Configure role-based administration for Configuration Manager

Applies to: Configuration Manager (current branch)

In Configuration Manager, role-based administration combines security roles, security scopes, and assigned collections to define the administrative scope for each administrative user. An administrative scope includes the objects that an administrative user can view in the Configuration Manager console and the tasks related to those objects that the administrative user has permission to perform. Role-based administration configurations are applied at each site in a hierarchy.

If you're not yet familiar with concepts for role-based administration, see Fundamentals of role-based administration.

The information in the following procedures can help you create and configure role-based administration and related security settings:

Create custom security roles

Configuration Manager provides several built-in security roles. If you require additional security roles, you can create a custom security role by creating a copy of an existing security role, and then modifying the copy. You might create a custom security role to grant administrative users the additional security permissions they require that aren't included in a currently assigned security role. By using a custom security role, you can grant them only the permissions they require, and avoid assigning a security role that grants more permissions than they require.

Use the following procedure to create a new security role by using an existing security role as a template.

To create custom security roles

  1. In the Configuration Manager console, go to Administration.

  2. In the Administration workspace, expand Security, and then choose Security Roles.

    Use one of the following processes to create the new security role:

    • To create a new custom security role, perform the following actions:

      1. Select an existing security role to use as the source for the new security role.

      2. On the Home tab, in the Security Role group, choose Copy. This action creates a copy of the source security role.

      3. In the Copy Security Role wizard, specify a Name for the new custom security role.

      4. In Security operation assignments, expand each Security Operations node to display the available actions.

      5. To change the setting for a security operation, choose the down arrow in the Value column, and choose either Yes or No.

        Caution

        When you configure a custom security role, ensure that you don't grant permissions that aren't required by administrative users that are associated with the new security role. For example, the Modify value for the Security Roles security operation grants administrative users permission to edit any accessible security role – even if they aren't associated with that security role.

      6. After you configure the permissions, choose OK to save the new security role.

    • To import a security role that was exported from another Configuration Manager hierarchy, perform the following actions:

      1. On the Home tab, in the Create group, choose Import Security Role.

      2. Specify the .xml file that contains the security role configuration that you want to import. Choose Open to complete the procedure and save the security role.

        Note

        After you import a security role, you can edit the security role properties to change the object permissions that are associated with the security role.

Configure security roles

The groups of security permissions that are defined for a security role are called security operation assignments. Security operation assignments represent a combination of object types and actions that are available for each object type. You can modify which security operations are available for any custom security role, but you can't modify the built-in security roles that Configuration Manager provides.

Use the following procedure to modify the security operations for a security role.

To modify security roles

  1. In the Configuration Manager console, choose Administration.

  2. In the Administration workspace, expand Security, and then choose Security Roles.

  3. Select the custom security role that you want to modify.

  4. On the Home tab, in the Properties group, choose Properties.

  5. Choose the Permissions tab.

  6. In Security operation assignments, expand each Security Operations node to display the available actions.

  7. To change the setting for a security operation, choose the down arrow in the Value column, and then choose either Yes or No.

    Caution

    When you configure a custom security role, ensure that you don't grant permissions that aren't required by administrative users that are associated with the new security role. For example, the Modify value for the Security Roles security operation grants administrative users permission to edit any accessible security role – even if they aren't associated with that security role.

  8. When you've finished configuring security operation assignments, choose OK to save the new security role.

Configure security scopes for an object

You manage the association of a security scope for an object from the object, not from the security scope. The only direct configurations that a security scope supports are changes to its name and description. To change the name and description of a security scope when you view the security scope properties, you must have the Modify permission for the Security Scopes securable object.

When you create a new object in Configuration Manager, it's associated with each security scope that's associated with the security roles of the account used to create the object. This behavior occurs when those security roles provide the Create permission or Set Security Scope permission. You can change the security scopes for the object after you create it.

As an example, you're assigned a security role that grants you permission to create a new boundary group. When you create a new boundary group, you have no option that you can assign specific security scopes to. Instead, the security scopes that are available from the security roles you're associated with are automatically assigned to the new boundary group. After you save the new boundary group, you can edit the security scopes that are associated with the new boundary group.

Use the following procedure to configure the security scopes that are assigned to an object.

To configure security scopes for an object

  1. In the Configuration Manager console, select an object that supports being assigned to a security scope.

  2. On the Home tab, in the Classify group, choose Set Security Scopes.

  3. In the Set Security Scopes dialog box, select or clear the security scopes that this object is associated with. Each object that supports security scopes must be assigned to at least one security scope.

  4. Choose OK to save the assigned security scopes.

    Note

    When you create a new object, you can assign the object to multiple security scopes. To modify the number of security scopes that are associated with the object, you must change this assignment after the object is created.

To configure security scopes for a folder (starting in version 1906)

  1. In the Configuration Manager console, select a folder.

  2. On the Folder tab in the ribbon, choose Set Security Scopes.

    • You can also right-click the folder and choose Folder > Set Security Scopes.

  3. In the Set Security Scopes dialog box, select or clear security scopes for the folder. Each folder must be assigned to at least one security scope. All folders are assigned the Default security scope until you change it.

  4. Choose OK to save the assigned security scopes.

    Important

    • Existing security roles will automatically get Folder Class permissions added when you install Configuration Manager version 1906. You'll need to add Folder Class permissions for any new security roles and verify existing roles have the appropriate permissions for your environment.

    • An item is searchable in a folder outside of a user's security scope if that user shares a security scope with the person who created the object.

Configure collections to manage security

There are no procedures to configure collections for role-based administration. Collections don't have a role-based administration configuration. Instead, you assign collections to an administrative user when you configure the administrative user. The collection security operations that are enabled in the user-assigned security roles determine the permissions that an administrative user has for collections and collection resources (collection members).

When an administrative user has permissions to a collection, they also have permissions to collections that are limited to that collection. As an example, your organization uses a collection named All Desktops. There's also a collection named All North America Desktops that's limited to the All Desktops collection. If an administrative user has permissions to All Desktops, they also have those same permissions to the All North America Desktops collection.

Additionally, an administrative user can't use the Delete or Modify permission on a collection that's directly assigned to them. But, they can use these permissions on the collections that are limited to that collection. In the previous example, the administrative user can delete or modify the All North America Desktops collection, but they can't delete or modify the All Desktops collection.
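The two collection rules above can be checked mechanically when reviewing an assignment. The following is an added example, not Configuration Manager code or anything from the original page: it models the rules in Python over a constructed limiting hierarchy. The Seattle Desktops and All Servers collections are constructed, and two points are assumptions: that limiting applies transitively, and that a directly assigned collection keeps its Delete/Modify restriction even if it is also limited to another assigned collection.

```python
# Constructed sample data: collection name -> the collection it is limited to
# (None means the collection has no limiting collection in this model).
LIMITED_TO = {
    "All Desktops": None,
    "All North America Desktops": "All Desktops",
    "Seattle Desktops": "All North America Desktops",
    "All Servers": None,
}

# Operations the page says cannot be used on a directly assigned collection.
BLOCKED_ON_ASSIGNED = {"Delete", "Modify"}


def limiting_chain(name, limited_to):
    """Return the limiting collections of `name`, nearest first."""
    seen = {name}
    chain = []
    parent = limited_to.get(name)
    while parent is not None:
        if parent in seen:
            # A cycle would make the walk endless; treat it as bad input.
            raise ValueError(f"limiting cycle at {parent!r}")
        seen.add(parent)
        chain.append(parent)
        parent = limited_to.get(parent)
    return chain


def usable_operations(assigned, role_ops, target, limited_to=LIMITED_TO):
    """Operations an administrative user can use on `target`.

    assigned: collections directly assigned to the administrative user.
    role_ops: collection operations enabled by the user's security roles.
    """
    role_ops = set(role_ops)
    if target in assigned:
        # Directly assigned: Delete and Modify are not usable (assumption:
        # this check wins over inheritance from another assigned collection).
        return role_ops - BLOCKED_ON_ASSIGNED
    if any(c in assigned for c in limiting_chain(target, limited_to)):
        # Limited (assumed transitively) to an assigned collection:
        # the same permissions apply, including Delete and Modify.
        return role_ops
    return set()  # outside the user's administrative scope


def audit(assigned, role_ops, limited_to=LIMITED_TO):
    """Map every known collection to the sorted operations usable on it."""
    return {
        name: sorted(usable_operations(assigned, role_ops, name, limited_to))
        for name in sorted(limited_to)
    }


if __name__ == "__main__":
    for name, ops in audit({"All Desktops"}, {"Read", "Modify", "Delete"}).items():
        print(f"{name}: {ops or 'no access'}")
```
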

Create a new administrative user

To grant individuals or members of a security group access to manage Configuration Manager, create an administrative user in Configuration Manager and specify the Windows account of the User or User Group. Each administrative user in Configuration Manager must be assigned at least one security role and one security scope. You can also assign collections to limit the administrative scope of the administrative user.

Use the following procedures to create new administrative users.

To create a new administrative user

  1. In the Configuration Manager console, choose Administration.

  2. In the Administration workspace, expand Security, and then choose Administrative Users.

  3. On the Home tab, in the Create group, choose Add User or Group.

  4. Choose Browse, and then select the user account or group to use for this new administrative user.

    Note

    For console-based administration, only domain users or security groups can be specified as an administrative user.

  5. For Associated security roles, choose Add to open a list of the available security roles, check the box for one or more security roles, and then choose OK.

  6. Choose one of the following two options to define the securable object behavior for the new user:

    • All instances of the objects that are related to the assigned security roles: This option associates the administrative user with the All security scope, and the All Systems and All Users and User Groups collections. The security roles that are assigned to the user define access to objects. New objects that this administrative user creates are assigned to the Default security scope.

    • Only the instances of objects that are assigned to the specified security scopes and collections: By default, this option associates the administrative user with the Default security scope, and the All Systems and All Users and User Groups collections. However, the actual security scopes and collections are limited to those that are associated with the account that you used to create the new administrative user. This option supports the addition or removal of security scopes and collections to customize the administrative scope of the administrative user.

    Important

    The preceding options associate each assigned security scope and collection to each security role that is assigned to the administrative user. You can use a third option, Associate assigned security roles with specific security scopes and collections, to associate individual security roles to specific security scopes and collections. This third option is available after you create the new administrative user, when you modify the administrative user.

  7. Depending on your selection in step 6, take the following action:

    • If you selected All instances of the objects that are related to the assigned security roles, choose OK to complete this procedure.

    • If you selected Only the instances of objects that are assigned to the specified security scopes and collections, you can choose Add to select additional collections and security scopes. Or select one or more objects in the list, and then choose Remove to remove them. Choose OK to complete this procedure.

Modify the administrative scope of an administrative user

You can modify the administrative scope of an administrative user by adding or removing security roles, security scopes, and collections that are associated with the user. Each administrative user must be associated with at least one security role and one security scope. You might have to assign one or more collections to the administrative scope of the user. Most security roles interact with collections and don't function correctly without an assigned collection.

When you modify an administrative user, you can change the behavior for how securable objects are associated with the assigned security roles. The three behaviors that you can select are as follows:

  • All instances of the objects that are related to the assigned security roles: This option associates the administrative user with the All scope, and the All Systems and All Users and User Groups collections. The security roles that are assigned to the user define access to objects.

  • Only the instances of objects that are assigned to the specified security scopes and collections: This option associates the administrative user to the same security scopes and collections that are associated to the account you use to configure the administrative user. This option supports the addition or removal of security roles and collections to customize the administrative scope of the administrative user.

  • Associate assigned security roles with specific security scopes and collections: This option lets you create specific associations between individual security roles and specific security scopes and collections for the user.

    Note

    This option is available only when you modify the properties of an administrative user.
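The practical difference between the three behaviors is which security role ends up paired with which security scope and collection. The following is an added example, not Configuration Manager code or anything from the original page: a Python model that expands each behavior into explicit (role, kind, name) associations and reports what the first two behaviors grant beyond a per-role intent. The behavior keys, the scope names Apps-EU and Updates, and the collection names EU Desktops and All Servers are constructed for illustration.

```python
from itertools import product

ALL_SCOPE = "All"
ALL_COLLECTIONS = ("All Systems", "All Users and User Groups")


def expand(behavior, roles, scopes=(), collections=(), per_role=None):
    """Return the set of (role, kind, name) associations for one admin user.

    behavior (hypothetical keys for the three console options):
      "all_instances" - All scope plus the two built-in top collections
      "specified"     - every listed scope/collection paired with every role
      "per_role"      - scopes/collections listed individually for each role
    """
    if not roles:
        raise ValueError("an administrative user needs at least one security role")
    if behavior == "all_instances":
        scopes, collections = (ALL_SCOPE,), ALL_COLLECTIONS
    if behavior in ("all_instances", "specified"):
        if not scopes:
            raise ValueError("at least one security scope is required")
        targets = [("scope", s) for s in scopes]
        targets += [("collection", c) for c in collections]
        # Each scope and collection is associated with each assigned role.
        return {(r, kind, name) for r, (kind, name) in product(roles, targets)}
    if behavior == "per_role":
        per_role = per_role or {}
        result = set()
        for role in roles:
            entry = per_role.get(role, {})
            if not entry.get("scopes"):
                raise ValueError(f"role {role!r} needs at least one security scope")
            result |= {(role, "scope", s) for s in entry["scopes"]}
            result |= {(role, "collection", c) for c in entry.get("collections", ())}
        return result
    raise ValueError(f"unknown behavior {behavior!r}")


def over_grant(intended, actual):
    """Associations present in `actual` that the intent did not ask for."""
    return sorted(actual - intended)


# Constructed sample: two roles that should each see only their own area.
ROLES = ["Application Author", "Software Update Manager"]
INTENT = {
    "Application Author": {"scopes": ["Apps-EU"], "collections": ["EU Desktops"]},
    "Software Update Manager": {"scopes": ["Updates"], "collections": ["All Servers"]},
}


def demo():
    intended = expand("per_role", ROLES, per_role=INTENT)
    flat = expand("specified", ROLES, scopes=["Apps-EU", "Updates"],
                  collections=["EU Desktops", "All Servers"])
    return over_grant(intended, flat)


if __name__ == "__main__":
    for role, kind, name in demo():
        print(f"extra: {role} -> {kind} {name}")
```
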

The current configuration for the securable object behavior changes the process that you use to assign additional security roles. Use the following procedures that are based on the different options for securable objects to help you manage an administrative user.

Use the following procedure to view and manage the configuration for securable objects for an administrative user.

To view and manage the securable object behavior for an administrative user

  1. In the Configuration Manager console, choose Administration.
  2. In the Administration workspace, expand Security, and then choose Administrative Users.
  3. Select the administrative user that you want to modify.
  4. On the Home tab, in the Properties group, choose Properties.
  5. Choose the Security Scopes tab to view the current configuration for securable objects for this administrative user.
  6. To modify the securable object behavior, select a new option for securable object behavior. After you change this configuration, see the appropriate procedure for further guidance to configure security scopes and collections, and security roles for this administrative user.
  7. Choose OK to complete the procedure.

Use the following procedure to modify an administrative user that has the securable object behavior set to All instances of the objects that are related to the assigned security roles.

  1. In the Configuration Manager console, choose Administration.

  2. In the Administration workspace, expand Security, and then choose Administrative Users.

  3. Select the administrative user that you want to modify.

  4. On the Home tab, in the Properties group, choose Properties.

  5. Choose the Security Scopes tab to confirm that the administrative user is configured for All instances of the objects that are related to the assigned security roles.

  6. To modify the assigned security roles, choose the Security Roles tab.

    • To assign additional security roles to this administrative user, choose Add, check the box for each additional security role that you want to assign, and then choose OK.
    • To remove security roles, select one or more security roles from the list, and then choose Remove.

  7. To modify the securable object behavior, choose the Security Scopes tab and choose a new option for the securable object behavior. After you change this configuration, see the appropriate procedure for further guidance to configure security scopes and collections, and security roles for this administrative user.

    Note

    When the securable object behavior is set to All instances of the objects that are related to the assigned security roles, you can't add or remove specific security scopes and collections.

  8. Choose OK to complete this procedure.

Use the following procedure to modify an administrative user that has the securable object behavior set to Only the instances of objects that are assigned to the specified security scopes and collections.

For option: Only the instances of objects that are assigned to the specified security scopes and collections

  1. In the Configuration Manager console, choose Administration.

  2. In the Administration workspace, expand Security, and then choose Administrative Users.

  3. Select the administrative user that you want to modify.

  4. On the Home tab, in the Properties group, choose Properties.

  5. Choose the Security Scopes tab to confirm that the user is configured for Only the instances of objects that are assigned to the specified security scopes and collections.

  6. To modify the assigned security roles, choose the Security Roles tab.

    • To assign additional security roles to this user, choose Add, check the box for each additional security role that you want to assign, and then choose OK.
    • To remove security roles, select one or more security roles from the list, and then choose Remove.

  7. To modify the security scopes and collections that are associated with security roles, choose the Security Scopes tab.

    • To associate new security scopes or collections with all security roles that are assigned to this administrative user, choose Add and select one of the four options. If you select Security Scope or Collection, check the box for one or more objects to complete that selection, and then choose OK.
    • To remove a security scope or collection, choose the object, and then choose Remove.

  8. Choose OK to complete this procedure.

Use the following procedure to modify an administrative user that has the securable object behavior set to Associate assigned security roles with specific security scopes and collections.

For option: Associate assigned security roles with specific security scopes and collections

  1. In the Configuration Manager console, choose Administration.

  2. In the Administration workspace, expand Security, and then choose Administrative Users.

  3. Select the administrative user that you want to modify.

  4. On the Home tab, in the Properties group, choose Properties.

  5. Choose the Security Scopes tab to confirm that the administrative user is configured for Associate assigned security roles with specific security scopes and collections.

  6. To modify the assigned security roles, choose the Security Roles tab.

    • To assign additional security roles to this administrative user, choose Add. On the Add Security Role dialog box, select one or more available security roles, choose Add, and select an object type to associate with the selected security roles. If you select Security Scope or Collection, check the box for one or more objects to complete that selection, and then choose OK.

      Note

      You must configure at least one security scope before the selected security roles can be assigned to the administrative user. When you select multiple security roles, each security scope and collection that you configure is associated with each of the selected security roles.

    • To remove security roles, select one or more security roles from the list, and then choose Remove.

  7. To modify the security scopes and collections that are associated with a specific security role, choose the Security Scopes tab, select the security role, and then choose Edit.

    • To associate new objects with this security role, choose Add, and select an object type to associate with the selected security roles. If you select Security Scope or Collection, check the box for one or more objects to complete that selection, and then choose OK.

      Note

      You must configure at least one security scope.

    • To remove a security scope or collection that is associated with this security role, select the object, and then choose Remove.

    • When you have finished modifying the associated objects, choose OK.

  8. Choose OK to complete this procedure.

    Caution

    When a security role grants administrative users the collection deployment permission, those administrative users can distribute objects from any security scope for which they have object read permissions, even if that security scope is associated with a different security role.

Next steps

Accounts used in Configuration Manager