Our Expertise. Your Business. Improved.

Configuration Manager 2012 – Role Based Administration – Notes from the Field

  1. Excellent post! Great tips on setting up RBA to work for you and your organization. It does generate questions though! For instance:

    Why do I need to assign a custom security scope to the site? What happens if I don’t?

    Is there even any reason to make folders these days? Sounds like Scopes will keep everything clean for each admin (seeing only what they are supposed to see).

    Keep up the great work!

    • If you don’t assign the custom scopes to the site system(s) then they won’t be able to see them, for example in the client push wizard, they won’t be able to select the site to install from.

      Folders are a neat idea, but with the search function, it’s almost a mute point. The biggest issue with Folders is that they don’t filter by your view, so that alone leads me to not use them if you have multiple people in the console.

  2. Thanks for the response! This is good information! I have one more question for you:

    I’m trying to accomplish what you outline in the “Security Scopes” section of your post above when you mention you can grant read only analyst access to the “All Systems” collection and other roles to other collections. I’ve tried this and have identified 2 potential issues:

    1) My main goal is to prevent departmental admins from accidentally deploying something to the All Systems collection. When I’m looking at that device collection, the option to deploy does not show up. However, when I’m looking at my applications or packages in the console and choose to deploy, I can still select “All Systems” as the target collection. I’m afraid of moving forward to test any further (this is a live environment) so will this process error out at some point and not let them target “All Systems?”

    2) Secondarily, I’ve realized that by granting read-only analyst to the “All Systems” collection, these departmental ConfigMgr admins can also see any collections that use “All Systems” as the limiting collection (i.e. many many). Am I doing something wrong here?

    Any advice or hints you can provide would be greatly appreciated!


    • You won’t actually see the error “Access denied” until you complete the wizard. Not ideal, but it will block you. In a perfect world you wouldn’t even see the deploy option. I submitted a DCR to the product team for this, we’ll see if it makes it in a future update.

      Correct, if you give read-only access to All Systems, then you would have to grant seperate permissions to another collection if you wanted them to do more. If you give them Read-Only to All SYstems, then they will have Read-Only to all systems limited to All Systems. That’s hwo security works, you will have always permission to any collection limited to the collection you grant access to.

  3. Great post, are you aware if Microsoft have any plans to resolve the bug “Modify Folder” permissions to create Collections? I have noticed that even with “Modify Folder” permissions collections can only be created at root and not from within a child folder.


Leave a Reply