letsgoflyers81

How can I use RBAC to exclude access to a collection in SCCM 1710?

I know I can use Security Roles and Scopes to give administrative users access to only certain collections (for example only desktops or only servers), but I need to allow access to All Systems except for a single collection.

My operational team are Full Administrators since they handle most day-to-day activities. However, I'm considering adding some clients to the environment that I don't want them to be able to manage, deploy software or updates to, etc. I thought about copying the Full Administrator role and assigning it a new scope, but since they need access to the All Systems collection, any clients in this new collection would be there as well, so I think they'd have access.

Is there an easy way to do this that I'm missing? Thanks!

Ok, I will bite. Why do they need access to the All Systems collection? If you write your All Workstations / All Server collections correctly, there should be no need for this, except in rare cases. Then you, as the overall admin, will fix it for them.

2 hours ago, GarthMJ said:

Ok, I will bite. Why do they need access to the All Systems collection? If you write your All Workstations / All Server collections correctly, there should be no need for this, except in rare cases. Then you, as the overall admin, will fix it for them.

As of right now my environment only manages workstations and the team I want to limit handles almost all of our BAU activities.  Because of that, most collections are limited against All Systems and the team has access to everything.  I'm looking into properly implementing RBAC in the near future which will require modifying most existing collections, deployments, admin users, etc. so I was hoping there would be an easier workaround for what I'm trying to do.

On 5/2/2018 at 11:01 AM, GarthMJ said:

I'm not following you as to why they need access to the All Systems collection. Why exactly do they need access to the All Systems collection?

What is BAU? 

Until now the team has been responsible for all SCCM management except for OSD so there was no reason to limit their access.  I'm not against removing their access to All Systems now, but wouldn't I need to change the limiting collection of every collection that uses it?

BAU means business as usual, day to day work such as software packaging and deployment, Windows updates, reporting and monitoring, etc.
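
For the question in the last post, a read-only inventory of which device collections are limited to All Systems, directly or through another collection, shows how many limiting collections would actually need changing. This is an added example, not part of the original thread; `$SiteCode` and `$ProviderServer` are placeholders, and it assumes the account can query the SMS Provider's WMI namespace.

```powershell
# Added example: read-only inventory, makes no changes to the site.
$SiteCode       = 'XXX'                    # placeholder: your site code
$ProviderServer = 'provider.example.test'  # placeholder: SMS Provider host
$AllSystemsId   = 'SMS00001'               # built-in All Systems collection ID

# Pull every device collection (CollectionType = 2) from the SMS Provider.
$collections = Get-CimInstance -ComputerName $ProviderServer `
    -Namespace "root\sms\site_$SiteCode" -ClassName SMS_Collection `
    -Filter 'CollectionType = 2'

# Index collections by the ID of their limiting collection.
$children = @{}
foreach ($c in $collections | Where-Object LimitToCollectionID) {
    if (-not $children.ContainsKey($c.LimitToCollectionID)) {
        $children[$c.LimitToCollectionID] = @()
    }
    $children[$c.LimitToCollectionID] += $c
}

# Breadth-first walk down from All Systems, recording how deep each one sits.
$queue = [System.Collections.Generic.Queue[object]]::new()
$queue.Enqueue([pscustomobject]@{ Id = $AllSystemsId; Depth = 0 })
$report = while ($queue.Count -gt 0) {
    $node = $queue.Dequeue()
    foreach ($c in $children[$node.Id]) {
        [pscustomobject]@{
            Depth        = $node.Depth + 1
            CollectionID = $c.CollectionID
            Name         = $c.Name
            LimitedTo    = $c.LimitToCollectionName
            MemberCount  = $c.MemberCount
        }
        $queue.Enqueue([pscustomobject]@{ Id = $c.CollectionID; Depth = $node.Depth + 1 })
    }
}

# Depth 1 = limited directly to All Systems; only these need a new limiting
# collection. Deeper entries inherit the change from their parent.
$direct = @($report | Where-Object Depth -eq 1)
"{0} of {1} device collections are limited directly to All Systems" -f `
    $direct.Count, @($report).Count
$report | Sort-Object Depth, Name | Format-Table -AutoSize
```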
