Microsoft Services
Microsoft Confidential V04.21-2010
Module Overview
• RBAC Fundamentals
• RBAC Reporting Overview
• RBAC Report Parameters
• Implementing RBAC in Queries
• Lab 02: Implementing RBAC
Module 02: Role Based Access Control
RBAC Fundamentals
Role-based Access Control (RBAC) is based on the security roles, security scopes, and collections assigned to a user/group in Configuration Manager.
RBAC security applies to the Configuration Manager console and Configuration Manager reports.
[Diagram: User/group, Security Roles, Security Scopes, Collections]
RBAC Fundamentals
RBAC in Configuration Manager
RBAC Reporting Overview
Report Access
• Native reports in Configuration Manager utilize RBAC.
• Access to reports is granted through Security Roles.
• Security Roles provide access to only the reports available for that role.
• Users in multiple roles can have access to more reports.
• Create custom roles for more customized access.
• The default role Read-only Analyst can run all reports.
[Diagram: User/group, Security Roles, Security Scopes, Collections]
RBAC Reporting Overview
Report Security Control
• Security Rights based on Role Assignment.
RBAC Report Parameters
Built-in Report Parameters
@UserTokenSIDs
@UsersSIDs
DataSetAdminID
RBAC Report Parameters
@UserTokenSIDs
Implementing RBAC in Queries
RBAC Functions
• Table-valued functions that return SQL table data.
• A function exists for each Reporting View.
• Identified by the fn_rbac prefix.
• Functions are automatically created for all custom Inventory classes.
Implementing RBAC in Queries
Using Functions in Queries
• You can convert a query based on views to a query based on RBAC functions.
• Replace v_ with fn_rbac_:
  • SQL Reporting View: v_CIAssignment
  • RBAC Function: fn_rbac_CIAssignment
• The function is placed in a standard SELECT statement.
• It requires a parameter: either the AdminID or ‘disabled’.
• The AdminID is associated with a user or group added to ConfigMgr.
Implementing RBAC in Queries
Identifying the AdminID:
• The AdminID is stored in the RBAC_Admins table.
• Users can be associated with more than one ID due to group membership.
• dbo.fn_rbac_GetAdminIDsfromUserSIDs is used to obtain the ID for all users or groups.
Implementing RBAC in Queries
Build T-SQL Query:
• Create the query using RBAC.
• Use the ‘disabled’ parameter to test the query for accuracy.
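The conversion described on the preceding slides, as an added example that is not part of the original deck. The views v_R_System and v_GS_OPERATING_SYSTEM, their columns, and the variable name @AdminIDs are assumptions chosen for illustration; the functions follow the v_ to fn_rbac_ naming rule stated above.

```sql
-- Added example (not from the original deck). Run against the site database.
-- Assumed objects: v_R_System / v_GS_OPERATING_SYSTEM and their fn_rbac_ twins.

-- Step 1: the original query, built on reporting views.
-- No RBAC filtering: every row is returned to anyone who can read the views.
SELECT rs.Name0    AS ComputerName,
       os.Caption0 AS OperatingSystem
FROM   v_R_System AS rs
JOIN   v_GS_OPERATING_SYSTEM AS os
       ON os.ResourceID = rs.ResourceID
ORDER  BY rs.Name0;

-- Step 2: the same query on RBAC functions (v_ replaced with fn_rbac_).
-- Each function takes one parameter: the AdminID list, or 'disabled'.
-- @AdminIDs is a hypothetical local variable used for testing only.
DECLARE @AdminIDs varchar(max) = 'disabled';   -- RBAC filtering off

SELECT rs.Name0    AS ComputerName,
       os.Caption0 AS OperatingSystem
FROM   fn_rbac_R_System(@AdminIDs) AS rs
JOIN   fn_rbac_GS_OPERATING_SYSTEM(@AdminIDs) AS os
       ON os.ResourceID = rs.ResourceID
ORDER  BY rs.Name0;

-- With 'disabled', Step 2 should return the same rows as Step 1.
-- A difference means the conversion changed the query logic, not its security.

-- Step 3: in the report, do not ship the literal 'disabled'.
-- Resolve the AdminIDs of the user running the report and pass them instead.
-- @UserTokenSIDs is supplied by the report at run time, so this statement
-- belongs in a report dataset rather than in an ad hoc test session:
--
--   SELECT dbo.fn_rbac_GetAdminIDsfromUserSIDs(@UserTokenSIDs) AS UserSIDs;
--
-- The returned value then replaces 'disabled' as the function parameter,
-- so the report shows only rows inside the user's roles, scopes and collections.
```

A custom report left with ‘disabled’ as its parameter returns unfiltered data to every user who can run it, so check for that literal before publishing.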
Knowledge Measure
o What does a Security Scope accomplish?
o What is the default Security Role that has access to all Reports?
o What is the purpose of a Security Role?
o Is it possible to limit administrative users with collections in specific folders?
Module Summary
• Role Based Access Control (RBAC) allows control over the functions administrators can perform, and where they are allowed to perform them.
• RBAC is a combination of Roles (what actions the administrator can perform) and Scopes (where the administrator can perform those actions).
• Custom reports can have RBAC controls implemented.
Lab 02: Implementing RBAC