Notes from ConfigMgr 2012 CEP Theme 5: Role-Based Administration & Collections
The following notes are what I gleaned from today's Community Evaluation Program theme--Role-based Administration.
- Mark Florida is the speaker today. He is one of the Principal Lead Program Managers at Microsoft.
- 18 Attendees on the webcast. Another decent decline from the previous meeting.
- Brandon Linton is the November CEP contest winner. Congratulations Brandon!
- Session Takeaways
  - Sites are no longer used to support administrator segmentation
  - Attempt to stop or limit complex collection query logic
  - Collection updating/eval is done for you. No need to update collection membership anymore
- Role Based Administration
  - Security roles
    - What types of objects can I see and what can I do to them
    - Similar to security options available today in CM 2007
  - Security scope
    - Which instances can I see and interact with
    - I can say from my experience with the lab that this is a nice feature because admins will only see resources in the console based on the scopes that are assigned to them
  - Collection limiting
    - Which resources can I interact with
  - An admin has one or more security roles and scopes associated
  - Security management is simplified by defining once for the entire hierarchy since it is global data
  - Today security is tightly coupled with the assigned primary site
  - In 2012, admins can just use the CAS (Central Admin Site) to administer resources. Primaries are only needed to scale.
  - If a user is responsible for deploying software, the ConfigMgr admin just assigns the Application Deployment role to that user.
  - Collections are global data within the hierarchy
    - Collection membership will be different based on the site but the total collection member count will be displayed at all sites
  - Collection limiting is accomplished by putting collection limits within the scope of another
  - 2012 will ship with two read-only root collections
    - All Systems and All Users and User Groups
  - Based on role you can create, modify, delete, read and deploy software or baselines to the collection
  - Collection limiting will be great to have because of the effort involved today to manually limit based on querying within the collection rules
  - Can define on a per-role basis the scopes that can be added to an administrator
- Collection Migration from 2007
  - Not coded yet
- Typed Collections
  - User and Device
- No more sub collections
  - Organizational Folders
- Composable Collections
- Membership Rules
  - Direct, Query, Include (use for staggered deployments), Exclude (simple reuse of exclusion)
- Member Evaluation - Fast, uses deltas instead of full eval, every ten minutes, based on R3 fast collection support
- I see that you can create folders now instead of subcollections but isn't this just a different term for the same thing?
- Collection migration from 2007
  - Sub-collections will become an organizational folder
  - Or they will create a new collection within this org folder if it has membership rules or adverts targeted to it
  - If a collection is limited to or sub/linked to another collection then the whole collection structure is migrated to org folders/collections
  - User and device mixed collections are out of scope for 2012. Partner/community opportunity!
  - Collection definitions are globally replicated
  - An option will be offered to limit a collection for an existing 2012 collection (currently not available in Beta 1)
  - Direct membership collections will be migrated as is
  - Collections that are limited to multiple collections and collections that query by site code will be migrated as is
- Jeff says that they will have a contest to increase attendee count. The number only maxed out at 26 for this session. Try to make it to the Live Meetings, people!
- Next Meeting is December 15th--OS Deployment! Hoorah!
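
The three questions from the Role Based Administration notes above (role: what can I do to this type of object; scope: which instances; collection limiting: which resources) combine into a single access decision. The following is an added example, not code from the session or from Microsoft: a simplified Python model in which the scope names, collection names, object names and the binding of role, scopes and collections into one assignment are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data. Only the "Application Deployment" role name and the
# two root collections come from the notes; everything else is illustrative.
ROLES = {
    "Application Deployment": {("Application", "Read"), ("Application", "Deploy"),
                               ("Collection", "Read")},
}
# Each collection names the collection that limits it; root collections have none.
LIMITED_BY = {
    "All Systems": None,
    "All Users and User Groups": None,
    "EMEA Servers": "All Systems",
    "EMEA Web Servers": "EMEA Servers",
    "US Workstations": "All Systems",
}
# Security scopes tagged on individual object instances.
OBJECT_SCOPES = {"Payroll App": {"Finance"}, "Web Agent": {"Infrastructure"}}

@dataclass
class Assignment:
    role: str          # which object types and operations
    scopes: set        # which object instances
    collections: set   # which resources (via collection limiting)

def within_limit(collection, allowed):
    """True if the collection, or any collection that limits it, is in `allowed`."""
    while collection is not None:
        if collection in allowed:
            return True
        collection = LIMITED_BY.get(collection)
    return False

def can(assignments, operation, obj_type, obj, target=None):
    """Role, scope and collection checks must all pass within one assignment."""
    for a in assignments:
        role_ok = (obj_type, operation) in ROLES[a.role]
        scope_ok = bool(OBJECT_SCOPES.get(obj, set()) & a.scopes)
        coll_ok = target is None or within_limit(target, a.collections)
        if role_ok and scope_ok and coll_ok:
            return True
    return False

# Hypothetical admin: may deploy Infrastructure-scoped apps to EMEA servers only.
alice = [Assignment("Application Deployment", {"Infrastructure"}, {"EMEA Servers"})]
```

Because access follows the limiting chain downward only, granting an admin a narrow collection never exposes the collection that limits it, which is the least-privilege property worth checking when reviewing assignments.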