RBA, or Role Based Administration, is one of the many new features in ConfigMgr 2012. It’s a very powerful feature and has already helped lots of customers minimize the need for multiple primary sites. One annoying fact in RTM is that all collections (users and devices) show up when running a report. This has changed in Service Pack 1, which makes the RBA feature even more powerful. In this example I have a user (DskAdmin) who is a member of the Desktop Admins group in Active Directory. Desktop admins must all be granted Application Administrator permissions and be allowed to work with desktop operating systems only.
Creating the role
- Open the ConfigMgr Console as administrator and navigate to the Administration workspace.
- Select Security, Administrative Users and click Add User or Group on the Ribbon.
- Click Browse and find the Desktop Admins group.
- In Assigned Security Role click Add and select Application Administrator.
- In Assigned Security scopes and collections, remove All Systems and All Users and add your custom “top level” collection. In my example desktop administrators are limited to objects in the All VIA Workstations collection.
- Click OK when the configuration is done.
Testing the role
- Start the ConfigMgr console using the Desktop admin user and notice that you can only see objects belonging to the All VIA Workstations collection and work with Application related features.
- Now open a browser and navigate to http://cm02/reports (where Cm02 is the name of your report server).
- Navigate to the User – Device Affinity folder and run the User device affinity associations per collection report.
- In Collection Type, select Device and in Collection notice that you are now limited to objects in the All VIA Workstations collection – Nice
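The same scoping can be checked from PowerShell instead of by eye. This is an added example, not part of the original walkthrough: `Test-CMAdminScope` is a hypothetical helper, the `EXAMPLE` domain and the sample objects are constructed, and the property names assume the objects returned by the `Get-CMAdministrativeUser` cmdlet from the ConfigMgr PowerShell module.

```powershell
# Added example: flag an RBA administrative user or group whose roles or collections
# go beyond what was intended (for instance, All Systems / All Users left in place).
function Test-CMAdminScope {
    param(
        [Parameter(Mandatory)] $Admin,                        # object with LogonName, RoleNames, CollectionNames
        [Parameter(Mandatory)] [string[]] $AllowedRoles,
        [Parameter(Mandatory)] [string[]] $AllowedCollections
    )
    $findings = @()
    foreach ($role in @($Admin.RoleNames)) {
        if ($AllowedRoles -notcontains $role) { $findings += "Unexpected role: $role" }
    }
    foreach ($coll in @($Admin.CollectionNames)) {
        if ($AllowedCollections -notcontains $coll) { $findings += "Unexpected collection: $coll" }
    }
    foreach ($coll in $AllowedCollections) {
        if (@($Admin.CollectionNames) -notcontains $coll) { $findings += "Missing collection: $coll" }
    }
    [pscustomobject]@{
        LogonName = $Admin.LogonName
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Constructed sample data (not real output): one correctly scoped entry and one
# where the default collections were never removed.
$samples = @(
    [pscustomobject]@{
        LogonName       = 'EXAMPLE\Desktop Admins'
        RoleNames       = @('Application Administrator')
        CollectionNames = @('All VIA Workstations')
    },
    [pscustomobject]@{
        LogonName       = 'EXAMPLE\Desktop Admins (defaults kept)'
        RoleNames       = @('Application Administrator')
        CollectionNames = @('All Systems', 'All Users', 'All VIA Workstations')
    }
)

foreach ($admin in $samples) {
    Test-CMAdminScope -Admin $admin -AllowedRoles 'Application Administrator' `
        -AllowedCollections 'All VIA Workstations'
}

# Against a live site (assumption: run from the site drive with the
# ConfigurationManager module loaded), replace the samples with:
#   $admin = Get-CMAdministrativeUser -Name 'EXAMPLE\Desktop Admins'
```

The first sample comes back compliant; the second is reported with All Systems and All Users as unexpected collections.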