The SCCM RBAC Security Role OSD Manager does not have access to Create TS ConfigMgr.
RBAC, which stands for Role-Based Access Control, is a way to restrict network access based on the roles of individual users within an enterprise.
With RBAC, also known as role-based security, organizations can choose who gets to do what based on an employee’s specific roles and duties.
In this post, I’ll provide a few tips on resolving some common issues with the built-in security role “Operating System Deployment Manager” (OSD Manager) assignments in ConfigMgr 2012.
SCCM RBAC Security Role OSD Manager Does Not Have Access to Create TS ConfigMgr
OSD Managers are not able to view Task Sequences and are unable to create a Task Sequence.
Yes, we can easily determine that this could be due to some Security Scope. But how can we rectify this? I don’t want local administrators to edit the Global Task Sequence, so there are no extra permissions.
Setup
I’ve two administrative groups (OSD Manager India and OSD Manager SGP) assigned to the built-in security role Operating System Deployment Manager. One is for India admins, and the other is for Singapore admins.
All the OSD-related packages are global packages and assigned to Scope Global.
They have access to their respective primary servers. I’ve created two scopes, “India” and “Singapore.” These scopes are assigned to appropriate objects.
The following picture shows the details of the “OSD Manager India” administrative user.
Security Role = Operating System Deployment Manager
Security Scopes and Collections = All India Systems, All India User Collection, and India
Issue/Problem
1. OSD Manager India is unable to view the available Task Sequences. The Result panel shows "No Item Found".
The same issue applies to Operating System Images, Boot Images, etc.
2. OSD Manager India cannot create a Task Sequence (obviously, because the boot image and Operating System Image are not available).
Resolution
1. Open the ConfigMgr 2012 console and navigate to Administration –> Security –> Administrative Users –> OSD Manager India.
2. Right-click on the OSD Manager India administrative user and click on Properties.
3. Go to the second tab, Security Roles, and click on the “Add” button at the bottom to add the new security role “Read-Only Analyst”.
4. Go to the “Security Scopes” tab and select the option called “Associate Assigned Security Roles with Specific Security Scopes and Collections”.
5. Click on the Read-Only Analyst security role and click Edit.
6. Remove the security scope called India.
7. Add the security scope called Default. Why? Will this give the OSD Manager India more rights? No. It won’t, because we allow the OSD Manager India users only “Read-Only Analyst” access to that scope. How can we do that? Associate the “Read-Only Analyst” role with the “Default” security scope. Click the OK button two times.
Results
Launch Console with “OSD Manager India”.
1. “Task Sequence” is viewable
2. “OSD Manager India” doesn’t have an EDIT option for global “Task Sequence”.
3. “OSD Manager India” user can create “Deployments”
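The reasoning behind steps 4 to 7, as an added example that is not part of the original post and not ConfigMgr code: a small Python model of how role-to-scope associations decide what an administrative user can do to an object. It assumes the global OSD objects sit in the Default scope, uses reduced permission sets for the two roles, and ignores collections; the "too_broad" case models adding Default while leaving every role associated with every scope.

```python
# Simplified model of ConfigMgr RBAC. An administrative user holds
# (security role, security scopes) associations; an operation on an object is
# allowed when a role granting it is associated with one of the object's scopes.
# The permission sets are reduced assumptions, not the full built-in roles.
OSD = "Operating System Deployment Manager"
RO = "Read-Only Analyst"
ROLE_PERMS = {
    OSD: {"Read", "Modify", "Create", "Delete"},
    RO: {"Read"},
}

def effective_perms(associations, object_scopes):
    """Union of permissions from roles whose scopes overlap the object's scopes."""
    perms = set()
    for role, scopes in associations:
        if set(scopes) & set(object_scopes):
            perms |= ROLE_PERMS[role]
    return perms

def all_roles_all_scopes(roles, scopes):
    """Every assigned role applies to every assigned scope (no per-role association)."""
    return [(role, set(scopes)) for role in roles]

GLOBAL_TS = {"Default"}  # assumed scope of the global task sequence and images
INDIA_TS = {"India"}     # hypothetical task sequence created in the India scope

before = [(OSD, {"India"})]                       # the original setup
after = [(OSD, {"India"}), (RO, {"Default"})]     # the resolution in this post
too_broad = all_roles_all_scopes([OSD, RO], {"India", "Default"})

def report():
    """Effective permissions on a global and a local object for each setup."""
    rows = {}
    for name, assoc in (("before", before), ("after", after), ("too_broad", too_broad)):
        rows[name] = {
            "global": sorted(effective_perms(assoc, GLOBAL_TS)),
            "india": sorted(effective_perms(assoc, INDIA_TS)),
        }
    return rows

if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:10} global={row['global']} india={row['india']}")
```

Only the per-role association keeps the global objects read-only for the India admins; with every role applied to every scope, the OSD Manager role's Modify permission would reach the Default scope as well.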
Author
Anoop C Nair has been a Microsoft MVP from 2015 onwards for 10 consecutive years! He is a Workplace Solution Architect with 22+ years of experience in Workplace technologies. He is also a Blogger, Speaker, and leader of the Local User Group Community. His main focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, Career, etc.