RBAC and security in v.Next ConfigMgr
What is RBAC?
RBAC is Role Based Administration Console. After implementing this feature you will be able to secure objects from other administrators.
How many Built-in Security Roles are in v.Next?
13
What are they?
What is the use of each role?
ConfigMgr Administration role
Allows administrative users to have Full Control access to all securable objects in Configuration Manager including security settings, with the exception of permission settings for reporting. Security for reporting is assigned by using SQL Reporting Services security.
Read-only role
Allows administrative users to read all object types in Configuration Manager, except for reporting. Security for reporting is assigned by using SQL Reporting Services security.
Remote Tools role
Allows administrative users to run remote administration tools to help users resolve computer issues. Administrative users that are associated with this role can run remote control, remote assistance, and remote desktop tools from the Configuration Manager console.
Asset Management role
Allows administrative users to configure the Asset Intelligence Synchronization Point site system role, Asset Intelligence reporting classes, software inventory, hardware inventory, and metering settings. Administrative users that are associated with this role can analyze collected client data.
Asset Analyst role
Allows administrative users to view data that is collected through asset intelligence, software inventory, hardware inventory, and metering. Administrative users that are associated with this role can create metering rules and Asset Intelligence categories, families, and labels.
Compliance Settings Management role
Allows administrative users to define, monitor, and remediate noncompliance by using compliance settings and configuration baselines. Administrative users that are associated with this role can create, modify, and delete configuration items and configuration baselines. They can also assign configuration baselines to collections, initiate compliance evaluation, and initiate remediation for noncompliant computers.
Application Deployment role
Allows administrative users to deploy applications. Administrative users that are associated with this role can view a list of applications, and they can manage deployments for applications, alerts, templates and Configuration Manager 2007 advertisements. In addition, administrative users can view collections, status messages, queries, and global conditions.
Application Editor role
Allows administrative users to create, modify, and retire applications. Administrative users that are associated with this role can manage Configuration Manager 2007 packages, and they can read the alerts and status messages for applications.
Application Administrator role
Allows administrative users to perform both the Application Deployment role and the Application Editor role. In addition, administrative users that are associated with this role can manage queries, read and modify site permissions, and manage collections and user device affinity settings.
Operating System Deployment Management role
Allows administrative users to create operating system images and then deploy them to computers. Administrative users associated with this role can manage operating system installation packages and images, task sequences, device drivers, boot images, and state migration settings.
Hierarchy Administrator
Hierarchy Administrator
Software Updates Management role
Allows administrative users to deploy software updates. Administrative users that are associated with this role can run software updates synchronization, download and deploy software updates, and create software update groups, automatic grouping rules, and software update templates. Administrative users can also manage Network Access Protection (NAP) policies.
Mobile Device Analyst role
Allows administrators to add new mobile devices to the system. Administrators associated with this role can use the Create Mobile Device wizard to add new mobile devices to the system and associate them with users. Once the new records are created they can reset the enrollment password on the newly created records.
Which are the related Views in database?
Filter Views by vRBAC
Which are the related Tables in database?
Filter Tables by RBAC
How many built-in security scopes are in v.Next?
1) All
A built-in security scope that contains all securable objects. A Configuration Manager administrator associated with the All security scope will have the permissions of their role for every object in the Configuration Manager environment. This security scope cannot be changed or deleted.
2) Default
A built-in security scope with which securable objects can be associated. This security scope cannot be changed or deleted.
Note: We can create a new security scope. Alt click Security scope –> Create Security Scope
How to Navigate?
Can we create custom security roles?
Yes, with the “copy security role” option.
Can we add/remove security roles for an account?
Yes.
Go to \Administration\Overview\Security and Permissions\Administrative Users –> Alt click any Account –> Properties
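The same Administrative Users list can be reviewed from PowerShell to see who holds which role and scope. This is an added example, not part of the original post: it assumes the site exposes the SMS_Admin WMI class through the SMS Provider (as released Configuration Manager 2012 and later do), the site code P01 is a placeholder, and the role names are the ones listed on this page.

```powershell
# Added example, not from the original post: list every administrative user
# with the roles and security scopes they hold, and flag broad assignments.
param(
    [string]$SiteCode = 'P01',     # placeholder site code (assumption)
    [string]$Provider = '',        # SMS Provider host; empty = local machine
    # Role names as this page lists them; adjust to what your console shows.
    [string[]]$BroadRoles = @('ConfigMgr Administration', 'Hierarchy Administrator')
)

$query = @{
    Namespace = "root\sms\site_$SiteCode"
    ClassName = 'SMS_Admin'        # one instance per administrative user
}
if ($Provider) { $query.ComputerName = $Provider }

$report = foreach ($admin in Get-CimInstance @query) {
    $roles  = @($admin.RoleNames)
    $scopes = @($admin.CategoryNames)      # security scopes
    $broad  = @($roles | Where-Object { $BroadRoles -contains $_ })

    [pscustomobject]@{
        Account     = $admin.LogonName
        Roles       = $roles -join '; '
        Scopes      = $scopes -join '; '
        Collections = @($admin.CollectionNames) -join '; '
        # The All scope applies the role's permissions to every object,
        # so a broad role combined with it deserves a second look.
        Review      = ($scopes -contains 'All') -and ($broad.Count -gt 0)
    }
}

# Accounts flagged for review are listed first.
$report | Sort-Object Review -Descending | Format-Table -AutoSize -Wrap
```

Accounts with Review set to True are the ones to compare against the narrower built-in roles and the Default or a custom security scope.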
Are there any reports available for RBAC?
Yes
Thanks and Regards |Abhishek Joshi