RBAC, or Role Based Administration, is new with the SCCM 2012 product. Many customers I encounter are excited with the separation and flexibility it can provide, but daunted by the activity of getting it setup initially. There are a few handy tricks I share time and again with customers at this stage and I thought it might be nice to share with everyone.
1 - Create a security role template
If you get into RBA you will find that you can copy an existing role, then modify it for your needs. However, this means that you have to go and remove all those perms that came over from your copy…, and you have to do this for each role you have to make. Save yourself some time and the very first time make a copy of the Remote Tools Operator. This has the least amount of existing perm lines that need cleared. I like to change all the existing lines to ‘no’ then add 1 single perm at the very top, under Alert Subscription. Save this as “_Template” and from this time forward you can just copy it as your starting point, making things a little easier.
2 - Think ahead about your potential use of scopes
If today you manage desktops only, and that is all you will ever have in SCCM, then stick to the default scope. If, however, you think that some day you may want to add servers and have management of them separated out, then the time to create the “desktop” and “server” scopes is right after SCCM finishes installation. Sure, you can do it any time, but the problem is that any object you create going forward is tagged to the scopes you are in.., which means they can all be tagged as part of the “desktop” scope, or they can be tagged as part of the “default” scope and you can go change them all to “desktop” later (not simple, but possible).
3 – Use RBAViewer
This tool is free as part of the SCCM 2012 R2 toolkit. It will make your visualization and exploration of the different perms necessary to reach your ends goals easier and more clear. There is also a helpful spreadsheet made by Brent Dunsire that many people find useful.
As a little side note, I was asked to figure out what the minimum permission necessary to allow an admin to block/deny devices from communicating with SCCM. That requires “Read Resource” perm under collections. Of course, if you can’t see the collections or connect to the admin console you will probably need an additional perm of some kind. “Read” under collections was the easy one I used.