SCCM 2012 Security Scopes and roles migrating from SCCM 2007

  • Question

  • SCCM 2012 Security Scopes and roles

    We are planning an upgrade to SCCM 2012. Actually we run 20 primary sites (and a few secondaries and a bunch of Branch distribution points but that is irrelevant for this question). The main reason is that we have approx 20 IT managed locations that work independently (i.e. manage their own computers) from each other.

    Overview of tasks that matter (in a nutshell)

    HQ: packaging, OS imaging (including task sequences), Software Updates, SCCM infrastructure
    Locations: software deployment (mainly advertisements, collections and queries), OS deployment

    With SCCM 2012 we would like to reduce the number of primary sites to ONE (1).

    Therefore we would rely on security roles and security scopes.

    With security scopes I can perfectly limit each location to its own users and computers.

    I have some doubt if “security roles” gives me enough flexibility. Yes I can create different roles that contain only the tasks that will be executed in the different locations BUT how can I avoid that an IT staff member of location A deletes a collection/deployment of Location B?

    Do I somehow somewhere miss something?

    Thanks in advance.

    Kind regards,
    Alain VDP.

    Friday, October 18, 2013 7:39 AM

Answers

  • That's just a matter of limiting collections. Just make sure that "IT staff members of location A" are assigned a collection that contains "location A clients only".

    Torsten Meringer | http://www.mssccmfaq.de

    • Marked as answer by Alain VDP Friday, October 18, 2013 10:58 AM
    Friday, October 18, 2013 8:04 AM

All replies

  • Dear Torsten,

    Thanks for your prompt reply. I clearly missed something somewhere (in SCCM time).

    Basically it comes to this:

    (per "location")
    - collection containing all users LOCATION
    - collection containing all devices LOCATION
    - Distribution groups containing DP LAN + all the ex-bdp's
    - a security scope.

    Then

    - creation "LOCATION limited admins" in "security / administrative users" that are limited to the above created collections/scope granting the correct security role (custom or not).

    - set the above created security scope to the above created DP group. Here I can limit "location" specific packages.

    And so on.

    Thanks and have a nice Weekend.

    Friday, October 18, 2013 8:55 AM
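
The per-location setup outlined in the reply above, sketched with the ConfigurationManager PowerShell cmdlets as an added example that is not part of the original thread. The location name, AD group, OU paths and the choice of the built-in Application Deployment Manager role are assumptions; it expects a session with the ConfigurationManager module loaded and the site drive as the current location.

```powershell
# Added example. LOC-A, CONTOSO\... and the OU paths are constructed placeholders.
$loc   = 'LOC-A'
$group = 'CONTOSO\SCCM-LOC-A-Admins'   # AD group holding location A's IT staff

# 1. Collections that contain only this location's devices and users.
New-CMDeviceCollection -Name "$loc Devices" -LimitingCollectionName 'All Systems' | Out-Null
Add-CMDeviceCollectionQueryMembershipRule -CollectionName "$loc Devices" -RuleName "$loc OU" `
    -QueryExpression "select * from SMS_R_System where SMS_R_System.SystemOUName = 'CONTOSO.EXAMPLE/LOC-A/COMPUTERS'"

New-CMUserCollection -Name "$loc Users" -LimitingCollectionName 'All Users' | Out-Null
Add-CMUserCollectionQueryMembershipRule -CollectionName "$loc Users" -RuleName "$loc OU" `
    -QueryExpression "select * from SMS_R_User where SMS_R_User.UserOUName = 'CONTOSO.EXAMPLE/LOC-A/USERS'"

# 2. Security scope for the location, applied to the location's DP group.
New-CMSecurityScope -Name $loc -Description "Objects owned by $loc" | Out-Null
New-CMDistributionPointGroup -Name "$loc DPs" | Out-Null
$dpGroup = Get-CMDistributionPointGroup -Name "$loc DPs"
Add-CMObjectSecurityScope -InputObject $dpGroup -Name $loc

# 3. Administrative user: one role, one scope, and only the two location collections.
#    Collections this group creates later must be limited to one of these two,
#    so it cannot see, change or delete another location's collections.
New-CMAdministrativeUser -Name $group -RoleName 'Application Deployment Manager' `
    -SecurityScopeName $loc -CollectionName "$loc Devices", "$loc Users" | Out-Null

# 4. Check: stop if the group reaches any collection or scope beyond its own.
$admin      = Get-CMAdministrativeUser -Name $group
$extraColl  = $admin.CollectionNames | Where-Object { $_ -notlike "$loc *" }
$extraScope = $admin.CategoryNames   | Where-Object { $_ -ne $loc }
if ($extraColl -or $extraScope) {
    $extra = (@($extraColl) + @($extraScope)) -join ', '
    throw "$group is over-scoped: $extra"
}
"$group is limited to scope '$loc' and collections: $($admin.CollectionNames -join ', ')"
```

Leaving 'All Systems' or 'All Users' assigned to a location's administrative user is what would let staff at one location act on another location's collections, which is what the check in step 4 catches.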
  • With SCCM 2012 we would like to reduce the number of primary sites to ONE (1).
    Awesome idea! Sorry, just felt the need to congratulate you on properly interpreting the new hierarchy model in 2012 -- there are so many folks who want to install multiple primaries and a CAS in 2012 for no reason other than they can or because they want to mirror their 2007 hierarchy. So, good on ya.

    Jason | http://blog.configmgrftw.com

    Friday, October 18, 2013 3:17 PM
  • Dear Jason,
    I'll take that as a compliment.
    Kind regards,
    Alain VDP.

    Monday, October 21, 2013 8:29 AM