question

Loc750 avatar image
0 Votes"
Loc750 asked Loc750 edited

What are the minimum permission required to download Console Extensions from Community Hub?

The site runs CB 2107. I read the Permissions section of https://docs.microsoft.com/en-us/mem/configmgr/core/servers/manage/community-hub . Copied the Read Only Analyst role and gave the new custom role Community hub Download Yes. Also gave SMS_Scripts Create Yes. Added that role to an existing Administrative User group. The group has access to the All Systems Collection and the Default Security scope.
Tried to download a console extension. It fails with "Download failed. The item cannot be imported. Review the SmsAdminUI.log and AdminService.log for additional information."

AdminService.log reports the following. I'm unsure what other permissions are needed for this operation.

Processing incoming request for resource [https://<name>/AdminService/v1.0/ConsoleExtensionMetadata/AdminService.UploadExtension], method: [POST], User - [<user>] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
Header: [SMSAppName]=[Configuration Manager Administrator console] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
Header: [MachineName]=[<name>] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
Header: [UserName]=[<user>] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
Header: [ObjectLockContext]=[ec1860a7-b523-401c-86da-d2da768fd8f8] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
Header: [ApplicationName]=[Microsoft.ConfigurationManagement.exe] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
Header: [ApplicationVersion]=[5.2107.1063.1000] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
Header: [LocaleID]=[MS\0x409] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
Header: [Content-Length]=[33409998] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
Header: [Content-Type]=[application/json] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
Header: [Authorization]=[**] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
Header: [Expect]=[100-continue] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
Header: [Host]=[<name>] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
Context: [RemoteIpAddress]=[10.10.250.14] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
Context: [RemotePort]=[51824] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
Context: [ContentType]=[application/json] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
Context: [Accept]=[] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
Provider authentication level and exception list up to date. Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
User <name> is allowed because it is validated with current authentication level Default. Microsoft.ConfigurationManager.AdminService 9/15/2021 1:32:18 PM 25 (0x0019)
User <name> does not have enough permissions for this operation. Microsoft.ConfigurationManager.AdminService 9/15/2021 1:33:04 PM 25 (0x0019)
Completing request with response code [403] reason [Forbidden] Microsoft.ConfigurationManager.AdminService 9/15/2021 1:33:04 PM 25 (0x0019)

mem-cm-general
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

Amandayou-MSFT avatar image
0 Votes"
Amandayou-MSFT answered Loc750 edited

Hi @Loc750

I check the type of Console Extensions, the same classification belongs to different plug-ins. Different plug-ins require different permissions. So we could check what permissions are required for different plug-ins before making a choice of permissions.



If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Thanks for your reply @Amandayou-MSFT. I'm trying to add Right Click Tools from bryand-recastsoftware. The extension's page in Community Hub provides limited details about the extension, but it provides a link to bryand's website. I browsed around that site and it mentions reports. The docs page I referenced in my initial post note the Full Administrator security role is required to import a report. Granting that role allowed me to download the extension. It would be nice if each page in Community had two required fields: Imports a Script Yes/No and Imports a Report Yes/No.

1 Vote 1 ·