Minimum permissions required for SCS Add-on for SCCM 2012

Page 19 of the installation guide for the SCS Add-on for SCCM lists the SCCM permissions required for Management Controller Discovery. The guide states that you have to give the "Domain Computers" group the built-in "Operations Administrator" role in SCCM and assign that role to all collections and the default security scope. That is crazy! Those permissions give any domain computer account the ability to do anything in SCCM except for changing security settings. While I'm sure that a domain computer isn't going to launch the SCCM console and do something, any user who was able to elevate to the domain computer's context would be able to do so.

Does anyone have a minimal list of permissions required for the SCS Add-on to work with SCCM?

Thanks,

--Russel Riley

Accepted Solutions
Hey Russel,

I too thought those rights were a bit 'excessive'. I have created a custom security role that has only basic read permissions to a minimal set of objects (e.g. Resources and Collection and Site). The only greater than read access that I granted was on the 'Collection' object, where it receives the following permissions:

Control AMT

Provision AMT

Read

Read Resource

Remote Control

So far this has worked fine for me, and may even be more permissive than is needed. I also applied these permissions to a filtered collection containing only Intel Provisioned AMT systems (some of our systems are SCCM provisioned and thus these rights are not needed).

Hope this helps.
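
An audit check for the over-broad assignment discussed in this thread, added here as an example and not part of either post or of the SCS Add-on: it flags a group of computer accounts that holds a broad built-in role. The function name `Find-BroadMachineGroupRole`, the `CONTOSO` principals, the custom role name and the sample collection name are hypothetical; the input objects are assumed to carry the SMS_Admin property names (`LogonName`, `RoleNames`, `CollectionNames`, `CategoryNames`), as returned by `Get-CMAdministrativeUser` on a site server.

```powershell
# Added example: flag machine-account groups that hold broad built-in SCCM roles.
function Find-BroadMachineGroupRole {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]] $AdminUser,
        # Principals made up of computer accounts (assumed pattern; extend as needed)
        [string[]] $MachineGroupPattern = @('*\Domain Computers'),
        # Built-in roles treated as too broad for such a group
        [string[]] $BroadRole = @('Full Administrator', 'Operations Administrator')
    )
    process {
        foreach ($u in $AdminUser) {
            $isMachineGroup = $false
            foreach ($p in $MachineGroupPattern) {
                if ($u.LogonName -like $p) { $isMachineGroup = $true }
            }
            if (-not $isMachineGroup) { continue }

            $hits = @($u.RoleNames | Where-Object { $BroadRole -contains $_ })
            if ($hits.Count -eq 0) { continue }

            [pscustomobject]@{
                Principal   = $u.LogonName
                BroadRoles  = $hits -join ', '
                Collections = @($u.CollectionNames) -join ', '
                Scopes      = @($u.CategoryNames) -join ', '
                # 'All Systems' is the built-in collection containing every device
                SiteWide    = @($u.CollectionNames) -contains 'All Systems'
            }
        }
    }
}

# Constructed sample input: one assignment as the guide describes it,
# one scoped custom role as described in the accepted answer.
$sample = @(
    [pscustomobject]@{
        LogonName       = 'CONTOSO\Domain Computers'
        RoleNames       = @('Operations Administrator')
        CollectionNames = @('All Systems', 'All Users and User Groups')
        CategoryNames   = @('Default')
    },
    [pscustomobject]@{
        LogonName       = 'CONTOSO\Domain Computers'
        RoleNames       = @('AMT Discovery (custom)')
        CollectionNames = @('Intel Provisioned AMT Systems')
        CategoryNames   = @('Default')
    }
)
$sample | Find-BroadMachineGroupRole | Format-List
```

Only the first sample entry is reported; the scoped custom role passes. On a live site, pipe the output of `Get-CMAdministrativeUser` into the function instead of `$sample`.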