This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Remove From My Forums

phased deployments not viewable in monitoring tab

Question
0

Sign in to vote

I have a VERY unusual problem. I just upgraded to SCCM cb 2002. My app admin has been working with phased deployments and after the upgrade he could no longer configure them. I found some information from cb 1902 regarding phased deployment perms in the security roles not being available, so I added them into one of the security roles. He can now create the phased deployments but can't view them in the monitoring tab of the admin console. I did some research and it says you need the "ALL" security scope, which he already has. I used a test account and assigned the full admin role to cut to the chase, and can see the phased deployment in the monitoring tab. I was trying to determine what other rights were needed in the role and after not having any luck, I decided to back into it, so I made copy of the full admin security role and decided to remove stuff from there. However, even if I make a copy and make NO changes, it doesn't show anything with the copy of the role. But if I apply the full admin role it works. I even removed my test account, added it back in, gave it "ALL" security scope, and it still didn't work. Any ideas out there? Thank you.

Tuesday, August 4, 2020 8:02 PM

All replies

0

Sign in to vote

Hi,

Thanks for posting in TechNet. We will do more research about this issue, and will let you know if there is any update.

Best regards,
Larry
Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

Wednesday, August 5, 2020 2:45 AM
0

Sign in to vote
Hi,

Deployments created by phased deployments aren't viewable to any administrative user that doesn't have the All security scope.

Use security scopes to provide administrative users with access to securable objects. A security scope is a named set of securable objects that are assigned to administrator users as a group. All securable objects must be assigned to one or more security scopes. Configuration Manager has two built-in security scopes:

The All built-in security scope grants access to all scopes. You can't assign objects to this security scope.

The Default built-in security scope is used for all objects, by default. When you first install Configuration Manager, all objects are assigned to this security scope.

If you want to restrict the objects that administrative users can see and manage, you must create and use your own custom security scopes. Security scopes don't support a hierarchical structure and can't be nested. Security scopes can contain one or more object types.

For more information, see:
Security scopes

This MECM Forum will be migrating to a new home on Microsoft Q&A<Link>, please refer to this sticky post<Link> for more details.

Best regards,
Larry

"MECM" forum will be migrating to a new home on Microsoft Q&A!
We invite you to post new questions in the "MECM" forum's new home on Microsoft Q&A!
For more information, please refer to the sticky post.
- Edited by Larry_zMicrosoft contingent staff Wednesday, August 5, 2020 9:34 AM
Wednesday, August 5, 2020 9:33 AM
0

Sign in to vote

As I stated above, this account DOES have "All" security scope assigned. So does the test account I referenced that can see the phased deployment in the console if assigned to full admin security role. I don't want these accounts assigned to full admin, and toward that end, I made a copy of the full admin security role to determine what other perms might be needed, and even though the copy is identical, it won't allow my test account to see the phased deployments. The only way it can see phased deployments is if it is a member of the original full admin security role. That is the problem I am trying to resolve.

Wednesday, August 5, 2020 10:54 PM
0

Sign in to vote

Hi,

Thanks for your reply. I will do more research about this issue, and will let you know if there is any update.

Best regards,
Larry
"MECM" forum will be migrating to a new home on Microsoft Q&A!
We invite you to post new questions in the "MECM" forum's new home on Microsoft Q&A!
For more information, please refer to the sticky post.

Thursday, August 6, 2020 9:41 AM
0

Sign in to vote

Good morning. I was wondering if you had any luck with this. If nothing else I would at least like to find out how I can mitigate the issue of an exact copy of the full admin role not actually being a true duplicate, since an exact copy of the role does not allow access to existing phased deployments in the monitoring tab. Thank you.

Thursday, August 13, 2020 4:07 PM