verification -- confirming the computer or user exists, confirming that the user running the "add a computer" has the correct "rights" to manage that particular computer or user. The web page does the actual adding using a service account, which has rights to that collection. Basically, a "roll your own shopping". You could also look at all the various shopping add-ons for CM12; that's pretty much what you are looking for.

Sherry Kissinger
Microsoft MVP - ConfigMgr
[email protected]

From: Jason Wallace <[email protected]>
To: "[email protected]" <[email protected]>
Sent: Wednesday, January 8, 2014 7:32 AM
Subject: Re: [mssms] RBAC, is this possible?

I really don't think that you would be able to do this. http://gallery.technet.microsoft.com/Matrix-of-Role-Based-d6318b96 is a very useful resource on RBAC, as is Chris Nacker's blog.

Sent from Windows Mail

From: Stephen Owen
Sent: Wednesday, 8 January 2014 13:27
To: [email protected]

Hi all,

My client would like to set up RBAC so that regional IT users are able to add individual computers or users to a collection, but not create or modify query-based collection membership queries, which I will be creating. I've not spent a lot of time with RBAC; do you know if this is possible?

Thanks!

CONFIDENTIALITY NOTICE: This email contains information from the sender that may be CONFIDENTIAL, LEGALLY PRIVILEGED, PROPRIETARY or otherwise protected from disclosure. This email is intended for use only by the person or entity to whom it is addressed. If you are not the intended recipient, any use, disclosure, copying, distribution, printing, or any action taken in reliance on the contents of this email, is strictly prohibited. If you received this email in error, please contact the sending party by reply email, delete the email from your computer system and shred any paper copies. Note to Patients: There are a number of risks you should consider before using e-mail to communicate with us. See our Privacy & Security page on www.henryford.com for more detailed information as well as information concerning MyChart, our new patient portal. If you do not believe that our policy gives you the privacy and security protection you need, do not send e-mail or Internet communications to us.
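The "front end" Sherry Kissinger describes, and the PowerShell GUI Stephen Owen says he will build, both come down to the same design: the regional technician never holds Modify on the collection; a service account that does hold it performs the direct-membership add, after the front end has checked that the caller is allowed to touch that collection and that the device actually exists. The script below is an added illustration of that back-end piece, not code from the thread or from any of its participants. It uses the real ConfigurationManager cmdlets (Get-CMDevice, Add-CMDeviceCollectionDirectMembershipRule) and the ActiveDirectory module; the site code 'P01', the collection names, the AD group names and the audit log path are placeholders for this example.

```powershell
# Added example: service-account back end for a "roll your own" collection front end.
# Assumes the ConfigMgr console (and thus SMS_ADMIN_UI_PATH) and the ActiveDirectory
# module are installed on the host running this under the service account.
#Requires -Modules ActiveDirectory

$SiteCode = 'P01'                                   # placeholder site code
$AuditLog = 'C:\CollectionFrontEnd\audit.log'       # placeholder path

Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):\"

# Which regional AD group is allowed to add devices to which collection.
# Placeholder values; the point is that authorisation lives here, not in ConfigMgr RBAC.
$CollectionAccess = @{
    'Region East Workstations' = 'CM-Region-East-Techs'
    'Region West Workstations' = 'CM-Region-West-Techs'
}

function Test-CallerAllowed {
    param(
        [Parameter(Mandatory)][string]$CollectionName,
        [Parameter(Mandatory)][string]$CallerSamAccountName
    )
    $group = $CollectionAccess[$CollectionName]
    if (-not $group) { return $false }              # unknown collection: deny by default
    # Recursive lookup so nested groups work; the service account only needs AD read access.
    $members = Get-ADGroupMember -Identity $group -Recursive |
               Select-Object -ExpandProperty SamAccountName
    return ($members -contains $CallerSamAccountName)
}

function Add-RegionalDevice {
    param(
        [Parameter(Mandatory)][string]$CollectionName,
        [Parameter(Mandatory)][string[]]$ComputerName,
        # The identity the web page or GUI authenticated; never trusted from free text input.
        [Parameter(Mandatory)][string]$CallerSamAccountName
    )

    if (-not (Test-CallerAllowed -CollectionName $CollectionName -CallerSamAccountName $CallerSamAccountName)) {
        throw "$CallerSamAccountName is not authorised to manage '$CollectionName'"
    }

    foreach ($name in $ComputerName) {
        # Only accept a plain NetBIOS-style name; anything else is rejected before it reaches the site.
        if ($name -notmatch '^[A-Za-z0-9-]{1,15}$') {
            Write-Warning "Skipping '$name': not a valid computer name"
            continue
        }

        # Confirm the device exists in the site rather than creating a dangling rule.
        $device = Get-CMDevice -Name $name
        if (-not $device) {
            Write-Warning "Skipping '$name': no such device in site $SiteCode"
            continue
        }

        # The service account performs the add; this is the only place Modify is exercised.
        Add-CMDeviceCollectionDirectMembershipRule -CollectionName $CollectionName -ResourceId $device.ResourceID

        # ConfigMgr's own status messages will only show the service account, so record the real requester.
        Add-Content -Path $AuditLog -Value ("{0} {1} added {2} to '{3}'" -f (Get-Date -Format o), $CallerSamAccountName, $name, $CollectionName)
    }
}

# Example call from the front end (placeholder values):
# Add-RegionalDevice -CollectionName 'Region East Workstations' -ComputerName 'WS-EAST-042' -CallerSamAccountName 'jdoe'
```

Two design points worth keeping from Sherry's description: the authorisation decision (which caller may touch which collection) is made entirely in the front end, so the ConfigMgr RBAC role granted to regional staff can stay read-only or be dropped altogether, and the audit line records the authenticated requester, because the site itself will attribute every change to the service account. If the front end is a web page, $CallerSamAccountName should come from the web server's authenticated identity (for example Windows authentication in IIS), never from a form field.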

