Restricting User to import Computer information and deploy OS to a collection

We have RBAC (role-based access control) in Configuration Manager
2012 SP1; it serves many purposes and can do miracles.

Many times we get a requirement to restrict a user
to only a specific action in the console. In our case, we want a non-admin
user to perform two operations:

1) Import computer information

2) Operating system deployment

We don’t want the user to view the “All Systems” collection,
but we still want them to be able to import a computer and target a task sequence. So let’s get started!

Assuming you already have a user account created in AD:

1) Create two collections, “OSD Test” and “OSD Test2”.
Note down the limiting collection of each.

In my case, OSD Test has its own limiting collection; you can instead use a
limiting collection based on department name, such as Finance or HR. The
limiting collection of OSD Test2 is OSD Test.

2) Create an administrative user: Administration --> Security --> Administrative Users.

I have created a user named AB\User.

3) Under Security Roles, make a copy of the “Infrastructure
Administrator” role, name it “Modify Collection”, and disable every
permission except the collection permissions.

4) Under Administrative Users, open the properties of the
AB\User account created in step 2 and, under Security Roles, add the two roles shown below.

Then under Security Scopes, add OSD Test and
Default under the instance selection.

5) Now open a console as AB\User, navigate to Assets and
Compliance, and check that you can see “OSD Test” and “OSD Test2”. Make sure
that “OSD Test” is not modifiable but “OSD Test2” is; you can check this by
opening the properties of each of the two collections.

6) Go to Devices under Assets and Compliance and, at the
top left, click Import Computer Information. In my case, I imported a
single computer.

Under Choose Target Collection, select the available collection “OSD Test2”.
After a while you should see MyComputer in the “OSD Test2” collection. Need
patience here :)

Now you can deploy a task sequence to the
collection with your restricted user account.
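The same delegation, scripted with the ConfigurationManager PowerShell module as an added example (not part of the original post). The site code, the department limiting collection, the second role from step 4 and the MAC address are placeholders, and the permission trimming from step 3 is still done in the console; cmdlet parameter names are assumed from the module and should be confirmed with Get-Help on your site.

```powershell
# Added example: scripts steps 1-6 of the post. Run as a full administrator.
# Site code, department collection, second role and MAC are placeholders.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "ABC:"   # placeholder: your site code followed by a colon

$DeptCollection = "<department collection>"     # placeholder limiting collection
$User           = "AB\User"
$SecondRole     = "<second role from step 4>"   # placeholder; the post shows it in a screenshot

# Step 1: two collections. OSD Test2 is limited to OSD Test, so the
# restricted user can only ever populate a subset of OSD Test.
New-CMDeviceCollection -Name "OSD Test"  -LimitingCollectionName $DeptCollection
New-CMDeviceCollection -Name "OSD Test2" -LimitingCollectionName "OSD Test"

# Step 3: copy the built-in role. Trim it down to the collection permissions
# in the console afterwards, as the post describes.
Copy-CMSecurityRole -SourceName "Infrastructure Administrator" -Name "Modify Collection"

# Steps 2 and 4: create the administrative user with both roles, the Default
# scope, and OSD Test as the collection the roles apply to.
New-CMAdministrativeUser -Name $User `
    -RoleName "Modify Collection", $SecondRole `
    -SecurityScopeName "Default" `
    -CollectionName "OSD Test"

# Step 6: import a single computer straight into OSD Test2 (constructed MAC).
Import-CMComputerInformation -ComputerName "MyComputer" `
    -MacAddress "00:11:22:33:44:55" `
    -CollectionName "OSD Test2"

# Check: the user should hold exactly the roles assigned above and no more.
(Get-CMAdministrativeUser -Name $User).RoleNames
```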

So the idea here is to grant access to users who are separated by region or
department, and also to show you how RBAC works and how you control access
with it.

I will be happy to hear any feedback, or whether you
would like to see more information.

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at https://www.microsoft.com/info/cpyright.htm