Yep, I figured that, so I have a new scope, all systems collection (the limited
to), my deploy collection (limited to all systems), and the role are all
assigned to the user. The role is as such:
Read just about everything; I used Brian Mason’s “Read-only analyst” role as
the base, then added:
Collection
-Modify
-Modify Resource
-Delete Resource
Site
-Import Machine
Anything else?
From: [email protected] On Behalf Of Kim Oppalfens
Sent: Friday, October 10, 2014 1:22 PM
To: [email protected]
Cc: '[email protected]'
Subject: RE: [mssms] RBAC and import computer
The user needs permissions to the site object in a security scope assigned to
him and needs read on the collection that the collection he is importing to is
limited to.
That last sentence is a somewhat complicated technically accurate way of saying
the user needs access to the parent collection of the collection he is
importing to.
Hth
________________________________
From: Mote, Todd
Sent: 10/10/2014 19:37
To: [email protected]
Cc: '[email protected]'
Subject: [mssms] RBAC and import computer
So I’m trying to set up a user account that will be used in a script to be
able to import computer information. Using the RBA Viewer, I worked out a set
that RBA Viewer says works. When I actually go and put the same scope, user,
and collections together and open the console as the user, I get different
results from what the RBA Viewer tells me I should see. SCCM 2012 R2 CU2.
The rights I’ve granted are essentially Read-only analyst (from Brian) plus, in
the Collection section, I’ve added Modify, Modify Resource, Delete Resource, and
in the Site section added Import Machine. Like I said, RBA Viewer using RunAs
for the same user produces different results than when I open the console as
the user. Any ideas, or have I left something out I need?
Todd