SCCM RBAC Security Role OSD Manager Does Not Have Access to Create TS ConfigMgr

The SCCM RBAC Security Role OSD Manager does not have access to Create TS ConfigMgr.

RBAC, which stands for Role-Based Access Control, is a way to limit network admittance based on the roles of individual users within an enterprise.

With RBAC, also known as role-based security, organizations can choose who gets to do what based on an employee’s specific roles and duties.

In this post, I’ll provide a few tips on resolving some common issues with the built-in security role “Operating System Deployment Manager” (OSD Manager) assignments in ConfigMgr 2012.

Patch My PC

SCCM RBAC Security Role OSD Manager Does Not Have Access to Create TS ConfigMgr

SCCM RBAC Security Role OSD Manager Does Not Have Access to Create TS ConfigMgr - Fig.1
SCCM RBAC Security Role OSD Manager Does Not Have Access to Create TS ConfigMgr – Fig.1

OSD Managers are not able to view Task Sequence and are unable to create Task Sequence.

Yes, we can easily determine that this could be due to some Security Scope. But how can we rectify this? I don’t want local administrators to edit the Global Task Sequence, so there are no extra permissions.

Adaptiva

Setup

I’ve two administrative groups (OSD Manager India and OSD Manager SGP) assigned to the built-in security role Operating System Deployment Manager. One is for India admins, and the other is for Singapore admins.

All the OSD-related packages are global packages and assigned to Scope Global.

They have access to their respective primary servers. I’ve created two scopes, “India” and “Singapore.” These scopes are assigned to appropriate objects.

The following picture shows the details of the “OSD Manager India” administrative user.

Security Role = Operating System Deployment Manager

SCCM RBAC Security Role OSD Manager Does Not Have Access to Create TS ConfigMgr - Fig.2
SCCM RBAC Security Role OSD Manager Does Not Have Access to Create TS ConfigMgr – Fig.2

Security Scopes and Collections = All India Systems, All India User Collection, and India

SCCM RBAC Security Role OSD Manager Does Not Have Access to Create TS ConfigMgr - Fig.3
SCCM RBAC Security Role OSD Manager Does Not Have Access to Create TS ConfigMgr – Fig.3

Issue/Problem

1. OSD Manager India is unable to view the Task Sequence available. The Result panel shows No Item Found.

The same issue applies to Operating System Images, Boot Images, etc.

SCCM RBAC Security Role OSD Manager Does Not Have Access to Create TS ConfigMgr - Fig.4
SCCM RBAC Security Role OSD Manager Does Not Have Access to Create TS ConfigMgr – Fig.4

2. OSD Manager India cannot create a Task Sequence. (obviously, because the boot image and Operating System Image are not available)

Resolution

1. Open up ConfigMgr 2012 Console, Navigate through Administration –> Security –> Administrative Users –> OSD Manager India.

SCCM RBAC Security Role OSD Manager Does Not Have Access to Create TS ConfigMgr - Fig.5
SCCM RBAC Security Role OSD Manager Does Not Have Access to Create TS ConfigMgr – Fig.5

2. Right-click on the OSD Manager India administrative User and click on Properties.

3. Go to the second tab, Security Roles, and click on the “Add” button at the bottom to add the new security role “Read Only Analyst

SCCM RBAC Security Role OSD Manager Does Not Have Access to Create TS ConfigMgr - Fig.6
SCCM RBAC Security Role OSD Manager Does Not Have Access to Create TS ConfigMgr – Fig.6
SCCM RBAC Security Role OSD Manager Does Not Have Access to Create TS ConfigMgr - Fig.7
SCCM RBAC Security Role OSD Manager Does Not Have Access to Create TS ConfigMgr – Fig.7

4. Go to the “Security Scopes” tab and select the option called “Associate Assigned Security Roles with Specific Security Scopes and Collections”

SCCM RBAC Security Role OSD Manager Does Not Have Access to Create TS ConfigMgr - Fig.8
SCCM RBAC Security Role OSD Manager Does Not Have Access to Create TS ConfigMgr – Fig.8

5. Click on the Read-Only Analyst security role and Edit.

SCCM RBAC Security Role OSD Manager Does Not Have Access to Create TS ConfigMgr - Fig.9
SCCM RBAC Security Role OSD Manager Does Not Have Access to Create TS ConfigMgr – Fig.9

6. Removed the security Scope called India

SCCM RBAC Security Role OSD Manager Does Not Have Access to Create TS ConfigMgr - Fig.10
SCCM RBAC Security Role OSD Manager Does Not Have Access to Create TS ConfigMgr – Fig.10

7. We have added a security Scope called Default. Why? Will this give the OSD Manager India more rights? NO. It won’t because we allow only “Read-Only Analyst” access to the OSD Manager India users. How can we do that? Associate the “Read-Only Analyst” role with the “Default” security Scope. Click the OK button two times.

SCCM RBAC Security Role OSD Manager Does Not Have Access to Create TS ConfigMgr - Fig.11
SCCM RBAC Security Role OSD Manager Does Not Have Access to Create TS ConfigMgr – Fig.11
SCCM RBAC Security Role OSD Manager Does Not Have Access to Create TS ConfigMgr - Fig.12
SCCM RBAC Security Role OSD Manager Does Not Have Access to Create TS ConfigMgr – Fig.12

Results

Launch Console with “OSD Manager India”.

1. “Task Sequence” is viewable

SCCM RBAC Security Role OSD Manager Does Not Have Access to Create TS ConfigMgr - Fig.13
SCCM RBAC Security Role OSD Manager Does Not Have Access to Create TS ConfigMgr – Fig.13

2. “OSD Manager India” doesn’t have an EDIT option for global “Task Sequence”.

SCCM RBAC Security Role OSD Manager Does Not Have Access to Create TS ConfigMgr - Fig.14
SCCM RBAC Security Role OSD Manager Does Not Have Access to Create TS ConfigMgr – Fig.14

3.  “OSD Manager India” user can create “Deployments

SCCM RBAC Security Role OSD Manager Does Not Have Access to Create TS ConfigMgr - Fig.15
SCCM RBAC Security Role OSD Manager Does Not Have Access to Create TS ConfigMgr – Fig.15

We are on WhatsApp. To get the latest step-by-step guides and news updates, Join our Channel. Click here –HTMD WhatsApp.

Author

Anoop C Nair has been Microsoft MVP from 2015 onwards for 10 consecutive years! He is a Workplace Solution Architect with more than 22+ years of experience in Workplace technologies. He is also a Blogger, Speaker, and leader of the Local User Group Community. His main focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Windows, Entra, Microsoft Security, Career, etc..

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.