Custom Role Based Administration for Importing Computers

In System Center 2012 Configuration Manger we have several roles that we ship with the product.  By default we offer a general ‘Operating System Deployment Manager’.  This is a fairly broad role that has a lot of access. The ‘Operating System Deployment Manager’ role combined with the access to All Systems, required to allow for  computer import, may be too open for some environments.  Below are some simple steps to make a role specific for just importing computers.  This will allow additional scoping and help prevent an administrator from accidently deploying to All Systems.

First off, we need to create a custom security role and a restricted scope:

  1. Create an XML with the text at the bottom of the blog.
  2. Go to  Administration > Security > Security Roles
  3. Select Import Security Role from the ribbon
  4. Browse to the XML, click OK.
  5. You will now see a new custom role ‘Computer Import Manager’

Now we need to setup a user:

  1. If you have not already done so, Add the user or group to the Administrative users
    1. Administration > Security > Administrative Users > Add User or Group
    2. Select the user or group and assign them the Operating System Deployment Manager role and Computer Import Manager
  2. Go to the properties of the user and select the ‘Security Scopes’ tab
  3. Select the radio button ‘Associate assigned security roles with specific security scopes and collections’
  4. Select the Computer Import Manager role and click Edit
  5. Ensure you only have All Systems and a default scope.  This can be your scope for OSD objects (or you can make a scope that is not assigned to anything).  Click OK.
  6. Select the Operating System Deployment Manager role and click Edit
  7. Add the appropriate collections and scopes.  At this point you will not need All Systems, maybe just a desktops collection and unknown computers.  Any collection you want to give the administrator permissions to deploy.  Click OK.
                   
    Note: the collection you assign cannot be edited, only collections limited by it. This is in order for an admin not to be able to change their own scope. So if you want the admin to change rules directly on the OSD collection make sure to assign them a higher level collection that the OSD collection is limited by.
  8. Click OK to save

clip_image001 

If anyone is logged in, remember to close and reopen the console to ensure the permissions are correct.

Now you are done.  If you assign the roles and scopes to an admin as described here, you end up with a user who can:

  1. Import computers
  2. View the properties and rules of any collection
  3. Modify any device – install a client, approve and block, etc.
  4. Deploy new software ONLY to the OSD collection  

 The admin will not be able to deploy to All Systems like the built-in role, so this is a more locked down approach.

Copy the information in red into a new XML file. 

<SMS_Roles>
<SMS_Role CopiedFromID="SMS00001" RoleName="Import Computer Role" RoleDescription="Add this role to an administrative user. Associate this security role specifically with All Systems.">
<Operations>
<Operation GrantedOperations="129" ObjectTypeID="1" />
<Operation GrantedOperations="524289" ObjectTypeID="6" />
</Operations>
</SMS_Role>
</SMS_Roles>

 Thanks to Maayan Bar-Niv for contributing to the post.

John Vintzel
Microsoft Corporation| Sr. Program Manager | System Center Configuration Manager | twitter: jvintzel

This posting is provided "AS IS" with no warranties, and confers no rights.