Jay Paloma's Tech and Music Blog

Sometimes, this writer can no longer distinguish between the two.

Review: SCCM 2012 Role-based Administration Modelling and Auditing Tool


Problem: You are tasked with coming up with a huge organization’s role-based access control for System Center 2012 Configuration Manager during early deployment. You already have the strategy, but given the hundreds of Active Directory Groups, Collections, Security Scopes and Custom Security Roles, you are very much aware that you need a tool to test all possible security combinations.

To make it worse: because of the thousands of objects that need to be created, you know you will deploy via PowerShell to make it easier. Unfortunately in automation, one does not make small mistakes — you either make no mistake or a massive one. You need a tool to test out your strategy at small scale, and then, after creating all those objects using PowerShell, to ensure that as far as the security settings are concerned, everything’s properly in place.

Solution: Good thing there’s the Role Based Administration Modelling and Auditing Tool for Microsoft System Center 2012 Configuration Manager.

  • Compare your custom groups with the default ones
  • Ensure that user accounts can only access the intended collections, scopes, etc.
  • Test out how the Console behaves based on different user accounts logged on.
  • And more!

The Role Based Auditing and Modelling Tool is available as part of the System Center 2012 Configuration Manager Component Add-ons and Extensions. Download it now!

Testing against a user account


In the Console tab, we can see that this user account can only see Device Collections of “AAA”, even though this SCCM Site has more collections than the ones visible to this user account.


Choosing the Full Administrator default role to test


Comparing two roles – the default role and the custom role

Audit RBA


In Audit RBA, we can see which roles and scopes have been assigned to a specific Active Directory Group.


The AAA Engineers can only access AAA resources


We can see here that the AA2 engineer can only access AA2 objects and scopes
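The same expected-versus-actual check can be scripted after a bulk PowerShell deployment. The following is an added example, not part of the original post or of the tool itself: the function names, the CONTOSO domain and every role, scope and collection name are hypothetical, and it assumes the site's administrative users are available as objects with LogonName, RoleNames, CategoryNames (security scopes) and CollectionNames properties.

```powershell
# Added example: diff the planned RBA assignments against what the site reports.
function New-RbaDrift($Logon, $Field, $Issue, $Value) {
    [pscustomobject]@{ LogonName = $Logon; Field = $Field; Issue = $Issue; Value = $Value }
}

function Compare-RbaAssignment {
    param(
        [Parameter(Mandatory)] [object[]] $Expected,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Actual
    )
    $fields  = 'RoleNames', 'CategoryNames', 'CollectionNames'
    $byLogon = @{}   # hashtable keys are case-insensitive, like AD logon names
    foreach ($a in $Actual) { $byLogon[$a.LogonName] = $a }

    foreach ($e in $Expected) {
        $found = $byLogon[$e.LogonName]
        if (-not $found) {
            New-RbaDrift $e.LogonName '(administrative user)' 'Missing' ''
            continue
        }
        foreach ($f in $fields) {
            $want = @($e.$f | Where-Object { $_ })
            $have = @($found.$f | Where-Object { $_ })
            foreach ($v in $want) { if ($have -notcontains $v) { New-RbaDrift $e.LogonName $f 'Missing' $v } }
            foreach ($v in $have) { if ($want -notcontains $v) { New-RbaDrift $e.LogonName $f 'Unexpected' $v } }
        }
        $byLogon.Remove($e.LogonName)
    }
    # Whatever is left was granted access without being in the plan at all.
    foreach ($a in $byLogon.Values) { New-RbaDrift $a.LogonName '(administrative user)' 'Unplanned' '' }
}

# Constructed sample data: CONTOSO and all role, scope and collection names are placeholders.
$expected = @(
    [pscustomobject]@{ LogonName = 'CONTOSO\AAA Engineers'; RoleNames = @('AAA Engineer'); CategoryNames = @('AAA'); CollectionNames = @('AAA Devices') }
    [pscustomobject]@{ LogonName = 'CONTOSO\AA2 Engineers'; RoleNames = @('AA2 Engineer'); CategoryNames = @('AA2'); CollectionNames = @('AA2 Devices') }
)
# Stand-in for the site's answer. Assumption: on a live site this would be the
# output of Get-CMAdministrativeUser, whose objects carry these property names.
$actual = @(
    [pscustomobject]@{ LogonName = 'contoso\aaa engineers'; RoleNames = @('AAA Engineer'); CategoryNames = @('AAA'); CollectionNames = @('AAA Devices', 'All Systems') }
    [pscustomobject]@{ LogonName = 'CONTOSO\Helpdesk'; RoleNames = @('Full Administrator'); CategoryNames = @('All'); CollectionNames = @('All Systems') }
)
Compare-RbaAssignment -Expected $expected -Actual $actual | Format-Table -AutoSize
```

An empty result means the site matches the plan; any Unexpected or Unplanned row is access that was granted beyond what was intended.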


Written by jpaloma

February 1, 2014 at 2:21 PM

Posted in Microsoft
