Role-Based Administration Provides “Show Me” Behavior in Configuration Manager 2012 Beta 2
Published Sep 07 2018 08:05 PM
Microsoft
First published on CloudBlogs on Jun, 08 2011

[Today’s post is provided by Lilian Xuan]

Every person who uses the Configuration Manager 2007 console has to work with a complicated tree that has more than fifty nodes and hundreds of actions, even if they have permission to operate on just one node. Instead of this experience, how cool would it be to have your own console based on your assigned role? Configuration Manager 2012 provides this capability with role-based administration and what we call “Show Me” in the Configuration Manager console.

What is “Show Me”?

“Show Me” is the Configuration Manager behavior that shows the administrative user only what is relevant to them. Instead of seeing all workspaces, nodes, and objects when you run the Configuration Manager console, you see only those that you need to see, based on your job role. Role-based administration in Configuration Manager hides any workspaces, nodes, and objects that you do not need to see.

Why “Show Me”?

Imagine that you have one key chain with 10 keys attached to it. One of them is to the door of your office and you don’t use the other nine keys. What would you do? Bring the whole key chain and find your office key from 10 keys, every day? I would pick out the key to my office and bring it with me, leaving the other nine at home (or throw them away).

“Show Me” in the Configuration Manager console lets you leave those keys at home that you don’t use, and bring only the one key that you need. As an example, let’s assume that you have been assigned the role-based administration security role of Asset Manager, because your job role is to collect and report on software licenses by using the Asset Intelligence feature. When you run the Configuration Manager console, would you prefer to see everything, or only objects that are relevant to this role?

Without the “Show Me” behavior, you see all the workspaces and nodes, as shown in the following picture:

Note: This is prerelease UI and is subject to change

With “Show Me”, only the relevant workspaces and nodes are shown, as in the next picture, where you can no longer see the Software Library workspace or the Configuration Items node.

Note: This is prerelease UI and is subject to change

Benefits of “Show Me”:

  • Automatic custom Configuration Manager console.
  • Shows the administrative user only the objects and actions that they need to perform their job.
  • The reduced display makes it easier and more efficient for administrative users to manage Configuration Manager.

How “Show Me” works

“Show Me” behavior is the result of configuring role-based administration in Configuration Manager 2012.  First, your Windows user account is granted access to the Configuration Manager console as an administrative user.  Then, when your account opens the Configuration Manager console, only the nodes and objects that you have permission to manage are displayed.  Objects you do not have permission to view or manage are hidden.  This is controlled by the association of security roles, security scopes, and collections to your administrative user configuration:

  • Security roles define the actions, or permissions, you have for different object types. For example, a security role can grant an associated user the right to create, deploy, and delete an application. Access and visibility to the following are controlled by security role configurations:
    • Workspaces
    • Console nodes and folders
    • The type of objects that you can access
    • Available actions for accessible objects (such as which actions are displayed on the ribbon)
  • Security scopes are sets of objects. Each securable object in Configuration Manager 2012 must be assigned to at least one security scope. When you are associated with a security scope, you gain access to manage the specific objects that are assigned to that security scope.
  • Collection associations determine which collections are displayed when you take actions such as deploying content or viewing a list of collections.

Shown, Hidden, or Disabled

With the “Show Me” experience, administrative users might see different behaviors for objects in the Configuration Manager console. These behaviors include objects that are shown and accessible, shown but disabled, or hidden from view:

Shown

  • All objects:  All objects are shown when an administrative user has permission to manage them. If this is a node or folder, parent objects in that workspace are also displayed.

Hidden

  • Workspace: A workspace is hidden if the administrative user doesn’t have any permissions to view or operate any node in that workspace.
  • Node: A node is hidden if the administrative user doesn’t have permissions to create, modify, delete, view, or configure anything in that node.
  • Object: Objects are hidden if the object is not in a security scope associated with the administrative user.  Objects are also hidden when the security roles do not provide any permissions to this object type.
  • Action: Actions are hidden if the administrative user doesn’t have permission to operate the specific action for the object. Permissions to take actions on objects are granted by the administrative users’ associated security roles.

Disabled

  • Action:   There are two scenarios when an object or action is disabled (not available).

1)  First, you might have permissions to an object and specific actions, but the action is displayed as disabled. The action is shown as disabled because the action is not currently available, but might become available if prerequisites are met or changed.

For example, in the following picture, the action Enable or Disable Asset Intelligence Synchronization Point is disabled because the Asset Intelligence synchronization point is not installed. However, when the Asset Intelligence synchronization point is installed, the administrative user’s assigned security roles grant them permissions to enable or disable this site system role.

Note: This is prerelease UI and is subject to change

2)  Second, you might have permissions for some objects, but not the selected object. This can occur when you are associated with multiple security roles, and your role-based administration configuration associates those security roles with specific security scopes or collections.
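
A simplified model of the shown, hidden, and disabled rules above, as an added example that is not part of the original post and is not Configuration Manager code. The `Assignment` class, the `action_state` function, the role names `BranchReader` and `HQAppAdmin`, and the scope names are hypothetical; it can help when reasoning about why an administrative user does or does not see an object or action.

```python
from dataclasses import dataclass

@dataclass
class Assignment:
    """One security role, limited to the security scopes it is associated with."""
    role: str
    permissions: dict     # object type -> set of permitted actions
    scopes: frozenset     # security scopes the role applies to

def object_visible(assignments, obj_type, obj_scopes):
    """An object is shown only if some role has any permission on its type
    within a security scope that the object is assigned to."""
    return any(a.permissions.get(obj_type) and a.scopes & obj_scopes
               for a in assignments)

def action_state(assignments, obj_type, obj_scopes, action, prereq_met=True):
    """Return 'hidden', 'disabled' or 'shown' for one action on one object."""
    if not object_visible(assignments, obj_type, obj_scopes):
        return "hidden"        # the object itself is not displayed
    granting = [a for a in assignments
                if action in a.permissions.get(obj_type, ())]
    if not granting:
        return "hidden"        # no associated role grants this action
    if not any(a.scopes & obj_scopes for a in granting):
        return "disabled"      # scenario 2: granted, but not for this object
    if not prereq_met:
        return "disabled"      # scenario 1: granted, prerequisite not met
    return "shown"

# Constructed sample: hypothetical roles tied to different security scopes.
ADMIN = [
    Assignment("BranchReader", {"Application": {"Read"}}, frozenset({"Branch"})),
    Assignment("HQAppAdmin",
               {"Application": {"Read", "Create", "Deploy", "Delete"}},
               frozenset({"HQ"})),
]

if __name__ == "__main__":
    for scopes, action in [({"HQ"}, "Deploy"), ({"Branch"}, "Deploy"),
                           ({"Lab"}, "Read"), ({"HQ"}, "Retire")]:
        print(sorted(scopes), action, "->",
              action_state(ADMIN, "Application", scopes, action))
```
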

Troubleshooting Tips

When you use the “Show Me” behavior, watch out for these commonly reported issues:

  1. You can’t see the workspaces, nodes or actions that you expect to see.
    Solution: Make sure that your administrative user account is associated with a security role that grants permissions to the correct object types.
  2. You can’t see the objects that you expect to see in the console:
    Solution: Make sure that your administrative user account is associated with the correct security scopes and collections.

You can also use the following two log files to troubleshoot Configuration Manager console problems:

  • <smsprovider setup dir>\Logs\SMSProv.log
  • <adminconsole setup dir>\AdminUILog\SmsAdminUI.log

For information about configuring role-based administration, see Configure Role-Based Administration in Configuration Manager 2012 in the Configuration Manager 2012 TechNet library.

-- Lilian Xuan

This posting is provided "AS IS" with no warranties and confers no rights.
