Configuration Manager 2007 – Defining the service/helpdesk role

Defining permissions requires configuring access rights in the Config Mgr. console and adding objects to predefined groups on the site server. In this example I am defining permissions to the service desk role.

Role description:

Access to a user defined administrator console.
Permissions to work with all objects in the “All workstations” collection.
Permissions to to use remote tools.
Permissions to read inventory data from the console and from reports.
Permissions to read software packages and advertisements
Permissions to read status messages.
Permissions to create and read queries.

To solve this case I have granted these Config Mgr. permissions:

Object Class/Instance	Permissions
Collection, All Workstations	Read, Read Resource, Use remote tools
Package	Read
Advertisement	Read
Status Message	Read
Report	Read
Query	Read, Modify, Create

If Service desk also requires permissions to install the Config Mgr agent from the console they need Read permissions to the Site class.

Group membership on the site server:

SMS admins
Distributed COM users
SMS Reporting Users

Group membership on local computer:

Local administrator

Om forfatteren: Kent Agerlund

Microsoft Regional Director, Enterprise Mobility MVP. Microsoft Certified Trainer and Principal consultant. I have been working with Enterprise client management since 1992. Co-founder of System Center User Group Denmark in 2009. Certified MCITP: Enterprise Administrator, MCSA+Messaing, and much more. Member of: Microsoft Denmark System Center Partner Expert Team The Danish Technet Influencers program System Center Influencers Program.

En kommentar

Darren september 27, 2011 af 21:52

hi Kent,

I hope you do not mind my posting a couple of questions.

We are currently flattening our hierarchy from multiple sites to a single site.

1. using your posting above as a model, if I were to grant “Permissions to work with all objects in the BusinessUnit123 collection”, would this allow the Tech to add/remove any member of that collection to any other collection but limit his ability to do the same with machines not in that BusinessUnit collection?

2. again based on your posting above, what permissions (if any) would need to be modified so the tech could modify (i.e. add/remove mandatory assignments) advert properties but could not create/delete advertisements? is there a way to group advertisements so these rights apply only to a particular set without having the apply rights to each advertisement individually?

Thank you in advance for your time.
Darren

Der er lukket for kommentarer.

Configuration Manager 2007 – Defining the service/helpdesk role

Role description:

Share This Story, Choose Your Platform!

Om forfatteren: Kent Agerlund

Beslægtede indlæg

Using Office 365 Portal Security Token for Authentication with custom website

Androids in the Enterprise, a blessing or nightmare? – part 1

The Big Bang and how it changed my life as an IT Pro

Remove non authorized members of the local administrator group with ConfigMgr

Petya Ransomware – The Attack method and Preventing it

En kommentar