RBA in config manager 2012 SP1

August 13, 2013


There are several built-in administrative roles in Config Manager 2012 SP1. Today we are going to add some custom ones in an easy way.

First of all, download and install the Config Manager 2012 SP1 toolkit from here: http://www.microsoft.com/en-us/download/details.aspx?id=36213

Perform a default install.

Now start the RBA viewer utility.

Pick the security role you want to modify. You can see the actions available in the left pane.

Now select the objects that you want to modify. For example, we want a role used for adding resources to collections, so select Collection -> Modify (for adding resources) and Modify resources (for updating membership).

You can find the actions by using the right side of the screen and selecting the required actions, e.g. Add resource.

Now export the created profile.

Import the XML in Config Manager and assign the role to a user within the Config Manager console. You can now test the result for the user without knowing the password of that specific user.

Just start the runas feature.

Fill in the username (no password required).

And verify the result using the console and reports button.

Nice toolset.


CM2012 Role Based Administration: Computer Import Manager

October 25, 2012

Hi there,

At a customer where I went a few weeks ago, there was a need for an extra Configuration Manager 2012 role which only had the rights to import computers. It struck me that there was no default role which provided the necessary rights.

This security role would then be assigned to someone who would import the computers to run OSD.

This is the way I’ve done it.

– First of all, I imported the Computer Import Manager role in the form of an .XML file which can be found here. The .XML file can be downloaded at the bottom of that webpage.

– The default behavior of this role is to only allow computer import in the All Systems collection. If the OSD task sequences are targeted to collections other than the All Systems collection, this behavior should be extended so the user is able to import computers to other collections. This is done by editing the newly created security role and, under Collection, adding the Modify resource right as shown below. Click Apply and OK.

– When the console is now opened with a user that has this Computer Import Manager role associated, the console looks as follows:

When the same role also needs the rights to delete computers from a collection, just add the additional right: Collection -> Delete Resources in the same way the previous rights were added.

After all modifications I’ve exported the Computer Import Manager security role so I can just reuse it at other customers when needed.

Hope this helps.
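
The import-and-assign step that both posts perform in the console can also be scripted with the ConfigurationManager PowerShell module. The following is an added example, not code from either post; the site code, file path, account and collection name are placeholders, and the built-in "Default" security scope is assumed.

```powershell
# Added example. All values in this block are placeholders (assumptions).
$SiteCode   = 'XYZ'                                # assumed site code
$RoleXml    = 'C:\Temp\ComputerImportManager.xml'  # assumed path of the exported role XML
$RoleName   = 'Computer Import Manager'            # role name as used in the second post
$Account    = 'CONTOSO\osd-import'                 # assumed account that receives the role
$Collection = 'OSD Targets'                        # assumed collection the account is limited to

# Check the export while still on the file system drive.
if (-not (Test-Path -LiteralPath $RoleXml)) { throw "Role export not found: $RoleXml" }

# Load the module that ships with the admin console and switch to the site drive.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# Import only when the role is not present, so an existing role is never overwritten.
if (-not (Get-CMSecurityRole -Name $RoleName)) {
    Import-CMSecurityRole -XmlFileName $RoleXml -Overwrite $false
}
if (-not (Get-CMSecurityRole -Name $RoleName)) { throw "Role '$RoleName' was not imported." }

if (Get-CMAdministrativeUser -Name $Account) {
    # Existing administrative user: the role is added, collection limits stay as they were.
    Add-CMSecurityRoleToAdministrativeUser -AdministrativeUserName $Account -RoleName $RoleName
} else {
    # New administrative user: limited to the named collection and security scope.
    New-CMAdministrativeUser -Name $Account -RoleName $RoleName `
        -CollectionName $Collection -SecurityScopeName 'Default' | Out-Null
}

# Review the effective assignment before handing the account over.
$result = Get-CMAdministrativeUser -Name $Account
$result | Select-Object LogonName, RoleNames, CollectionNames, CategoryNames | Format-List

# A narrow custom role has no effect if the account also holds a broad built-in role.
if ($result.RoleNames -contains 'Full Administrator') {
    Write-Warning "$Account also holds 'Full Administrator'; the custom role does not restrict it."
}
```

The printed RoleNames and CollectionNames can be compared with what the RBA Viewer run-as test shows for the same user.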