Microsoft

System Center Configuration Manager Feedback

Suggestion box powered by UserVoice

How can we improve Configuration Manager?

Role-Based Administration - Document what permissions control... or at least start!

The Role-Based Administration documentation does not describe what the individual permissions actually control, and they are not self explanatory. For example, under Collection, you see several different 'modify' permissions and it isn't clear what they each control:

-Modify
-Modify Client Status Alert
-Modify Collection Setting
-Modify Folder
-Modify Resource

Please provide even a basic amount of information about what they control in the console. This will help prevent us silly sysadmins from just giving people tons of permissions so we don't have to reverse engineer what each of the settings does in order to let people do just what they need.

Thanks for your help!

37 votes
Vote
Sign in
(thinking…)
Sign in with: Facebook Google
Signed in as (Sign out)
You have left! (?) (thinking…)
Nash Pherson (MVP) shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

5 comments

Sign in
(thinking…)
Sign in with: Facebook Google
Signed in as (Sign out)
Submitting...
An error occurred while saving the comment
  • Anonymous commented  ·   ·  Flag as inappropriate

    This documentation describes the "How-To configure role based configuration" in very detailed way and it's very helpful but it do unfortunately not answer the request.

    Request was: " The Role-Based Administration documentation does not describe what the individual permissions actually control, and they are not self explanatory. Please provide even a basic amount of information about what they control in the console. This will help prevent us silly sysadmins from just giving people tons of permissions so we don't have to reverse engineer what each of the settings does in order to let people do just what they need"

  • Matt Schultz [BCBSNE] commented  ·   ·  Flag as inappropriate

    This is especially needed. The RBAC controls are still confusing and require a great deal of trial-and-error (mostly error) to get right.

    I also think some security/permission info in debug mode would be helpful. For example, instead of hiding UI elements that the user doesn't have permission for, show them as disabled with some text showing the permission that is missing. Or maybe something like F12 tools DOM explorer, but for the console. :)

  • Max commented  ·   ·  Flag as inappropriate

    I think my favorite part of how strange RBA acts is you need both CREATE and MODIFY FOLDER set to yes in order to grant access to create collections. If CREATE is set to YES and MODIFY FOLDER is set to NO.....then that role cannot create collections. If this were documented it sure would be easier!

  • Nash Pherson (MVP) commented  ·   ·  Flag as inappropriate

    Even a single sentence description that is only half-right would be better than nothing. Thanks for getting something put together on this!

Feedback and Knowledge Base