Custom role needed in SCCM

M Huddleston 1 Reputation point
2021-08-13T20:37:01.927+00:00

I would like to set up a role in SCCM that would allow my technicians to delete a device from SCCM when it needs reimaging and add and remove the devices from a collection.

I do not want them to be able to change or add collections, nor do I want them to get into anything other than Assets and Compliance.

Ultimately, I would like to limit them to just see the Devices and Collections.

I attempted to create a Security Role and take away a lot of the permissions, but still too broad.

Are these things possible, and if so what settings do I need to add/remove?

Microsoft Security | Intune | Configuration Manager | Other

2 answers

  1. Sherry Kissinger 5,531 Reputation points
    2021-08-15T13:58:25.397+00:00

    Possibly... but I don't have anything like that. But I was thinking what you possibly really need is a front end for your technicians; where a web service (with for example, a service account with lots of rights to your CM) does the actions. Since you define exactly what collections or actions the front end can do; that limits what the techs can do.

    I did a quick search for "ConfigMgr Reimaging Front End" and found several hits. Two of the links I followed appeared to me to be free tools (of course you'll need to internally get servers and accounts for them; so it's "free" as in cold hard cash, but not "free" as in you may likely need internal resources to use them).

    Have you already considered, and rejected, having a web front end for this type of requirement?


  2. Amandayou-MSFT 11,156 Reputation points
    2021-08-16T09:01:25.827+00:00

    Hi @M Huddleston

    In Configuration Manager, role-based administration combines security roles, security scopes, and assigned collections to define the administrative scope for each administrative user. We might create a custom role to grant administrative users other permissions that they require and aren't included in a built-in role.

    Please navigate to Administration workspace. Expand Security, and then select the Security Roles node. Then use one of the following processes to create a new security role:

    [screenshot 123479-816.png of the Security Roles node: image not available]

    For more details, we could refer to this article:
    https://learn.microsoft.com/en-us/mem/configmgr/core/servers/deploy/configure/configure-role-based-administration

    Here is an Excel spreadsheet which captures a list of the built-in security roles, the permission groups each role uses, and the individual permissions for each group for role-based administration:
    http://www.system-center.fr/?p=3611
    Note: Non-Microsoft link, just for the reference.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
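As an added example (not code from either answer, and not a Microsoft-supplied script), here are the three pieces the answer above describes, a custom role, a security scope and an assigned collection, wired together with the Configuration Manager PowerShell module that ships with the console. The site code, role, scope, collection and group names are assumptions; the collection is assumed to exist already.

```powershell
# Added example: least-privilege technician role for SCCM role-based administration.
# All names below are assumptions for illustration.
$SiteCode       = 'PS1'                                   # assumption
$RoleName       = 'Technician - Reimage and Membership'   # assumption
$ScopeName      = 'Technician Scope'                      # assumption
$CollectionName = 'Technician Managed Devices'            # assumption: must already exist
$TechGroup      = 'CONTOSO\SCCM-Technicians'              # assumption: AD group of technicians

# Load the module installed with the console and switch to the site drive.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# 1. Start from the least-privileged built-in role rather than Full Administrator,
#    so anything not explicitly granted stays denied.
if (-not (Get-CMSecurityRole -Name $RoleName)) {
    Copy-CMSecurityRole -SourceName 'Read-only Analyst' -Name $RoleName `
        -Description 'Read devices/collections; delete devices; change collection membership'
}
# The per-permission tightening is done in the console on the copied role
# (right-click > Properties > Permissions): on the Collection object class keep
# Read, Read Resource, Delete Resource and Modify Resource, and clear Create,
# Modify and Delete so technicians cannot add or change collections themselves.
# Object classes with no permissions checked are hidden from the console,
# which is what keeps them out of everything except Assets and Compliance.

# 2. A dedicated security scope limits which objects the role applies to.
if (-not (Get-CMSecurityScope -Name $ScopeName)) {
    New-CMSecurityScope -Name $ScopeName -Description 'Objects technicians may act on'
}

# 3. Bind role + scope + collection to the technicians' AD group. The assigned
#    collection (and its members) is the only collection they can see or change.
New-CMAdministrativeUser -Name $TechGroup -RoleName $RoleName `
    -SecurityScopeName $ScopeName -CollectionName $CollectionName

# Verify: exactly one role, one scope (CategoryNames) and one collection should be listed.
Get-CMAdministrativeUser -Name $TechGroup |
    Select-Object LogonName, RoleNames, CategoryNames, CollectionNames
```

Have a technician sign in to the console afterwards and confirm that only the Assets and Compliance workspace with the assigned collection is visible before handing the role out more widely.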

