Security Rights to Add Computers to specific collections without adding the entire collection

  • Question

  • I'm attempting to create a security role for the Helpdesk team, where they'll be able to look at the "All Clients" collection and add clients to an "OSD" collection to perform OS deployments. (The "All Clients" collection is essentially All Systems with servers removed.)

    The Security Role ("Helpdesk OSD") has the following settings:

    Collection: Read, Modify, Modify Resource, Read Resource
    Global condition: Read
    Site: Read, Import Computers

    All of the helpdesk technicians are in an AD group called "SCCM OSD Console Access;" the SCCM OSD Console Access group has the "Helpdesk OSD" security role assigned. For security scope, we've selected "Only the instances of the objects..." with the "All Clients" and "OSD" collections added, and the "Default" security scope.

    The "OSD" collection uses "All Clients" for its limiting collection. "All Clients" uses "All Systems" for its limiting collection.

    Right now, the helpdesk has no issue accessing the "All Clients" collection, locating the device, and adding it to the "OSD" collection. My problem comes from the fact that they have the ability to add the entire "All Clients" collection to the "OSD" collection. So, if someone accidentally chooses the collection instead of a specific device, it will add all ~20,000 devices to the OSD collection. Is there a way to give them the ability to search through "All Clients" but disallow them from selecting the entire collection?

    On a side note, what enables the "Add Resources" item in the right-click menu of a collection? I can't seem to find the setting.

    -Nick O.

    Wednesday, January 9, 2013 10:18 PM


I know of no method to disallow them from selecting the entire collection--within the console.  However, what a lot of companies do is simply not allow "lower rights" users (like Helpdesk) rights to the console at all.  Well, let me rephrase--they have rights to the console--but you don't let them have the console.  Instead, you use a front-end, and give them (in your case) basically two fields: an input field to put in a computer name, and "add this computer to the OSD collection".  And they'll either get an "OK, added" or "computer not visible to you / doesn't exist" message.

Basically, you give them all the rights they need... but you don't present them with the opportunity to do bad things.  I know I'm simplifying things, and likely your helpdesk needs more than just two things.  However, taking away the console is often the best way to control what they can see and do.  You may want to look into the SDK, around PowerShell scripts you can leverage, and get your helpdesk folk out of the console, and onto a simple interface instead.  For all I know someone already has something free out there for you to grab--I haven't looked lately.

    As for the 'add resources' right-click tool, I always thought that was enabled when my rights included "modify" on the collection.  Again--I haven't tested that.  Just sounds right.

    Standardize. Simplify. Automate.

    • Proposed as answer by Garth Jones (MVP) Tuesday, February 3, 2015 6:39 PM
    • Marked as answer by Garth Jones (MVP) Sunday, November 8, 2015 6:38 PM
    Wednesday, January 9, 2013 11:44 PM
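The kind of front-end the answer describes, as an added example that is not part of the thread and not anything the poster or Microsoft published: a PowerShell script that takes exactly one computer name, looks it up only within the collection the helpdesk may see, and adds that single ResourceID to the OSD collection as a direct membership rule. The collection names ("All Clients", "OSD") come from the question; the site code 'P01', the parameter names and the message wording are assumptions made for the example. It uses only cmdlets from the ConfigurationManager module that ships with the console (Get-CMDevice, Add-CMDeviceCollectionDirectMembershipRule).

```powershell
# Added example, not from the thread: a one-computer "add to OSD" front-end.
# Assumptions (not on the page): the ConfigMgr console and its PowerShell
# module are installed on the helpdesk machine, the site code is 'P01', and
# the collection names are the ones from the question.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z0-9\-]{1,15}$')]   # one NetBIOS-style name; no wildcards, never a collection
    [string]$ComputerName,

    [string]$SiteCode         = 'P01',           # assumed site code
    [string]$SourceCollection = 'All Clients',   # from the question
    [string]$TargetCollection = 'OSD'            # from the question
)

# Load the module from the console install path and switch to the site drive.
# The cmdlets talk to the SMS Provider as the calling user, so the "Helpdesk OSD"
# role and its security scope are still enforced server-side; this script only
# narrows what the user is offered, it is not the security boundary itself.
$modulePath = Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1'
Import-Module $modulePath -ErrorAction Stop
Set-Location "$($SiteCode):" -ErrorAction Stop

# Resolve the name only inside the collection the helpdesk is allowed to browse.
$device = @(Get-CMDevice -CollectionName $SourceCollection -Name $ComputerName)
if ($device.Count -eq 0) {
    Write-Output "Computer not visible to you / doesn't exist: $ComputerName"
    exit 1
}
if ($device.Count -ne 1) {
    Write-Output "More than one record matches '$ComputerName'; refusing to guess."
    exit 1
}

# Add a direct membership rule for this one ResourceID. There is deliberately no
# code path that accepts a collection as input, so the "add all ~20,000" mistake
# from the question cannot happen through this interface.
try {
    Add-CMDeviceCollectionDirectMembershipRule -CollectionName $TargetCollection `
        -ResourceId $device[0].ResourceID -ErrorAction Stop
    Write-Output "OK, added: $ComputerName (ResourceID $($device[0].ResourceID)) -> $TargetCollection"
}
catch {
    Write-Output "Failed to add ${ComputerName}: $($_.Exception.Message)"
    exit 1
}
```

Run it as the helpdesk user (for example `.\Add-ToOsd.ps1 -ComputerName PC-1234`); because the provider evaluates the caller's role, a device outside "All Clients" or a user outside the "SCCM OSD Console Access" group gets the "not visible" or an access-denied error rather than a silent success. Note that the role itself still allows the bulk add, so the protection only holds as long as those users do not also get the console.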