Thanks. I've tried that and I don't think I can get the behavior I want.

I need the packagers to be able to always read all packages, also those they don't have change access to anymore (not their scope), AND always to read their collections. But since 'deploy' is linked to collections and removing a scope isn't removing "deploy" for any application, there is no way to revoke that access when they still have read access to collections and applications. Scope isn't doing anything for that. Btw: the same is true for "move" package and "distribute content". Move access once means always move access despite the current scope.

MS should have made "deploy" depend on the actual deployable object and not (only) on the collection to deploy to, and more granular. It's a good start but not enough. In AD that would mean that once change access to a single GPO was revoked, they can still deploy to any OU. Not making sense either.

I'd prefer to be wrong. Am I? I haven't figured out a way to do what I want.

-R

From: [email protected] [mailto:[email protected]] On Behalf Of CESAR.ABREG0
Sent: Friday, 13 February 2015 15:01
To: [email protected]
Subject: Re: [mssms] RBAC: Deploy action linked to Collection not making sense

You mean 'packager role'.

1. Create a collection named 'pkg USA servers' limited to 'all systems'.
2. Create a scope; give it a generic name since it can be for many purposes.
3. Create a new role to limit your 'action' permissions.
4. Add the user/group, add ONLY the scope and collection you created.
5. Select the built-in role or one you created.

In this scenario, the users would only have access to objects in 'pkg USA servers' and collections limited to it. In essence, the collection 'pkg USA servers' can be empty; the user would have access to deploy but no objects would be affected.

Cesar A.
Meaning is NOT in words, but inside people! Dr. Myles Munroe.

On Feb 13, 2015, at 1:27 AM, Roland Janus <[email protected]> wrote:

Actually I don't know what you mean exactly with "scoped to an empty collection". Can you elaborate?

The goal is: Allow deployment of applications only while they have the scope "packagers". Have read access to everything (basically), especially all applications.

-roland

From: [email protected] [mailto:[email protected]] On Behalf Of CESAR.ABREG0
Sent: Thursday, 12 February 2015 22:00
To: [email protected]
Subject: Re: [mssms] RBAC: Deploy action linked to Collection not making sense

Though I see your point. That would depend on the objects you scope the role for. It can actually be scoped to an empty collection.

Cesar A.
Meaning is NOT in words, but inside people! Dr. Myles Munroe.

On Feb 12, 2015, at 12:51 PM, Roland Janus <[email protected]> wrote:

I disagree. Basically there is no useful method to prevent deploying any app as soon as they have access to any collection, especially considering packagers.

From: [email protected] [mailto:[email protected]] On Behalf Of elsalvoz
Sent: Thursday, 12 February 2015 15:47
To: [email protected]
Subject: Re: [mssms] RBAC: Deploy action linked to Collection not making sense

Just went through that at my latest gig. Those activities can only be executed onto a collection. Kinda makes sense.

Cesar

On Feb 12, 2015 12:27 AM, "Roland Janus" <[email protected]> wrote:

Have you noticed that the deploy and move action for an application is linked to a collection instead of the application object itself?

I have a packager role and a packager scope. There are also collections for them and that's the only thing they can touch. Almost... They can create apps and collections within their limits and deploy to them. Once an admin changes the scope of a package, removes "packagers" leaving "default", their edit/delete etc. access is revoked. But they still can "deploy", because that action is linked to a collection and not, what would make sense to me, to the application.

I mean the object to control is the application, not the collection; why would "deploy" be part of a collection? Shouldn't deploy always be linked to the object to deploy and not what to deploy TO? So "deploy" for all classes (app, packages, settings etc.)? Does that make sense to you?

I could remove read-only access, then they wouldn't see it anymore, hence can't deploy, but I want them to be able to see live apps. Is there a way around that?

-Roland
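The five steps Cesar lists, plus the scope removal Roland describes, expressed with the ConfigMgr PowerShell cmdlets. This is an added example, not code from the thread or from Microsoft. It assumes the ConfigurationManager module is available from a console install; the site code, AD group and application name are placeholders, and the SMS_Admin property names in the final check are assumed rather than taken from the thread. The closing check is the one a defender wants here: it lists the scopes an application still carries next to the collections the group is assigned to, because, as the thread concludes, deploy is evaluated against the collection assignment, not the application's scope.

```powershell
# Added example (not from the thread): Cesar's steps 1-5 with ConfigMgr cmdlets,
# followed by the check for the behaviour Roland reports.
$SiteCode       = 'PS1'                  # placeholder site code
$PackagerGroup  = 'CONTOSO\Packagers'    # placeholder AD group
$ScopeName      = 'Packagers'
$CollectionName = 'pkg USA servers'
$RoleName       = 'Packager'
$AppName        = 'Contoso Tool 1.0'     # placeholder application name

# Module ships with the console; SMS_ADMIN_UI_PATH ends in \i386, psd1 sits one level up.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

# Step 1: collection limited to All Systems; it can stay empty.
if (-not (Get-CMDeviceCollection -Name $CollectionName)) {
    New-CMDeviceCollection -Name $CollectionName -LimitingCollectionName 'All Systems' | Out-Null
}

# Step 2: security scope with a generic name.
if (-not (Get-CMSecurityScope -Name $ScopeName)) {
    New-CMSecurityScope -Name $ScopeName -Description 'Objects packagers may change' | Out-Null
}

# Step 3: custom role copied from a built-in one. Trim its action permissions
# afterwards in the console (Administration > Security > Security Roles); the
# role-permission cmdlets are not available on every ConfigMgr version.
if (-not (Get-CMSecurityRole -Name $RoleName)) {
    Copy-CMSecurityRole -SourceRoleName 'Application Administrator' -Name $RoleName `
        -Description 'Packagers: create and deploy apps within their scope' | Out-Null
}

# Steps 4-5: the administrative user gets ONLY the new scope and collection, plus the role.
if (-not (Get-CMAdministrativeUser -Name $PackagerGroup)) {
    New-CMAdministrativeUser -Name $PackagerGroup -RoleName $RoleName `
        -SecurityScopeName $ScopeName -CollectionName $CollectionName | Out-Null
}

# Scope handling for one application: tag it with the packager scope, and later
# remove that scope again (the "admin changes the scope of a package" step).
$app = Get-CMApplication -Name $AppName
if ($app) {
    Add-CMObjectSecurityScope -Name $ScopeName -InputObject $app
    # ... later, when the app leaves the packagers' responsibility:
    Remove-CMObjectSecurityScope -Name $ScopeName -InputObject $app -Force

    # The check. The first list shows what the app's scopes say; the second list
    # (collections assigned to the group) is what actually decides whether the
    # group can still deploy. Property names on the SMS_Admin object are assumed.
    Write-Host "Scopes still on '$AppName':"
    Get-CMObjectSecurityScope -InputObject $app | Select-Object CategoryName
    Write-Host "Assignments for '$PackagerGroup':"
    Get-CMAdministrativeUser -Name $PackagerGroup |
        Format-List LogonName, RoleNames, CategoryNames, CollectionNames
}
```

Run it from an elevated console session on a machine with the ConfigMgr console installed. The practical takeaway for reviewing such a setup is the second list: auditing which collections a packager group is assigned to, and keeping that list to collections that are empty or that only contain the intended targets, is what bounds the deploy right, since removing a scope from an application does not.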

