As part of our service optimization model we are trying to extend the software distribution (Group Based) and Reporting to our Service Desk folks. Having worked with SCCM 2012 RBAC I was of the impression that this is fairly simple. However, I have been hearing that we can't give partial/role based access to a group of operators. Which is really shocking for me! And we are about to open a PMR as well. However, before we do that, please could someone let me know if we can implement this using IEM. Basically this is what we would want the SD to do:
i) Add workstations to Application Installation Groups (already created). They could have view access but not delete.
ii) Generate a report about the status of the deployment.
When you talk about application installation, are you talking about specific computers getting manually put into specific groups just for the installation of specific software? What is the mechanism by which the service desk would be driven to add a PC to a group?
I would probably give the service desk access to Web Reports and then I would have the Application Installation Groups be based on active directory group membership. Service Desk staff could add computers to an Active Directory group and then the computer would receive the software once it has updated its computer group relevance.
SD wouldn't be having access to AD anytime soon going by the present design. Is there no option available through IEM? We have the same option already available for other support groups.
Have you thought about creating console operator accounts but denying access to creating actions and giving them RW access to the site that contains the relevant application installation groups?
I believe you could give Service Desk staff console operators access to all machines, but only read access to a single custom site that only contains tasks that set settings which cause the computers to join groups for software deployment.
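A concrete shape for the approach in this reply, added here as an illustration and not taken from the thread or from IBM's documentation: a task in the delegated custom site stamps a client setting, and an automatic computer group keys its relevance on that setting, so the Service Desk only ever touches the task and never the group definition. The setting name SD_InstallGroup and the value Office are constructed placeholders.

```bigfix
// Task action script (lives in the custom site the Service Desk can read).
// Stamps the client with a setting naming the application installation group.
// "SD_InstallGroup" and "Office" are constructed placeholder names.
setting "SD_InstallGroup"="Office" on "{parameter "action issue date" of action}" for client

// Automatic computer group relevance for the "Office" installation group.
// Paste only the expression line into the group definition (no comment lines).
// True only on clients that carry the setting with that exact value; the
// "exists value of it" guard avoids an error on a setting with no value.
exists setting "SD_InstallGroup" whose (exists value of it and value of it = "Office") of client
```

Because the group is automatic, removing a computer is just a second task that clears the setting, and the deployment status report in Web Reports can be filtered on the same group, which covers the reporting half of the original request without granting any additional rights.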
Do the Service Desk staff only need to manipulate computers after a ticket is created? You could have a script that checks the computers referenced in open tickets and then makes ONLY those computers available to the service desk staff in the console. This would further limit their scope.
In my opinion, BigFix has pretty good options for delegation, multi-tenancy, etc…