1 Reply Latest reply on Apr 23, 2014 12:02 PM by Joel.Nolan.PSU

    Minimum permissions required for SCS Add-on for SCCM 2012

    RusselRiley

      Page 19 of the installation guide for the SCS Add-on for SCCM lists the SCCM permissions required for Management Controller Discovery. The guide states that you have to give the "Domain Computers" group the built-in "Operations Administrator" role in SCCM and assign that role to all collections and the default security scope. That is crazy! Those permissions give any domain computer account the ability to do anything in SCCM except for change security settings. While I'm sure that a domain computer isn't going to launch the SCCM console and do something, any user who was able to elevate to the domain computer's context would be able to do so.

       

      Does anyone have a minimal list of permissions required for the SCS Add-on to work with SCCM?

       

      Thanks,

       

      --Russel Riley

        • 1. Re: Minimum permissions required for SCS Add-on for SCCM 2012
          Joel.Nolan.PSU

          Hey Russel,

           

          I too thought those rights were a bit 'excessive'. I have created a custom security role that has only basic read permissions to a minimal set of objects (e.g. Resources, Collection and Site). The only greater-than-read access that I granted was on the 'Collection' object, where it receives the following permissions:

           

          Control AMT

          Provision AMT

          Read

          Read Resource

          Remote Control

           

          So far this has worked fine for me, and may even be more permissive than is needed. I also applied these permissions to a filtered collection containing only Intel Provisioned AMT systems (some of our systems are SCCM provisioned and thus these rights are not needed).

           

          Hope this helps.
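
An added example, not part of either post above: a PowerShell check that flags SCCM administrative assignments broader than the custom role the reply describes. It assumes input objects with the `LogonName`, `IsGroup`, `RoleNames` and `CollectionNames` properties that `Get-CMAdministrativeUser` returns; the `CONTOSO` accounts, the custom role name and the filtered collection name are constructed sample values.

```powershell
# Principals, built-in roles and collections treated as "too broad" for the add-on.
$BroadGroups      = 'Domain Computers', 'Domain Users', 'Authenticated Users', 'Everyone'
$BroadRoles       = 'Full Administrator', 'Operations Administrator'
$BroadCollections = 'All Systems', 'All Users and User Groups'

function Test-SccmAdminAssignment {
    param([Parameter(ValueFromPipeline)] $Admin)
    process {
        $account  = ($Admin.LogonName -split '\\')[-1]   # strip the DOMAIN\ prefix
        $findings = @()
        if ($Admin.IsGroup -and $BroadGroups -contains $account) {
            $findings += 'broad group principal'
        }
        $roles = @($Admin.RoleNames | Where-Object { $BroadRoles -contains $_ })
        if ($roles) { $findings += "built-in role: $($roles -join ', ')" }
        $colls = @($Admin.CollectionNames | Where-Object { $BroadCollections -contains $_ })
        if ($colls) { $findings += "unfiltered collection: $($colls -join ', ')" }
        [pscustomobject]@{
            LogonName = $Admin.LogonName
            Flagged   = [bool]$findings.Count
            Findings  = $findings -join '; '
        }
    }
}

# Constructed sample rows: the assignment the guide asks for, and a scoped one
# in the style of the reply (role and collection names are hypothetical).
$sample = @(
    [pscustomobject]@{
        LogonName       = 'CONTOSO\Domain Computers'
        IsGroup         = $true
        RoleNames       = @('Operations Administrator')
        CollectionNames = @('All Systems', 'All Users and User Groups')
    },
    [pscustomobject]@{
        LogonName       = 'CONTOSO\Domain Computers'
        IsGroup         = $true
        RoleNames       = @('SCS AMT Discovery (custom)')
        CollectionNames = @('Intel Provisioned AMT Systems')
    }
)

$sample | Test-SccmAdminAssignment | Format-Table -AutoSize -Wrap

# Against a live site, from a ConfigMgr PowerShell session:
# Get-CMAdministrativeUser | Test-SccmAdminAssignment | Where-Object Flagged
```

The second sample row is still flagged for its principal, because the custom role limits what "Domain Computers" can do but does not change who holds it.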