How-to restrict collection membership changes for branch office admins
Hi all, i have one primary site at the headquarter and a secondary site at a branch office. There is a site admin for the branch office. There are also collections with an advertisement for application deployments, they are populated with direct membership rules. Now the question is: is it possible to restrict the site admin in a way that he can only add "certain" resources (the ones from his branch office) to a given collection? Or is there another way to do this? Is there a general "scoping" for collection memberships? I know, generally, secondary sites can't be used for segregation of duties, but this specific problem could also arise in a single-site scenario. If it's not possible in SCCM 2007, can it be done in v.Next? Greetings, Dieter
December 30th, 2010 2:53am

Hi Dieter, It is possible by adding security rights to the collections. Basically you need to assign the branch admin read access to the root collection and the proper permissions to the branch collection. After that; assign permissions to the different objects like packages, site (read is often required), advertisements, reports etc. I have a blog post here that can get you started. It describes how you can assign permissions to service desk personal - http://blog.coretech.dk/confmgr07/security/configuration-manager-2007-defining-the-servicehelpdesk-role/Kent Agerlund | My blogs: http://blog.coretech.dk/author/kea/ and http://scug.dk/ | Twitter @Agerlund | Linkedin: /kentagerlund
Free Windows Admin Tool Kit Click here and download it now
December 30th, 2010 3:28am

Also, please refer to the following links for more information on security permissions in ConfigMgr. http://technet.microsoft.com/en-us/library/bb632791.aspx http://technet.microsoft.com/en-us/library/bb632332.aspx Regards, Madan
December 31st, 2010 1:31am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics