The idea of this blog post is identical to my blog post about the permissions required to use Resultant Client Settings that I did a couple of weeks ago. I'm also thinking about making this something recurring, as I noticed that the role-based administration model sometimes reacts a bit differently than, at least, I would expect. For those following me on Twitter, this blog post will be an extended version of a tweet I posted last week. This blog post will explain a bit more about the situation, as that was a bit hard in a tweet of 140 characters. Also, this blog post is a lot easier to find for future reference.
In this blog post I'll explain what permissions are required to use the Edit Primary Users option and the Edit Primary Devices option. These options allow the administrator to configure the primary user of a device and to configure the primary device of a user. Keep in mind that providing the administrator with the minimum rights required to use these options does not mean that the administrator can add every user or every device. In the form that allows the administrator to add a primary user (or a primary device), it is also possible to search ALL users (or ALL devices), but this search is limited to the collections that the administrator is scoped to.
Now the key point of this blog post: the minimal permissions required to use the Edit Primary Users option and the Edit Primary Devices option. There is a small surprise among the required permissions. To provide an administrator with the minimal rights required for using these options, use the following list:
- Collection – Read, Read Resource;
  - Without the Read permission the Collections node will not show. The Read Resource permission is only required to also show the members of a collection.
- User Device Affinities – Read, Modify, Delete and Create.
  - Without the combination of the Read, Modify, Delete and Create permissions the Edit Primary Users option and the Edit Primary Devices option will not show.
The surprise in the required permissions is the fact that the Read, Modify, Delete and Create permissions are all required. It's difficult to explain why all of these permissions are required to allow the usage of the Edit Primary Users option and the Edit Primary Devices option. Basically, the role-based administration model does offer the ability to differentiate the permissions for configuring and modifying the user device affinity, but in the console it's all or nothing at the moment. This is not always the ideal situation. That's why I filed a DCR on the Connect site. If you would like to see this addressed in a future release, or in a hotfix, or just want to give it a small spotlight, this is the link where you can vote: https://connect.microsoft.com/ConfigurationManagervnext/feedback/details/994950
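As an added example (not part of the original post), the following script models the console behaviour described above as a least-privilege audit: given the permissions granted to a security role per object type, it reports what the console would show and which permissions are missing from, or go beyond, the minimum. The role definitions are constructed by hand; the object type and permission names are the console's wording, and how you populate them from a real role export is up to you.

```python
# Added example: audit a ConfigMgr security role's granted permissions against the
# minimum set needed for Edit Primary Users / Edit Primary Devices. The role data
# below is constructed; the object type and permission names follow the console.
from typing import Dict, List, Set

# Minimum permissions per object type, as established in the post.
MINIMUM: Dict[str, Set[str]] = {
    "Collection": {"Read", "Read Resource"},
    "User Device Affinities": {"Read", "Modify", "Delete", "Create"},
}

def console_visibility(role: Dict[str, Set[str]]) -> Dict[str, bool]:
    """What the console will show for a role with these granted permissions."""
    coll = role.get("Collection", set())
    uda = role.get("User Device Affinities", set())
    return {
        "collections_node": "Read" in coll,
        "collection_members": {"Read", "Read Resource"} <= coll,
        # All-or-nothing: the Edit Primary Users/Devices options only appear
        # when all four affinity permissions are granted together.
        "edit_primary_users_devices": MINIMUM["User Device Affinities"] <= uda,
    }

def audit_role(role: Dict[str, Set[str]]) -> List[str]:
    """Least-privilege findings: permissions missing from, or beyond, the minimum."""
    findings: List[str] = []
    for obj, needed in MINIMUM.items():
        granted = role.get(obj, set())
        for p in sorted(needed - granted):
            findings.append(f"MISSING {obj}: {p}")
        for p in sorted(granted - needed):
            findings.append(f"EXCESS {obj}: {p}")
    # Any object type outside the minimum is excess for this purpose.
    for obj in sorted(set(role) - set(MINIMUM)):
        for p in sorted(role[obj]):
            findings.append(f"EXCESS {obj}: {p}")
    return findings

# Constructed sample roles: one under-privileged, one over-privileged.
TOO_LITTLE = {"Collection": {"Read", "Read Resource"},
              "User Device Affinities": {"Read", "Modify"}}
TOO_MUCH = {"Collection": {"Read", "Read Resource", "Modify"},
            "User Device Affinities": {"Read", "Modify", "Delete", "Create"},
            "Site": {"Read"}}

if __name__ == "__main__":
    for name, role in (("too little", TOO_LITTLE), ("too much", TOO_MUCH)):
        print(name, console_visibility(role), audit_role(role))
```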