Fundamentals of role-based administration for Configuration Manager

Applies to: Configuration Manager (current branch)

With Configuration Manager, you use role-based administration to secure the access that is needed to administer Configuration Manager. You also secure access to the objects that you manage, like collections, deployments, and sites. After you understand the concepts introduced in this article, you can set it up by following the article Configure role-based administration for Configuration Manager.

The role-based administration model centrally defines and manages hierarchy-wide security access settings for all sites and site settings by using the following items:

  • Security roles are assigned to administrative users to provide those users (or groups of users) permission to different Configuration Manager objects. For example, permission to create or change client settings.

  • Security scopes are used to group specific instances of objects that an administrative user is responsible to manage, like an application that installs Microsoft 365 Apps.

  • Collections are used to specify groups of user and device resources that the administrative user can manage.

With the combination of security roles, security scopes, and collections, you segregate the administrative assignments that meet your organization's requirements. Used together, they define the administrative scope of a user, which is what that user can view and manage in your Configuration Manager deployment.

Benefits of role-based administration

  • Sites aren't used as administrative boundaries.
  • You create administrative users for a hierarchy and only need to assign security to them one time.
  • All security assignments are replicated and available throughout the hierarchy.
  • There are built-in security roles that are used to assign the typical administration tasks. Create your own custom security roles to support your specific business requirements.
  • Administrative users see only the objects that they have permissions to manage.
  • You can audit administrative security actions.

When you design and implement administrative security for Configuration Manager, you combine security roles, collections, and security scopes to create an administrative scope for an administrative user.

The administrative scope controls the objects that an administrative user views in the Configuration Manager console, and it controls the permissions that a user has on those objects. Role-based administration configurations replicate to each site in the hierarchy as global data, and then are applied to all administrative connections.

Important

Intersite replication delays can prevent a site from receiving changes for role-based administration. In particular, a permission you remove isn't enforced at a lagging site until the change arrives there, so treat a revocation as complete only once it has replicated. For information about how to monitor intersite database replication, see the Data transfers between sites topic.

Security roles

Use security roles to grant security permissions to administrative users. Security roles are groups of security permissions that you assign to administrative users so that they can perform their administrative tasks. These security permissions define the administrative actions that an administrative user can perform and the permissions that are granted for particular object types. As a security best practice, assign the security roles that grant the fewest permissions needed for the user's tasks (least privilege).

Configuration Manager has several built-in security roles to support typical groupings of administrative tasks, and you can create your own custom security roles to support your specific business requirements. Examples of the built-in security roles:

  • Full Administrator grants all permissions in Configuration Manager.

  • Asset Manager grants permissions to manage the Asset Intelligence Synchronization Point, Asset Intelligence reporting classes, software inventory, hardware inventory, and metering rules.

  • Software Update Manager grants permissions to define and deploy software updates. Administrative users who are associated with this role can create collections, software update groups, deployments, and templates.

  • Security Administrator grants permissions to add and remove administrative users and associate administrative users with security roles, collections, and security scopes. Administrative users who are associated with this role can also create, modify, and delete security roles and their assigned security scopes and collections. Because a holder of this role can associate any administrative user with any security role, treat it as being as sensitive as Full Administrator and grant it just as sparingly.

Tip

You can view the list of built-in security roles and custom security roles you create, including their descriptions, in the Configuration Manager console. To view the roles, in the Administration workspace, expand Security, and then select Security Roles.

Each security role has specific permissions for different object types. For example, the Application Author security role has the following permissions for applications: Approve, Create, Delete, Modify, Modify Folder, Move Object, Read, Run Report, and Set Security Scope.

You can't change the permissions for the built-in security roles, but you can copy the role, make changes, and then save these changes as a new custom security role. You can also import security roles that you've exported from another hierarchy, for example, from a test network. Review the security roles and their permissions to determine whether you'll use the built-in security roles, or whether you have to create your own custom security roles.

To help you plan for security roles

  1. Identify the tasks that the administrative users perform in Configuration Manager. These tasks might relate to one or more groups of management tasks, such as deploying applications and packages, deploying operating systems and settings for compliance, configuring sites and security, auditing, remotely controlling computers, and collecting inventory data.

  2. Map these administrative tasks to one or more of the built-in security roles.

  3. If some of the administrative users perform the tasks of multiple security roles, assign the multiple security roles to these administrative users instead of creating a new security role that combines the tasks.

  4. If the tasks that you identified don't map to the built-in security roles, create and test new security roles.

For information about how to create and configure security roles for role-based administration, see Create custom security roles and Configure security roles in the Configure role-based administration for Configuration Manager article.
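The four planning steps above, carried out with the ConfigurationManager PowerShell module that ships with the console. This is an added example, not code from the Microsoft documentation page; the site code PS1, the account CONTOSO\jdoe, the custom role name and the export path are assumptions for illustration, and the cmdlets used (Get-CMSecurityRole, New-CMAdministrativeUser, Copy-CMSecurityRole, Export-CMSecurityRole, Import-CMSecurityRole) are the module's own.

```powershell
# Added example: planning and creating security roles with the
# ConfigurationManager module. Run on a machine with the console installed.
$SiteCode = "PS1"   # assumption: replace with your own site code
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):\"

# Steps 1-2: list the built-in roles with their descriptions so the tasks you
# identified can be mapped to them before you consider a custom role.
Get-CMSecurityRole |
    Where-Object { $_.IsBuiltIn } |
    Select-Object RoleName, RoleDescription |
    Sort-Object RoleName |
    Format-Table -AutoSize

# Step 3: a user whose tasks span two roles gets both roles assigned.
# Do not build a single merged role; keeping the built-in roles separate
# keeps the grant auditable and easy to revoke one task group at a time.
# (The collection and scope names are the defaults that exist after setup.)
New-CMAdministrativeUser -Name "CONTOSO\jdoe" `
    -RoleName "Application Author", "Software Update Manager" `
    -SecurityScopeName "Default" `
    -CollectionName "All Systems", "All Users and User Groups"

# Step 4: no built-in role fits exactly, so copy the closest one. Built-in
# role permissions can't be edited, but the copy can: open the new role in
# the console (Administration > Security > Security Roles > Properties >
# Permissions) and remove what isn't needed, for example Delete on applications.
Copy-CMSecurityRole -SourceRoleName "Application Author" `
    -Name "Application Author - No Delete" `
    -Description "Application Author without Delete (assumed custom role)"

# Test the role in a lab hierarchy, then export it. On the production
# hierarchy, import the same XML so both hierarchies carry an identical role.
Export-CMSecurityRole -Name "Application Author - No Delete" `
    -Path "C:\Temp\AppAuthorNoDelete.xml"
# On the target hierarchy (run there, not here):
# Import-CMSecurityRole -XmlFileName "C:\Temp\AppAuthorNoDelete.xml" -Overwrite
```

Granting two built-in roles instead of one merged custom role is the least-privilege choice: each built-in role's permission set is documented and reviewable, and later removing Software Update Manager from the user leaves the Application Author grant untouched.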

Collections

Collections specify the user and computer resources that an administrative user can view or manage. For example, for administrative users to deploy applications or to run remote control, they must be assigned to a security role that grants access to a collection that contains these resources. You can select collections of users or devices.

For more information about collections, see Introduction to collections.

Before you configure role-based administration, check whether you have to create new collections for any of the following reasons:

  • Functional organization. For example, separate collections of servers and workstations.
  • Geographic alignment. For example, separate collections for North America and Europe.
  • Security requirements and business processes. For example, separate collections for production and test computers.
  • Organization alignment. For example, separate collections for each business unit.

For information about how to configure collections for role-based administration, see Configure collections to manage security in the Configure role-based administration for Configuration Manager article.

Security scopes

Use security scopes to provide administrative users with access to securable objects. A security scope is a named set of securable objects that are assigned to administrative users as a group. All securable objects must be assigned to one or more security scopes. Configuration Manager has two built-in security scopes:

  • The All built-in security scope grants access to all scopes. You can't assign objects to this security scope.

  • The Default built-in security scope is used for all objects, by default. When you first install Configuration Manager, all objects are assigned to this security scope.

If you want to restrict the objects that administrative users can see and manage, you must create and use your own custom security scopes. Security scopes don't support a hierarchical structure and can't be nested. Security scopes can contain one or more object types, which include the following items:

  • Alert subscriptions
  • Applications
  • Boot images
  • Boundary groups
  • Configuration items
  • Custom client settings
  • Distribution points and distribution point groups
  • Driver packages
  • Folders (starting in version 1906)
  • Global conditions
  • Migration jobs
  • Operating system images
  • Operating system installation packages
  • Packages
  • Queries
  • Sites
  • Software metering rules
  • Software update groups
  • Software update packages
  • Task sequence packages
  • Windows CE device setting items and packages

There are also some objects that you can't include in security scopes because they're only secured by security roles. Administrative access to these objects can't be limited to a subset of the available objects. For example, you might have an administrative user who creates boundary groups that are used for a specific site. Boundary groups themselves can be placed in a security scope, but the boundaries they contain can't. Because the boundary object doesn't support security scopes, you can't assign this user a security scope that provides access to only the boundaries that might be associated with that site. When you assign a security role that includes access to boundary objects to a user, that user can access every boundary in the hierarchy.

Objects that aren't limited by security scopes include the following items:

  • Active Directory forests
  • Administrative users
  • Alerts
  • Antimalware policies
  • Boundaries
  • Computer associations
  • Default client settings
  • Deployment templates
  • Device drivers
  • Exchange Server connector
  • Migration site-to-site mappings
  • Mobile device enrollment profiles
  • Security roles
  • Security scopes
  • Site addresses
  • Site system roles
  • Software titles
  • Software updates
  • Status messages
  • User device affinities

Create security scopes when you have to limit access to separate instances of objects. For example:

  • You have a group of administrative users who must be able to see production applications and not test applications. Create one security scope for production applications and another for the test applications.

  • Different administrative users require different access for some instances of an object type. For example, one group of administrative users requires Read permission to specific software update groups, and another group of administrative users requires Modify and Delete permissions for other software update groups. Create different security scopes for these software update groups.

For information about how to configure security scopes for role-based administration, see Configure security scopes for an object in the Configure role-based administration for Configuration Manager article.

Next steps

Configure role-based administration for Configuration Manager
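The production-versus-test separation from the first bullet above, built end to end with the ConfigurationManager PowerShell module: custom security scopes for the objects, a collection for the devices (the collection section earlier in this article), and an administrative user whose administrative scope is the intersection of a role, those scopes and that collection. This is an added example and not code from the Microsoft documentation page. The site code PS1, the application names, the TST- computer-name prefix, the collection and scope names and the account CONTOSO\appops are assumptions; the cmdlets (New-CMSecurityScope, New-CMDeviceCollection, Add-CMDeviceCollectionQueryMembershipRule, Add-CMObjectSecurityScope, Remove-CMObjectSecurityScope, Get-CMObjectSecurityScope, New-CMAdministrativeUser, Get-CMAdministrativeUser) are the module's own.

```powershell
# Added example: restrict an application team to production applications
# and to production devices only, using scopes plus a collection.
$SiteCode = "PS1"   # assumption: replace with your own site code
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):\"

# 1. Custom scopes. Scopes are flat (no nesting), so create one per
#    audience rather than trying to build a tree.
New-CMSecurityScope -Name "Production Apps" -Description "Apps released to production"
New-CMSecurityScope -Name "Test Apps"       -Description "Apps under test"

# 2. A device collection for production workstations, defined as everything
#    that does not carry the assumed TST- test-machine name prefix.
New-CMDeviceCollection -Name "Production Workstations" -LimitingCollectionName "All Systems"
Add-CMDeviceCollectionQueryMembershipRule -CollectionName "Production Workstations" `
    -RuleName "Exclude test prefix" `
    -QueryExpression 'select SMS_R_System.ResourceId from SMS_R_System where SMS_R_System.Name not like "TST-%"'

# 3. Tag applications. Every securable object must stay in at least one scope,
#    so add the custom scope first and only then drop the Default scope;
#    leaving Default in place would keep the object visible to anyone whose
#    administrative scope includes Default.
$prodApp = Get-CMApplication -Name "Microsoft 365 Apps"   # assumed application name
Add-CMObjectSecurityScope    -InputObject $prodApp -Name "Production Apps"
Remove-CMObjectSecurityScope -InputObject $prodApp -Name "Default"

$testApp = Get-CMApplication -Name "Microsoft 365 Apps - Pilot"   # assumed application name
Add-CMObjectSecurityScope    -InputObject $testApp -Name "Test Apps"
Remove-CMObjectSecurityScope -InputObject $testApp -Name "Default"

# 4. The administrative user: Application Author role, limited to the
#    Production Apps scope and the Production Workstations collection.
#    The user will not see the pilot application or any TST- device.
New-CMAdministrativeUser -Name "CONTOSO\appops" `
    -RoleName "Application Author" `
    -SecurityScopeName "Production Apps" `
    -CollectionName "Production Workstations"

# 5. Verify: which scopes each application now belongs to, and what the new
#    administrative user has been granted. Run this check after the change
#    has replicated to every site in the hierarchy, since role-based
#    administration settings are global data.
foreach ($app in $prodApp, $testApp) {
    $scopes = (Get-CMObjectSecurityScope -InputObject $app).CategoryName -join ", "
    "{0,-32} scopes: {1}" -f $app.LocalizedDisplayName, $scopes
}
Get-CMAdministrativeUser -Name "CONTOSO\appops" |
    Select-Object LogonName, RoleNames, CategoryNames, CollectionNames |
    Format-List
```

Remember the limit the previous section describes: this pattern works for applications because they are a scopable object type. Objects such as boundaries, software updates or site system roles are secured by the role alone, so a user whose role grants access to them sees every instance in the hierarchy regardless of which scopes the user holds.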