How to go about ConfigMgr'07 role based security model?

As we are aware that ConfigMgr'07 admin full access provide a lot of privilege to manage all desktop in an enterprise so it’s critical to manage the ConfigMgr admin access with role based security model. And recently we have introduced the new security group model for managing ConfigMgr operations and having least admin access on ConfigMgr as role based which is very much align to ConfigMgr out of box security classes.

 

Below are the list of sample security groups we provisioned in AD and same configured in ConfigMgr admin console with equivalent access rights to manage the role based security in ConfigMgr'07.

 

Hope this helps in your planning for securing ConfigMgr'07 admin access with role based security model.

 

More details for ConfigMgr security planning are available on following link : https://technet.microsoft.com/en-us/library/bb680768.aspx

 

Sample Security Group

Security Group Definition

ConfigMgr_Web_Reporting_Consumers

This group contains members who needs to view ConfigMgr reports.

ConfigMgr_SQLDB_Consumers

This group contains members who need to have read access ConfigMgr Database for data feed or reporting purpose.

ConfigMgr_Detail_Consumers

This group contains members who need to read all details about a given SMS/ConfigMgr site.

ConfigMgr_Monitoring_Providers

This group contains members which perform monitoring functions on the ConfigMgr servers

ConfigMgr_Software_Deployment_Providers

This group contains members who that need to write package deployment items.

ConfigMgr_Patch_Management_Providers

This group contains the members who need to create patch deployments.

ConfigMgr_Collection_Providers

This group contains the members that need to create & manage collections.

ConfigMgr_Advertisement_Providers

This group contains the members who that need to create & manage advertisements.

ConfigMgr_OSD_Provider

This group contains the members who need to create ConfigMgr OSD objects.

ConfigMgr_DCM_Provider

This group contains members who need to create ConfigMgr DCM objects.

ConfigMgr_Software_Metering_Provider

This group contains the members that need to create ConfigMgr Software Metering objects.

ConfigMgr_DeviceMgmt_Provider

This group contains members who need to create ConfigMgr DMP objects.

ConfigMgr_Report_Provider

This group contains the objects that need to create ConfigMgr web reports.

ConfigMgr_Client_Troubleshooting_Provider

This group contains objects that need to access ConfigMgr client logs.

ConfigMgr_Infrastructure_Providers

This group contains the members who need to change ConfigMgr site settings and have full access for ConfigMgr

ConfigMgr_Troubleshooting_Providers

This group contains the troubleshooting teams that provide escalation and resolution services.

Comments

  • Anonymous
    June 11, 2008
    Do you think there is someting like this for SCOM? Harlan hmlane_2000@hotmail.com

  • Anonymous
    June 15, 2008
    Sorry folk, I do not have similar role based security model for OpsMgr'07 but I think same approach could be followed to meet the requirement.

  • Anonymous
    July 17, 2008
    Great work, is there a document describing each group's security settings? Andreas com.gmail@gm9213 <reverse

  • Anonymous
    February 27, 2009
    You've done a great job, would you share the underlying object security in sccm? thx Steve comm.net@live.com

  • Anonymous
    October 05, 2009
    Very good job, is there now a document describing each group's security settings?

  • Anonymous
    October 08, 2009
    Great great job....but there is any way to have some kind of doc that describes in details the settings?

  • Anonymous
    December 09, 2009
    Hello, great, really great job. would it be possible to send some details about the security to my email: andi-beyer@gmx.de I am very interested in the Security options of the osd_provider_user thanks andi

  • Anonymous
    December 11, 2009
    Yeah, um what are the settings for each of these groups?

  • Anonymous
    December 21, 2009
    Hi All, I am planning to post part 2 of all role based security with all your queries answered. -Shitanshu