Jay Paloma's Tech and Music Blog

Sometimes, this writer can no longer distinguish between the two.

Configuration Manager RBAC – Testing and Potential Issues



This blog post is about my personal gotchas in implementing Role Based Access Control (RBAC) in System Center 2012 R2 Configuration Manager.

When implementing Role Based Access Control in Configuration Manager, I personally recommend that the consultant come up with test conditions covering the whole RBAC space and thoroughly test each RBAC role against very specific success criteria.

Perhaps the first potential issue I would emphasize to the consultant is that Reporting Services will probably be the first collateral damage when implementing RBAC, so make it your primary test criterion. Why? If the RBAC roles, especially the Security Scopes, are limited to objects that directly affect the client (e.g., applications, DPs, etc.), Reporting Services will not work. I will write a separate blog post on this issue, but the quick solution is to create a Security Scope that includes the Site container and assign it to every RBAC role that requires reporting.

If your primary RBAC requirement is exclusive visibility of client computers for different client admins, your RBAC focus is on Collections. Your first move is to ensure that the client-administering RBAC roles do not have access to All Systems (which contains, among other things, all your servers with the CM client installed). But doing so means you cannot use All Systems as the Limiting Collection of the other collections these admins require (the resulting collections would contain no objects). Therefore, you need to create one collection for each client-administering group, containing all the computers that group may administer and none that it may not. This collection is then used as the Limiting Collection of all other collections these admins create.

  • EUROPE Client Admins – Collection that contains only EUROPE computers
  • APAC Client Admins – Collection that contains only APAC computers
  • EMEA Client Admins – Collection that contains only EMEA computers

It is highly recommended that you use Incremental Updates on these collections so that their membership is updated every 5 minutes by default.
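As an added example (not code from the original post), the following script builds the per-region limiting collections described above with the Configuration Manager PowerShell module, grants each client-admin group a built-in role limited to its own collection and scope, and then checks for collections that still use All Systems as their limiting collection. It assumes a placeholder site code PS1, hypothetical AD groups such as CONTOSO\EUROPE-ClientAdmins, and that the region name appears in each computer's AD OU path.

```powershell
# Added example, not from the post. Assumptions: site code PS1 (placeholder),
# hypothetical AD groups per region, region name present in the OU path.
Import-Module "$(Split-Path $env:SMS_ADMIN_UI_PATH -Parent)\ConfigurationManager.psd1"
$SiteCode = 'PS1'   # placeholder site code
Set-Location "$($SiteCode):"

$regions = @{
    'EUROPE' = 'CONTOSO\EUROPE-ClientAdmins'
    'APAC'   = 'CONTOSO\APAC-ClientAdmins'
    'EMEA'   = 'CONTOSO\EMEA-ClientAdmins'
}

foreach ($region in $regions.Keys) {
    $collName = "$region Client Admins - Limiting"

    # The region's limiting collection. RefreshType Both = scheduled full
    # evaluation plus incremental updates (the 5-minute default from the post).
    $coll = New-CMDeviceCollection -Name $collName `
        -LimitingCollectionName 'All Systems' -RefreshType Both

    # Membership rule: only computers whose AD OU path contains the region name
    # (constructed assumption about how regions are encoded in AD).
    $query = "select SMS_R_System.ResourceID from SMS_R_System " +
             "where SMS_R_System.SystemOUName like '%$region%'"
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $collName `
        -RuleName "$region computers" -QueryExpression $query

    # One security scope per region so each group only sees its own objects.
    $scope = New-CMSecurityScope -Name "$region Scope"
    Add-CMObjectSecurityScope -InputObject $coll -Scope $scope

    # Grant the group a built-in role, limited to this collection and scope.
    # All Systems is deliberately not in the list, so servers stay invisible.
    # Per the post, a scope that includes the Site container must also be
    # added (in the console) to any role that needs Reporting Services.
    New-CMAdministrativeUser -Name $regions[$region] `
        -RoleName 'Operations Administrator' `
        -SecurityScopeName "$region Scope" -CollectionName $collName
}

# Check: any client-admin collection still limited by All Systems (SMS00001)
# would expose every client, servers included. Report those for review.
Get-CMDeviceCollection |
    Where-Object { $_.LimitToCollectionID -eq 'SMS00001' -and
                   $_.Name -like '* Client Admins*' -and
                   $_.Name -notlike '*- Limiting' } |
    Select-Object Name, CollectionID, LimitToCollectionID
```

Run it from a console-installed machine with a site-admin account; the final check should return no rows once the admins' collections are re-limited to their regional collection.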


Written by jpaloma

January 12, 2015 at 10:19 AM

One Response


  1. […] Part 7: Configuration Manager RBAC – Testing and Potential Issues […]

