Device Protection With Microsoft Endpoint Manager and Microsoft Defender For Endpoint - Module 02 - Role Based Access Control

This document discusses role-based access control (RBAC) in Microsoft Endpoint Manager (Configuration Manager). It covers RBAC fundamentals: the security roles, security scopes, and collections that define which actions an administrative user can perform and on which objects and resources. It also covers RBAC reporting, including how reports use RBAC parameters and functions to secure report content and queries according to the user's roles, scopes, and collections, and gives an overview of implementing RBAC in queries with the fn_rbac_ functions and identifying the user's AdminID. The lab exercises have students configure RBAC security objects and verify a user's access.

Uploaded by Luke Whiteman
© All Rights Reserved

Device Protection with Microsoft Endpoint Manager and Microsoft Defender for Endpoint

Module 02: Role Based Access Control (RBAC)

Microsoft Services
Microsoft Confidential V04.21-2010
Module Overview
• RBAC Fundamentals
• RBAC Reporting Overview
• RBAC Report Parameters
• Implementing RBAC in Queries
• Lab 02: Implementing RBAC
Module 02: Role Based Access Control

RBAC Fundamentals

RBAC Fundamentals
Role-based Access Control (RBAC) is based on the security roles, security scopes, and collections assigned to a user or group (an administrative user) in Configuration Manager.
RBAC security applies to both the Configuration Manager console and Configuration Manager reports.
[Diagram: a user/group at the centre, linked to Security Roles, Security Scopes, and Collections.]
RBAC Fundamentals
RBAC in Configuration Manager

                What actions?                       Which objects?                                   Where?
  Component     Security Role                       Security Scope (group of objects)                Collection
  Controls      Object types + permissions          Permissions to specific objects and folders      Which resources
  Example       Role: Application Administrator     Scope: Desktop                                   Collection: Desktop Machines
                Objects: Package, Application,
                  App Group
                Permissions: Read, Modify,
                  Delete, Run Report
RBAC Fundamentals
Security Roles (15 built-in roles)
• A group of security permissions assigned to users/groups
• Defines the actions a user/group can perform
• Built-in roles cannot be edited; create custom security roles by copying a built-in role and adjusting its permissions
• Import security roles from another hierarchy
• Import security roles created and exported as XML with the RBA Viewer tool
• Best practice is to grant the least privilege necessary for the role: start from the built-in role closest to the job and remove permissions, rather than starting from Full Administrator
RBAC Fundamentals
Using the RBA Viewer tool
• Located at '\CD.Latest\SMSSETUP\Tools\ServerTools\RBAViewer.exe' on the site server
• Lets you preview the console experience that a role gives its members
• Modify/create custom roles and export them as XML
• The account running the tool must hold the Full Administrator, Read-only Analyst, or Security Administrator role
• The account running the tool must be assigned the All security scope and the All collections
• To analyze report folder security, the account must also have access to the site database in SQL Server
• To analyze report drill-through, run the tool on the site that has the reporting services point installed
RBAC Fundamentals
Security Scopes
• Provide access to securable objects (applications, packages, boundary groups, etc.)
• Every securable object must be assigned to at least one security scope
• A scope can contain many securable objects
• A securable object can be a member of more than one scope
• Two built-in security scopes:
  • All – grants access to all scopes; objects cannot be assigned to this scope
  • Default – every new object is assigned to this scope by default; it can be assigned to or removed from objects
• Create custom security scopes to partition objects (for example, per region or per team)
RBAC Fundamentals
Security Scopes: Objects that can be Scoped
• Alert subscriptions
• Applications and packages
• Boot images
• Boundary groups
• Configuration items
• Custom client settings
• Distribution points and distribution point groups
• Driver packages
• Folders (version 1906 and later)
• Global conditions
• Migration jobs
• OS images
• OS installation packages
• Packages
• Queries
• Sites
• Software metering rules
• Software update groups
• Software update packages
• Task sequence packages
• Windows CE device setting items and packages
RBAC Fundamentals
Security Scopes: Objects not limited by Scopes
• Active Directory forests
• Administrative users
• Alerts
• Antimalware policies
• Boundaries
• Computer associations
• Default client settings
• Deployment templates
• Device drivers
• Exchange Server connector
• Migration site-to-site mappings
• Mobile device enrollment profiles
• Security roles
• Security scopes
• Site addresses
• Site system roles
• Software titles
• Software updates
• Status messages
• User device affinities
RBAC Fundamentals
Collections
• Grouping of user or device resources
• Collections limit the resources an administrative user can act on
• If an administrative user has permissions to a collection, they also have permissions to every collection that is limited to that collection (the limiting collection bounds the maximum membership)
• Collections can be created for various scenarios, for example:
  • Functional
  • Geographic
  • Security and business process
  • Organizational alignment
• Collections cannot be included in a security scope; they are assigned to the administrative user directly
RBAC Reporting Overview

RBAC Reporting Overview
Report Access
• Native reports in Configuration Manager use RBAC.
• Access to reports is granted through security roles.
• A security role grants access only to the reports relevant to that role.
• Users in multiple roles get the union of those roles' reports.
• Create custom roles for more granular report access.
• The default Read-only Analyst role can run all reports.
[Diagram: user/group at the centre, linked to Security Roles, Security Scopes, and Collections.]
RBAC Reporting Overview
Report Security Control
• Security rights follow the role assignment.
• Security is set on the report folders in Report Manager (SSRS).
• The reporting services point re-applies the security policies to the report folders in SSRS every 10 minutes, so permissions edited by hand in Report Manager are overwritten; change role assignments in the console instead.
RBAC Reporting Overview
Securing Report Content
• Queries in the native Configuration Manager reports are fully enabled for RBAC.
• Report rows that describe objects (applications, deployments, packages) can be secured by security scope.
• Report rows that describe resources (devices, users) can be secured by collection.
RBAC Report Parameters

RBAC Report Parameters
Built-in Report Parameters
• @UserTokenSIDs
• @UserSIDs
• DataSetAdminID (the dataset that links the two)
RBAC Report Parameters
@UserTokenSIDs
• Contains the SIDs (user and group) of the user running the report.
• Internal (hidden) report parameter.
• Populated by an SSRS function that obtains the SIDs from the caller's token.
• The function lives in a .NET assembly, SrsResources.dll, loaded from the report server.
• Its value is the input to the DataSetAdminID dataset.
RBAC Report Parameters
@UserSIDs
• Internal (hidden) report parameter.
• Despite the name, it holds AdminIDs, not SIDs: the comma-separated AdminIDs of the administrative users and groups the caller maps to.
• Value is provided by the DataSetAdminID dataset.
• Passed to the fn_rbac_ functions in every RBAC-enabled query.
RBAC Report Parameters
DataSetAdminID
• Takes the @UserTokenSIDs report parameter as input.
• Returns a comma-separated list of AdminIDs.
• Used to populate the @UserSIDs parameter.
• Calls the fn_rbac_GetAdminIDsfromUserSIDs function.
Implementing RBAC in Queries

Implementing RBAC in Queries
RBAC Functions
• Table-valued functions that return the same columns as the corresponding reporting view.
• A function exists for each reporting view.
• Identified by the fn_rbac_ prefix.
• Functions are generated automatically for all custom hardware inventory classes.
Implementing RBAC in Queries
Using Functions in Queries
• A query written against reporting views can be converted to one that uses the RBAC functions.
• Replace the v_ prefix with fn_rbac_:
  • SQL reporting view: v_CIAssignment
  • RBAC function: fn_rbac_CIAssignment
• The function is used in the FROM clause of a standard SELECT statement, in place of the view.
• Each function takes one parameter: the caller's AdminID list (@UserSIDs in a report) or the literal 'disabled' to bypass RBAC filtering.
• An AdminID is associated with each user or group added as an administrative user in Configuration Manager.
Implementing RBAC in Queries
Identifying the AdminID:
• AdminIDs are stored in the RBAC_Admins table.
• A user can map to more than one AdminID because of group membership (the user plus each of their groups that is itself an administrative user).
• dbo.fn_rbac_GetAdminIDsfromUserSIDs resolves a list of SIDs to the AdminIDs of all matching users and groups.
Implementing RBAC in Queries
Build T-SQL Query:
• Create the query using the RBAC functions and the @UserSIDs parameter.
• Use the 'disabled' parameter while testing, to confirm the joins and filters return the expected rows independent of RBAC.
• Replace 'disabled' with @UserSIDs before publishing; a report left with 'disabled' returns unscoped data to every reader.
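The following is an added example, not a query from the course deck or from the Configuration Manager product. It walks the procedure above end to end (resolve the caller's AdminIDs as DataSetAdminID does, convert a view-based query to the fn_rbac_ functions, secure the result by collection as described under "Securing Report Content", and test with 'disabled'). It assumes a standard Configuration Manager site database, the stock @UserTokenSIDs/@UserSIDs report parameters, and a report that takes a collection-ID parameter @CollID; the SID values are constructed, and the LogonName and IsGroup column names read from RBAC_Admins are assumptions.

```sql
-- Added example (not from the course deck or the ConfigMgr product).
-- Run in SSMS against the site database. In an SSRS report, @UserTokenSIDs is
-- the hidden built-in parameter, @UserSIDs is filled by DataSetAdminID and
-- @CollID would be an ordinary report parameter; they are DECLAREd here so the
-- script runs stand-alone.

-- Constructed sample: the report user's SID followed by one group SID.
DECLARE @UserTokenSIDs nvarchar(max) =
    N'S-1-5-21-1111111111-2222222222-3333333333-1105,S-1-5-21-1111111111-2222222222-3333333333-2001';
DECLARE @CollID nvarchar(8) = N'SMS00001';   -- built-in All Systems collection

-- Step 1: what DataSetAdminID does. Every SID in the token that matches an
-- administrative user or group in RBAC_Admins contributes its AdminID; the
-- result is a comma-separated string. If nothing matches, the fn_rbac_
-- functions below return no rows at all.
DECLARE @UserSIDs nvarchar(max) = dbo.fn_rbac_GetAdminIDsfromUserSIDs(@UserTokenSIDs);
SELECT @UserSIDs AS ResolvedAdminIDs;

-- Step 2: show which administrative users/groups the caller resolved to.
-- (STRING_SPLIT needs SQL Server 2016+; LogonName/IsGroup column names assumed.)
SELECT a.AdminID, a.LogonName, a.IsGroup
FROM   RBAC_Admins AS a
JOIN   STRING_SPLIT(@UserSIDs, ',') AS s ON TRY_CAST(s.value AS int) = a.AdminID;

-- Step 3a: the original, view-based query. It ignores RBAC: anyone who can
-- run the report sees every device in the collection and every deployment.
SELECT sys.Name0 AS DeviceName, os.Caption0 AS OperatingSystem, ca.AssignmentName
FROM   v_R_System                 AS sys
JOIN   v_GS_OPERATING_SYSTEM      AS os  ON os.ResourceID   = sys.ResourceID
JOIN   v_FullCollectionMembership AS fcm ON fcm.ResourceID  = sys.ResourceID
JOIN   v_CIAssignment             AS ca  ON ca.CollectionID = fcm.CollectionID
WHERE  fcm.CollectionID = @CollID;

-- Step 3b: the same query with v_ replaced by fn_rbac_ and @UserSIDs passed to
-- every function. Devices outside the caller's collections and deployments
-- outside the caller's security scopes are filtered inside the functions, so
-- the report body needs no extra WHERE clause to enforce RBAC.
SELECT sys.Name0 AS DeviceName, os.Caption0 AS OperatingSystem, ca.AssignmentName
FROM   fn_rbac_R_System(@UserSIDs)                 AS sys
JOIN   fn_rbac_GS_OPERATING_SYSTEM(@UserSIDs)      AS os  ON os.ResourceID   = sys.ResourceID
JOIN   fn_rbac_FullCollectionMembership(@UserSIDs) AS fcm ON fcm.ResourceID  = sys.ResourceID
JOIN   fn_rbac_CIAssignment(@UserSIDs)             AS ca  ON ca.CollectionID = fcm.CollectionID
WHERE  fcm.CollectionID = @CollID;

-- Step 4: accuracy test. 'disabled' bypasses the RBAC filter, so the unscoped
-- count should match the view-based query in step 3a; if it does not, the
-- join logic is wrong, not RBAC. Compare it with the caller's scoped count.
-- Never leave 'disabled' in a published report: every reader would get the
-- full, unscoped data set.
SELECT COUNT(*) AS RowsUnscoped
FROM   fn_rbac_R_System('disabled')                 AS sys
JOIN   fn_rbac_FullCollectionMembership('disabled') AS fcm ON fcm.ResourceID = sys.ResourceID
WHERE  fcm.CollectionID = @CollID;

SELECT COUNT(*) AS RowsForCaller
FROM   fn_rbac_R_System(@UserSIDs)                 AS sys
JOIN   fn_rbac_FullCollectionMembership(@UserSIDs) AS fcm ON fcm.ResourceID = sys.ResourceID
WHERE  fcm.CollectionID = @CollID;
```

When the query is pasted into a report dataset, drop the three DECLARE lines and keep the parameter names: SSRS supplies @UserTokenSIDs and @UserSIDs through the built-in parameters, and @CollID becomes a normal prompted parameter. The same pattern applies to any custom hardware inventory class, since a matching fn_rbac_ function is generated for it automatically.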
Knowledge Measure
o What does a Security Scope accomplish?
o Which default Security Role has access to all reports?
o What is the purpose of a Security Role?
o Is it possible to limit administrative users to collections in a specific folder?
Module Summary
• Role Based Access Control (RBAC) controls which functions administrators can perform and where they are allowed to perform them.
• RBAC combines Roles (what actions the administrator can perform), Scopes (which objects the administrator can act on), and Collections (which resources the administrator can act on).
• Custom reports can implement the same RBAC controls through the fn_rbac_ functions and the @UserSIDs parameter.
Lab 02: Implementing RBAC
Exercise 1: Configure RBA security objects.
Exercise 2: Verify user access.

© 2015 Microsoft Corporation. All rights reserved.
