
“Role-ing” with Role-Based Administration (RBA)

By Joseph Yedid

Role-Based Administration (RBA) is a great feature in Configuration Manager 2012 and above. What’s the whole purpose of RBA? Simple, delegated administration. RBA allows administrators to delegate specific roles to other administrators.

I will use the Remote Tools client setting and Remote Tools Operator role as a demonstration.

First, I need to create a user, or preferably a group, in Active Directory. The user or group will need to be added to the local Administrators group of the targeted system(s), either manually or through a GPO.

Once that is done, in the Configuration Manager console, I then need to create a standalone client setting for Remote Tools.

[Screenshot: Create Custom Client Device Settings]

To do this, in the Administration workspace, in the Client Settings node, open Create Custom Client Device Settings from the ribbon.

[Screenshot: Custom Device Settings]

Give the settings a name and check off Remote Tools. Click OK.

[Screenshot: Remote Tools settings]

Open the newly created settings. Select Remote Tools. On the Remote Tools page, click Configure…

[Screenshot: Remote Control]

Click Enable Remote Control on client computers and then choose your profile. In this example I chose Domain. Click OK.

[Screenshot: Set Viewers]

Click Set Viewers…

[Screenshot: Configure Client Setting]

Click the star (New) button.

[Screenshot: New Permitted Viewer]

Click Browse…

[Screenshot: Select User]

Enter the user or group you will use for the viewers. I will be using the CTO Remote Group. Click OK.

[Screenshot: New Permitted Viewer, OK]

Click OK.

[Screenshot: Configure Client Setting, OK]

Click OK.

Now any member of the CTO Remote Group AD group, in my case, will be permitted to perform remote tasks such as Remote Assistance or Remote Control of another user’s system.

Next, let’s restrict this group from doing anything in the console other than performing remote tasks. For that we have to configure the administrative users.

RBA is controlled from the Security Roles and Security Scopes nodes. See the screenshot below. This can be found in the Administration workspace under the Security node. Right-click Administrative Users and select Add User or Group.

[Screenshot: Administrative Users, Add User or Group]

Once again I will use the CTO Remote Group in this example. I assigned them the Remote Tools Operator role, but this time I set the scope to: Only the instances of objects that are assigned to the specified security scopes or collections. I then added the CTO collection which only contains workstations.

[Screenshot: Add User or Group]

Now when a user who is a member of the CTO Remote Group logs into the Configuration Manager console, RBA will take effect. They will be restricted to performing remote actions on the assigned collection only, and will not be allowed to perform any other actions outside their security role and scope.
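The same delegation can be scripted instead of clicked through. The following is an added example, not code from the original post or from Microsoft; it assumes the ConfigurationManager PowerShell module that ships with the console, a placeholder site code of PS1, a placeholder domain of CONTOSO, and the names used above (the CTO Remote Group AD group, a CTO device collection containing only workstations). The cmdlet and parameter names (New-CMClientSetting, Set-CMClientSettingRemoteTool, Start-CMClientSettingDeployment, New-CMAdministrativeUser, Get-CMAdministrativeUser) are as I know them from the module; check them against Get-Help in your version before relying on them. The last step is the check a reviewer would want: a listing of every administrative user with their roles and collections, so an over-broad grant stands out.

```powershell
# Added example (not from the original post): script the delegation built in the console above.
# Assumptions: ConfigurationManager module present, site code PS1, domain CONTOSO,
# AD group "CTO Remote Group", device collection "CTO". Verify cmdlet names with Get-Help.

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "PS1:"                               # site drive; replace PS1 with your site code

$viewerGroup = "CONTOSO\CTO Remote Group"         # placeholder domain and the post's group name
$collection  = "CTO"                               # workstation-only collection from the post
$settingName = "Remote Tools - CTO"                # name for the custom client device settings

# Prerequisite from the post: the group must be in the local Administrators group of the
# targeted systems. Done per machine (or via GPO); shown here for completeness.
# Add-LocalGroupMember -Group "Administrators" -Member $viewerGroup

# 1. Custom client device settings with Remote Tools enabled, Domain firewall profile,
#    and the group as the only permitted viewer (the "Set Viewers" dialog in the post).
New-CMClientSetting -Name $settingName -Type Device -Description "Remote Tools for CTO group"
Set-CMClientSettingRemoteTool -Name $settingName `
    -FirewallExceptionProfile Domain `
    -PermittedViewer $viewerGroup

# 2. Deploy the settings to the CTO collection only, not to All Systems.
Start-CMClientSettingDeployment -ClientSettingName $settingName -CollectionName $collection

# 3. Administrative user limited to the Remote Tools Operator role and the CTO collection.
#    Naming an explicit scope and collection is the scripted equivalent of the console option
#    "Only the instances of objects that are assigned to the specified security scopes or collections".
New-CMAdministrativeUser -Name $viewerGroup `
    -RoleName "Remote Tools Operator" `
    -SecurityScopeName "Default" `
    -CollectionName $collection

# 4. Check: list every administrative user with roles and collections. SMS_Admin exposes
#    RoleNames and CollectionNames as string arrays; anyone holding "Full Administrator"
#    or a collection such as "All Systems" who should not deserves a second look.
Get-CMAdministrativeUser | ForEach-Object {
    [pscustomobject]@{
        User        = $_.LogonName
        Roles       = ($_.RoleNames -join ", ")
        Collections = ($_.CollectionNames -join ", ")
    }
} | Sort-Object User | Format-Table -AutoSize
```

Run this from a console-installed machine with an account that already holds the Full Administrator role; RBA applies to the PowerShell module exactly as it does to the console, so a scoped account cannot grant itself or others a wider role. Step 4 is worth running on a schedule independently of any change, since it is the quickest way to see whether a delegated group has drifted beyond the single role and collection it was given.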