question

MHuddleston-2605 asked Amandayou-MSFT commented

Custom role needed in SCCM


I would like to set up a role in SCCM that would allow my technicians to delete a device from SCCM when it needs reimaging and add and remove the devices from a collection.

I do not want them to be able to change or add collections, nor do I want them to get into anything other than Assets and Compliance.

Ultimately, I would like to limit them to just see the Devices and Collections.

I attempted to create a Security Role and take away a lot of the permissions, but it is still too broad.

Are these things possible, and if so, what settings do I need to add/remove?

mem-cm-general

SherryKissinger-ECM answered

Possibly... but I don't have anything like that. But I was thinking what you possibly really need is a front end for your technicians; where a web service (with for example, a service account with lots of rights to your CM) does the actions. Since you define exactly what collections or actions the front end can do; that limits what the techs can do.

I did a quick search for "ConfigMgr Reimaging Front End" and found several hits. Two of the links I followed appeared to me to be free tools (of course you'll need to internally get servers and accounts for them; so it's "free" as in cold hard cash, but not "free" as in you may likely need internal resources to use them).

Have you already considered, and rejected, having a web front end for this type of requirement?
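
The brokered-action idea in this answer, sketched as an added example; it is not part of the original post and not code from any of the front-end tools mentioned. It assumes the ConfigurationManager PowerShell module is loaded on the site drive under the service account, and the function name, allow-list and collection names are hypothetical.

```powershell
# Added example: technicians never hold Configuration Manager rights themselves.
# The front end calls this function as the service account, and only the three
# actions below, against allow-listed collections, are possible.
$AllowedCollections = @('Reimage - Staging', 'Reimage - Lab PCs')   # constructed names

function Invoke-TechDeviceAction {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('AddToCollection', 'RemoveFromCollection', 'DeleteDevice')]
        [string]$Action,
        # Plain NetBIOS-style names only, so wildcards cannot widen the match.
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9-]{1,15}$')]
        [string]$DeviceName,
        [string]$CollectionName,
        [Parameter(Mandatory)][string]$RequestedBy   # technician identity from the front end
    )

    # Collection actions are refused unless the target is on the allow-list.
    if ($Action -ne 'DeleteDevice' -and $CollectionName -notin $AllowedCollections) {
        throw "Collection '$CollectionName' is not permitted for technician actions."
    }

    # Resolve exactly one device; refuse missing or ambiguous names.
    $device = @(Get-CMDevice -Name $DeviceName)
    if ($device.Count -ne 1) {
        throw "Expected one device named '$DeviceName', found $($device.Count)."
    }

    switch ($Action) {
        'AddToCollection' {
            Add-CMDeviceCollectionDirectMembershipRule -CollectionName $CollectionName -ResourceId $device[0].ResourceID
        }
        'RemoveFromCollection' {
            Remove-CMDeviceCollectionDirectMembershipRule -CollectionName $CollectionName -ResourceId $device[0].ResourceID -Force
        }
        'DeleteDevice' {
            Remove-CMDevice -InputObject $device[0] -Force
        }
    }

    # Return an audit record so every brokered action is tied to a technician.
    [pscustomobject]@{
        Time = (Get-Date).ToString('o'); By = $RequestedBy; Action = $Action
        Device = $DeviceName; Collection = $CollectionName
    }
}
```

Because the service account holds broad rights, the allow-list and input validation here are the actual security boundary, so the script and its configuration need the same change control as the site itself.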


Amandayou-MSFT answered Amandayou-MSFT commented

Hi @MHuddleston-2605

In Configuration Manager, role-based administration combines security roles, security scopes, and assigned collections to define the administrative scope for each administrative user. We might create a custom role to grant administrative users other permissions that they require and aren't included in a built-in role.

Please navigate to the Administration workspace. Expand Security, and then select the Security Roles node. Then use one of the following processes to create a new security role:

123479-816.png

For more details, we could refer to this article:
https://docs.microsoft.com/en-us/mem/configmgr/core/servers/deploy/configure/configure-role-based-administration

Here is an Excel spreadsheet which captures a list of the built-in security roles, the permission groups each role uses, and the individual permissions for each group for role-based administration:
http://www.system-center.fr/?p=3611
Note: Non-Microsoft link, just for the reference.




Hi,

May we know the current status of the question? If there is any other assistance we can provide, please feel free to let us know; we will do our best to help you.

Thanks and regards,
Amanda
