Restricting User to import Computer information and deploy OS to a collection

We have RBAC (Role Based Access Control) in Configuration Manager
2012 SP1. It serves many purposes and can do miracles.

Many a time we get a requirement to restrict a user
to only a specific action in the console. In our case, we want a non-admin
user to be able to perform two operations:

1) Import computer information

2) Operating system deployment

We don’t want the user to view the “All Systems” collection,
but they should still be able to import a computer and target a task sequence. So let’s get started!

This assumes you already have a user account created in AD.

1) Create two collections, “OSD Test” and “OSD Test2”.
Note down the limiting collection of both collections.

In my case, I have a limiting collection for
OSD Test; you can use a limiting collection based on the department name, such as
Finance, HR, etc. The limiting collection of OSD Test2 is OSD Test.

2) Create administrative users: Administration --> Security --> Administrative Users.

I have created a user named AB\User.

3) Under Security Roles, make a copy of the “Infrastructure
Administrator” role, name it “Modify Collection”, and disable every
permission except the collection permission.

4) Under Administrative Users, go to the properties of the
AB\User account created in step 2 and, under Security Roles, add the two roles below.

And under Security Scopes, add OSD Test and
Default under the instance selection.

5) Now open a console as the user AB\User,
navigate to Assets and Compliance and check that you can see “OSD Test”
and “OSD Test2”. Make sure that “OSD Test” is not modifiable but “OSD Test2”
is. You can check this in the properties of each of the two collections.

6) Go to Devices under Assets and Compliance and,
at the top left, click Import Computer Information. In my case, I tried importing a
single computer.

Under Choose Target Collection, select the
available collection “OSD Test2”. After a while, you should be able to see
MyComputer under the “OSD Test2” collection. Some patience is needed here.

Now you are good to deploy a TS to the
collection with your restricted user account.
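As an added example (not code from the original post), the same configuration done with the Configuration Manager PowerShell module instead of the console. The site code PS1, the MAC address and the second role name are assumptions, marked in the comments.

```powershell
# Added example: scripts steps 1-6 of the post with the ConfigMgr PowerShell
# module (New-CMDeviceCollection, Copy-CMSecurityRole, New-CMAdministrativeUser,
# Import-CMComputerInformation). Steps 1-4 run as an existing Full Administrator.
# "PS1" is a placeholder site code; other assumptions are marked below.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location "PS1:"   # site drive; replace PS1 with your site code

# Step 1: "OSD Test2" is limited by "OSD Test". A device therefore shows up in
# OSD Test2 only if it is also a member of OSD Test (see the last comment below).
New-CMDeviceCollection -Name "OSD Test"  -LimitingCollectionName "All Systems"
New-CMDeviceCollection -Name "OSD Test2" -LimitingCollectionName "OSD Test"

# Step 3: copy the built-in role. Removing every permission except the
# Collection ones is done in the role's properties in the console, as in the post.
Copy-CMSecurityRole -SourceRoleName "Infrastructure Administrator" -Name "Modify Collection"

# Steps 2 and 4: the administrative user gets both roles, the Default security
# scope and the "OSD Test" collection as its instance selection, so "All Systems"
# is never part of what it can see. The second role name is an assumption: the
# post's screenshot is missing, and "Operating System Deployment Manager" is the
# built-in role that covers task sequence deployment.
New-CMAdministrativeUser -Name "AB\User" `
    -RoleName "Modify Collection", "Operating System Deployment Manager" `
    -SecurityScopeName "Default" `
    -CollectionName "OSD Test"

# Step 5 check, from a PowerShell session started as AB\User: only the two OSD
# collections should be listed, since All Systems is not in the instance selection.
Get-CMDeviceCollection |
    Where-Object Name -like "OSD Test*" |
    Select-Object Name, LimitToCollectionName, CollectionID

# Step 6, also as AB\User: import one computer record into OSD Test2.
# The MAC address is a constructed sample value.
Import-CMComputerInformation -ComputerName "MyComputer" `
    -MacAddress "00:11:22:33:44:55" -CollectionName "OSD Test2"
```

If the imported record does not appear in OSD Test2, check that it is a member of the limiting collection OSD Test first, as the last comment on this post points out.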

So the idea here is to grant access to
users who are separated by region or department. I also wanted to
show you how RBAC works and how you control access with it.

I will be happy to hear any feedback, or whether you
would like to see more information.

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at https://www.microsoft.com/info/cpyright.htm

Comments

  • Anonymous
    January 01, 2003
    Hi Yogan, please check step 1.
    1) Create two collections “OSD Test” and OSD Test2.
    Note down the limiting collection of both the collections.

    If this is intact, I would check whether the member is in the targeting collection and whether it is visible.
    The next one would be to check the smsprov log at the time of choosing the collection. You may try running the same query manually on WMI and SQL.

  • Anonymous
    October 18, 2013
    Is there a way I can restrict only a certain set of users to be able to perform the OS install? Let's say I start the install from PXE; it asks for my domain credentials, and only for a specific user or group would the installation proceed. Possible only via MDT?

  • Anonymous
    October 29, 2013
    Yes, make the group available for the roles that has OSD access and the user is the member of it. That should work.

  • Anonymous
    June 09, 2014
    Hi Chandan, thanks for your blog. The only issue I am having is when I click on Choose Target Collection, I cannot see the collection. I can, however, see the collection when I browse under Assets and Compliance.

  • Anonymous
    August 25, 2016
    Good article, but this gives users the ability to add/remove queries from the OS build collection. Not ideal in my environment.

  • Anonymous
    September 20, 2016
    Hi Chandan, I did it, but I was waiting for 1 hour to see the devices in the collection. The device is not a member of OSDtest1; maybe that is the reason I cannot see the device in OSDtest2.

    • Anonymous
      April 28, 2017
      Please check the limiting collection. The machine should be in the limiting collection to appear in your main collection.