skullicious Posted February 15, 2014

Hey guys, I've created a service desk role in CM12 which allows the members to run reports, remote control machines and modify resources and collections. In CM07 I was comfortable with these guys having this level of access as it wasn't the easiest thing for them to add multiple devices erroneously to a collection.

In CM12 I fear that one of the guys is going to right-click a device collection (i.e. All Systems), "add items to existing collection", and add all the items in there to a Photoshop CS6 collection or something like that. Why is this button available so easily!?

I thought that with RBA I would be able to hide All Systems and collections like that from view using scopes etc. to circumvent instances like this (sadly not the case). Does anyone have a solution or way round this, or am I missing something really simple? Thanks.
Eswar Koneti Posted February 17, 2014

Try this, if it helps you: http://setupconfigmgr.com/using-rba-to-separate-servers-and-workstations-configuration-manager-2012/
skullicious Posted February 25, 2014

Hey! Thanks for that but that's not quite what I'm looking for. I basically want to *remove* from my Service Desk role the ability to add one collection to another collection using the "add items to existing collection" button. In the example above the functionality is still available for them to add for instance "All Desktops" to "Photoshop CS6" etc. Anyone have any ideas?
skullicious Posted March 12, 2014

I took another run at this and no joy.

I've got two roles:
SDREADER: which had NO "modify" permission.
SDMODIFY: which has "modify" permissions.

I assigned them both to the "MYDOMAIN\sdgroup" administrative user.

Then in security scopes I have: Associate assigned security roles with specific security scopes and collections.

There I modify the security roles so that:
SDReader: Assigned to "All Systems" Collection and Default scope.
SDModify: Assigned to "Photoshop" Collection and Default scope.

I would expect that this would allow "MYDOMAIN\sdgroup" to navigate collections as normal but not allow "add selected items" or "add resource" anywhere other than the "Photoshop" collection where the permissions would be available.

Am I on the right track here or have I totally missed something?
Darren Posted October 20, 2016

Hello folks, wondering about this exact concern. Anyone make any progress on this? Thank you