
Device Protection with Microsoft Endpoint Manager and Microsoft Defender for Endpoint
Module 02: Role Based Access Control (RBAC)
Microsoft Services
Microsoft Confidential V04.21-2010
Module Overview
• RBAC Fundamentals
• RBAC Reporting Overview
• RBAC Report Parameters
• Implementing RBAC in Queries
• Lab 02: Implementing RBAC
Module 02: Role Based Access Control

RBAC Fundamentals
RBAC Fundamentals
Role-based Access Control (RBAC) is based on the security roles, security scopes, and collections assigned to a user/group in Configuration Manager.
RBAC security applies to the Configuration Manager console and Configuration Manager reports.
[Diagram: User/group at the centre, linked to Security Roles, Security Scopes, and Collections]
RBAC Fundamentals
RBAC in Configuration Manager
• Security Role: What actions? Object + Permissions
  • Role: Application Administrator
  • Object: Package, Application, App Group
  • Permissions: Read, Modify, Delete, Run Report
• Scope (Group): Which objects? Permissions to specific objects and folders
  • Scope: Desktop
• Collection: Where? Which resources?
  • Collection: Desktop Machines
RBAC Fundamentals
Security Roles (15 built-in roles)
• A group of security permissions assigned to users/groups
• Defines the actions a user/group can perform
• Create Custom Security Roles based on a built-in role
• Import Security Roles from another hierarchy
• Import Security Roles from roles created and exported using the RBA Viewer application
• Best practice is to provide the least privileges that are necessary for a role
RBAC Fundamentals
Using the RBA Viewer tool
• Located in ‘\CD.Latest\SMSSETUP\Tools\ServerTools\RBAViewer.exe’
• Allows you to view the user experience of a role
• Modify/create and export a custom role as XML
• Must have Full Administrator, Read-only Analyst, or Security Administrator role rights to use the tool
• The account running the tool must be assigned to the All security scope and All collections
• To analyze report folder security, the user must have Microsoft SQL Server access
• To analyze report drill through, the user must run this tool on the site with the reporting services point installed
RBAC Fundamentals
Security Scopes
• Provide access to securable objects (applications, packages, boundaries, etc.)
• All securable objects must be assigned to a security scope
• A scope can contain multiple securable objects
• Each securable object can be a part of multiple scopes
• Two built-in security scopes:
  • All – Grants access to all scopes. Objects cannot be assigned to this scope
  • Default – Used for all objects by default. Can be assigned/unassigned
• Create custom security scopes
RBAC Fundamentals
Security Scopes: Objects that can be Scoped
• Alert subscriptions
• Applications and packages
• Folders (1906 and later)
• Boot images
• Driver packages
• Boundary groups
• Configuration items
• Custom client settings
• DP and DP groups
• Global conditions
• Migration jobs
• OS images
• OS installation packages
• Packages
• Queries
• Sites
• Software metering rules
• Software update groups
• Software updates packages
• Task sequence packages
• Windows CE device setting items and packages
RBAC Fundamentals
Security Scopes: Objects not limited with Scopes
• Active Directory forests
• Administrative users
• Alerts
• Antimalware policies
• Boundaries
• Computer associations
• Default client settings
• Deployment templates
• Device drivers
• Exchange Server connector
• Migration site-to-site mappings
• Mobile device enrollment profiles
• Security roles
• Security scopes
• Site addresses
• Site system roles
• Software titles
• Software updates
• Status messages
• User device affinities
RBAC Fundamentals
Collections
• Grouping of user or computer resources
• Collections are used to limit administrative users to certain resources
• If administrative users have permissions to a collection, they also have permissions to collections that are limited to that collection
• Collections can be created for various scenarios. Some examples:
  • Functional
  • Geographic
  • Security and business process
  • Organizational alignment
• Collections cannot be included in a Security Scope
Module 02: Role Based Access Control

RBAC Reporting Overview
RBAC Reporting Overview
Report Access
• Native reports in Configuration Manager utilize RBAC.
• Access to Reports is granted through Security Roles.
• Security Roles provide access to only the reports available for that role.
• Users in multiple roles can have access to more reports.
• Create Custom roles for more customized access.
• The default role Read-only Analyst can run all reports.
[Diagram: User/group linked to Security Roles, Security Scopes, and Collections]
RBAC Reporting Overview
Report Security Control
• Security rights are based on Role Assignment.
• Security is set on folders in Report Manager.
• Security policies are automatically re-applied every 10 minutes to the report folders in SSRS.
RBAC Reporting Overview
Securing Report Content
• Queries in the native Configuration Manager reports are fully
enabled for RBAC.
• Ability to secure reports based on Security Scope.
• Ability to secure reported content based on Collections.
Module 02: Role Based Access Control

RBAC Report Parameters
RBAC Report Parameters
Built-in Report Parameters
• @UserTokenSIDs
• @UserSIDs
• DataSetAdminID
RBAC Report Parameters
@UserTokenSIDs
• Contains the SID of the user running the report.
• Internal Report Parameter.
• Uses an SSRS function to obtain the SID.
• .NET assembly that is part of SrsResources.dll, used from the Report Server.
• Value is used in the DataSetAdminID dataset.
RBAC Report Parameters
@UserSIDs
• Internal report parameter.
• Contains the AdminID of the user’s RBAC accounts.
• Value is provided by the DataSetAdminID dataset.
• Used in RBAC queries.
RBAC Report Parameters
DataSetAdminID
• Uses the @UserTokenSIDs report parameter.
• Returns a comma separated value (CSV) list of AdminIDs.
• Used to populate the @UserSIDs parameter.
• Uses the fn_rbac_GetAdminIDsfromUserSIDs function.
Module 02: Role Based Access Control

Implementing RBAC in Queries
Implementing RBAC in Queries
RBAC Functions
• Table-valued functions that return SQL table data.
• A function exists for each Reporting View.
• Identified by the fn_rbac prefix.
• Functions are automatically created for all custom inventory classes.
Implementing RBAC in Queries
Using Functions in Queries
• You can convert a query based on views to a query based on RBAC functions.
• Replace v_ with fn_rbac_:
  • SQL Reporting View: v_CIAssignment
  • RBAC Function: fn_rbac_CIAssignment
• Placed in a standard SELECT statement.
• Requires a parameter of either the AdminID or ‘disabled’.
• The AdminID is associated to a user or group added to ConfigMgr.
Implementing RBAC in Queries
Identifying the AdminID:
• AdminID is stored in the RBAC_Admins table.
• Users can be associated with more than one ID due to group membership.
• dbo.fn_rbac_GetAdminIDsfromUserSIDs is used to obtain the IDs for all users or groups.
Implementing RBAC in Queries
Build T-SQL Query:
• Create the query using RBAC functions.
• Use the ‘disabled’ parameter to test the query for accuracy.
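The following T-SQL is an added example, not part of the module or of the product's own report definitions. It ties the report parameters (@UserTokenSIDs, @UserSIDs, DataSetAdminID) to the view-to-function conversion and the ‘disabled’ test described above; the column names on v_CIAssignment and RBAC_Admins, the account name and the AdminID values are assumed for illustration.

```sql
-- Added example (not from the slides). Column names, the account name and the
-- AdminID values are placeholders; the function names and parameters are the
-- ones the module describes.

-- 1. View-based query: no RBAC filtering, every row is returned.
SELECT ci.AssignmentID, ci.AssignmentName, ci.CollectionID
FROM   v_CIAssignment AS ci;

-- 2. Same query converted to the RBAC function (v_ -> fn_rbac_).
--    @UserSIDs is the CSV list of AdminIDs for the caller; the function only
--    returns rows inside that admin's security scopes and collections.
SELECT ci.AssignmentID, ci.AssignmentName, ci.CollectionID
FROM   fn_rbac_CIAssignment(@UserSIDs) AS ci;

-- 3. DataSetAdminID: how a report turns the caller's token SIDs into AdminIDs.
--    @UserTokenSIDs is filled by the SSRS function from SrsResources.dll.
SELECT dbo.fn_rbac_GetAdminIDsfromUserSIDs(@UserTokenSIDs) AS UserSIDs;

-- 4. Authoring outside SSRS: look up the AdminID(s) of the account you are
--    testing as (one account may map to several IDs via group membership) ...
SELECT AdminID, LogonName
FROM   RBAC_Admins
WHERE  LogonName = N'CONTOSO\jdoe';          -- placeholder account

--    ... and pass them as the same CSV string the report would supply.
SELECT ci.AssignmentID, ci.AssignmentName
FROM   fn_rbac_CIAssignment(N'16777217,16777221') AS ci;   -- placeholder IDs

-- 5. 'disabled' bypasses RBAC. Compare the counts: the scoped query should
--    return exactly the subset that admin is entitled to, and nothing more.
SELECT (SELECT COUNT(*) FROM fn_rbac_CIAssignment('disabled'))              AS AllRows,
       (SELECT COUNT(*) FROM fn_rbac_CIAssignment(N'16777217,16777221'))    AS ScopedRows;
```

Run step 4 and 5 against a test account with a deliberately narrow role and scope; if ScopedRows equals AllRows, the function parameter is not being applied and the report would leak rows outside the viewer's scope.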
Knowledge Measure
o What does a Security Scope accomplish?
o What is the default Security Role that has access to all Reports?
o What is the purpose of a Security Role?
o Is it possible to limit administrative users with collections in specific folders?
Module Summary
• Role Based Access Control (RBAC) allows control over the functions administrators can perform, and where they are allowed to perform them.
• RBAC is a combination of Roles (what actions the administrator can perform) and Scopes (where the administrator can perform those actions).
• Custom reports can have RBAC controls implemented.
Lab 02: Implementing RBAC
• Exercise 1: Configure RBA security objects.
• Exercise 2: Verify user.

© 2015 Microsoft Corporation. All rights reserved.