Thursday 28 August 2014

Role Based Administration in SCCM 2012

In SCCM 2007, implementing granular security in System Center Configuration Manager was a bit of an unpleasant task. Getting really granular meant architecting the SCCM environment into multiple primary sites or creating custom consoles for specific classes of administrators.

In SCCM 2007, administrative access to site resources is controlled by using class and instance security settings, which are verified by the SMS Provider computer to allow access to site information and configuration settings.

System Center 2012 Configuration Manager introduces role-based administration to centrally define and manage hierarchy-wide security access settings for all sites and site settings. Instead of using individual class rights, role-based administration uses security roles to group typical administrative tasks that are assigned to multiple administrative users. Security scopes replace individual instance rights per object to group the permissions that are applied to site objects. The combination of security roles, security scopes, and collections allows you to segregate the administrative assignments to meet your organization's requirements, and this combination defines what an administrative user can view and manage in the Configuration Manager hierarchy.

Role-based administration provides the following benefits:
·         Sites are no longer administrative boundaries, as they were in SCCM 2007.
·         We can create administrative users for the hierarchy and assign security to them one time only.
·         All security assignments are replicated and available throughout the hierarchy.
·         There are built-in security roles to assign the typical administration tasks, and we can create our own custom security roles.
·         Administrative users see only the objects that they have permissions to manage.
Listed below are the default built-in roles provided in SCCM 2012:


Application Administrator: Grants permissions to perform both the Application Deployment Manager role and the Application Author role. Administrative users who are associated with this role can also manage queries, view site settings, manage collections, and edit settings for user device affinity.

Application Author: Grants permissions to create, modify, and retire applications. Administrative users who are associated with this role can also manage applications and packages.

Application Deployment Manager: Grants permissions to deploy applications. Administrative users who are associated with this role can view a list of applications, and they can manage deployments for applications, alerts, templates and packages, and programs. Administrative users who are associated with this role can also view collections and their members, status messages, queries, and conditional delivery rules.

Asset Manager: Grants permissions to manage the Asset Intelligence Synchronization Point, Asset Intelligence reporting classes, software inventory, hardware inventory, and metering rules.

Compliance Settings Manager: Grants permissions to define and monitor Compliance Settings. Administrative users associated with this role can create, modify, and delete configuration items and baselines. They can also deploy configuration baselines to collections, initiate compliance evaluation, and initiate remediation for non-compliant computers.

Endpoint Protection Manager: Grants permissions to define and monitor security policies. Administrative users who are associated with this role can create, modify and delete Endpoint Protection policies. They can also deploy Endpoint Protection policies to collections, create and modify alerts, and monitor Endpoint Protection status.

Full Administrator: Grants all permissions in Configuration Manager. The administrative user who first creates a new Configuration Manager installation is associated with this security role, all scopes, and all collections.

Infrastructure Administrator: Grants permissions to create, delete, and modify the Configuration Manager server infrastructure and to perform migration tasks.

Operating System Deployment Manager: Grants permissions to create operating system images and deploy them to computers. Administrative users who are associated with this role can manage operating system installation packages and images, task sequences, drivers, boot images, and state migration settings.

Operations Administrator: Grants permissions for all actions in Configuration Manager except for the permissions that are required to manage security, which includes managing administrative users, security roles, and security scopes.

Read-Only Analyst: Grants permissions to view all Configuration Manager objects.

Remote Tools Operator: Grants permissions to run and audit the remote administration tools that help users resolve computer issues. Administrative users who are associated with this role can run Remote Control, Remote Assistance and Remote Desktop from the Configuration Manager console. In addition, they can run the Out of Band Management console and AMT power control options.

Security Administrator: Grants permissions to add and remove administrative users and to associate administrative users with security roles, collections, and security scopes. Administrative users who are associated with this role can also create, modify, and delete security roles and their assigned security scopes and collections.

Software Update Manager: Grants permissions to define and deploy software updates. Administrative users who are associated with this role can manage software update groups, deployments, and deployment templates, and enable software updates for Network Access Protection (NAP).

A simplified logical design diagram which layers the key concepts in Role Based Administration

Role Based Administration provides a security model for assigning and managing administrative permissions, that is, delegation. RBA is accomplished by using Security Roles, Security Scopes and Collections in Configuration Manager 2012. Together these control who can perform administrative tasks, how, on what, on which objects and where.

Implementing a custom security role

In the SCCM 2012 console, click on Administration, expand Security and click on Security Roles. The 14 built-in roles can be seen here.


We want to create a custom security role that allows users assigned to it to read Software Update reports. As there is no option to create a blank new role, we have to use the Copy function to create our new security role. Select the built-in Software Update Manager role, right-click and choose Copy.

We then have to expand each permission that is not required and change it from YES to NO (double-click on each one to change it). For example, expand the Alerts permissions and set them all to NO, as none of these permissions is required to read reports.

Configure the permissions so that only the following are set to Yes:
·         Site: Read
·         Software Updates: Read, Run Report

Click OK when done; the custom SUM Reports Reader role should now appear in our console.
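The procedure above, scripted with the Configuration Manager PowerShell module as an added example (not from the original post): copying the built-in role, exporting the trimmed role for change control, binding role, scope and collection to an AD group, and a recurring check on who holds Full Administrator. The site code, SMS Provider host, AD group name, export folder and collection name are assumptions; the permission trimming itself is still done in the console as the post describes.

```powershell
# Added example, not from the original post. Assumed values: site code PS1, SMS Provider
# host cm01.contoso.local, AD group CONTOSO\SUM-Report-Readers, collection "All Systems".
$SiteCode     = 'PS1'
$ProviderFqdn = 'cm01.contoso.local'
$RoleName     = 'SUM Reports Reader'
$ReaderGroup  = 'CONTOSO\SUM-Report-Readers'
$ExportDir    = 'C:\RBA'

# The ConfigurationManager module ships with the admin console; SMS_ADMIN_UI_PATH ends in
# \bin\i386 and the module manifest sits one level up in \bin.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
if (-not (Get-PSDrive -Name $SiteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $ProviderFqdn | Out-Null
}
Set-Location "$($SiteCode):"

# Step 1: there is no "new blank role" in 2012, so copy the built-in Software Update Manager role.
if (-not (Get-CMSecurityRole -Name $RoleName)) {
    Copy-CMSecurityRole -SourceRoleName 'Software Update Manager' -Name $RoleName | Out-Null
}

# Step 2: trim the copy in the console (only Site: Read and Software Updates: Read, Run Report
# stay at Yes), then export the finished role so the definition is under change control and
# can be re-imported with Import-CMSecurityRole on another hierarchy.
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
Export-CMSecurityRole -Name $RoleName -Path (Join-Path $ExportDir "$RoleName.xml")

# Step 3: effective rights are the combination of role + scope + collection. Bind the trimmed
# role to an AD group rather than to individual accounts, limited to one scope and one collection.
if (-not (Get-CMAdministrativeUser -Name $ReaderGroup)) {
    New-CMAdministrativeUser -Name $ReaderGroup -RoleName $RoleName `
        -SecurityScopeName 'Default' -CollectionName 'All Systems' | Out-Null
}

# Step 4: a recurring check. Full Administrator bypasses every scope and collection restriction,
# so list who holds it and review that list against the change record.
Get-CMAdministrativeUser -RoleName 'Full Administrator' |
    Select-Object LogonName, AdminID |
    Format-Table -AutoSize
```

Re-running the script is safe: each step checks whether the role or the administrative user already exists before creating it.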

5 comments:

  1. Hi, I need to allow Support Engineers to see the Endpoint Protection option when they right-click on a workstation in a collection. I already created a group for them.

  2. Hi,

    Under your custom role defined for Support Engineers, please verify that the permissions listed below are granted.

    Please grant Create, Delete, Modify, Read and Set Security Scope permissions under Alert Subscription.

    Please grant Create, Delete, Modify, Modify Report, Read and Run Report permissions under Alert.

    Please grant Create, Delete, Modify, Modify Default, Modify Report, Read, Read Default and Run Report permissions under Antimalware Policy.

    Please grant Audit Security, Deploy Antimalware Policy, Deploy Firewall Policy, Enforce Security, Read and Read Resource permissions under Collection.

    Please grant Create, Delete, Modify, Read and Set Security Scope permissions under Configuration Policy.

    Please grant Author, Read and Run Report permissions under Alert Subscription.

    Please grant Read permission under Site.

  3. Thanks for sharing this useful and knowledgeable information. You really did a great job.

  4. Thank you for sharing this👌

  5. Thank you for sharing this👌
