SCCM Security Roles

Hi,

I have the following requirements for the site admin roles:

1) They should be able to add the machines to the collections.

2) Do a client Push

3) Able to see visible members only for the collections they have access to.

What I have noticed is that they are able to create and delete collections, which I don't want.

Current roles are:

Application Administrator
Read-only Analyst
Remote Tools Operator
Report Users

Can I prevent this from happening by modifying the role permissions?

February 4th, 2015 8:03am

Well, the only role, of those roles, that gives the user permissions to create and delete collections is the Application Administrator role. The other roles don't provide those permissions. The only way around that is to create a custom role based on the Application Administrator role and remove those specific permissions. Another thing you could do is see if the Application Deployment Manager role or the Application Author role is a better fit for those users.
February 4th, 2015 11:59am

Yes Peter,

I know that it's the Application Administrator role which is affecting the permissions.

Will check the modifications and get back to you soon.

February 4th, 2015 12:04pm

I haven't tested this, but...

1) You cannot just grant "modify membership"; there is no such permission. To manage membership, but also many properties of the actual collection:

  • Collection: Modify, Read, Read Resource

2) Assuming that you configured an account for client push (local administrator on client systems):

  • Collection: Read, Modify Resource
  • Site: Read

3) Have a collection with all the systems you want them to have access to, and then add this collection and the security role(s) when creating the administrative user


February 4th, 2015 1:12pm
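The role, scope and administrative-user setup the replies above describe, as an added example in ConfigMgr PowerShell (not code from the thread or from any poster). The site code, AD group and collection names are made up, and the hashtable format passed to Set-CMSecurityRolePermission is an assumption to verify against your module's help.

```powershell
# Added example, not code from the thread. Builds a restricted "site admin" role, a scope
# bound to one collection, and the administrative user, with the ConfigurationManager module.
# Assumed values: site code PS1, AD group CONTOSO\Site-Admins-NYC, collection "NYC Workstations".
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'

$roleName  = 'Site Admin (restricted)'
$scopeName = 'Scope-NYC'
$collName  = 'NYC Workstations'
$adGroup   = 'CONTOSO\Site-Admins-NYC'

# 1. Clone the built-in role; built-in roles cannot be edited, only copied.
if (-not (Get-CMSecurityRole -Name $roleName)) {
    Copy-CMSecurityRole -SourceName 'Application Administrator' -Name $roleName `
        -Description 'Collection membership, client push, reports; no collection create/delete'
}

# 2. Set the Collection and Site permissions on the clone to what the replies list
#    (Create and Delete are deliberately absent under Collection). The -RolePermission
#    hashtable shape (object class -> permission names) is assumed from the cmdlet help;
#    if your module version lacks this cmdlet, do this step in the console under
#    Administration > Security > Security Roles > <role> > Properties > Permissions.
#    Site:Read is needed for client push and for Run Report; as the later replies note,
#    it also exposes site properties, so leave the Site entry out if that is unacceptable.
Set-CMSecurityRolePermission -Name $roleName -RolePermission @{
    'Collection' = @('Read', 'Modify', 'Read Resource', 'Modify Resource')
    'Site'       = @('Read', 'Run Report')
}

# 3. Scope: tag only this site's collection so its members are the only ones they can see.
if (-not (Get-CMSecurityScope -Name $scopeName)) {
    New-CMSecurityScope -Name $scopeName -Description 'Objects managed by the NYC site admins'
}
Get-CMCollection -Name $collName | Add-CMObjectSecurityScope -Name $scopeName

# 4. Administrative user = AD group + custom role + custom scope + the collection.
#    Passing -CollectionName instead of "All Systems" limits which devices they can see.
New-CMAdministrativeUser -Name $adGroup -RoleName $roleName `
    -SecurityScopeName $scopeName -CollectionName $collName

# 5. Verify the effective assignment. Role permissions add up (1 deny + 1 allow = allow,
#    as a later reply puts it), so confirm no broader role is also attached to the group.
Get-CMAdministrativeUser -Name $adGroup |
    Select-Object LogonName, RoleNames, CategoryNames, CollectionNames
```

Run it from a console host where the ConfigurationManager module is installed, under an account that already holds Full Administrator; the final query is the check that the group ended up with only the one role, the one scope and the one collection.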

Fern,

I was able to test the access for client push and addition of machines to the collection.

I already had a custom role for Reports, where in permissions I have enabled "YES" for the "Run Reports" option, but for some reason reports don't show up when the custom-created scope is added. As soon as I change the scope to default, all reports are shown.

How could I change this to show reports as well?

  • Edited by Vikram Midha Thursday, February 05, 2015 9:59 AM
February 5th, 2015 6:25am

Run reports also requires Site:Read, for the Primary Site (assuming standalone hierarchy).

You can use the Default scope if no other permissions are assigned to it, or you can create a custom Scope and assign it to the Primary Site. Then add it to the administrative user along with the Security Role with Site:Read and Run Reports...

February 5th, 2015 12:37pm

Hi,

Please refer to the following hints & links:

How to Use RBA Viewer Exe in SCCM ConfigMgr 2012

http://anoopcnair.com/2012/06/29/sccm-configmgr-2012-how-to-use-rba-viewer-rbaviewer-exe/

Note: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

February 6th, 2015 2:12am

Dear Fern,

Thanks. I used the default scope and, as it had access to the primary site, the reports are now visible.

But I noticed that along with the reports, the users would also be able to see the primary server properties, their maintenance tasks, SUP configuration etc., and other critical things. I have other scopes defined as well, but if I give them security scope access on the primary server, it does the same thing and everything is visible.

In total, I need the site admins to do the following:

1) They should be able to add/remove machines to the collections.

2) Do a client Push

3) Able to see visible members only for the collections they have access to, i.e. only for their site.

4) Able to run reports

Is there any way to get this working without giving access (even though it is read access only) to the primary site components?
  • Edited by Vikram Midha Wednesday, February 11, 2015 10:13 AM
February 11th, 2015 10:12am

Site:Read gives more than just access to reporting... As far as I know there is no workaround.

If you don't like this, you could use custom folders in the reporting server (SSRS) and grant the permissions there instead of in the SCCM console. The security on the built-in folders is reset by SCCM every 15 minutes.

Check this thread:

https://social.technet.microsoft.com/Forums/en-US/b7539246-40f8-4097-8d55-e283d1e1ebc2/console-report-view-site-read-permission?forum=configmanagersecurity

February 11th, 2015 1:09pm

I too have come up with the same result: the Site Read permission gives more unnecessary access, which I don't want.

Below are the exact settings:

AD group with the name: ABC

ABC group was imported into SCCM with the default scope.

Security role created in SCCM with the name "Report Users", with permissions to run reports for a few objects along with the Site Read permission. This role was assigned to the ABC group in SCCM.

1) Now if the test user ID "TEST" is made part of the ABC group, it gets the console reports access, but this gives a lot of other access which I don't want to provide.

Is there any way to prevent this while still getting reports access in the SCCM console as well?

2) Who has access to the web reports for SCCM? Are those the IDs in the security tab which comes up when we go to "Servername/reports"?

There are some users to whom I don't want to provide reports access (either via console or web). How could I achieve this?



  • Edited by Vikram Midha Saturday, February 14, 2015 9:27 AM
February 12th, 2015 6:05am

Yes, I know this is an old post, but I'm trying to clean them up. Did you solve this problem? If so, what was the solution?

1) I never recommend accessing the reports via the CM12 console (too much overhead); instead, point them to the website and never give them the console.

2) Yes, that's right.

3) Don't grant them access to the reports, i.e. create a new security role that doesn't grant them access to any of the reports.

June 13th, 2015 3:39pm

1) In order to give them access even to the web reports, I have to make them a member of the reports group under SCCM; otherwise the permission refreshes and they lose control of the web report.

3) If I add the same ID to two different roles, one of which provides access to the reports and the other doesn't, will the NOT one override? I.e., would the user be denied permissions even if the ID has the ALLOWED security role added to it?

June 18th, 2015 2:35am

Item 1 is correct. We have a custom role of 'report runner' which can only run reports. To grant rights we have to make users members of the appropriate group. Then we just email the link to the report on the report server.

Item 3: the permissions will roll up. At least that is what I experienced when I was working with them a while back. 1 deny + 1 allow = allow.


June 18th, 2015 8:10am

1) You grant permission within the CM12 console, not within the web interface.

3) User permissions are the sum total of all role permissions.

Use this security role to help you: http://www.enhansoft.com/freetools/enhansoft-report-reader-configmgr-2012-r2

June 18th, 2015 8:27am