How-to restrict collection membership changes for branch office admins
Hi all,
I have one primary site at the headquarters and a secondary site at a branch office. There is a site admin for the branch office. There are also collections with an advertisement for application deployments; they are populated with direct membership rules.
Now the question is: is it possible to restrict the site admin in a way that he can only add "certain" resources (the ones from his branch office) to a given collection? Or is there another way to do this? Is there a general "scoping" for collection memberships?
I know, generally, secondary sites can't be used for segregation of duties, but this specific problem could also arise in a single-site scenario. If it's not possible in SCCM 2007, can it be done in v.Next?
Greetings,
Dieter
December 30th, 2010 2:53am
Hi Dieter,
It is possible by adding security rights to the collections. Basically you need to assign the branch admin read access to the root collection and the proper permissions to the branch collection. After that, assign permissions to the different objects like packages, site (read is often required), advertisements, reports etc.
I have a blog post here that can get you started. It describes how you can assign permissions to service desk personnel -
http://blog.coretech.dk/confmgr07/security/configuration-manager-2007-defining-the-servicehelpdesk-role/
Kent Agerlund | My blogs: http://blog.coretech.dk/author/kea/ and http://scug.dk/ | Twitter @Agerlund | Linkedin: /kentagerlund
December 30th, 2010 3:28am
Also, please refer to the following links for more information on security permissions in ConfigMgr.
http://technet.microsoft.com/en-us/library/bb632791.aspx
http://technet.microsoft.com/en-us/library/bb632332.aspx
Regards, Madan
December 31st, 2010 1:31am