SCCM 2012 R2 comes with 15 built-in roles. For most of you, this is plenty to fulfill your needs. However if you have custom needs, it’s possible to create your own.
When creating your first role, you may be lost in all those security rights.
Instead of doing your role directly in the console, I suggest to use the Role-based Administration Modelling and Auditing Tool which is available in the SCCM 2012 toolkit.
This tool helps administrators to model and audit RBA configurations. It’s graphical, you can compare your custom based role with the built-in ones. You can see right away the impact visually in the console.
Here’s an example. Let’s say I have someone in the company that need read access on the Application and packages only. Sure you can use the Read-Only Analyst role but this would let the user “see” much more than you want.
Let’s open the tool :
At first, the tool start with the “Full Administrator role”
Let’s select “Security Role” and choose Read only assist. The tools apply Read only to all nodes.
For our example, Let’s uncheck all but Applications and Packages and only check Read.
Click on Analyse. You’ll automatically sees what the user will see on the right pane. The user will see only Application and Package which is what we want.
You can also compare your role with the build-in ones by selecting the Similarity tab
Once you’re satisfied with your role you can click Export. A .xml files will be created, you can now use this .xml in the SCCM console.
Right click Security Roles and select Import Security role. Assign your user to your new role and you’re done !
Microsft has also release a Matrix of Role-Based Administration Permissions for ConfigMgr 2012 which can be useful for understanding build-in roles.