locked
Permissions within MDT Deployment Workbench

  • Question

  • We are using ConfigMgr with a MDT Integrated task sequence.

    We recently had an issue where a developer made changes to the production role instead of the development role, causing all builds in production to fail.

    Short of telling devs 'don't do that', is there any way to secure what an individual can and cannot edit within MDT? Ideally we'd have only our validation team able to edit the production roles, with the developers only modifying the non-production roles. This is accomplished through scoping in SCCM, but I see nothing similar in MDT.

    Has anyone else successfully implemented something to this end?

    Will



    Thursday, January 8, 2015 12:47 PM

All replies

  • Consider adding custom NTFS permissions that only allow write within the deployment share the user is intended to edit.

    MCP/MCSA/MCTS/MCITP

    Thursday, January 8, 2015 1:47 PM
  • I'm not sure how NTFS would help? The roles are stored within the SQL database. You can't secure the table because all roles are written to the same table.

    Or am I missing something?


    Will

    Thursday, January 8, 2015 1:51 PM
  • I'm slightly confused. Are you using ConfigMgr for all of your deployments or do you have ConfigMgr as well as an MDT Litetouch environment?

    As you mentioned, ConfigMgr access is controlled with RBAC. MDT Litetouch (standalone) doesn't have anything like RBAC; at best, you would be relegated to looking at security permissions on the deployment share or perhaps setting up a second deployment share for non-production tasks.


    -Nick O.

    Thursday, January 8, 2015 4:04 PM
  • We are using ConfigMgr for deployment, but storing different load configurations in MDT. The build configuration is populated in MDT, and the task sequence determines which applications to install by querying the role from MDT.

    One role within MDT will be 'finance', while the other will be 'finance-dev'. Unfortunately, these are just rows in a database, so I think MDT lacks any way to limit which items a user can edit.

    Hoping someone can tell me otherwise...


    Will

    Thursday, January 8, 2015 4:10 PM