SCCM 2012 RBA Example

Delegating permissions in SCCM can be a trial-and-error process before those permissions are exactly as you need them.  This post walks through a common scenario: you need to give an IT administrator limited access to SCCM so that they can create or modify collections and then deploy software to them using existing applications, packages or task sequences, and nothing more.  You can use this scenario as a starting point for your own delegation security model.

Let's say your organization in North America and Europe has decided to delegate some responsibilities to remote IT administrators to offload some of the work from the SCCM Administrators.  These admins should not be able to affect other remote sites. Your organization has decided to grant the popular Nick Burns access into SCCM to manage the systems in North America. 

As background, I built a single-server SCCM environment and configured it with the items below to support this scenario.

  1. Created an AD domain user called Nick Burns
  2. Imported 4 devices called:
    1. Donald
    2. Jim
    3. Robert
    4. Sally
  3. Created the following collection folders:
    1. North America
    2. Europe
  4. Created the following collections:
    1. North America, limited to All Systems
      1. Added a direct rule for the Donald and Jim devices
    2. Europe, limited to All Systems
      1. Added a direct rule for the Robert and Sally devices

The goal is to allow Nick Burns the same permissions that all the remote IT Staff members will have but only on the North American devices.  He should not be able to see any device in Europe.

He should be able to:

  • Create new or change existing collections
  • Delete North America collections but not the North America collection itself
  • Deploy Applications
  • Deploy Packages
  • Deploy Task Sequences
  • Remote Control a device

The first step is to create a new security role for the IT Staff members.

  1. Open RBA Viewer from the SCCM 2012 SP1 Toolkit
    1. This can be found here: https://www.microsoft.com/en-us/download/details.aspx?id=36213
  2. Click Security Roles then uncheck Full Administrator to uncheck all the boxes
  3. Check the following permissions:
    1. Application
      1. Read
    2. Collection
      1. Read
      2. Modify
      3. Delete
      4. Remote Control
      5. Create
      6. Read Resource
      7. Deploy Packages
      8. Deploy Applications
      9. Deploy Task Sequences
    3. Package
      1. Read
    4. Task Sequence Package
      1. Read
  4. Click the Export button and save the file as IT Support.xml in the Documents folder

Next, import the role into SCCM.

  1. Launch the SCCM Console
  2. Click Administration
  3. Expand Security
  4. Right click Security Roles --> Click Import Security Role
  5. Select the IT Support.xml file in the Documents folder --> Click Open
  6. Click Security Roles and you should see the IT Support security role listed

Next, create the security scope that defines which objects the permissions can apply to.

  1. While still in the SCCM console right click Security Scopes --> Create Security Scope
  2. Name the security scope North America
  3. Click OK
  4. Right click each package that the scope will have access to --> Click Set Security Scopes
  5. Select the North America scope
  6. Click OK
  7. Perform the same action on the Applications and Task Sequences to add them to the North America scope

The final step is to grant Nick Burns access to SCCM with the new IT Staff permissions.

  1. While still in the SCCM console right click Administrative Users --> Add User or Group
  2. Click Browse and select Nick Burns' domain account
    1. It is recommended to assign a security group rather than an individual account
  3. Click Add for Assigned security roles:
  4. Select the IT Support role --> Click OK
  5. Under Security scopes and collections, remove all existing collections and scopes
  6. Click Add --> Collection
  7. Select the North America collection --> Click OK
    1. This step is very important, as the collection determines which devices Nick is limited to managing
  8. Click Add --> Security Scope
  9. Select North America --> Click OK
  10. Click OK
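The console steps from importing the role through granting the account, scripted as an added example with the ConfigurationManager PowerShell module that installs with the SCCM console (this is not code from the original post). It assumes the site code, domain account, and package, application and task sequence names shown, which are constructed placeholders, and that the RBA Viewer export is in the current user's Documents folder.

```powershell
# Load the ConfigurationManager module from the console install path and switch to the site drive.
# SMS_ADMIN_UI_PATH is set by the console installer; the site code below is a placeholder.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
$SiteCode = "P01"
Set-Location "${SiteCode}:"

$RoleXml   = "$env:USERPROFILE\Documents\IT Support.xml"   # the RBA Viewer export from the previous section
$ScopeName = "North America"
$CollName  = "North America"
$Account   = "CONTOSO\NickBurns"   # constructed sample; a domain security group is preferable here

# 1. Import the IT Support role exported from RBA Viewer (fails rather than overwrites if it already exists)
Import-CMSecurityRole -XmlFileName $RoleXml -Overwrite $false

# 2. Create the security scope that the role will be limited to
New-CMSecurityScope -Name $ScopeName -Description "Deployable objects for North America IT staff"

# 3. Tag only the objects Nick is allowed to deploy with that scope.
#    Names are constructed samples; add every package, application and task sequence he needs.
$deployables = @(
    (Get-CMPackage      -Name "NA Support Tools"),
    (Get-CMApplication  -Name "NA Line of Business App"),
    (Get-CMTaskSequence -Name "NA Workstation Build")
)
foreach ($obj in $deployables) {
    if ($null -eq $obj) { throw "A deployable object was not found; check the names above." }
    Add-CMObjectSecurityScope -InputObject $obj -Name $ScopeName
}

# 4. Grant the account the IT Support role, limited to the North America scope and collection.
#    Naming only these here is the scripted equivalent of removing the default scope and
#    collections in the console before adding North America.
New-CMAdministrativeUser -Name $Account -RoleName "IT Support" `
    -SecurityScopeName $ScopeName -CollectionName $CollName

# 5. Review what was actually granted before handing the account over.
#    RoleNames, CategoryNames (security scopes) and CollectionNames are SMS_Admin properties.
Get-CMAdministrativeUser -Name $Account |
    Format-List LogonName, RoleNames, CategoryNames, CollectionNames
```

The review step at the end is worth keeping even when you configure everything in the console: a stray default scope or the All Systems collection left on the account silently widens what Nick can see and deploy to.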

When Nick Burns launches the SCCM console, he will see only the objects in his scope and collection and will be able to perform only the actions the IT Support role allows.

With these permissions there are a couple of items to take note of:

  • Nick is only able to create a collection by right clicking an object then selecting Add Selected Items to New Device Collection.
  • Nick doesn't have permission to move a collection.  If a collection he creates ends up in the wrong folder, either the ConfigMgr Administrator moves it, or Nick is given the Move Folder Item permission under Collection.  Because permissions cannot be set directly on folders, that permission lets him move the collection into any folder, but he still would not see any other collection in that folder.
  • Nick can only see the devices in the North America collection, because of the collection limitation defined in his administrative user settings, even if he creates a query rule that selects all systems.  He cannot delete or modify the North America collection itself.

If you are looking for more detailed information on SCCM 2012 RBA you may find these links helpful: