Search the Community
Showing results for tags 'role based administration'.
Found 2 results
Hello All, I'm currently banging my head against a problem that I'm sure has a simple solution that I just can't see through the weeds right now. Thus I'm turning to you other gurus to see if you can help open my eyes! First, a little background: as I'm sure is common, we have one primary site (no CAS) and I have several divisions who all are their own Config Manager administrators for their own areas. Thus, I've been thankful for Roll Based Administration in Config Manager 2012 to give me better control over the granular security necessary to accomplish this without utilizing separate sites for each political unit. I've run into a snag with importing new computers by MAC address and Computer Name though. The new collection system holds that each collection has to be limited by another. I don't want to give access to "All Systems" to each Config Manager admin, so I create their own "root collection" which is based off of an AD query of their division's root OU in Active Directory. I then directly assign this collection to them in place of "All Systems" using the security section of the Administration work space. However, it turns out that Microsoft says no one can "modify" or "delete" a collection that is directly assigned to them in this fashion, which in turn means they cannot import new machines (via right-clicking on devices and choosing "import computer information"). They also can't import new machines into "All Systems" because they don't have those privileges. Therefore, they are stuck. Like I said, I'm sure this situation has to have an easy answer that I'm missing. Can anyone provide some insight here? Can I grant these departmental admins just enough rights to "All Systems" to read that collection and also to import new computers to it but nothing else (i.e. I can't let them deploy to it). Thanks in advance for any insight the community can provide! Regards, Ben