jasonbsstt Posted February 22, 2013

Hi all,

I'd first of all like to thank all you guys for such a great resource...

I have a quick question relating to SCCM 2012 and RBA. We have a single site set up with a couple of remote DPs, nothing too complex, running SCCM 2012 SP1. I have one collection called "imaging" that has our current task sequence deployed to it, which we drop machines into for either re-imaging and/or new hardware to deploy our SOE. Therefore I would like to be able to set up or modify some existing security roles to allow our desktop technicians to either:

A: Create a new computer association for new hardware and import it into this collection
B: Move a machine from an existing collection into the imaging collection for re-building.

My problem is (as far as I can tell) that in order to allow the technicians to create a new computer association I need to allow them access to the "All Systems" collection, thus exposing all the other collections for them to view. If they do not have access to the "All Systems" collection they cannot see the "Imaging" collection when they go through the process of importing a new computer and get to the screen where you can choose specifically which collection you would like to add the machine to.

So I would like to "lock this down" as much as possible so that these guys can only see the bare minimum of what they need to do their job (that's the idea of RBA, right?).

If anyone out there can offer me a suggestion it would be greatly appreciated. I'm sure it has to do with my understanding of how this is supposed to work, so please correct me if I'm wrong.

Cheers

Oneone Posted February 22, 2013

Well, you actually need to be able to see the All Systems collection if you want to add computers to the collection, or else you can't find the computer? One thing that has changed though is that the "All Systems" collection is now read-only, so they can't make any unwanted changes to the collection at least. Maybe you could create a folder structure with OSD and give them permission to those?

jdmiller Posted February 22, 2013

I've encountered a similar business need for our organization and have run into the same dilemma. I want to allow our desktop support team to move and manage all desktops, but none of our servers. I don't have a problem with them seeing our servers, I just don't want them to be able to move, delete, deploy or in any way interact with our servers.

In my first attempt at this I created two machine collections ("desktops" and "servers") filtered by OS type and limited by the All Systems collection, but unfortunately giving them full control over the desktops collection does nothing unless they also have full control over the All Systems collection, which then in turn gives them de facto full permission of my servers collection.

I'm guessing that I'm not really understanding how RBA is supposed to work either.

jasonbsstt Posted March 4, 2013

Well still playing around with this and still no workable solution...... Anyone.....