How to go about ConfigMgr'07 role based security model?
Full administrative access in ConfigMgr'07 carries enough privilege to manage every desktop in an enterprise, so it is critical to control ConfigMgr admin access with a role based security model. We recently introduced a new security group model for managing ConfigMgr operations that grants least admin access per role and aligns closely with the ConfigMgr out-of-box security classes.
Below is the list of sample security groups we provisioned in AD and configured in the ConfigMgr admin console with equivalent access rights to manage role based security in ConfigMgr'07.
Hope this helps in your planning for securing ConfigMgr'07 admin access with a role based security model.
More details on ConfigMgr security planning are available at the following link: https://technet.microsoft.com/en-us/library/bb680768.aspx
| Sample Security Group | Security Group Definition |
| --- | --- |
| ConfigMgr_Web_Reporting_Consumers | This group contains members who need to view ConfigMgr reports. |
| ConfigMgr_SQLDB_Consumers | This group contains members who need read access to the ConfigMgr database for data feed or reporting purposes. |
| ConfigMgr_Detail_Consumers | This group contains members who need to read all details about a given SMS/ConfigMgr site. |
| ConfigMgr_Monitoring_Providers | This group contains members who perform monitoring functions on the ConfigMgr servers. |
| ConfigMgr_Software_Deployment_Providers | This group contains members who need to write package deployment items. |
| ConfigMgr_Patch_Management_Providers | This group contains the members who need to create patch deployments. |
| ConfigMgr_Collection_Providers | This group contains the members who need to create and manage collections. |
| ConfigMgr_Advertisement_Providers | This group contains the members who need to create and manage advertisements. |
| ConfigMgr_OSD_Provider | This group contains the members who need to create ConfigMgr OSD objects. |
| ConfigMgr_DCM_Provider | This group contains members who need to create ConfigMgr DCM objects. |
| ConfigMgr_Software_Metering_Provider | This group contains the members who need to create ConfigMgr Software Metering objects. |
| ConfigMgr_DeviceMgmt_Provider | This group contains members who need to create ConfigMgr DMP objects. |
| ConfigMgr_Report_Provider | This group contains the objects that need to create ConfigMgr web reports. |
| ConfigMgr_Client_Troubleshooting_Provider | This group contains objects that need to access ConfigMgr client logs. |
| ConfigMgr_Infrastructure_Providers | This group contains the members who need to change ConfigMgr site settings and have full access to ConfigMgr. |
| ConfigMgr_Troubleshooting_Providers | This group contains the troubleshooting teams that provide escalation and resolution services. |
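A model like this only holds if rights are granted to the role groups and to nothing else. The following audit script is an added example, not part of the original post: it reads the class and instance security rights from the SMS Provider and lists any principal holding rights that is not one of the groups in the table above. The server name, site code and domain are placeholders, and the script assumes it runs under an account that can read the site's WMI namespace.

```powershell
# Added example (not from the original post): audit ConfigMgr'07 security rights
# against the role groups listed in the table above.
param(
    [string]$SiteServer = 'SITESERVER01',  # placeholder: server hosting the SMS Provider
    [string]$SiteCode   = 'XXX',           # placeholder: three-character site code
    [string]$Domain     = 'CONTOSO'        # placeholder: NetBIOS domain holding the groups
)

# Role groups taken from the table in this post.
$roleGroups = @(
    'ConfigMgr_Web_Reporting_Consumers', 'ConfigMgr_SQLDB_Consumers',
    'ConfigMgr_Detail_Consumers', 'ConfigMgr_Monitoring_Providers',
    'ConfigMgr_Software_Deployment_Providers', 'ConfigMgr_Patch_Management_Providers',
    'ConfigMgr_Collection_Providers', 'ConfigMgr_Advertisement_Providers',
    'ConfigMgr_OSD_Provider', 'ConfigMgr_DCM_Provider',
    'ConfigMgr_Software_Metering_Provider', 'ConfigMgr_DeviceMgmt_Provider',
    'ConfigMgr_Report_Provider', 'ConfigMgr_Client_Troubleshooting_Provider',
    'ConfigMgr_Infrastructure_Providers', 'ConfigMgr_Troubleshooting_Providers'
)
$approved  = $roleGroups | ForEach-Object { "$Domain\$_".ToLower() }
$namespace = "root\sms\site_$SiteCode"

# SMS_UserClassPermissions holds class-level rights,
# SMS_UserInstancePermissions holds rights on individual objects.
$grants = foreach ($class in 'SMS_UserClassPermissions', 'SMS_UserInstancePermissions') {
    Get-WmiObject -ComputerName $SiteServer -Namespace $namespace -Class $class |
        Select-Object @{ n = 'Source'; e = { $class } }, UserName, ObjectKey
}

# Principals that hold rights but are not one of the role groups.
$strays = $grants |
    Where-Object { $approved -notcontains $_.UserName.ToLower() } |
    Sort-Object UserName, Source, ObjectKey -Unique

# Role groups that exist in the model but have no rights configured yet.
$granted = $grants | ForEach-Object { $_.UserName.ToLower() } | Sort-Object -Unique
$unused  = $approved | Where-Object { $granted -notcontains $_ }

'Rights granted outside the role groups:'
$strays | Format-Table UserName, Source, ObjectKey -AutoSize
'Role groups with no rights configured:'
$unused
```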
Comments
Anonymous
June 11, 2008
Do you think there is something like this for SCOM? Harlan hmlane_2000@hotmail.com
Anonymous
June 15, 2008
Sorry folks, I do not have a similar role based security model for OpsMgr'07, but I think the same approach could be followed to meet the requirement.
Anonymous
July 17, 2008
Great work, is there a document describing each group's security settings? Andreas com.gmail@gm9213 <reverse
Anonymous
February 27, 2009
You've done a great job, would you share the underlying object security in sccm? thx Steve comm.net@live.com
Anonymous
October 05, 2009
Very good job, is there now a document describing each group's security settings?
Anonymous
October 08, 2009
Great great job....but is there any way to have some kind of doc that describes the settings in detail?
Anonymous
December 09, 2009
Hello, great, really great job. Would it be possible to send some details about the security to my email: andi-beyer@gmx.de I am very interested in the security options of the osd_provider_user. Thanks, andi
Anonymous
December 11, 2009
Yeah, um what are the settings for each of these groups?
Anonymous
December 21, 2009
Hi All, I am planning to post part 2 of all role based security with all your queries answered. -Shitanshu