|This topic appears in the Site Administration for System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide.|
Use the information in this topic to help you configure the following security-related options:
- Configure Settings for Client PKI Certificates
- Configure Signing and Encryption
- Configure Role-Based Administration
- Manage Accounts that Are Used by Configuration Manager
Configure Settings for Client PKI Certificates
If you want to use public key infrastructure (PKI) certificates for client connections to site systems that use Internet Information Services (IIS), use the following procedure to configure settings for these certificates.
To configure client PKI certificate settings
Configure Signing and Encryption
Configure the most secure signing and encryption settings for site systems that all clients in the site can support. These settings are especially important when you let clients communicate with site systems by using self-signed certificates over HTTP.
To configure signing and encryption for a site
Configure Role-Based Administration
Use the information in this section to help you configure role-based administration in Configuration Manager. Role-based administration combines security roles, security scopes, and assigned collections to define the administrative scope for each administrative user. An administrative scope includes the objects that an administrative user can view in the Configuration Manager console, and the tasks related to those objects that the administrative user has permission to perform. Role-based administration configurations are applied at each site in a hierarchy.
The information in the following procedures can help you create and configure role-based administration and related security settings.
- Create Custom Security Roles
- Configure Security Roles
- Configure Security Scopes for an Object
- Configure Collections to Manage Security
- Create a New Administrative User
- Modify the Administrative Scope of an Administrative User
|Role-based administration uses security roles, security scopes, and collections. These combine to define an administrative scope for each administrative user. Your own administrative scope defines the objects and settings that you can assign when you configure role-based administration for another administrative user. For information about planning for role-based administration, see the Planning for Role-Based Administration section in the Planning for Security in Configuration Manager topic.|
Create Custom Security Roles
Configuration Manager provides several built-in security roles. If you require additional security roles, you can create a custom security role by creating a copy of an existing security role, and then modifying the copy. You might create a custom security role to grant administrative users the additional security permissions they require that are not included in a currently assigned security role. By using a custom security role, you can grant them only the permissions they require, and avoid assigning a security role that grants more permissions than they require.
Use the following procedure to create a new security role by using an existing security role as a template.
To create custom security roles
Configure Security Roles
The groups of security permissions that are defined for a security role are called security operation assignments. Security operation assignments represent a combination of object types and actions that are available for each object type. You can modify which security operations are available for any custom security role, but you cannot modify the built-in security roles that Configuration Manager provides.
Use the following procedure to modify the security operations for a security role.
To modify security roles
Configure Security Scopes for an Object
You manage the association of a security scope for an object from the object and not from the security scope. The only direct configurations that security scopes support are changes to its name and description. To change the name and description of a security scope when you view the security scope properties, you must have the Modify permission for the Security Scopes securable object.
When you create a new object in Configuration Manager, the new object is associated with each security scope that is associated with the security roles of the account used to create the object, when those security roles provide the Create permission or the Set Security Scope permission. Only after the object is created can you change the security scopes it is associated with.
For example, suppose you are assigned a security role that grants you permission to create a new boundary group. When you create the boundary group, you have no option to assign specific security scopes to it. Instead, the security scopes available from the security roles you are associated with are automatically assigned to the new boundary group. After you save the new boundary group, you can edit the security scopes associated with it.
Use the following procedure to configure the security scopes assigned to an object.
To configure security scopes for an object
Configure Collections to Manage Security
There are no procedures to configure collections for role-based administration. Collections do not have a role-based administration configuration; instead, you assign collections to an administrative user when you configure the administrative user. The collection security operations that are enabled in the user's assigned security roles determine the permissions an administrative user has for collections and collection resources (collection members).
When an administrative user has permissions to a collection, they also have permissions to collections that are limited to that collection. For example, your organization uses a collection named All Desktops, and there exists a collection named All North America Desktops that is limited to the All Desktops collection. If an administrative user has permissions to All Desktops, they also have those same permissions to the All North America Desktops collection. In addition, an administrative user cannot use the Delete or Modify permission on a collection that is directly assigned to them, but can use these permissions on the collections that are limited to that collection. Using the previous example, the administrative user can delete or modify the All North America Desktops collection, but cannot delete or modify the All Desktops collection.
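The following is an added worked model of the rules described in this section and in the role-based administration overview above (security roles, security scopes and assigned collections combining into an administrative scope, and collection permissions flowing down the "limited to" chain with the Delete/Modify exception). It is illustrative code, not Configuration Manager product code; the role name, the "ObjectType:Operation" strings, the scope name and the collection names are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Collection:
    name: str
    limited_to: str | None = None  # the collection this one is limited to

@dataclass
class AdminUser:
    roles: dict[str, set[str]]  # role name -> {"ObjectType:Operation", ...}
    scopes: set[str]            # assigned security scopes
    collections: set[str]       # collections assigned directly to the user

def role_grants(user: AdminUser, obj_type: str, op: str) -> bool:
    # True when any assigned security role grants the operation on that object type.
    return any(f"{obj_type}:{op}" in ops for ops in user.roles.values())

def can_access_object(user: AdminUser, obj_type: str, op: str, obj_scopes: set[str]) -> bool:
    # Non-collection objects: a role must grant the operation AND the object must
    # carry at least one of the user's security scopes.
    return role_grants(user, obj_type, op) and bool(obj_scopes & user.scopes)

def assigned_ancestor(name: str | None, colls: dict[str, Collection], user: AdminUser) -> str | None:
    # Walk the limited-to chain; return the first collection assigned to the user.
    while name is not None:
        if name in user.collections:
            return name
        name = colls[name].limited_to
    return None

def can_access_collection(user: AdminUser, op: str, name: str, colls: dict[str, Collection]) -> bool:
    # Collections: a role must grant the operation, the collection must be reachable
    # through assignment or the limited-to chain, and Modify/Delete are refused on
    # a collection that is assigned directly to the user.
    if not role_grants(user, "Collection", op):
        return False
    anchor = assigned_ancestor(name, colls, user)
    return anchor is not None and not (op in {"Modify", "Delete"} and anchor == name)

def demo() -> dict[str, bool]:
    # Constructed data mirroring the All Desktops / All North America Desktops example.
    colls = {"All Desktops": Collection("All Desktops"),
             "All North America Desktops": Collection("All North America Desktops", "All Desktops"),
             "All Servers": Collection("All Servers")}
    user = AdminUser(roles={"Desktop Admin": {"Collection:Read", "Collection:Modify", "Collection:Delete"}},
                     scopes={"Default"}, collections={"All Desktops"})
    checks = [("Modify", "All North America Desktops"), ("Delete", "All Desktops"),
              ("Read", "All Desktops"), ("Read", "All Servers")]
    return {f"{op} {c}": can_access_collection(user, op, c, colls) for op, c in checks}
```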
Create a New Administrative User
To grant individuals or members of a security group access to manage Configuration Manager, create an administrative user in Configuration Manager and specify the Windows account of the User or User Group. Each administrative user in Configuration Manager must be assigned at least one security role and one security scope. You can also assign collections to limit the administrative scope of the administrative user.
Use the following procedures to create new administrative users.
To create a new administrative user
Modify the Administrative Scope of an Administrative User
You can modify the administrative scope of an administrative user by adding or removing security roles, security scopes, and collections that are associated with the user. Each administrative user must be associated with at least one security role and one security scope. You might have to assign one or more collections to the administrative scope of the user. Most security roles interact with collections and do not function correctly without an assigned collection.
When you modify an administrative user, you can change the behavior for how securable objects are associated with the assigned security roles. The three behaviors that you can select are as follows:
- All securable objects that are relevant to their associated security roles: This option associates the administrative user with the All scope and the root-level built-in collections for All Systems, and All Users and User Groups. The security roles that are assigned to the user define access to objects.
- Only securable objects in specified security scopes or collections: This option associates the administrative user with the same security scopes and collections that are associated with the account you use to configure the administrative user. This option supports the addition or removal of security roles and collections to customize the administrative scope of the administrative user.
- Only securable objects as determined by the security roles of the administrative user: This option lets you create specific associations between individual security roles and specific security scopes and collections for the user.
  Note: This option is available only when you modify the properties of an administrative user.
The current configuration for the securable object behavior changes the process that you use to assign additional security roles. Use the following procedures that are based on the different options for securable objects to help you manage an administrative user.
Use the following procedure to view and manage the configuration for securable objects for an administrative user:
To view and manage the securable object behavior for an administrative user
Use the following procedure to modify an administrative user that has the securable object behavior set to All securable objects that are relevant to their associated security roles:
Option: All securable objects that are relevant to their associated security roles
Use the following procedure to modify an administrative user that has the securable object behavior set to Only securable objects in specified security scopes or collections.
Option: Only securable objects in specified security scopes or collections
Use the following procedure to modify an administrative user that has the securable object behavior set to Only securable objects as determined by the security roles of the administrative user.
Option: Only securable objects as determined by the security roles of the administrative user
Manage Accounts that Are Used by Configuration Manager
Configuration Manager supports Windows accounts for many different tasks and uses.
Use the following procedure to view which accounts are configured for different tasks, and to manage the password that Configuration Manager uses for each account.