RBAC in Configmgr 2012

A feature that I hold dear in SCCM 2012 is the Role Based Access Control, in previous versions (2007)  there were no good way to control permissions in 1 site. Now in 2012 its much easier to assign permissions to a group or user in the SCCM console.

For those that don’t know what RBAC is, it describes who gets access to what on which objects

In SCCM 2012 you can alter these security settings under Administration -> Security

On the left side there you can see 5 options.
Administrative users (this is the who can access )
Security rules ( this is what permissions those users get read/write )
Security Scopes ( this is which objects can they access )

SCCM 2012 comes default with 14 security roles, the account you install SCCM with gets default Full Administrator rights and is placed in the Administrative users list.  This account also gets the security scope “all” which grants my account full Access to everything in the site.

In a regular enviroment you don’t want to give anyone full administrator rights in your SCCM infrastructure, most likely you want to give him/her custom permissions to his/her device collection (which is this case is a bunch of servers)

First thing you need to do is create a custom security role that this user is going to have. What actions does the user need to do inside SCCM ? deploy software ? Remote control ? Run reports ?
For the simplicity im going to create a custom role that can use remote control on a custom device collection.

SCCM has a default security role that has the permissions to just do remote control (which is called Remote Tools operator) so we are going to copy that role and customize it a bit.

Go into Security Roles -> Find the remote tools operator -> right click and choose copy

Now a new window appear which shows you all the permissions that the role has. It only has permission to do something on a Collection, which is what we want.
As you can see there are alot of permissions that you can change here! We will just leave it to the default and give it the name “Help Desk

Now that we created the role, we have to create a security scope. Which is pretty simple. Go into the security scope right click and choose “Create Security Scope” you don’t define here what the scope grants access to.

Now we have to import a user and grant that user those spesific permissions and the scope of those permissions. Go to Administrative Users and choose “Add user or group”
Choose browse and find the spesific user from Active Directory.
From Assigned security role choose and and click the “Help Desk” role that we created.

In the bottom you will see which scopes the user will have with its permissions.  Remove all the default and choose a custom Device collection and the help desk security scope that we created.
Then click OK.

When the user logges into the ConfigMgr Console he will only see what he can access with his permissions.

Leave a Reply

Scroll to Top