As we are aware that ConfigMgr'07 admin full access provide a lot of privilege to manage all desktop in an enterprise so it’s critical to manage the ConfigMgr admin access with role based security model. And recently we have introduced the new security group model for managing ConfigMgr operations and having least admin access on ConfigMgr as role based which is very much align to ConfigMgr out of box security classes.
Below are the list of sample security groups we provisioned in AD and same configured in ConfigMgr admin console with equivalent access rights to manage the role based security in ConfigMgr'07.
Hope this helps in your planning for securing ConfigMgr'07 admin access with role based security model.
More details for ConfigMgr security planning are available on following link : http://technet.microsoft.com/en-us/library/bb680768.aspx
Sample Security Group
Security Group Definition
This group contains members who needs to view ConfigMgr reports.
This group contains members who need to have read access ConfigMgr Database for data feed or reporting purpose.
This group contains members who need to read all details about a given SMS/ConfigMgr site.
This group contains members which perform monitoring functions on the ConfigMgr servers
This group contains members who that need to write package deployment items.
This group contains the members who need to create patch deployments.
This group contains the members that need to create & manage collections.
This group contains the members who that need to create & manage advertisements.
This group contains the members who need to create ConfigMgr OSD objects.
This group contains members who need to create ConfigMgr DCM objects.
This group contains the members that need to create ConfigMgr Software Metering objects.
This group contains members who need to create ConfigMgr DMP objects.
This group contains the objects that need to create ConfigMgr web reports.
This group contains objects that need to access ConfigMgr client logs.
This group contains the members who need to change ConfigMgr site settings and have full access for ConfigMgr
This group contains the troubleshooting teams that provide escalation and resolution services.
Do you think there is someting like this for SCOM?
Sorry folk, I do not have similar role based security model for OpsMgr'07 but I think same approach could be followed to meet the requirement.
Great work, is there a document describing each group's security settings?
You've done a great job, would you share the underlying object security in sccm?
Very good job, is there now a document describing each group's security settings?
Great great job....but there is any way to have some kind of doc that describes in details the settings?
great, really great job.
would it be possible to send some details about the security to my email: email@example.com
I am very interested in the Security options of the osd_provider_user
Yeah, um what are the settings for each of these groups?
I am planning to post part 2 of all role based security with all your queries answered.