In this post, I’ll provide few tips to resolve some common issues with build-in security role “Infrastructure Administrator” assignments in ConfigMgr 2012.
More Details about Role-Based Administration here. Infra admins are not able to view “Default Client Settings” and couldn’t create “Custom Client Device Setting” or “Custom Client User Setting”.
FIX SCCM Default Client Settings Issue with SCCM Security Role Infra Admin ConfigMgr
Yes, we can easily make out this could be because of some Security Scope issues. But how to rectify?
I’ve two administrative groups (Infra Admin India and Infra Admin SGP) assigned to build in security role “Infrastructure Administrator”. One is for India admins and other is for Singapore admins.
They’ve access to their respective primary servers. I’ve created two scopes “India” and “Singapore”. These scopes are assigned to proper objects.
You can see the details of “Infra Admin India” administrative user from the following picture.
Security Role = Infrastructure Administrator
Security Scopes and Collections = All India Systems, All India User Collection and India
1. “Infra Admin India” user is not able to create “Custom Client Device Setting” or “Custom Client User Setting”.
You do not have permission to ‘Site’ on CAS. Make sure you have proper permission to ’Site’ on CAS and ‘Site’ is associated with your security Scope.
2. “Infra Admin India” user is not able to view the “Default Client Setting”. Result panel shows “No Item Found”
1. Open up ConfigMgr 2012 Console, Navigate through Administration –> Security –> Administrative Users –> Infra Admin India.
2. Right Click on “Infra Admin India” administrative User and click on Properties.
3. Go to second tab “Security Roles” and Click on “Add” button at the bottom to add new security role “Read Only Analyst”
4. Go to “Security Scopes” tab and Select the option called “Associate Assigned Security Roles with Specific Security Scopes and Collections”
5. Click on “Read-Only Analyst” security role and “Edit”
6. Removed the security Scope called “India”
7. Added security Scope called “Default”. Why? Will this give more rights to the Infra Admin India ? NO. It won’t because, we are allowing ONLY “Read-Only Analyst” access to “Infra Admin India” user. How we can do that associate “Read-Only Analyst” role with “Default” security Scope. Click OK button two times.
Launch Console with “Infra Admin India”.
1. “Default Client Settings” is viewable
2. “Infra Admin India” don’t have access to EDIT “Default Client Settings”. All options are greyed out .
3. “Infra Admin India” user can create “Custom Client Device Setting” and “Custom Client User Setting”