That detail helped. I had forgotten that you have to visit the Sites node in Administration and add the scope to the site object there. After that I created a new collection with a query rule that basically looks for manual machine entries in the last 30 minutes. This collection is the limiting collection for my deployment collections. The users I have running the script are RBAC'd to just see the deploy collections and my new manual machine query collection. Once they run the script the entry is created and lives there only 30 minutes, long enough to start OSD, then it disappears. Which also has the handy side effect of not leaving the objects in the deploy collection, where a redeploy is a risk.

Thanks for getting me there, Kim.

Todd

From: [email protected] [mailto:[email protected]] On Behalf Of Kim Oppalfens
Sent: Friday, October 10, 2014 2:43 PM
To: [email protected]
Cc: '[email protected]'
Subject: RE: [mssms] RBAC and import computer

Site object in your security scope?

Sent from my Windows Phone

________________________________
From: Mote, Todd
Sent: 10/10/2014 21:36
To: [email protected]
Cc: '[email protected]'
Subject: RE: [mssms] RBAC and import computer

Yep, I figured that, so I have a new scope, all systems collection (the limited to), my deploy collection (limited to all systems), and the role are all assigned to the user. The role is as such: Read just about everything, I used Brian Mason's "Read-only analyst" role as the base, then added

Collection
- Modify
- Modify Resource
- Delete Resource

Site
- Import Machine

Anything else?

From: [email protected] [mailto:[email protected]] On Behalf Of Kim Oppalfens
Sent: Friday, October 10, 2014 1:22 PM
To: [email protected]
Cc: '[email protected]'
Subject: RE: [mssms] RBAC and import computer

The user needs permissions to the site object in a security scope assigned to him and needs read on the collection that the collection he is importing to is limited to. That last sentence is a somewhat complicated technically accurate way of saying the user needs access to the parent collection of the collection he is importing to.

Hth

Sent from my Windows Phone

________________________________
From: Mote, Todd
Sent: 10/10/2014 19:37
To: [email protected]
Cc: '[email protected]'
Subject: [mssms] RBAC and import computer

So I'm trying to set up a user account that will be used in a script to be able to import computer information. Using the RBA Viewer, I worked out a set that RBA Viewer says works.

When I actually go and put the same scope, user, and collections together and open the console as the user, I get different results from what the RBA viewer tells me I should see. SCCM 2012 R2 CU2. The rights I've granted are essentially read-only analyst (from Brian) plus in the Collection section I've added Modify, Modify Resource, Delete Resource, and in the Site section added Import Machine. Like I said, RBA Viewer using RunAs for the same user produces different results than when I open the console as the user. Any ideas, or have I left something out I need?

Todd
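The setup Todd describes (a limiting collection that only holds manually imported records for 30 minutes, plus a scoped, least-privilege account that runs the import) can be scripted with the ConfigurationManager PowerShell module that ships with the admin console. The following is an added example written for this page, not a script posted in the thread or supplied by Microsoft. The site code `PS1`, the collection names, the MAC address, and the WQL rule (filtering on `SMS_R_System.AgentName = "Manual Machine Entry"` and `CreationDate` within 30 minutes) are assumptions; check the query against your own site before relying on it.

```powershell
# Added example (not from the thread). Assumes the ConfigMgr admin console is installed
# (so $env:SMS_ADMIN_UI_PATH is set), site code "PS1", and the placeholder collection names below.

$SiteCode          = 'PS1'                              # assumption: replace with your site code
$StagingCollection = 'Manual Machine Entries (30 min)'  # assumption: the limiting collection
$DeployCollection  = 'OSD Deploy'                       # assumption: the deployment collection

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" -ErrorAction Stop
Set-Location "$SiteCode`:"

# --- One-time setup, run by a full administrator, not by the scripted account ---
# The staging collection's query keeps only records created by a manual import in the
# last 30 minutes, so objects age out of every collection limited to it automatically.
function New-StagingCollection {
    $wql = @"
select SMS_R_System.ResourceID, SMS_R_System.ResourceType, SMS_R_System.Name,
       SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client
from SMS_R_System
where SMS_R_System.AgentName = "Manual Machine Entry"
  and DateDiff(mi, SMS_R_System.CreationDate, GetDate()) <= 30
"@
    if (-not (Get-CMDeviceCollection -Name $StagingCollection)) {
        # Incremental updates are needed for a 30-minute window to mean anything.
        New-CMDeviceCollection -Name $StagingCollection -LimitingCollectionName 'All Systems' `
            -RefreshType Both | Out-Null
        Add-CMDeviceCollectionQueryMembershipRule -CollectionName $StagingCollection `
            -RuleName 'Recent manual imports' -QueryExpression $wql
    }
    if (-not (Get-CMDeviceCollection -Name $DeployCollection)) {
        # The deploy collection is limited to the staging collection, so the scripted
        # account only ever needs Read on the staging collection (Kim's "parent" rule).
        New-CMDeviceCollection -Name $DeployCollection -LimitingCollectionName $StagingCollection | Out-Null
    }
}

# --- Per-machine import, run by the RBAC-scoped service account ---
# The account needs Import Machine on the site object (site object in its security scope),
# Read on the staging collection, and Modify / Modify Resource / Delete Resource on the deploy
# collection. It is deliberately NOT given deployment rights, so it cannot retarget a task sequence.
function Import-OsdComputer {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $MacAddress      # e.g. '00:11:22:33:44:55' (constructed sample)
    )

    # Fail early with a readable message if the scope is wrong; the import would
    # otherwise fail with a less obvious RBAC error from the provider.
    foreach ($name in @($StagingCollection, $DeployCollection)) {
        if (-not (Get-CMDeviceCollection -Name $name)) {
            throw "Collection '$name' is not visible to $env:USERNAME; check security scope and role."
        }
    }

    Import-CMComputerInformation -ComputerName $ComputerName -MacAddress $MacAddress `
        -CollectionName $DeployCollection

    # Verify the record exists; collection membership may take an incremental update to show.
    $device = Get-CMDevice -Name $ComputerName
    if (-not $device) { throw "Import of '$ComputerName' was accepted but no device record was found." }
    return "Imported $($device.Name) (ResourceID $($device.ResourceID)) for OSD via '$DeployCollection'"
}

# Example use (constructed values):
# New-StagingCollection                                   # once, as an administrator
# Import-OsdComputer -ComputerName 'WS-0001' -MacAddress '00:11:22:33:44:55'
```

The point of the limiting-collection design, beyond the RBAC requirement Kim describes, is that the imported object disappears from the deploy collection on its own, so a stale record cannot be re-imaged later; `RefreshType Both` on the staging collection is what makes the 30-minute window take effect without waiting for the full schedule.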

