How to Use SCCM ConfigMgr RBA Viewer Exe to check RBAC settings


The RBA modeling and auditing tool (RBA Viewer) is a System Center 2012 Configuration Manager server troubleshooting tool. RBA Viewer is a new addition to the ConfigMgr toolkit. The modeling side of the tool helps you create a custom security role and export it. Auditing security roles and security scopes is also possible through RBA Viewer (RBAViewer.exe). Have you ever played with RBAViewer.exe? If not, start using it!

In this post, I'm trying to explore “RBA Viewer” in more detail and show how it can be used more effectively. The documentation provided with this toolkit (ToolkitHelp) is excellent; however, I've seen that a lot of us never look at that documentation. This is a continuation of my post about Policy Spy. The RBA modeling and auditing tool is part of the ConfigMgr 2012 Toolkit and can be downloaded from this LINK.

Note: You can use this tool only on a machine where the SCCM 2012 console is installed. To run this tool, the user has to be assigned to one of the following security roles: Full Administrator, Read-only Analyst or Security Administrator. The user also has to be assigned to “All security scope” and “All collections”. To analyze report folders and reports, the user must have SQL rights.

There are three very useful buttons in the top left corner of the tool: Audit RBA, Run As and Setting.


The following topics are covered in this post:

CREATE, CUSTOMIZE, TEST and EXPORT Security Role/s

Audit RBA – Entire Hierarchy

Run As – Audit RBA configuration for a specific user

 

CREATE, CUSTOMIZE, TEST and EXPORT Security Role/s

You can select built-in security roles from the Security Roles drop-down menu. Using RBA Viewer, you can CREATE, CUSTOMIZE, TEST and EXPORT security roles.

In the following pic, you can see that the new Remote Tools Operator role has been selected.


You can customize this security role as required with the help of the RBA tool. This is done very easily by selecting or deselecting check marks, as shown in the following pic.


Once you have customized the role as required, you can also test it with the help of the RBA tool. The AdminConsole and Reports tabs can be used to verify the assigned permissions.


Once you're done validating the console and reports, you can export the new security role to an XML file and import it for production use.


 

Audit RBA – Entire Hierarchy

The Audit RBA button in the top left corner of the tool can be used to audit all existing administrative users, the collection hierarchy and the security scopes in Configuration Manager.


1) The User Summary tab helps you audit the rights of a particular user.

In the following pic, we can see the access details of a user called Server Admins.

In my scenario, the Server Admins user has access to all the devices in a collection named All Server Clients, and Server Admins is Application Author, Application Administrator and Software Update Manager with respect to the “All Server Clients” collection.


2) The Collection Summary tab helps you audit the permissions of a particular user with respect to a collection.

In the following pic, we can see the access details of a user called Desktop Admins in a collection named “All Desktop Clients”.

In my scenario, Desktop Admins can take remote control of the devices and deploy applications to the devices in the collection “All Desktop Clients”. Also, the user “Desktop Admins” is Application Author and Application Administrator for those devices.

Note: The “Server Admins” user doesn't have any access to these devices.

Remote Tools Operator, Application Deployment Manager, Application Author and Application Administrator.


3) The Scopes Summary tab helps you audit the security scopes assigned to particular users in the hierarchy.

In the following pic, we can see the access details of a user called Server Admins. The user “Server Admins” has access to one application, one DP group and 16 Global Conditions. You can verify the same for the other users as well.
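The same user-to-role-to-collection pivot that the Audit RBA tabs display can be produced as a flat report for review or archiving. The following is an added example, not part of the original post or of the toolkit; it assumes the objects carry the `LogonName`, `RoleNames`, `CategoryNames` and `CollectionNames` properties that `Get-CMAdministrativeUser` returns, and the domain name, scope names and third account in the sample are constructed.

```powershell
# Added example: one row per (user, role, collection), with broad assignments marked.
function Get-RbaAuditRow {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Admin,
        # Assumption: which names count as "broad"; adjust to your hierarchy.
        [string[]] $BroadRoles       = @('Full Administrator'),
        [string[]] $BroadScopes      = @('All'),
        [string[]] $BroadCollections = @('All Systems', 'All Users and User Groups')
    )
    process {
        $scopes     = @($Admin.CategoryNames)   # security scopes of this user
        $broadScope = @($scopes | Where-Object { $BroadScopes -contains $_ }).Count -gt 0
        foreach ($role in @($Admin.RoleNames)) {
            foreach ($coll in @($Admin.CollectionNames)) {
                $why = @()
                if ($BroadRoles -contains $role)       { $why += 'broad role' }
                if ($broadScope)                       { $why += 'broad scope' }
                if ($BroadCollections -contains $coll) { $why += 'broad collection' }
                [pscustomobject]@{
                    User       = $Admin.LogonName
                    Role       = $role
                    Collection = $coll
                    Scopes     = $scopes -join '; '
                    Review     = $why -join ', '   # empty when nothing is flagged
                }
            }
        }
    }
}

# Constructed sample objects. Roles and collections of the first two follow the
# post; the domain, the scope names and the third account are made up.
$sample = @(
    [pscustomobject]@{ LogonName = 'CONTOSO\Server Admins'
        RoleNames = 'Application Author', 'Application Administrator', 'Software Update Manager'
        CategoryNames = @('Servers'); CollectionNames = @('All Server Clients') }
    [pscustomobject]@{ LogonName = 'CONTOSO\Desktop Admins'
        RoleNames = 'Remote Tools Operator', 'Application Deployment Manager'
        CategoryNames = @('Desktops'); CollectionNames = @('All Desktop Clients') }
    [pscustomobject]@{ LogonName = 'CONTOSO\svc-legacy'
        RoleNames = @('Full Administrator')
        CategoryNames = @('All'); CollectionNames = @('All Systems') }
)
$sample | Get-RbaAuditRow | Sort-Object Collection, User | Format-Table -AutoSize

# Against a live site, from a ConfigMgr PowerShell session on the site drive:
#   Get-CMAdministrativeUser | Get-RbaAuditRow | Export-Csv .\rba-audit.csv -NoTypeInformation
```

The report pairs every role of a user with every collection of that user, so it over-reports for accounts whose roles are associated with specific scopes and collections; confirm any flagged row in RBA Viewer before changing an assignment.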


 

Run As – Audit RBA configuration for a specific user

Select the green button in RBA Viewer (as shown in the pic). You just need to key in the Domain\UserName and select the button called CHECK.

There are 3 tabs available under the Run As option.

1) Assignment 2) Console and 3) Reports


1) The Assignment tab gives you the role and scope details for that particular user. You will see the security roles assigned to the user or to the security group the user belongs to.

In the following pic, you can see the roles and scopes assigned to a user called Desktop Admins.

The “Desktop Admins” user is associated with the roles Remote Tools Operator, Application Deployment Manager, Application Author and Application Administrator.


2) The Console tab shows you the SCCM 2012 console as that particular user sees it.

In the following pic, you can see the console view of the user called “Server Admins”. Notice that the user doesn't have access to OSD. The OSD section is missing from the console because the user doesn't have access to perform OSD tasks.


3) The Reports tab gives you the details of the permissions on each reporting folder for the particular user. As mentioned above, you need SQL access to use this tab. It lets you view the relationship between report folders and security objects.

In the following pic, you can see more details with respect to reporting for a user called “Server Admins”.


12 COMMENTS

  1. Hello,
    I tried your RBA tool and was able to create a custom help desk type of security role. I’m trying to allow them to add/delete machines to collections, run reports and remote. Everything works except deleting computers from collections. Do you know what custom permissions are needed for right click tools? There is no error message, nothing happens. Any help would be greatly appreciated.

    thanks,
    Jeff

  2. Big Question – What do you do when the results of the RBA tool conflict with what actually happens on the console?? i.e. you are granting rights to create metering rules to a role, the RBA tool says you should have rights to create metering rules, yet in the console it is greyed out?
