Jay Paloma's Tech and Music Blog

Sometimes, this writer can no longer distinguish between the two.

Configuration Manager RBAC – Security Roles



Security roles in Configuration Manager answer the question "What operations can be performed?"

The following are the default security roles available in Configuration Manager 2012 R2:

  1. Application Administrator – Grants permissions to perform both the Application Deployment Manager role and the Application Author role. Administrative users who are associated with this role can also manage queries, view site settings, manage collections, edit settings for user device affinity, and manage App-V virtual environments.
  2. Application Author – Grants permissions to create, modify, and retire applications. Administrative users who are associated with this role can also manage applications, packages, and App-V virtual environments.
  3. Application Deployment Manager – Grants permissions to deploy applications. Administrative users who are associated with this role can view a list of applications, and they can manage deployments for applications, alerts, templates and packages, and programs. Administrative users who are associated with this role can also view collections and their members, status messages, queries, conditional delivery rules, and App-V virtual environments.
  4. Asset Manager – Grants permissions to manage the Asset Intelligence Synchronization Point, Asset Intelligence reporting classes, software inventory, hardware inventory, and metering rules.
  5. Company Resource Access Manager – Grants permissions to create, manage and deploy company resource access profiles such as Wi-Fi, VPN and certificate profiles to users and devices.
  6. Compliance Settings Manager – Grants permissions to define and monitor Compliance Settings. Administrative users associated with this role can create, modify, and delete configuration items and baselines. They can also deploy configuration baselines to collections, initiate compliance evaluation, and initiate remediation for non-compliant computers.
  7. Endpoint Protection Manager – Grants permissions to define and monitor security policies. Administrative users who are associated with this role can create, modify and delete Endpoint Protection policies. They can also deploy Endpoint Protection policies to collections, create and modify alerts, and monitor Endpoint Protection status.
  8. Full Administrator – Grants all permissions in Configuration Manager. The administrative user who first creates a new Configuration Manager installation is associated with this security role, all scopes, and all collections.
  9. Infrastructure Administrator – Grants permissions to create, delete, and modify the Configuration Manager server infrastructure and to perform migration tasks.
  10. Operating System Deployment Manager – Grants permissions to create operating system images and deploy them to computers. Administrative users who are associated with this role can manage operating system installation packages and images, task sequences, drivers, boot images, and state migration settings.
  11. Operations Administrator – Grants permissions for all actions in Configuration Manager except for the permissions that are required to manage security, which includes managing administrative users, security roles, and security scopes.
  12. Read-only Analyst – Grants permissions to view all Configuration Manager objects.
  13. Remote Tools Operator – Grants permissions to run and audit the remote administration tools that help users resolve computer issues. Administrative users that are associated with this role can run Remote Control, Remote Assistance and Remote Desktop from the Configuration Manager console. In addition, they can run the Out of Band Management console and AMT power control options.
  14. Security Administrator – Grants permissions to add and remove administrative users and to associate administrative users with security roles, collections, and security scopes. Administrative users who are associated with this role can also create, modify, and delete security roles and their assigned security scopes and collections.
  15. Software Update Manager – Grants permissions to define and deploy software updates. Administrative users who are associated with this role can manage software update groups, deployments, deployment templates, and enable software updates for Network Access Protection (NAP).

For details on each RBAC role, download the Matrix of Role-Based Administration Permissions for ConfigMgr 2012.
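To see how these roles are actually assigned in a site, the following added example (not from the original post) lists every administrative user per role with the ConfigurationManager PowerShell module and flags the roles described above as granting all or nearly all permissions. The site code `PS1` is a placeholder, and the choice of which roles to flag is an assumption made for this example.

```powershell
# Added example. Assumes the Configuration Manager console is installed on this
# machine and that 'PS1' (placeholder) is replaced with your own site code.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location 'PS1:'

# Roles from the list above that grant all permissions, all permissions except
# security management, or control over who is an administrator.
# (Which roles to flag is a choice made for this example.)
$flaggedRoles = 'Full Administrator', 'Operations Administrator', 'Security Administrator'

# One output row per (administrative user, role) pair.
$assignments = foreach ($admin in Get-CMAdministrativeUser) {
    foreach ($role in $admin.RoleNames) {
        [pscustomobject]@{
            Role        = $role
            LogonName   = $admin.LogonName
            IsGroup     = $admin.IsGroup
            Scopes      = $admin.CategoryNames -join '; '
            Collections = $admin.CollectionNames -join '; '
            Flagged     = $flaggedRoles -contains $role
        }
    }
}

# Full picture: who holds which role, limited to which scopes and collections.
$assignments | Sort-Object Role, LogonName | Format-Table -AutoSize -Wrap

# Short list to review first: holders of the flagged roles.
$assignments | Where-Object { $_.Flagged } |
    Sort-Object Role, LogonName |
    Select-Object Role, LogonName, IsGroup, Scopes, Collections
```

Rows where `IsGroup` is true stand for every member of that Active Directory group, so group membership needs to be reviewed alongside this output.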

To copy an existing Security Role to a custom one

1. In Configuration Manager Console > Administration workspace > Overview > Security > Security Roles, right-click the security role you want to customize, and click Copy.

2. In Specify details for the customized copy of the selected security role, add a name and description, and modify the permissions as necessary. Click OK.
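The copy step can also be scripted. The following added example (not from the original post) uses the ConfigurationManager PowerShell module to copy a built-in role and confirm the result; the site code `PS1`, the source role chosen and the new role's name and description are placeholders for illustration. Permissions on the copy are then adjusted in the console as in step 2.

```powershell
# Added example. Assumes the Configuration Manager console is installed on this
# machine and that 'PS1' (placeholder) is replaced with your own site code.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location 'PS1:'

$sourceRole = 'Read-only Analyst'            # built-in role to start from
$customRole = 'Helpdesk Read-only Custom'    # hypothetical name for the copy

# Stop if the source role is missing or the target name is already taken.
if (-not (Get-CMSecurityRole -Name $sourceRole)) {
    throw "Source security role '$sourceRole' was not found."
}
if (Get-CMSecurityRole -Name $customRole) {
    throw "A security role named '$customRole' already exists."
}

Copy-CMSecurityRole -SourceRoleName $sourceRole -Name $customRole `
    -Description 'Copy of Read-only Analyst for the helpdesk team (example)'

# Confirm the result: the copy is not built-in, records which role it was
# copied from, and has no administrative users associated with it yet.
Get-CMSecurityRole -Name $customRole |
    Select-Object RoleName, RoleID, IsBuiltIn, CopiedFromID, NumberOfAdmins
```

Starting from the role with the fewest permissions that still covers the job, and removing what is not needed, keeps the custom role narrower than starting from a broad role.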

Written by jpaloma

January 4, 2015 at 7:25 PM

Posted in Microsoft
