Endpoint Insights

Role-Based Administration (RBA) Reporting Feature in MEMCM / SCCM

Microsoft Configuration Manager (ConfigMgr / MEMCM / MECM / SCCM) didn’t always allow for Role-Based Administration (RBA) within reports. This feature was added with the release of System Center 2012 R2 (CM12 R2). It gave administrators finer control over who can see which objects (generally computers or users via collections) within reports, based on their access as defined within the MCM console.

Prior to the SCCM R2 release, you were able to see all device (or user) collections in reports, regardless of whether you had access to them. While this may not be an issue for many, for others it can be quite a headache if you have hundreds of device collections to scroll through to locate the ones actually accessible to you. It could also be a GDPR-type issue for some multinational companies. Luckily, the release of CM12 R2 fixed that headache by allowing admins to view their collections only.

In the following webcast we take a quick look at how things were before and after implementing RBA. We will compare a couple of environments that I have set up, one with RBA and one without. This helps to illustrate how RBA is leveraged to limit which collections a particular user can see based on their MCM security roles.

Do all reports, whether community-written or commercially available, follow the RBA standards? No, not all reports leverage RBA. The main reason is that many authors don’t know how to write their reports to follow the standard. There is also a slight performance hit when leveraging RBA reports. However, this performance hit can be limited to a second or two when report queries are optimized, which means most people will never notice the time difference between an RBA and a non-RBA report. Software Update reports are the one place where you might see the difference in speed. As such, Endpoint Insights provides both RBA and non-RBA dashboards / reports. The team at Recast Software does follow the RBA standard for the console dashboards within Right Click Tool and for both the dashboards and the reports within Endpoint Insights. We feel it is important to limit access to reports if you, as the MCM administrator, have limited what other MCM admins can see.
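As an added illustration of what following the RBA standard means inside a report query (this is not Recast Software's code), the SQL below contrasts a non-RBA dataset with its RBA equivalent, using ConfigMgr's `fn_rbac_*` functions in place of the `v_*` views. It assumes the report supplies the `@UserSIDs` parameter, as RBA-enabled reports do; `@CollectionID` is a hypothetical report parameter.

```sql
-- Added example. @UserSIDs is assumed to be filled in by the report for the
-- user running it. For testing in SSMS only, RBA filtering can be bypassed:
--   DECLARE @UserSIDs VARCHAR(16) = 'Disabled';

-- Non-RBA dataset: lists every device collection to anyone who can run
-- the report, whatever their security scopes in the console.
SELECT c.CollectionID, c.Name, c.MemberCount
FROM v_Collection AS c
WHERE c.CollectionType = 2            -- 2 = device collections
ORDER BY c.Name;

-- RBA dataset: same columns, but the function returns only the collections
-- the calling user has been granted access to.
SELECT c.CollectionID, c.Name, c.MemberCount
FROM fn_rbac_Collection(@UserSIDs) AS c
WHERE c.CollectionType = 2
ORDER BY c.Name;

-- RBA has to carry through every dataset in the report, not only the
-- collection prompt. If the detail query still read from the v_* views,
-- a user could reach devices outside their scope by supplying another
-- collection ID.
-- @CollectionID: hypothetical parameter holding the selected collection.
SELECT s.Netbios_Name0, fcm.CollectionID
FROM fn_rbac_FullCollectionMembership(@UserSIDs) AS fcm
JOIN fn_rbac_R_System(@UserSIDs) AS s
  ON s.ResourceID = fcm.ResourceID
WHERE fcm.CollectionID = @CollectionID
ORDER BY s.Netbios_Name0;
```

When reviewing a third-party report, a dataset that selects directly from `v_Collection`, `v_FullCollectionMembership` or `v_R_System` is the sign that it does not honor RBA.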

We also recently re-explored this topic in our Endpoint Insights Hidden Gems webinar. In this example, I showed you how Endpoint Insights is leveraging the MCM RBA to only display the collection that the user has access to.

I hope you found this information helpful. As always, if you have any questions, please feel free to reach out to me at @GarthMJ.
