Help with collection Security inheritence

Author Message
Pvt_Ryan

  • Total Posts : 310
  • Scores: 3
  • Reward points : 77050
  • Joined: 8/25/2009
  • Location: Belfast, UK
  • Status: offline
Help with collection Security inheritence Thursday, August 02, 2012 7:18 AM (permalink)
0
I have a central site CEN, and the All Systems collection.
I have 3 Groups that have the following permissions:
Class:
G1 = No
G2 = Read, Advertise, Create
G3 = No
 
Instance:
G1 = read, read resource, view collected files and use remote tools.
G2 = read, modify, Delete, use Remote Tools, Advertise, Modify Resource, Delete Resource, view collected files, read resource, modify collection setting.
G3 = read, read resource, view collected files and use remote tools.
 
Below the CEN site I have 3 Child primaries, CP1, CP2, CP3
On CP1:
Class
p\G1 = Same as CEN
p\G2 = Same as CEN
p\G3 = Same as CEN
Instance
p\G1 = Same as CEN
p\G2 = Same as CEN
p\G3 = Same as CEN
 
On CP2:
Class
p\G1 = Full Permissions
p\G2 = Same as CEN
p\G3 = Same as CEN
Instance
p\G1 = Same as CEN
p\G2 = Same as CEN
p\G3 = Not Present
 
On CP3
Class
d\G1 = Same as CEN
d\G2 = Same as CEN
d\G3 = Same as CEN
Instance
d\G1 = Not Present
d\G2 = Not Present
d\G3 = Not Present
 
 
Now CP3 is "special" as it is in a seperate domain and forest (our development domain) but this doesn't cause issues for any of our deployments or anything else. p\ is production, d\ is development domains.
 
I can sort of understand the differences between CEN and CP3 but not CEN and CP2. Is there any way to get the permissions to be consistant across all 3 CPs?
 
Ryan
Citrix Desktop Infrastructure Analyst
MCTS: SCCM, CCNA

Blog/Site: http://ninet.org
 
#1
    skissinger

    • Total Posts : 4810
    • Scores: 458
    • Reward points : 106230
    • Joined: 9/13/2001
    • Location: Sherry Kissinger
    • Status: offline
    Re:Help with collection Security inheritence Thursday, August 02, 2012 11:14 AM (permalink)
    0
    Remember primary sites in cm07 are all independent of each other for security rights.  If you want them to be in sync, then you have to set them up initially to be that way.
    For collections, once you have it setup instance-rights; you can use the collection inheritance script linked from here:  http://www.mnscug.org/art...e-software-update-role
    Note that CM12 has RBAC, Security Scopes and Roles, so it's all moot in the next version--and likely you won't have multiple primaries in CM12 anyway.
    mofmaster@myitforum.com
    My Blog
    Microsoft MVP - ConfigMgr
     
    #2
      Pvt_Ryan

      • Total Posts : 310
      • Scores: 3
      • Reward points : 77050
      • Joined: 8/25/2009
      • Location: Belfast, UK
      • Status: offline
      Re:Help with collection Security inheritence Thursday, August 02, 2012 12:17 PM (permalink)
      0
      I was aware they were independent but I thought for collections defined on the central site (i.e. the collections that have the padlock beside them) the permissions where inherited as you cannot edit them at the lower levels.
       
      But thanks for the answer it clears up some head scratching I was doing.
      Citrix Desktop Infrastructure Analyst
      MCTS: SCCM, CCNA

      Blog/Site: http://ninet.org
       
      #3
        Online Bookmarks Sharing: Share/Bookmark

        Jump to:

        Current active users

        There are 0 members and 2 guests.

        Icon Legend and Permission

        • New Messages
        • No New Messages
        • Hot Topic w/ New Messages
        • Hot Topic w/o New Messages
        • Locked w/ New Messages
        • Locked w/o New Messages
        • Read Message
        • Post New Thread
        • Reply to message
        • Post New Poll
        • Submit Vote
        • Post reward post
        • Delete my own posts
        • Delete my own threads
        • Rate post

        2000-2013 ASPPlayground.NET Forum Version 3.9