Use the information in this topic to help you configure role-based administration in Configuration Manager 2012. Role-based administration combines security roles, security scopes, and assigned collections to define the administrative scope for each administrative user. An administrative scope includes the objects a user can view in the Configuration Manager console, and the tasks related to those objects that the user has permission to perform. Role-based administration configurations are applied at each site in a hierarchy.
Use the following procedures to create and configure role-based administration and related security settings.
Important: Role-based administration uses security roles, security scopes, and collections. These combine to define an administrative scope for each administrative user. Your own administrative scope defines the objects and settings that you can assign when you configure role-based administration for another administrative user.
Use the information in the following sections of this topic to help you manage these configurations:
- Create Custom Security Roles in Configuration Manager 2012
- Configure Security Roles in Configuration Manager 2012
- Create Security Scopes in Configuration Manager 2012
- Configure Security Scopes for an Object in Configuration Manager 2012
- Configure Collections to Manage Security in Configuration Manager 2012
- Create a New Administrative User in Configuration Manager 2012
- Modify the Administrative Scope of an Administrative User in Configuration Manager 2012
Create Custom Security Roles in Configuration Manager 2012
Configuration Manager provides several built-in security roles. If you require additional security roles, you can create a custom security role by creating a copy of an existing security role, and then modifying the copy.
Use the following procedure to create a new security role by using an existing security role as a template.
To create custom security roles in Configuration Manager 2012
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Security, and click Security Roles.
3. Use one of the following processes to create the new security role:
   - To create a new custom security role, perform the following actions:
     - Select an existing security role to use as the source for the new security role.
     - On the Home tab, in the Security Role group, click Copy. This creates a copy of the source security role.
     - In the Copy Security Role wizard, specify a Name for the new custom security role.
     - In Security operation assignments, expand each Security Operations node to display the available actions.
     - To change the setting for a security operation, click the drop-down arrow in the Value column, and then select either Yes or No.
     - After you configure the permissions, click OK to save the new security role.
   - To import a security role that was exported from another Configuration Manager 2012 hierarchy, perform the following actions:
     - On the Home tab, in the Create group, click Import Security Role.
     - Specify the .xml file that contains the security role configuration that you will import, and click Open to complete the procedure and save the security role.
     Note: After you import a security role, you can edit the security role properties to change the object permissions that are associated with the security role.
Configure Security Roles in Configuration Manager 2012
The groups of security permissions that are defined for a security role are called security operation assignments. Security operation assignments represent a combination of object types and the actions that are available for each object type. You can modify which security operations are available for any custom security role, but you cannot modify the built-in security roles provided with Configuration Manager.
Use the following procedure to modify the security operations for a security role:
To modify security roles in Configuration Manager 2012
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Security, and click Security Roles.
3. Select the custom security role that you want to modify.
4. On the Home tab, in the Properties group, click Properties.
5. Select the Permissions tab.
6. In Security operation assignments, expand each Security Operations node to display the available actions.
7. To change the setting for a security operation, click the drop-down arrow in the Value column, and then select either Yes or No.
8. When you have finished configuring security operation assignments, click OK to save the security role.
Create Security Scopes in Configuration Manager 2012
Use security scopes to secure access to object instances for an administrative user by associating the object with a security scope, and then assigning the security scope to the administrative user. The permissions administrative users have to objects in their assigned security scopes are determined by the security operations that are enabled in their assigned security roles.
Use the following procedure to create a security scope:
To create security scopes in Configuration Manager 2012
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Security, and click Security Scopes.
3. On the Home tab, in the Create group, click Create Security Scope.
4. In the Create Security Scope wizard, specify a Security scope name for the new security scope.
5. Click OK to save the new security scope.
Configure Security Scopes for an Object in Configuration Manager 2012
You manage the association of a security scope with an object from the object, not from the security scope. The only direct configuration that a security scope supports is a change to its name and description. You can change the name and description only for security scopes that you create, and only from the security scope properties.
When you create a new object in Configuration Manager 2012, the new object is associated with each security scope that is associated with the security roles of the account used to create the object. Only after the object is created can you change the security scopes it is associated with.
Use the following procedure to configure the security scopes assigned to an object:
To configure security scopes for an object in Configuration Manager 2012
1. In the Configuration Manager console, select an object that supports assignment to a security scope.
2. On the Home tab, in the Classify group, click Set Security Scopes.
3. In the Set Security Scopes dialog box, select or clear the security scopes that this object is associated with. Each object that supports security scopes must be assigned to at least one security scope.
4. Click OK to save the assigned security scopes.
Note: When you create a new object, the object can be assigned to multiple security scopes. To modify the number of security scopes associated with the object, you must change this assignment after the object is created.
Configure Collections to Manage Security in Configuration Manager 2012
There are no procedures to configure collections for role-based administration. Collections do not have a role-based administration configuration; instead, you assign collections to an administrative user when you configure the administrative user. The permissions an administrative user has for collections and collection resources (collection members) are determined by the collection security operations that are enabled in the user's assigned security roles.
Create a New Administrative User in Configuration Manager 2012
To grant individuals or members of a security group access to manage Configuration Manager 2012, create an administrative user in Configuration Manager and specify the Windows account of the user or user group. Each administrative user in Configuration Manager must be assigned at least one security role and one security scope. You can also assign collections to limit the administrative scope of the administrative user.
Use the following procedure to create a new administrative user:
To create a new administrative user in Configuration Manager 2012
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Security, and then click Administrative Users.
3. On the Home tab, in the Create group, click Add User or Group.
4. Click Browse and then select the user account or group to use for this new administrative user.
   Note: For console-based administration, only domain users or security groups can be specified as an administrative user.
5. For Associated security roles, click Add to open a list of the available security roles, select the check box for one or more security roles, and then click OK.
6. Select one of the following two options to define the securable object behavior for the new user:
   - All securable objects that are relevant to their associated security roles: This option associates the administrative user with the All security scope and the root level built-in collections for All Systems, and All Users and User Groups. Access to objects is defined by the security roles assigned to the user. New objects that are created by this administrative user are assigned to the Default security scope.
   - Only securable objects in specified security scopes or collections: By default, this option associates the administrative user with the same security scopes and collections that are associated with the account that you used to create the new administrative user. This option supports the addition or removal of security scopes and collections to customize the administrative scope of the user.
   Important: The preceding options associate each assigned security scope and collection with each security role assigned to the administrative user. A third option, Only securable objects as determined by the security roles of the administrative user, can be used to associate individual security roles with specific security scopes and collections. This third option is available after you create the new user, when you modify the administrative user.
7. Depending upon your selection in step 6, take the following action:
   - If you selected All securable objects that are relevant to their associated security roles, click OK to complete this procedure.
   - If you selected Only securable objects in specified security scopes or collections, you can click Add to select additional collections and security scopes, or select one or more objects from the list and click Remove to remove them. Click OK to complete this procedure.
Modify the Administrative Scope of an Administrative User in Configuration Manager 2012
You can modify the administrative scope of an administrative user by adding or removing security roles, security scopes, and collections that are associated with the user. Each administrative user must be associated with at least one security role and one security scope. You might need to assign one or more collections to the administrative scope of the user. Most security roles interact with collections and will not function correctly without an assigned collection.
When you modify an administrative user, you can change the behavior for how securable objects are associated with the assigned security roles. The three behaviors that you can select are as follows:
- All securable objects that are relevant to their associated security roles: This option associates the administrative user with the All scope and the root level built-in collections for All Systems, and All Users and User Groups. Access to objects is defined by the security roles assigned to the user.
- Only securable objects in specified security scopes or collections: This option associates the administrative user with the same security scopes and collections that are associated with the account you use to configure the administrative user. This option supports the addition or removal of security roles and collections to customize the administrative scope of the user.
- Only securable objects as determined by the security roles of the administrative user: This option allows you to create specific associations between individual security roles and specific security scopes and collections for the user.
  Note: This option is available only when you modify the properties of an administrative user.
The current configuration for the securable object behavior changes the process that you use to assign additional security roles. Use the following procedures, which are based on the different options for securable objects, to manage an administrative user.
Use the following procedure to view and manage the configuration for securable objects for an administrative user:
To view and manage the securable object behavior for an administrative user
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Security, and click Administrative Users.
3. Select the administrative user that you want to modify.
4. On the Home tab, in the Properties group, click Properties.
5. Select the Security Scopes tab to view the current configuration for securable objects for this user.
6. To modify the securable object behavior, select a new option for securable object behavior. After you change this configuration, refer to the appropriate procedure below for further guidance on configuring security scopes, collections, and security roles for this user.
7. Click OK to complete the procedure.
Use the following procedure to modify an administrative user that has the securable object behavior set to All securable objects that are relevant to their associated security roles:
Option: All securable objects that are relevant to their associated security roles
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Security, and click Administrative Users.
3. Select the administrative user that you want to modify.
4. On the Home tab, in the Properties group, click Properties.
5. Select the Security Scopes tab to confirm that the user is configured for All securable objects that are relevant to their associated security roles.
6. To modify the assigned security roles, select the Security Roles tab.
   - To assign additional security roles to this user, click Add, select the check box for each additional security role that you want to assign, and then click OK.
   - To remove security roles, select one or more security roles from the list, and then click Remove.
7. To modify the securable object behavior, select the Security Scopes tab and select a new option for the securable object behavior. After you change this configuration, refer to the appropriate procedure for further guidance on configuring security scopes, collections, and security roles for this user.
   Note: When the securable object behavior is set to All securable objects that are relevant to their associated security roles, you cannot add or remove specific security scopes and collections.
8. Click OK to complete this procedure.
Use the following procedure to modify an administrative user that has the securable object behavior set to Only securable objects in specified security scopes or collections:
Option: Only securable objects in specified security scopes or collections
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Security, and click Administrative Users.
3. Select the administrative user that you want to modify.
4. On the Home tab, in the Properties group, click Properties.
5. Select the Security Scopes tab to confirm that the user is configured for Only securable objects in specified security scopes or collections.
6. To modify the assigned security roles, select the Security Roles tab.
   - To assign additional security roles to this user, click Add, select the check box for each additional security role that you want to assign, and then click OK.
   - To remove security roles, select one or more security roles from the list, and then click Remove.
7. To modify the security scopes and collections associated with security roles, select the Security Scopes tab.
   - To associate new security scopes or collections with all security roles that are assigned to this user, click Add and select one of the four options. If you select Security Scope or Collection, select the check box for one or more objects to complete that selection, and then click OK.
   - To remove a security scope or collection, select the object, and then click Remove.
8. Click OK to complete this procedure.
Use the following procedure to modify an administrative user that has the securable object behavior set to Only securable objects as determined by the security roles of the administrative user:
Option: Only securable objects as determined by the security roles of the administrative user
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Security, and click Administrative Users.
3. Select the administrative user that you want to modify.
4. On the Home tab, in the Properties group, click Properties.
5. Select the Security Scopes tab to confirm that the user is configured for Only securable objects in specified security scopes or collections.
6. To modify the assigned security roles, select the Security Roles tab.
   - To assign additional security roles to this user, click Add. In the Add Security Role dialog box, select one or more available security roles, click Add, and select an object type to associate with the selected security roles. If you select Security Scope or Collection, select the check box for one or more objects to complete that selection, and then click OK.
     Note: You must configure at least one security scope before the selected security roles can be assigned to the user. When you select multiple security roles, each security scope and collection that you configure is associated with each of the selected security roles.
   - To remove security roles, select one or more security roles from the list, and then click Remove.
7. To modify the security scopes and collections associated with a specific security role, select the Security Scopes tab, select the security role, and then click Edit.
   - To associate new objects with this security role, click Add, and select an object type to associate with the selected security role. If you select Security Scope or Collection, select the check box for one or more objects to complete that selection, and then click OK.
     Note: You must configure at least one security scope.
   - To remove a security scope or collection that is associated with this security role, select the object, and then click Remove.
   - When you have finished modifying the associated objects, click OK.
8. Click OK to complete this procedure.
Caution: When a security role grants an administrative user the collection deployment permission, that user can distribute objects from any security scope for which they have object read/deploy permissions, even if that security scope is associated with a different security role.
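The rules this topic describes (a new object inheriting the scopes tied to its creator's roles, the three securable object behaviors, and the deployment caution above) as a small Python model. This is an added teaching example, not Configuration Manager code: the role, scope, collection and operation names are constructed, collection hierarchy is not modeled, and treating All as a pseudo-scope that objects never carry is an assumption.

```python
# Constructed model of Configuration Manager role-based administration.
# Names, operations and evaluation rules are a teaching simplification,
# not Configuration Manager's own code or data.
from dataclasses import dataclass, field

ALL_SCOPE = "All"          # pseudo-scope granted by securable object behavior 1
DEFAULT_SCOPE = "Default"  # built-in scope that behavior-1 users create objects in
ROOT_COLLECTIONS = frozenset({"All Systems", "All Users and User Groups"})


@dataclass(frozen=True)
class SecurityRole:
    name: str
    operations: frozenset  # security operation assignments set to Yes


@dataclass
class AdministrativeUser:
    name: str
    # role name -> (security scopes, collections) tied to that role
    assignments: dict = field(default_factory=dict)


def assign_all_securable_objects(user, roles):
    """Behavior 1: every role gets the All scope and the root collections."""
    for role in roles:
        user.assignments[role.name] = (frozenset({ALL_SCOPE}), ROOT_COLLECTIONS)


def assign_per_role(user, role, scopes, collections):
    """Behavior 3: one role gets its own scopes and collections."""
    if not scopes:  # the console requires at least one scope per role
        raise ValueError("at least one security scope is required")
    user.assignments[role.name] = (frozenset(scopes), frozenset(collections))


def assign_specified_objects(user, roles, scopes, collections):
    """Behavior 2: the same scopes and collections are tied to every role."""
    for role in roles:
        assign_per_role(user, role, scopes, collections)


def can_perform(user, roles, operation, object_scopes):
    """Allowed when some assigned role enables the operation and that role's
    scopes reach one of the object's scopes (All reaches everything)."""
    for role_name, (scopes, _) in user.assignments.items():
        if operation in roles[role_name].operations and (
            ALL_SCOPE in scopes or scopes & frozenset(object_scopes)
        ):
            return True
    return False


def can_deploy(user, roles, collection, object_scopes):
    """Deployment needs Collection:Deploy on the target collection from one
    role and Application:Deploy on the object from any role, even a different
    role tied to different scopes: the caution at the end of this topic."""
    collection_ok = any(
        "Collection:Deploy" in roles[name].operations and collection in cols
        for name, (_, cols) in user.assignments.items()
    )
    return collection_ok and can_perform(user, roles, "Application:Deploy", object_scopes)


def scopes_for_new_object(user):
    """A new object is tagged with every scope tied to the creator's roles;
    All is not a real object scope (assumption), so behavior-1 users' objects
    land in the Default scope."""
    tied = frozenset().union(*(s for s, _ in user.assignments.values()))
    tied -= {ALL_SCOPE}
    return tied or frozenset({DEFAULT_SCOPE})
```

With per-role associations, a user whose deployment role is tied only to the Finance scope can still deploy an HR-scoped application to a Finance collection if a second role grants deploy on HR; removing the deploy operation from that second role closes the gap.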