Setting up a Role in SMS for Specific Collections

SMS Rights are a pain to work with. (don't think so? Well then stop reading!) For instance, Giving a user or group rights for specific collections, becomes a tricky situation (I say this because rights are not inherited, so when you try to create roles with less than super admin access, it gets sticky.

Role for a specific collection, or set of collections.

Assign class rights for the following: Advertise, Create, Manage Folders, and Delegate.

Assign the following instance rights for the collections you wish the role to have access to: Read, Modify, Delete. (Each collection, and one of those collections must contain some computers!)

If you do this with a hierarchy for example, you would have the top level collection with the computers which the role can manage. Then anyone in that role can manage only that collection of computers. Every time they make a new collection, they will be forced to limit their query to that top level collection with the computers in it.

If necessary, remove the users instance rights for other collections.

Any collection which they can see, they can advertise to.

The user who creates a collection, must use their delegate right to grant rights to others in the role.

Comments

Post a Comment

Popular posts from this blog

SMS "Program failed (run time exceeded)" 10070

When a program fails due to error 10070, it does so because the Run Time was Exceeded. SMS Allows a program to run for 12 hours, afterwhich it will issue the failed status message if the program hasn't completed successfully. Note: The Maximum allowed run time within program properties is generally a guide for users running the program themselves, and is not enforced.
Read more

SMS "Waiting for User Condition" 10036

Status Message ID 10036, or "Waiting for User Condition" can occasionally grind advertisements to a halt. Make sure the environment and user condition settings for a particular program have been configured appropriately and are not excluding a large portion of your intended audience. Related Articles SMS WQL for All Clients where Last Status is Waiting for User Condition SMS Status Message ID's
Read more

SMS "Waiting for content" 10035

Status Message ID 10035, or "Waiting for content" is a common error which can drive you up the wall when testing a package deployment. Have you checked your site boundaries? Often a client is located in a IP Subnet which hasn't been configured within Site or Roaming Boundaries. Has the software been deployed to the clients local DPs? Check the reports and console, make sure the package has been deployed and is available to the clients. Is the advertisement configured for download and execute? Check the DP, make sure BITS is enabled, and the web site is functioning properly. Have you checked the logs? Start with the cas.log and execmgr.log on the client computer. Related Articles Clients do not send a status message when an advertised program is disabled in Systems Management Server 2003 SMS Status Message ID's
Read more