ConfigMgr Tools: RBAViewer
In this post I will start looking at the tools available along with ConfigMgr 2012. The first set of tools is part of the official toolkit, which is available from Microsoft. Like the SMS 2003 and ConfigMgr 2007 counterparts the updated version contains some great tools to help with your systems management story.
First thing is first you can download the toolkit from the Microsoft download site: http://www.microsoft.com/en-us/download/details.aspx?id=36213
Once you have downloaded them, you can install them by extracting the MSI from the self-extracting executable. By default you will find the tools installed here: C:\Program Files (x86)\Configmgr 2012 Toolkit SP1, you can of course change them to whatever you wish.
In this post I will be looking at the RBAViewer or the Role Based Access Viewer. You will find it in the ServerTools directory. Double click the RBAViewer.exe and you will be presented with a screen that looks like the following.
As you can tell in the right hand pane you have a view which looks like the console just not as elegant! Down the left you have the different permissions available and when you expand them out you will see the individual permissions in each category such as create, delete, deploy and so on.
When you click the Based on drop down you can select the built-in security roles. This will modify the check boxes to match the role(s) you have selected. The first feature of the RBAViewer that is really useful is the Similarity tab. For example, I have selected the Operating System Deployment Manager role and then also ticked the Global Condition check box. Now when you press the Analyze button and then select the Similarity tab you will get something similar to the following screen shot.
I have clicked two of the roles shown here. What this tool does it match up your selected permissions to a built-in role. From the time I have spent with customers I have usually found only a few cases where we need a custom role. We can usually fit the required permissions into a single built-in role or a combination of two roles. Remember the beauty of RBA in ConfigMgr is that we can assign a user multiple roles to build up a set of permissions.
What this screen shot tells us is that from the permissions we selected the built-in roles are best matching in the order shown. When you click a role you will get some information on the compatibility of the role. For instance the Operating System Deployment Manager role shares 97 of the permissions we selected and our role needs an extra 5 permissions. The Operations Manager role tells us it covers all the permissions we need but it also contains and extra 193 permissions which are irrelevant to our selection.
From this position you can now click the AdminConsole tab which will show you how the console will look. You can see I added Global Conditions and this is selected in the screen shot, you can also see that the Operating System Deployment Manager does not have the Software Update Groups node which is missing, this is also reflected in the console view.
The right side pane shows us which actions are available for a selected node within a specific workspace. When you have perfected your role you can click Export which will enable you to save a XML file. You can then import this in the console by visiting the Administration workspace, then expanding the Security node and selecting Security Roles.
When the role is imported you can see it in the console and then it is free to assign to administrators. The following screen shot verifies the Global Condition permissions are selected in our custom role.
The final section of this tool is the Run As section, which you can load by clicking the play button looking icon, which is highlighted in this screen shot.
You can see from here, you can simply enter the DOMAIN\Username of the person whose permissions you want to check. When you expand the username you can see which roles the user has and by expanding once more you will see what security scopes and collections this user can see.
Hopefully you have learnt how useful this tool can be, not just for debugging user access problems but also for designing and testing your roles without implementing them.