
Hi, I am a developer at Microsoft and have been working with the SMS group for the past 5 years. Much of my work is with the database as well as the server components for handling discovery, inventory, and metering data. I get asked a lot of questions about these, so I thought I would put together some of the answers for the more interesting ones and post them occasionally. Hopefully you'll find these useful. - Eric

Eric Holtz (MS-SMS) at myITforum.com

Overexposing the underdocumented

Allowing an SMS user (or group) to manage only a specific set of machines.

Sorry for getting behind on posts, but things have been pretty busy in SMS development lately. I wanted to pass this on, however, as this issue tends to come up a lot and I’m not sure the official solution is widely known.

If you have a collection of machines and you’d like to have an SMS 2003 user (or user group) be able to see and manage only those machines, how do you set up the permissions?

To give a user or group permissions to manage a collection of machines and only those machines, follow the steps below: 

  • Grant the user or user group class-level (all instances) Advertise, Create, and Delegate permissions on collections.
  • Remove the user or group’s class-level Read, Modify, and Delete permissions on collections.
  • Grant the user or group instance-level Read permission on the master collection that contains the machines to be managed.

The user or group can now:

  • Create collections that contain only members of the master collection (because of the way collection limiting works).
  • Advertise only to visible collections, which will be the master collection and any subsequently created collections.
  • If a group is managing the master collection, the user creating a collection can then grant the group instance-level rights on it by virtue of the Delegate permission.

The key here is that although we’ve granted class-level Advertise permission to the user, they can advertise only to collections they can view. The viewable collections should be only the master collection and any collections they’ve created. Since the user doesn’t have class-level Read rights on collections, SMS 2003 limits the membership of any collection they create to collections they have Read rights on. So every collection they create is a subset of the master collection.
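To make the rights model above concrete, here is an added example (not code from the post or from SMS itself) that encodes the rules the post states: class-level rights apply to every collection, instance-level rights to one; a user can advertise only to collections they can read; and a collection a user creates is limited to a collection the user can read. It walks the three steps for a constructed "helpdesk" group on constructed collection IDs, shows that a collection limited to anything outside the master collection is refused, and includes an audit function that flags a rights assignment which deviates from the pattern (class-level Read being the one that silently exposes every collection). The permission bit values are an assumption taken from the SMS 2003 SDK documentation of SMS_UserClassPermissions and SMS_UserInstancePermissions; the Site class and its methods are a hypothetical stand-in for the provider, not an SMS API.

```python
"""Model of the SMS 2003 collection-scoping pattern from the post.

Added example (not code from the post or from SMS). It encodes the rules the
post states: class-level rights apply to every collection, instance-level
rights to one; a user can advertise only to collections they can read; and a
collection a user creates is limited to a collection the user can read.
Permission bit values are ASSUMED from the SMS 2003 SDK documentation of
SMS_UserClassPermissions / SMS_UserInstancePermissions.
"""
from dataclasses import dataclass, field

# Assumed SDK bit values; only the rights the post discusses are listed.
READ = 0x1
MODIFY = 0x2
DELETE = 0x4
ADVERTISE = 0x40
DELEGATE = 0x1000
CREATE = 0x40000


@dataclass
class CollectionRights:
    """Rights one SMS user or user group holds on the Collection object class."""
    class_rights: int = 0                                # apply to all collections
    instance_rights: dict = field(default_factory=dict)  # CollectionID -> bits

    def effective(self, collection_id):
        # Class-level rights reach every instance; instance rights add to them.
        return self.class_rights | self.instance_rights.get(collection_id, 0)


@dataclass
class Site:
    """Hypothetical stand-in for a site's collections: CollectionID -> limiting collection."""
    collections: dict = field(default_factory=dict)

    def visible_to(self, rights):
        return sorted(c for c in self.collections if rights.effective(c) & READ)

    def can_advertise(self, rights, collection_id):
        # Advertise needs the Advertise right on a collection the user can also see.
        eff = rights.effective(collection_id)
        return bool(eff & ADVERTISE) and bool(eff & READ)

    def create_collection(self, rights, new_id, limit_to):
        # Create is class-level; membership is limited to a readable collection,
        # so everything the user creates is a subset of what they can already see.
        if not rights.class_rights & CREATE:
            raise PermissionError("no class-level Create right on collections")
        if not rights.effective(limit_to) & READ:
            raise PermissionError(f"cannot limit to {limit_to}: not readable")
        self.collections[new_id] = limit_to

    def delegate(self, granter, grantee, collection_id, bits):
        # Delegate lets the holder hand out instance rights on that collection.
        if not granter.effective(collection_id) & DELEGATE:
            raise PermissionError("no Delegate right on " + collection_id)
        grantee.instance_rights[collection_id] = (
            grantee.instance_rights.get(collection_id, 0) | bits)


def audit_scoped_rights(rights, master_id):
    """Findings where `rights` deviates from the post's pattern; [] means compliant."""
    findings = []
    for name, bit in (("Read", READ), ("Modify", MODIFY), ("Delete", DELETE)):
        if rights.class_rights & bit:
            findings.append(f"class-level {name} on collections reaches every collection")
    for name, bit in (("Advertise", ADVERTISE), ("Create", CREATE), ("Delegate", DELEGATE)):
        if not rights.class_rights & bit:
            findings.append(f"missing class-level {name} on collections")
    if not rights.instance_rights.get(master_id, 0) & READ:
        findings.append(f"missing instance-level Read on master collection {master_id}")
    return findings


def demo():
    """Walk the post's three steps for a constructed 'helpdesk' group and site."""
    # Constructed IDs: SMS00001 stands in for All Systems, ABC000xx for site ABC.
    site = Site({"SMS00001": None, "ABC00010": None, "ABC00020": None})
    helpdesk = CollectionRights(class_rights=ADVERTISE | CREATE | DELEGATE,
                                instance_rights={"ABC00010": READ})
    site.create_collection(helpdesk, "ABC00030", limit_to="ABC00010")
    try:  # limiting to a collection outside the master collection is refused
        site.create_collection(helpdesk, "ABC00031", limit_to="SMS00001")
        escaped = True
    except PermissionError:
        escaped = False
    # The creator hands the group rights on the new collection via Delegate.
    site.delegate(helpdesk, helpdesk, "ABC00030", READ | MODIFY | DELETE)
    return {
        "audit": audit_scoped_rights(helpdesk, "ABC00010"),
        "visible": site.visible_to(helpdesk),
        "escaped_master": escaped,
        "advertise_all_systems": site.can_advertise(helpdesk, "SMS00001"),
        "advertise_new": site.can_advertise(helpdesk, "ABC00030"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the group sees only the master collection and the collection it created, cannot advertise to the All Systems stand-in, and cannot create a collection limited to it. The audit function is the part worth keeping around: fed the class and instance rights exported for a user, it reports the one mistake that undoes the whole scheme, class-level Read on collections, alongside the rights the pattern requires.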


This posting is provided "AS IS" with no warranties, and confers no rights.

Published Mar 08 2005, 12:17 PM by Anonymous

Comments


Anonymous said:

Hi Eric,

I just saw this post from some time back and noticed one thing that you didn't mention. The situation that I'm sure many people have is when they also grant Create class-level rights and expect users to be able to completely manage those collections they create. The situation here is that for any collections they create under that master collection, they do not get the rights required to modify them.

I'm sure others have seen this before. I currently have to run a VBScript at intervals to work around this. However, my question is: when do we get to have permissions inherited at subcollections?

October 31, 2006 9:09 AM