New-CMAdministrativeUserPermission

Module:

ConfigurationManager

Create a permissions object to assign to an administrative user.

Syntax

New-CMAdministrativeUserPermission
   [-Collection <IResultObject[]>]
   [-CollectionId <String[]>]
   [-CollectionName <String[]>]
   -InputObject <IResultObject>
   [-SecurityScope <IResultObject[]>]
   [-SecurityScopeId <String[]>]
   [-SecurityScopeName <String[]>]
   [-DisableWildcardHandling]
   [-ForceWildcardHandling]
   [<CommonParameters>]

New-CMAdministrativeUserPermission
   [-Collection <IResultObject[]>]
   [-CollectionId <String[]>]
   [-CollectionName <String[]>]
   -RoleId <String>
   [-SecurityScope <IResultObject[]>]
   [-SecurityScopeId <String[]>]
   [-SecurityScopeName <String[]>]
   [-DisableWildcardHandling]
   [-ForceWildcardHandling]
   [<CommonParameters>]

New-CMAdministrativeUserPermission
   [-Collection <IResultObject[]>]
   [-CollectionId <String[]>]
   [-CollectionName <String[]>]
   -RoleName <String>
   [-SecurityScope <IResultObject[]>]
   [-SecurityScopeId <String[]>]
   [-SecurityScopeName <String[]>]
   [-DisableWildcardHandling]
   [-ForceWildcardHandling]
   [<CommonParameters>]

Description

Use this cmdlet to create a permissions object to assign to an administrative user in Configuration Manager. Permissions can include security roles, security scopes, or collections. An administrative user in Configuration Manager defines a local or domain user or group. For more information about security roles, see Fundamentals of role-based administration in Configuration Manager.

Use this permissions object with the New-CMAdministrativeUser cmdlet and its Permission parameter.

Note

Run Configuration Manager cmdlets from the Configuration Manager site drive, for example PS XYZ:\>. For more information, see getting started.

Examples

Example 1

This example creates an object that defines the following permissions:

• Security role: Read-only Analyst
• Security scope: Scope1
• Collection: All Systems

It then creates a new administrative user for contoso\jqpublic and assigns these permissions. The last command displays the new user's permissions.

$accountName = "contoso\jqpublic"
$roleName = "Read-only Analyst"
$scopeName = "Scope1"
$collectionName = "All Systems"

$role = Get-CMSecurityRole -Name $roleName
$scope = Get-CMSecurityScope -Name $scopeName
$collection = Get-CMCollection -Name $collectionName

$perms = $role | New-CMAdministrativeUserPermission -RoleName $role.RoleName -SecurityScopeNames $scope.CategoryName -CollectionNames $collection.Name

$User = New-CMAdministrativeUser -Name $accountName -Permission $perms
$User.Permissions

Parameters

-Collection

Specify an array of collection objects to add to the permissions. To get this object, use the Get-CMCollection cmdlet.

Type:	IResultObject[]
Aliases:	Collections
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	False
Accept wildcard characters:	False

-CollectionId

Specify an array of collection IDs to add to the permissions. This value is the CollectionID property, for example, SMS00001.

Type:	String[]
Aliases:	CollectionIds
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	False
Accept wildcard characters:	False

-CollectionName

Specify an array of collection names to add to the permissions.

Type:	String[]
Aliases:	CollectionNames
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	False
Accept wildcard characters:	False

-DisableWildcardHandling

This parameter treats wildcard characters as literal character values. You can't combine it with ForceWildcardHandling.

Type:	SwitchParameter
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	False
Accept wildcard characters:	False

-ForceWildcardHandling

This parameter processes wildcard characters and may lead to unexpected behavior (not recommended). You can't combine it with DisableWildcardHandling.

Type:	SwitchParameter
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	False
Accept wildcard characters:	False

-InputObject

Specify a security role object to add to the permissions. To get this object, use the Get-CMSecurityRole cmdlet.

Type:	IResultObject
Aliases:	Role
Position:	Named
Default value:	None
Required:	True
Accept pipeline input:	True
Accept wildcard characters:	False

-RoleId

Specify the ID of a security role to add to the permissions. This value is the RoleID property, for example SMS000AR for the OS Deployment Manager role.

Type:	String
Position:	Named
Default value:	None
Required:	True
Accept pipeline input:	False
Accept wildcard characters:	False

-RoleName

Specify the name of a security role to add to the permissions.

Type:	String
Position:	Named
Default value:	None
Required:	True
Accept pipeline input:	False
Accept wildcard characters:	False

-SecurityScope

Specify a security scope object to add to the permissions. To get this object, use the Get-CMSecurityScope cmdlet.

Type:	IResultObject[]
Aliases:	SecurityScopes
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	False
Accept wildcard characters:	False

-SecurityScopeId

Specify the ID of a security scope to add to the permissions. This value is the CategoryID property, for example SMS00UNA for the Default scope.

Type:	String[]
Aliases:	SecurityScopeIds
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	False
Accept wildcard characters:	False

-SecurityScopeName

Specify the name of a security scope to add to the permissions.

Type:	String[]
Aliases:	SecurityScopeNames
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	False
Accept wildcard characters:	False

Inputs

Microsoft.ConfigurationManagement.ManagementProvider.IResultObject

Outputs

IResultObject

Notes

For more information on this return object and its properties, see SMS_APermission server WMI class.

Related Links

• New-CMAdministrativeUser
• Automate role-based administration with Windows PowerShell