Use SCCM RBAC Viewer Exe to check RBAC settings ConfigMgr Endpoint Manager

The RBA modeling and auditing tool (RBA Viewer) is a System Center Configuration Manager server troubleshooting tool that you can use to check RBAC settings.

The SCCM RBAC viewer is a new addition to the ConfigMgr toolkit. The RBA modeling tool can help you to create a custom security role and export it.


The auditing of security role/s and security scope/s is also possible through RBA Viewer (RBAViewer.exe). Have you ever played with RBAViewer.exe? If not, start using it!


Looking for Intune RBAC? I would recommend reading the following post: https://www.anoopcnair.com/intune-rbac-roles


In this post, I’m trying to explore “RBA Viewer” in some more detail. How can it be used more effectively? The documentation provided with this toolkit is excellent (ToolkitHelp); however, I’ve seen that many of us never look into that documentation.

This is a continuation of my post about Policy Spy. The RBA modeling and auditing tool is part of the ConfigMgr Toolkit and can be downloaded from this LINK.


Note: You can use this tool only on a machine where the SCCM console is installed. To run this tool, the user has to be assigned to any one of the following security roles: Full Administrator, Read-only Analyst, or Security Administrator.

Also, the user has to be assigned to “All security scope” and “All collections.” To analyze the report folders and reports, the user must have SQL rights.

Three very useful buttons are in the top-left corner of the tool: Audit RBA, Run As, and Setting.


The following topics are covered in this post.

CREATE, CUSTOMIZE, TEST, and EXPORT Security Role/s

Audit RBA – Entire Hierarchy

Run As – Audit RBA configuration for a specific user

CREATE, CUSTOMIZE, TEST, and EXPORT Security Role/s

You can select built-in security roles from the Security Roles drop-down menu. Using RBA Viewer, you can CREATE, CUSTOMIZE, TEST, and EXPORT security role/s.

In the following pic, you can see that the new Remote Tool operator role has been selected.


You can customize this security role as per the requirement with the help of the RBA tool. This can be done very easily by selecting/deselecting check marks, as shown in the following pic.


Once you have customized the role as per the requirement, you can even test the same with the help of the RBA tool. The tabs AdminConsole and Reports can be used to verify the assigned permissions.


Once you’ve validated the console and reports, you can export the new security role into an XML file and IMPORT the same for production use.


Audit RBA – Entire Hierarchy

The Audit RBA button in the top-left corner of the tool can perform an audit of all existing administrative users, the collection hierarchy, and the security scopes in Configuration Manager.


1) The User Summary tab will help you to audit the rights of a particular user.

In the following pic, we can see the access details of a user called Server Admins.

In my scenario, the Server Admins user has access to all the devices in a collection named All Server Clients. Server Admins is Application Author, Application Administrator, and Software Update Manager for the “All Server Clients” collection.


2) The Collection Summary tab will help you audit the permissions of a particular user on a collection.

In the following pic, we can see the access details of a user called Desktop Admins in a collection named “All Desktop Clients.”

In my scenario, Desktop Admins can take remote control of the devices and deploy applications to the devices in the collection “All Desktop Clients.” Also, the user “Desktop Admins” is Application Author and Application Administrator for those devices. SCCM RBAC viewer is helpful in this scenario.

Note: “Server Admins” users don’t have any access to these devices.

Remote Tools Operator, Application Deployment Manager, Application Author, and Application Administrator.


3) The Scopes Summary tab will help you audit the security scopes assigned to a particular user/s in the hierarchy.

In the following pic, we can see the access details of a user called Server Admins. The user “Server Admins” has access to one application, one DP group, and 16 Global Conditions. You can verify the same for the other users as well.
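The per-collection and per-user views that the Audit RBA tabs show can also be produced as text from the administrative-user records, which is handy for a periodic least-privilege review. The PowerShell below is an added example, not part of RBA Viewer or of the original post. The sample records, the CONTOSO domain, the sccm-admin account and the Servers/Desktops scope names are constructed, and it assumes every role of a user applies to every collection listed for that user.

```powershell
Set-StrictMode -Version Latest

# Constructed sample records shaped like Get-CMAdministrativeUser output
# (LogonName, RoleNames, CollectionNames, CategoryNames = security scopes).
# The CONTOSO domain, the sccm-admin account and the Servers/Desktops scope
# names are placeholders.
$sampleAdmins = @(
    [pscustomobject]@{ LogonName = 'CONTOSO\Server Admins'
        RoleNames       = 'Application Author', 'Application Administrator', 'Software Update Manager'
        CollectionNames = @('All Server Clients'); CategoryNames = @('Servers') }
    [pscustomobject]@{ LogonName = 'CONTOSO\Desktop Admins'
        RoleNames       = 'Remote Tools Operator', 'Application Deployment Manager', 'Application Author', 'Application Administrator'
        CollectionNames = @('All Desktop Clients'); CategoryNames = @('Desktops') }
    [pscustomobject]@{ LogonName = 'CONTOSO\sccm-admin'
        RoleNames       = @('Full Administrator')
        CollectionNames = 'All Systems', 'All Users and User Groups'; CategoryNames = @('All') }
)

# One row per (collection, user): who can do what on which collection.
function Get-RbaCollectionSummary {
    param([Parameter(Mandatory)][object[]]$Admin)
    foreach ($a in $Admin) {
        foreach ($c in $a.CollectionNames) {
            [pscustomobject]@{
                Collection = $c
                User       = $a.LogonName
                Roles      = ($a.RoleNames | Sort-Object) -join '; '
                Scopes     = $a.CategoryNames -join '; '
            }
        }
    }
}

# Assignments worth a least-privilege review: the Full Administrator role,
# the built-in "All" scope, or the All Systems collection.
function Get-RbaBroadAccess {
    param([Parameter(Mandatory)][object[]]$Admin)
    $Admin | Where-Object {
        $_.RoleNames -contains 'Full Administrator' -or
        $_.CategoryNames -contains 'All' -or
        $_.CollectionNames -contains 'All Systems'
    } | Select-Object -ExpandProperty LogonName
}

# Against a live site, replace $sampleAdmins with Get-CMAdministrativeUser
# (ConfigurationManager module, run from the site drive).
Get-RbaCollectionSummary -Admin $sampleAdmins | Sort-Object Collection, User | Format-Table -AutoSize
Get-RbaBroadAccess -Admin $sampleAdmins
```

With the sample data, the summary lists Desktop Admins only under “All Desktop Clients” and Server Admins only under “All Server Clients”, and the broad-access check returns only the constructed sccm-admin account.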


Run As – Audit RBA configuration for a specific user

Select the Green Button on the RBA viewer (as shown in the pic). You need to key in the Domain\UserName and select the button called CHECK.

Three tabs are available under the Run As option: 1) Assignment, 2) Console, and 3) Reports.


1) Assignment tab will help you get the role and the scope details for that particular user. You will see the security roles assigned to the user or the security group the user belongs to.

In the following pic, you can see the roles and scopes assigned to a user called Desktop Admins.

The “Desktop Admins” user is associated with the roles like Remote Tools Operator, Application Deployment Manager, Application Author, and Application Administrator.


2) The Console tab will help you view the SCCM 2012 console as that particular user sees it.

In the following pic, you can see the console view of the user called “Server Admins.” Notice that the user doesn’t have access to OSD. The OSD section is missing from the console because the user doesn’t have access to perform OSD tasks.


3) The Reports tab will help you get the details about the permissions on each reporting folder for the particular user. As mentioned above, to use this tab, you should have SQL access. It lets you view the relationship between report folders and security objects.

In the following pic, you can see more details concerning reporting for a user called “Server Admins.”


Author

Anoop is a Microsoft MVP! He is a Solution Architect on enterprise client management with over 17 years of experience (calculation done in 2018). He is a blogger, speaker, and local user group HTMD Community leader. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about technologies like ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

7 thoughts on “Use SCCM RBAC Viewer Exe to check RBAC settings ConfigMgr Endpoint Manager”

  1. Hello,
    I tried your RBA tool and was able to create a custom help desk type of security role. I’m trying to allow them to add/delete machines to collections, run reports and remote. Everything works except deleting computers from collections. Do you know what custom permissions are needed for right click tools? There is no error message, nothing happens. Any help would be greatly appreciated.

    thanks,
    Jeff

  2. Big Question – What do you do when the results of the RBA tool conflict with what actually happens on the console?? i.e., you are granting rights to create metering rules to a role, the RBA tool says you should have rights to create metering rules, yet in the console it is greyed out?
