RBA on the Folder level
Currently Administrators have the ability to set Role Based Access to Collections but we do not have the ability to block access to specific folders. Currently in my environment we have many different departmental administrators who need to manage only their machines and their collections. each time we add collections we then need to grant them access. if the Role Based Administration gave the ability to grant access on the folder level it would reduce the complexity for area's that have a setup similar to mine.
I have attached a screenshot of how my setup looks.
This is shipped in #SCCM 1906.
Jörg Schnarre commented
If you do not have permissions to 'Modify Folder' for 'Collection' under 'Security Roles' (Modify Folder = 'No'), you cannot create Collection (Device Collections \ Create Device Collection).
Anthony Janson commented
@Harlan; unfortunately the previous CM admin I took over from did do that, resulting in a massive list of (unused) collections. Needless to say, it took me days to clean that up.
@djam, thank you for implementing this.
WOOHOO! Thanks for the update @djam :)
Peter Bajurny commented
I suspect I'm in the same position as OP, I run the SCCM infrastructure for a large university where we offer SCCM as a "service." We use scoping and limiting collections to control who has access to what devices, so we wouldn't use folders to control access, but it would be nice of departmental admins could use folders for their own organization without worrying about everyone seeing their folder structure (which to other admins would look empty).
@Last Anonymous poster; I've never met any CM admin that's done this since SMS 2003. Maybe for smaller shops.
I know most CM admins do not use folders in their collection tree and just lump everything in the root node. We started down the folder path and changing that is not an option at this time. So for all my other folder admins out there, here's my idea....
We will be giving limited sccm console access to our support teams. The problem is that when we give them access to even a single collection, they see our entire collection folder structure. There are a few folders management doesn't want them to see at all. The bigger issue from their point of view, it that it is a lot to swim through to find what they are looking for.
It would be nice if the individual folders would disappear the way nodes do when a user does not have rights to see anything inside.
I would like to be able to set security scopes at a folder level in addition to individual applications. We have numerous software products that are licensed. As such, we want to limit who can see/install them. While you can set the security on a an individual application, it would be helpful to have the ability to do it on the folder.
Popovici Ioan commented
I really don’t see this as a problem. If you have a proper collection system and know how collection refresh works setting permissions is a breeze. And having a ton of folders sucks. I mThe structure should be as flat as possible tou have search and sorting for god sake...
I had 50 clients and 18k machines, it’s really not that difficult.
@William Hunt, how would you set security on a parent folder, or an individual collection? You can only set permissions on Collections as a whole, not individual Folders/Collections. Currently there is no way to select a Folder and set role access. It's all or nothing.
William Hunt (BillerDude) commented
If I understand your need correctly this is already achievable. You'll want to create "parent" collections containing all the workstations for each department that is managed. These collections can then be used as the Limiting Collection for each collection needed for that departmental administrator. The "Parent" collections can then be set up with the limited role access and each collection where the parent collection is limited to, only has access to those collection. Each user that is limited to their parent collection can only see their parent collection.
I can't believe something as basic as this is not implemented. Frankly, it shows how out of touch the developers are with respect to the everyday responsibilities of an administrator.
Stephen Moore commented
I have to same issue. Please add this feature. It is frustrating we can't give permissions to admins so they can only create collections within named folders. This is definitely needed.
Dustin Lenz commented
This is definitely needed. Please implement sooner than later.
Anthony Janson commented
This is what I need right now like others have mentioned. It's a real shame this cannot be done as this was possible to set the security level in SCCM 2007. It feels like we went backwards with this.
I would love to have this added. Right now, I'm using scopes to limit what others can access, but this is far from perfect. I want certain groups to access folders and not even see folders they don't have access for or to see a deny request or that it's blank. Anything will do at this stage.
"So I'm trying to find a way to make a subfolder have greater permissions directly. Not sure why MS never added permission or security option when you right click. Seems like a smart thing to do, its 2017 after all and the options are limited compared to previous versions.. anyways. I can't have full right to the main domain collection for people that are not full admin. so there needs to be a way to do this."
Any way to do this yet?
Gary O'Connor commented
I would absolutely love this feature to be available, it would make sorting previously created content sorted easily without going into each application to change the scope
Scott Kissel commented
This is huge when sharing things like Applications with both Server teams and Workstations teams. For example, if you have a folder called Server Apps, and a folder called Workstation apps, and someone else comes along and creates a folder called Software, no one really knows what goes where anymore because:
1) Someone had the rights to create a new folder they shouldn't have
2) They weren't locked down to a specific folder where they could then see all of their scoped apps (i.e. either server or workstation)
Bob Panick commented
The two security mechanisms, collection scopes for users and machines, and security scopes for most everything else don't work.
In theory you can delegate who has access to different parts using collection scopes. The idea might work where you have nice clean separations in business. But the problem is that rarely seems to quite work out that way. There is also a huge problem with update frequency of those limiting collections. All Systems updates fairly quick, but each collection below that doesn't and incremental updates if enabled cause system resource issues. Further the incremental updates aren't smart enough to do the dependent collections first. Which then causes other collections dependent on picking up the changes fail to pick up a change. Maybe if SCCM were smart enough to look at the collection dependencies and evaluate them first, it might work.
Collection security also ends up being a nightmare trying to scope properly. About the only real use it seems to have is in reporting.
Security Scopes for everything else have to be set by an administrator. Our SCCM system has hundreds of items that we would have to set security scopes on. Further, we don't have an easy way of seeing that something new has been added that doesn't have scope set. Yeah, we could write a query or report, but that's a poor workaround.
What we need is to be able to set security on the folders themselves. If you don't have access to the folder, you can't see child folders, collections, etc... This would work with things that get created, it could be used to control application distribution, and a lot more without a lot of administrative work.
If I wanted to give a business unit access to collections that covered their unit, I could simply create a folder for the BU, and add the collections I want them to have access to. Lets go further and set that they can only use the collections for reporting/read only, or that they can target software distributions to them, etc...
Folder security for everything in the Software Library would be a lot simpler to manage. For instance read and distribution only access to centrally administered objects, and full control to a BU folder for that BU, and read and copy for everyone else.
Or Server and Workstation administration with folder level security to allow the two separate IT teams not to mess up each other's stuff.
Justin King commented
If you create collections _as_ folders then assign RBAC to those you get the desired result.
For example create to root collections: Dev and Prod. Every collection after that should use either of those two as a parent, and you merely place your RBAC roles on said parent collection. It works well, the only downside being you end up with LOTS of collections.
Heck I created a DSC Module to help me build out a default structure for clients. It works well.