RBA on the Folder level
Currently Administrators have the ability to set Role Based Access to Collections but we do not have the ability to block access to specific folders. Currently in my environment we have many different departmental administrators who need to manage only their machines and their collections. each time we add collections we then need to grant them access. if the Role Based Administration gave the ability to grant access on the folder level it would reduce the complexity for area's that have a setup similar to mine.
I have attached a screenshot of how my setup looks.
This is shipped in #SCCM 1906.
Michael Schultz commented
I would rather assign permissions to folders with or without recursive and collections and never have to touch scopes again.
Kara Hoponick commented
It would be great if you could apply a security scope to a folder to prevent accidental deletion, and to also allow that scope to propagated down to objects within the folder
Matt Hawkins commented
This is a needed change. I currently have customers that need to run scripts periodically to change scoping on the contents of folders to get this functionality.
This would save alot of effort and time on locking down environments that have more than administrative group working within the same site. +3 votes here
this will be really helpful and save lot of manual effort for admins
Fabio RINCON commented
+3 on this item, I see huge benefits for RBA on the folder level. We have over 200 sites with numerous collections throughout many locations. Having RBA on the folder would allow us to keep their containers locked down even further.
Jason Kellar commented
to explain better i would like to see permissions to the folder in combination with or replacing collection level permissions. i needed to delete old wsus collections and to do this i had to first remove access from all other roles. this took up a large amount of time and could easily be avoided.
Rube Rahman commented
+1 on this. This gets very cumbersome since RBAC allows you to onboard multiple IT teams into SCCM but then you face this burden of keeping them there.
Allowing folders to be securable objects would be a tremendous improvement for large environments.
marc graham commented
I concur on this as it would also make securing applications/packages down as well which is useful when both development and production are being managed in the same CM environment.