“Role-ing” with Role-Based Administration (RBA)
By Joseph Yedid
Role-Based Administration (RBA) is a great feature in Configuration Manager 2012 and above. What’s the whole purpose of RBA? Simple, delegated administration. RBA allows administrators to delegate specific roles to other administrators.
I will use the Remote Tools client setting and Remote Tools Operator role as a demonstration.
First, I need to create a user, or preferably a group, in Active Directory. The user or group will need to be added to the local Administrators group on the targeted system(s), either manually or through a GPO.
Once that is done, in the Configuration Manager console, I then need to create a standalone client setting for Remote Tools.
To do this, in the Administration workspace, in the Client Settings node, open Create Custom Client Device Settings from the ribbon.
Give the settings a name and check off Remote Tools. Click OK.
Open the newly created settings. Select Remote Tools. On the Remote Tools page, click Configure…
Click Enable Remote Control on client computers and then choose your profile. In this example I chose Domain. Click OK.
Click Set Viewers…
Enter the user or group you will use for the viewers. I will be using the CTO Remote Group. Click OK.
Now any member of the CTO Remote Group AD group, in my case, will be permitted to perform remote tasks such as Remote Assistance, or Remote Control of another user’s system.
Now let’s restrict this group from interacting with anything else other than performing remote tasks. In this case we will have to configure the administrative users.
RBA is controlled from the Security Roles and Security Scopes nodes, found in the Administration workspace under the Security node (see the screenshot below). Right-click Administrative Users and select Add User or Group.
Once again I will use the CTO Remote Group in this example. I assigned them the Remote Tools Operator role, but this time I set the scope to: Only the instances of objects that are assigned to the specified security scopes or collections. I then added the CTO collection, which contains only workstations.
Now when a user who is a member of the CTO Remote Group logs into the Configuration Manager console, RBA takes effect: they are restricted to performing remote actions against the assigned collection only, and they cannot perform any action outside their security role and scope.
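The same procedure, scripted end to end with the Configuration Manager PowerShell module, as an added example that is not part of the original post. The site code (P01), the domain prefix (CONTOSO) and the console path are constructed placeholders; the group, collection and role names are the ones used above. The cmdlet and parameter names are the ones I believe the ConfigMgr module exposes for these steps, and the `RoleNames`/`CollectionNames` properties are what the SMS_Admin object returned by Get-CMAdministrativeUser carries; check both against your console version with Get-Help before relying on the script. Adding the group to the local Administrators group on the workstations (the GPO step) is outside the scope of this script.

```powershell
# Added example: scripts the Remote Tools delegation described in the post.
# Placeholders (constructed): site code P01, domain CONTOSO, console path.
# Verify cmdlet parameters with Get-Help <cmdlet> -Full on your console version.

$SiteCode       = 'P01'
$GroupName      = 'CONTOSO\CTO Remote Group'
$SettingName    = 'Remote Tools - CTO'
$CollectionName = 'CTO'
$RoleName       = 'Remote Tools Operator'

# Load the module that ships with the console and switch to the site drive.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$SiteCode`:"

# 1. Stand-alone custom client device settings that carry only Remote Tools.
if (-not (Get-CMClientSetting -Name $SettingName)) {
    New-CMClientSetting -Name $SettingName -Type Device `
        -Description 'Remote Tools only; viewers limited to CTO Remote Group' | Out-Null
}

# 2. Enable Remote Control with the Domain firewall profile and set the
#    permitted viewers to the AD group (the "Set Viewers..." step).
#    This list is what the client itself enforces: accounts not on it are
#    refused a remote control session regardless of their console role.
Set-CMClientSettingRemoteTool -Name $SettingName `
    -FirewallExceptionProfile Domain `
    -PermittedViewer @($GroupName)

# 3. Deploy the setting to the workstation collection so the clients apply it.
Start-CMClientSettingDeployment -ClientSettingName $SettingName `
    -CollectionName $CollectionName

# 4. Console side: grant the group the Remote Tools Operator role, scoped to
#    the CTO collection only. Passing -CollectionName (and no wider scope)
#    corresponds to "Only the instances of objects that are assigned to the
#    specified security scopes or collections".
if (-not (Get-CMAdministrativeUser -Name $GroupName)) {
    New-CMAdministrativeUser -Name $GroupName `
        -RoleName $RoleName `
        -CollectionName $CollectionName | Out-Null
}

# 5. Verification: the administrative user should hold exactly one role and be
#    limited to exactly one collection. Anything broader means the delegation
#    grants more than the post intends and should be fixed before the group
#    is given console access.
function Test-CMRemoteToolsDelegation {
    param([string]$Name, [string]$ExpectedRole, [string]$ExpectedCollection)

    $adminUser = Get-CMAdministrativeUser -Name $Name
    if (-not $adminUser) { return $false }

    $roles       = @($adminUser.RoleNames)        # SMS_Admin string[] (assumed)
    $collections = @($adminUser.CollectionNames)  # SMS_Admin string[] (assumed)

    ($roles.Count -eq 1 -and $roles[0] -eq $ExpectedRole) -and
    ($collections.Count -eq 1 -and $collections[0] -eq $ExpectedCollection)
}

if (Test-CMRemoteToolsDelegation -Name $GroupName `
        -ExpectedRole $RoleName -ExpectedCollection $CollectionName) {
    Write-Output "OK: $GroupName is limited to '$RoleName' on collection '$CollectionName'."
} else {
    Write-Warning "$GroupName has a broader role or scope than intended; review it in Administrative Users."
}
```

Two separate controls are at work here, and both have to be right: the permitted-viewers list in the client settings is enforced on the workstation and decides whose remote sessions are accepted, while the security role and collection scope decide what that group can even see and do in the console. The verification function at the end is a cheap check to run after any change to the administrative user, since the console wizard makes it easy to leave the default "All instances" scope in place by mistake.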