{"id":736,"date":"2015-08-13T08:48:39","date_gmt":"2015-08-13T08:48:39","guid":{"rendered":"http:\/\/www.davidpapkin.net\/?p=736"},"modified":"2015-08-13T08:48:39","modified_gmt":"2015-08-13T08:48:39","slug":"planning-and-configuring-role-based-administration-in-sccm-2012-r2","status":"publish","type":"post","link":"https:\/\/davidpapkin.com\/?p=736","title":{"rendered":"Configuring Role-Based Administration in SCCM 2012 R2 by David Papkin"},"content":{"rendered":"

This post by David Papkin\u00a0Configuring Role-Based Administration in SCCM 2012 R2<\/p>\n

Microsoft\u00ae System Center 2012 Configuration Manager and System Center 2012 R2 Configuration\u00a0Manager implement role-based access control (RBAC). With RBAC, you can use security roles, security scopes, and collections to define access permissions for your administrative users.<\/p>\n

Overview of Role-Based Administration<\/strong>
\nYou can use role-based administration in Configuration Manager to centrally define security settings\u00a0and to delegate administrative tasks to users or groups. You can assign an administrative user one or more security roles that represent a set of administration tasks. The security role includes all permissions necessary to complete the tasks that relate to the role. For example, you can assign the Application Deployment Manager security role to a user who will manage application deployments. This role automatically grants permissions to deploy applications to computer devices or users.You can further define the objects that a security role can administer, thereby limiting administrative access to specific collections and security scopes. You can use a security scope to associate specific objects with one or more administrative users. For example, you can give an administrator permission to deploy
\nonly specific applications by associating those applications with a security scope, instead of permissions to deploy all applications.
\nAdministrative users can see only the objects that they have permission to manage, which the security role, security scope, and collection define.
\nYou can use the built-in security roles and scopes, or you can create your own custom security settings to use throughout the hierarchy. When you create administrative users, you configure and replicate security assignments throughout the central administration site and the hierarchy\u2019s primary sites.<\/p>\n

Security Roles<\/strong>
\nA security role is a group of permissions that are necessary for performing specific administrative tasks. The role consists of individual permissions for each object type that an administrative user is allowed to manage.\u00a0For example, the Application Administrator role
\nhas a cumulative set of permissions that define its security role. This role consists of a set of
\nindividual permissions to manage a variety of objects, including the following permissions for
\napplication objects:
\n\u2022 Approve
\n\u2022 Create
\n\u2022 Delete
\n\u2022 Modify
\n\u2022 Modify Folder
\n\u2022 Move Object
\n\u2022 Read
\n\u2022 Modify Report
\n\u2022 Set Security Scope<\/p>\n

\"A<\/a>

A security role is a group of permissions that are necessary for performing specific administrative tasks. The role consists of individual permissions for each object type that an administrative user is allowed to manage.<\/p><\/div>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

You can use scopes and collections to limit access by administrative users to individual object instances because the roles themselves do not specify user permissions for individual objects.
\nConfiguration Manager includes 15 built-in roles that include permissions for executing typical tasks on different types of objects.\u00a0You cannot modify or delete the built-in roles, but you can create custom roles to match special administrative requirements.<\/p>\n

Built-In Roles<\/strong>
\nConfiguration Manager includes the 15 built-in security roles that the following table lists. Each
\nrole gives specific permissions to an administrative user to perform actions on certain types of
\nobjects.<\/p>\n

\"Bui8ltinROles\"<\/a><\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

Planning Role-Based Administration<\/strong>
\nConfiguring role-based administration requires careful consideration. When you plan to add an
\nadministrative user, you must consider the security roles, security scopes, and collections.
\nWhen planning security configuration, consider the following factors:
\n\u2022 Security roles control what you allow an administrative user to do.
\n\u2022 Security scopes control the securable Configuration Manager objects that the
\nadministrative user can administer.
\n\u2022 Collections control the users and devices that an administrative user can manage.
\n\u2022 You must assign an administrative user to at least one security scope.
\n\u2022 You can map each administrative user to separate security scopes and collections.<\/p>\n

\"\"
\nThis video Planning and Configuring Role Based Administration in SCCM 2012 R2 by David Papkin<\/p>\n