~ Karen Sullivan
This article explains the steps to create a collection of users using a query, how to copy and modify a role, how to assign it to a collection, and then finally the steps to create a scope and assign it to the collection.
Security in System Center 2012 Configuration Manager (ConfigMgr 2012) was changed to allow more granular control of users and devices. The following steps will create a user collection based on a "Marketing Admins" group in Active Directory, and then once that’s done we'll create and modify both roles and scope to limit access.
Creating the collection
1. In the ConfigMgr admin console, go to Assets and Compliance –> User Collections, then click on "Create user collection" in the ribbon.
2. Enter a name for the collection. In our example the name will be Marketing Admins.
3. Click on Browse, then All Users and User Groups. Click Next.
4. Click on Add Rule, then Query Rule. Give the query a name.
5. Choose User resource and then Edit Query Statement.
6. Click on the Criteria tab and then on the asterisk.
7. Click the top Select button and choose User Resource. For Attribute, choose User Group Name, and click OK.
8. Choose "is equal to" for Operator.
9. Put the name of the group or whatever criteria you are using. In this case we’ll use Marketing Admins since that’s the name of the group we want to use in AD.
Now we have a Marketing Admins collection. Next, we'll copy the role we are using and modify it as needed.
Copying and editing the role
1. In the ConfigMgr admin console, go to Administration –> Security –> Security Roles. Choose one of the 16 roles, right-click on it and choose copy.
2. Give the new role a name.
3. In the bottom half of the screen, change the permissions if needed.
4. Click OK.
Next we will create the scope. The scope is used to limit access to things like distribution points and packages.
Creating the scope
1. In the ConfigMgr admin console, go to Administration –> Security –> Security Scopes and click on "Create Security Scope" in the ribbon.
2. Give the scope a name. For now, just choose the default account name.
Bringing it all together
1. In the ConfigMgr admin console, go to Administration –> Security –> Administrative Users.
2. Choose Add User or Group from the ribbon.
3. Click the Browse button and add the user or group you need from Active Directory. In our example we’ll use Marketing Admins. If you haven't created an AD group for this department, you'll need to do it now, or assign the scope and role to each individual user.
4. Click the Add button and choose the role created in the steps above.
5. Choose "Only the Instances of objects that are assigned to the specified security scopes or collections”.
6. Highlight All Systems in the bottom half of the screen and click Remove. Do the same with All Users and Groups as well as Default.
7. Click Add –> Collection, then User Collection in the drop-down.
8. Click Add –> Collection and then Security Scope. Choose the scope created in the steps above. Click OK and then OK again.
For more information on this topic please see Planning for Security in Configuration Manager at http://technet.microsoft.com/en-us/library/gg712284.aspx.
You now have a group of users with permissions defined in a role and limited by the scope. You can also use this process to add more granular objects with a scope such as Distribution Points, packages, and task sequences.
Karen Sullivan | Senior Support Engineer | Microsoft GBS Management and Security Division
System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm
The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/