Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Minimum permissions required for SCS Add-on for SCCM 2012

RRile
Beginner

Page 19 of the installation guide for the SCS Add-on for SCCM lists the SCCM permissions required for Management Controller Discovery. The guide states that you have to give the "Domain Computers" group the built-in "Operations Administrator" role in SCCM and assign that role to all collections and the default security scope. That is crazy! Those permissions give any domain computer account the ability to do anything in SCCM except for change security settings. While I'm sure that a domain computer isn't going to launch the SCCM console and do something, any user who was able to elevate to the domain computer's context would be able to do so.

Does anyone have a minimal list of permissions required for the SCS Add-on to work with SCCM?

Thanks,

--Russel Riley

1 Solution
JNola3
Beginner

Hey Russel,

I too thought those rights were a bit 'excessive'. I have created a custom security role that has only basic read permissions to a minimal set of objects (e.g. Resources, Collection and Site). The only greater-than-read access that I granted was on the 'Collection' object, where it receives the following permissions:

Control AMT
Provision AMT
Read
Read Resource
Remote Control

So far this has worked fine for me, and may even be more permissive than is needed. I also applied these permissions to a filtered collection containing only Intel Provisioned AMT systems (some of our systems are SCCM provisioned and thus these rights are not needed).

Hope this helps.
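
As an added example (not code from this thread, from Intel or from the SCS Add-on), a PowerShell audit for the risk Russel describes: it lists which ConfigMgr administrative principals hold a high-privilege built-in role and flags a "Domain Computers" group assignment, so the permission the guide asks for can be found and replaced with a custom read-mostly role like the one above. It assumes the ConfigMgr console PowerShell module is installed on the machine running it; the site code PS1 is a placeholder.

```powershell
# Added example: audit high-privilege role assignments in ConfigMgr 2012.
# Assumes the ConfigMgr console is installed (SMS_ADMIN_UI_PATH is set) and
# that the site code below is replaced with the real one (PS1 is a placeholder).
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'

# Built-in roles that grant broad write access; Operations Administrator is
# the one the SCS Add-on guide asks to hand to Domain Computers.
$highPrivRoles = @('Full Administrator', 'Operations Administrator')

$findings = Get-CMAdministrativeUser | ForEach-Object {
    $roles = @($_.RoleNames)
    $risky = $roles | Where-Object { $highPrivRoles -contains $_ }
    if ($risky) {
        [pscustomobject]@{
            LogonName       = $_.LogonName
            IsGroup         = [bool]$_.IsGroup
            RiskyRoles      = ($risky -join ', ')
            SecurityScopes  = (@($_.CategoryNames) -join ', ')
            Collections     = (@($_.CollectionNames) -join ', ')
            # Computer-account group holding an admin role: every machine in the
            # domain (and anyone running as one) inherits that role.
            IsDomainComputers = $_.LogonName -like '*\Domain Computers'
        }
    }
}

if (-not $findings) {
    Write-Output 'No principals hold Full or Operations Administrator.'
} else {
    $findings |
        Sort-Object IsDomainComputers -Descending |
        Format-Table LogonName, IsGroup, RiskyRoles, SecurityScopes, Collections, IsDomainComputers -AutoSize
}
```

Any row with IsDomainComputers set to True is the guide's recommended assignment; the fix is to move that principal to a custom role limited to the AMT permissions listed above, scoped to a collection of Intel-provisioned systems only.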
