Security - admin console best practices
Our SCCM deployment is about finished. We are now getting ready to determine what rights to provide our outside techs within SCCM. Our goal is to limit the outside tech's ability to manage the PCs they are responsible for. I have read on the forums that a site admin can create and populate a collection and assign rights to that collection. In doing that, will the outside tech still have access to add machines from other locations (locations they are not responsible for)?
What is considered best practices for situations like I described? Is there an option that will not require a great deal of managerial overhead?
Thanks in advance
Answers
- RBAC (Role Based Access Control) is definitely possible... but as you've probably already guessed it's not currently a super-easy thing to accomplish.
Currently, it's either bite the bullet and deal with the fun times of designing the Collection security, or (this is what I did at another company) evaluate all the reasons a tech might need access to the console anyway.
Why do they need access to the console? Techs can accomplish the following without giving them access to the console itself:
- Remote Control: Several tools for this outside of the console.
- Anything to do with an individual client (health, rerun an ad, check why an ad failed, assign a site code): Several tools for this outside of the console.
About the ONLY thing I can think of why a local tech might need rights to the console is if they are 100% responsible for creating the collection which will be the target for an Advertisement, a DCM baseline, or Task Sequence. If creating a collection query is not something you would pass on to them anyway... I can't think of anything that couldn't be done outside of the console.
Some tools to possibly provide your techs instead of the console:
Ron Crumbaker's Web Remote Console 3.21
Roger Zanders' Client Center
Greg Ramsey's SCCM Client Troubleshooter
Links to those can be found here:
http://www.myitforum.com/myITWiki/SCCMTools.ashx
Standardize. Simplify. Automate.
- Marked as answer by WallyMSFT, Owner, 6 July 2009 22:19
All replies
- So if you want to limit what the admin can do (only access systems they have responsibility for) *and* allow them to add systems to their collections, then there's no real way to prevent them from adding systems they are not responsible for.
However, if you want to have one person create and populate all the collections, then you certainly can set rights on the collections so that only specific people have the ability to administer those collections, and *not* give them the right to add any new members to the collection.
That is possible, though as Sherry said, not a trivial process - it takes time to build the collections and assign the security rights. You might want to check out the docs on the console - http://technet.microsoft.com/en-us/library/bb632786.aspx
Wally Mead
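Since the reply above notes that a tech who is allowed to add members can add any machine, a periodic audit of collection membership against an inventory the techs cannot edit is a useful compensating check. The script below is an added example, not code from this thread or from Configuration Manager; the CSV layouts, collection names and machine-to-location inventory are constructed assumptions.

```python
# Added example (not from the thread): compare a ConfigMgr collection
# membership export with an authoritative machine-to-location inventory
# and flag members outside the collection's location. Formats are assumed.
import csv
import io

# Constructed: which location each tech collection is meant to cover
COLLECTION_SCOPE = {"Site-Prague Techs": "Prague", "Site-Brno Techs": "Brno"}

# Constructed: authoritative inventory (e.g. AD site or asset DB) that the
# techs themselves cannot edit
INVENTORY_CSV = """\
Name,Location
PRG-WS001,Prague
PRG-WS002,Prague
BRN-WS001,Brno
BRN-WS002,Brno
"""

# Constructed: membership export, e.g. from a collection membership report
MEMBERSHIP_CSV = """\
Collection,Name
Site-Prague Techs,PRG-WS001
Site-Prague Techs,BRN-WS002
Site-Brno Techs,BRN-WS001
Site-Brno Techs,UNKNOWN-PC
"""


def load_inventory(text):
    """Map machine name -> location from the inventory CSV."""
    return {r["Name"]: r["Location"] for r in csv.DictReader(io.StringIO(text))}


def find_out_of_scope(membership_text, inventory, scope):
    """Return (collection, machine, reason) for members that do not belong:
    location differs from the collection's scope, or machine not in inventory."""
    findings = []
    for row in csv.DictReader(io.StringIO(membership_text)):
        coll, name = row["Collection"], row["Name"]
        expected = scope.get(coll)
        if expected is None:
            continue  # collection not governed by a location scope
        actual = inventory.get(name)
        if actual is None:
            findings.append((coll, name, "not in inventory"))
        elif actual != expected:
            findings.append((coll, name, f"located in {actual}, not {expected}"))
    return findings
```

Each finding is a machine that should be removed from the collection or whose inventory record needs correcting; an empty result means every member is within its collection's location.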

