Securing device collections in SCCM

juice13610

  • Total Posts : 75
  • Scores: 0
  • Reward points : 9970
  • Joined: 3/8/2012
  • Status: offline
Securing device collections in SCCM Wednesday, June 27, 2012 11:23 AM (permalink)
0
I have more than one question regarding the security of device collections in SCCM.
I created a device collection where the criterion is that it must be in the AD group named "SCCM-TestPCs". I gave my desktop admins rights to the device collection, but they are unable to modify it. Is there some way to give them access to modify a device collection? I understand they have to have rights to add to a security group in AD, but he was just attempting to create a "direct rule" to add a particular PC.
 
Next, I want to give our security team the rights to deploy applications to desktops, and I want them to be able to see the servers, but not deploy applications to servers.  Is this possible?
 
 
 
#1
    bmason505

    • Total Posts : 3271
    • Scores: 246
    • Reward points : 80150
    • Joined: 1/23/2003
    • Location: Minneapolis, MN
    • Status: offline
    Re:Securing device collections in SCCM Wednesday, June 27, 2012 2:39 PM (permalink)
    0
    You are creating root collections to let them make new collections with.  They should be able to make new collections which are limited to the root collections you create.  But RBA would have no value if they could just add a server to a workstation collection, for example.  You set what they should see and they can limit that with new collections which are limited to the one you make for them.
    Brian Mason
    MCTS\MS MVP - ECM 
    http://www.mnscug.org/
     
    #2
      juice13610

      Re:Securing device collections in SCCM Wednesday, June 27, 2012 2:47 PM (permalink)
      0
      How did I know it would be you to respond?
       
      What I'm trying to accomplish is as follows: the security team sometimes deploys software upgrades (not definition updates, but upgrades of the actual software) of our antivirus software, and they want to keep that ability. However, they also want to be able to see servers as well. With that, we are fine with them seeing them, but we do not want them to have access to deploy anything to them. So is there a way that we can make it so that they can deploy to desktops, but not servers, while still maintaining "read" access to the server collection?
       
      #3
        bmason505

        Re:Securing device collections in SCCM Wednesday, June 27, 2012 3:21 PM (permalink)
        0
        You and Nackers have this need in common.  He just found that if you go back to the security roles tab after adding your read-only collection on the security scopes tab, you'll see a new set of options to fine tune the settings you're looking for.
        Brian Mason
        MCTS\MS MVP - ECM 
        http://www.mnscug.org/
         
        #4
          juice13610

          Re:Securing device collections in SCCM Wednesday, June 27, 2012 3:49 PM (permalink)
          0
          I have been looking in vain to find how to add a device collection to a security scope. Is it possible?
           
          #5
            bmason505

            Re:Securing device collections in SCCM Wednesday, June 27, 2012 3:53 PM (permalink)
            0
            Admin users\properties, security scopes.  Last radio button\edit.
            Brian Mason
            MCTS\MS MVP - ECM 
            http://www.mnscug.org/
             
            #6
              juice13610

              Re:Securing device collections in SCCM Wednesday, June 27, 2012 4:01 PM (permalink)
              0
              I found where I can assign administrative users to a scope, but I can't find how to add a device collection to a scope.
               
              #7