Jay Paloma's Tech and Music Blog

Sometimes, this writer can no longer distinguish between the two.

Configuration Manager RBAC – Practical Applications



It’s 2 Jan 2016. Happy New Year 2016! I am currently on vacation in my hometown in Manila (I am based in Singapore), and to spend some quality time, I want to write another chapter in the ConfigMgr RBAC series.

In continuation of our series on ConfigMgr RBAC, let’s now take a look at some practical applications of Role Based Access Control in ConfigMgr.

First, division and compartmentalization of Responsibilities. To do this, customize RBAC Roles and assign each one to a different AD Group, while every group keeps access to all collections.

Secondly, division and compartmentalization of Objects. To do this, you can use a high-access RBAC Role like Operations Admin but ensure that permissions are assigned only to specific collections, and never assign permissions to the All Systems collection. Do note that as a caveat to this, you cannot assign permissions to any collection that uses All Systems as its limiting Collection. Therefore you should create a collection that uses All Systems as its limiting collection, then use the newly created collection as the Limiting Collection for the collections that you will assign permissions to.

Something like

All Systems –> Limiting Collection of CollectionB –> Limiting Collection of CollectionC <– Assign permissions

Thirdly, a hybrid division and compartmentalization of both Objects and Responsibilities. This one is just a combination of both. Something like this setup:

  • APAC Admins
  • APAC Packagers
  • APAC Deployment
  • EMEA Admins
  • EMEA Packagers
  • EMEA Deployment
  • HQ Admins
  • HQ Packagers
  • HQ Deployment

You have 3 regions: APAC, EMEA and HQ, and you have 9 sets of admins as shown above. So you have at least 3 sets of collections (APAC, EMEA and HQ) and 3 sets of admins for each region (Admins, Packagers and Deployment). Ensure that APAC Packagers can only package apps intended for APAC, not for EMEA or HQ, and cannot perform any other administrative task or deploy anything.

If you have this kind of setup, do ensure that you thoroughly check the implementation of RBAC. Also, my experience is that since your working collection is 3 layers down (All Systems –> CollectionB –> CollectionC in the above example), do not go cheap on your database server.
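The hybrid setup above, built with the ConfigurationManager PowerShell module, as an added example that is not part of the original post. It assumes the ConfigMgr console is installed on the machine, that the site code (PS1), the domain (CONTOSO) and the AD group names are placeholders you would replace, and it uses built-in roles where the post suggests customized ones; the property names in the final check are assumed from the SMS_Admin class.

```powershell
# Added example (not from the original post). Placeholders: site code 'PS1',
# domain 'CONTOSO', group names 'CM-<Region>-<Team>'.
$SiteCode = 'PS1'
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

# Layer 2: an intermediate collection limited by All Systems. Nothing is ever
# assigned permissions here; it only exists so that the working collections
# below are not limited directly by All Systems (the caveat from the post).
$intermediate = New-CMDeviceCollection -Name 'All Managed Devices' `
    -LimitingCollectionName 'All Systems'

# Layer 3: one working collection per region, limited by the intermediate one.
$regions = 'APAC', 'EMEA', 'HQ'
foreach ($region in $regions) {
    New-CMDeviceCollection -Name "$region Devices" `
        -LimitingCollectionName $intermediate.Name | Out-Null
}

# Team -> security role. Built-in roles are used here for brevity; the post's
# advice is to copy and trim roles (Copy-CMSecurityRole) for least privilege.
$roleMap = @{
    'Admins'     = 'Operations Administrator'
    'Packagers'  = 'Application Author'
    'Deployment' = 'Application Deployment Manager'
}

# 3 regions x 3 teams = 9 administrative users, each scoped to ONE regional
# collection, never to All Systems or the intermediate collection.
foreach ($region in $regions) {
    foreach ($team in $roleMap.Keys) {
        $group = "CONTOSO\CM-$region-$team"   # placeholder AD group
        New-CMAdministrativeUser -Name $group -RoleName $roleMap[$team] `
            -CollectionName "$region Devices" | Out-Null
    }
}

# Verification pass: list every admin with its roles and collections so that a
# reviewer can spot any entry scoped to 'All Systems'. Property names assumed.
Get-CMAdministrativeUser |
    Select-Object LogonName, RoleNames, CollectionNames |
    Format-Table -AutoSize
```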

As I am right now not in my lab, I cannot have screenshots to show. However I will update this document when I get back after vacation.

jay paloma  |  2 jan 2016  |  manila


Written by jpaloma

January 2, 2016 at 3:28 PM

One Response


  1. […] Part 8: Configuration Manager RBAC – Practical Applications […]
