Role-Based Administration (RBA) is a great feature in Configuration Manager 2012 and above. Its whole purpose is simple: delegated administration. RBA lets you give another administrator only a specific role (what they can do) and scope (which objects they can do it to), instead of full rights to the site.
I will use the Remote Tools client setting and Remote Tools Operator role as a demonstration.
First, I need to create a user, or preferably a group, in Active Directory. This user or group needs to be added to the local Administrators group of the targeted system(s), manually or through a GPO. Keep in mind that local Administrators is a far larger grant than remote control needs: the Permitted Viewers list configured below is what the client uses to populate its local ConfigMgr Remote Control Users group, so for least privilege leave the group out of local Administrators unless you have another reason to put it there.
Once that is done, in the Configuration Manager console, I need to create a standalone client setting for Remote Tools.
To do this, in the Administration workspace, in the Client Settings node, open Create Custom Client Device Settings from the ribbon.
Give the settings a name and check off Remote Tools. Click OK.
Open the newly created settings. Select Remote Tools. On the Remote Tools page, click Configure…
Click Enable Remote Control on client computers and then choose the Windows Firewall profile(s) on which the remote control exception should be opened. In this example I chose Domain, so the port is not opened while a client is on a Private or Public network. Select OK.
Next, click Set Viewers…
Enter the user or group you are using for the viewers. I am using the CTO Remote Group. Click OK.
Next, click OK.
Again, click OK.
Now any member of the CTO Remote Group AD group, in my case, is permitted to perform remote tasks such as Remote Assistance or Remote Control of another user’s system. Remember that a custom client device setting only applies once it is deployed to a collection and the clients have retrieved the new policy; until then the default client settings still apply.
Now let’s restrict this group so that it can do nothing in Configuration Manager other than those remote tasks. For that, I have to configure the administrative users.
RBA is controlled from the Security Roles and Security Scopes nodes (see the screenshot below), which are found in the Administration workspace under the Security node. Right-click Administrative Users and select Add User or Group.
Once again, I use the CTO Remote Group in this example. I assign them the Remote Tools Operator role, but this time I set the scope to: Only the instances of objects that are assigned to the specified security scopes or collections. I then add the CTO collection which only contains workstations.
RBA now takes effect when a user that is part of the CTO Remote Group logs into the Configuration Manager console. The user can only perform remote actions on members of the assigned collection and cannot perform any other action outside their security role and scope. Had I left the default option (All instances of the objects that are related to the assigned security roles), the group could have remote controlled every client in the site, servers included; limiting the scope to the CTO workstation collection is what bounds the grant.
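The same two procedures, the Remote Tools client setting and the scoped Remote Tools Operator assignment, done from the ConfigurationManager PowerShell module, as an added example that is not part of the original post. The site code PS1, the domain name CONTOSO, the setting name, and the parameter names used with Set-CMClientSettingRemoteTool are assumptions; the group and collection names are the ones from the post. Check each cmdlet against Get-Help on your console version before running it.

```powershell
# Added example, not from the original post. Assumptions: site code PS1,
# domain CONTOSO, AD group "CTO Remote Group", device collection "CTO"
# (workstations only). Run on a machine with the Configuration Manager console.

$SiteCode    = 'PS1'
$ViewerGroup = 'CONTOSO\CTO Remote Group'
$TargetColl  = 'CTO'
$SettingName = 'Remote Tools - CTO'

# Load the module that ships with the console and switch to the site drive.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# --- Part 1: custom client device setting for Remote Tools ---
if (-not (Get-CMClientSetting -Name $SettingName)) {
    New-CMClientSetting -Name $SettingName -Type Device | Out-Null
}

# Enable remote control with a firewall exception on the Domain profile only and
# set the permitted viewers. On each client those viewers land in the local
# "ConfigMgr Remote Control Users" group; local Administrators is not required.
# Parameter names are assumed from the documented cmdlet; verify with Get-Help.
Set-CMClientSettingRemoteTool -Name $SettingName `
    -FirewallExceptionProfile Domain `
    -AllowPermittedViewer $true `
    -PermittedViewer $ViewerGroup `
    -RequireAuthentication $true `
    -PromptUserForPermission $true

# A custom client setting does nothing until it is deployed to a collection.
Start-CMClientSettingDeployment -ClientSettingName $SettingName -CollectionName $TargetColl

# --- Part 2: RBA, Remote Tools Operator limited to the CTO collection ---
if (-not (Get-CMAdministrativeUser -Name $ViewerGroup)) {
    # -CollectionName is the "Only the instances of objects that are assigned to
    # the specified security scopes or collections" option from the console:
    # without it the role would apply to every client in the site.
    New-CMAdministrativeUser -Name $ViewerGroup `
        -RoleName 'Remote Tools Operator' `
        -CollectionName $TargetColl | Out-Null
}

# --- Verification: what did the group actually get? ---
# Roles and Collections are returned as IDs, not names; there should be exactly
# one role ID and one collection ID here.
Get-CMAdministrativeUser -Name $ViewerGroup |
    Select-Object LogonName, IsGroup, Roles, Collections

# On a targeted workstation, after the next policy cycle, confirm the group is in
# the remote control users group rather than Administrators:
#   Get-LocalGroupMember -Group 'ConfigMgr Remote Control Users'
```

The final check is the one worth keeping in a runbook: an entry under Administrative Users with the wrong collection, or no collection at all, silently widens a "remote control of CTO workstations" grant to the entire site.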