Jay Paloma's Tech and Music Blog

Sometimes, this writer can no longer distinguish between the two.

Configuration Manager RBAC – Collections

leave a comment »


2nd Jan 2016, continuing with the doing-nothing-while-on-vacation series.

You can assign access Collection access to Administrative Users. However keep in mind the following:

  1. If your objective is to ensure limited visibility of collection results, then see to it that you do not grant access to the All Systems collection. You have to have what I call a Top-Level Collection in lieu of the default collections (including All Systems). Ensure that the membership of this Top-Level collection is limited to the objects you want the specific admin to see. Use specific conditions, e.g., OU membership, computer name, etc., to populate. Also keep in mind that the objects are still available in Queries, so if you really need to ensure non-visibility of objects, deal with Queries as well.
  2. Use this Top-Level collection as the limiting collection for all other collections that you would create. Do not use the All Systems collection because if the user account does not have access to All Systems, then the user account will always see 0 membership. Remember: the user does not have access to the Top Level collection (ergo, 0 members) and you created a collection that limits itself to the All Systems collection (again, 0 members), and you’ll get a collection of 0 members!

So for example you want to create an RBAC role to be able to deploy Applications and Patches to machines from the APAC region:

  1. Create an APAC Top-Level collection, using All Systems as its limiting collection using OU membership as its criteria.
  2. Create a second collection of with APAC Top-Level as its limiting collection, and add the additional conditions that it is a ConfigMgr client and it is a workstation OS . Let’s call this APAC Clients 
  3. Create an AD Group APAC Deployment
  4. Add this group in ConfigMgr Administrative Users, and grant access to the APAC Clients collection. Also assign it the RBAC Role nearest to the deployment role you want, or customize the role further to get the actions you want this role to perform.

Screenshots to follow once I’m back in my lab. Too bad I haven’t installed my ConfigMgr lab in Azure yet at this point in time.

jay paloma  |  02 jan 2016  |  manila

Advertisements

Written by jpaloma

January 2, 2016 at 7:15 PM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: