Support for Role Based Access Control (RBAC) was introduced in Shopping 5.1 to take advantage of the Limiting Collections and RBAC administration features introduced in System Center Configuration Manager 2012:

  • Limiting Collections govern which devices and users can have applications deployed to them, and therefore which applications are visible in Shopping
  • Security scopes govern which administrative users are able to access Configuration Manager objects, including applications, devices, users, collections and sites, and therefore which objects are manageable in Shopping

In the Shopping Web:

  • The ability for a user to view and search for legacy and machine-centric applications is based on their machine being a member of the Device Limiting Collection used by each application's Shopping deployment collection
  • The ability for a user to view and search for user-centric applications is based on their account being a member of the User Limiting Collection used by each application's Shopping deployment collection
  • The Limiting Collections used by Shopping deployment collections are determined by how Shopping receivers are configured

In the Shopping Web Administration pages:

  • The ability for a Shopping administrator to manage applications is based on their access to applications in Configuration Manager (Software Library - Overview - Application Management - Applications)
  • The ability for a Shopping administrator to manage devices and users is based on their access to collections in Configuration Manager (Assets and Compliance - Overview - Device/User Collections)

In the Shopping Admin Console:

  • The ability for a Shopping administrator to manage applications is based on their access to applications in Configuration Manager (Software Library - Overview - Application Management - Applications)
  • The ability for a Shopping administrator to manage sites is based on their access to sites in Configuration Manager (Administration - Overview - Site Configuration - Sites)

Features

Functionality: Shopping home page
Feature: Filtering
Notes: Shopping has additional filters to support RBAC.
  • Non-SMS applications (and their banners) are not filtered and will continue to be visible
  • Any legacy or machine-centric app-model application (and its banners) is displayed if the machine accessing Shopping Web is in the device collection that is assigned to a Configuration Manager administrator who has the same scope as the application
  • Any user-centric app-model application (and its banner) is displayed if the user accessing Shopping Web is in the user collection that is assigned to a Configuration Manager administrator who shares the same scope as the application
The same visibility rules apply to applications in categories and to search results.

Functionality: Shopping basket
Feature: Searching for devices or users
Notes: Administrators can only manage devices and users based on their Configuration Manager collections.

Functionality: Re-installation
Feature: Searching for devices
Notes: Administrators can only manage devices and users based on their Configuration Manager collections.

Functionality: Copy configuration
Feature: Searching for devices
Notes: Administrators can only manage devices and users based on their Configuration Manager collections.

Functionality: Uninstall applications
Feature: Searching for devices
Notes: Administrators can only manage devices and users based on their Configuration Manager collections.

Functionality: Banners
Feature: Creating or editing
Notes: Banners can be created or edited:
  • For all OS deployment and non-SMS applications
  • Only for those legacy SMS or machine-centric app-model applications that are available on the machine (see Shopping home page)
  • Only for those user-centric app-model applications that are available to the logged-on user (see Shopping home page)

Setting up RBAC in the Shopping Admin console

Visibility of applications and sites for Shopping administrators is limited by their associated security scope. For example, to configure RBAC in the Shopping Admin console:

  1. Ensure that you have updated the WQL and RBAC preference settings in the Shopping Admin Console (see Enabling RBAC below). If you haven't already, do it now.
  2. In Configuration Manager:
    1. Create a new security scope, for instance AcmeScopeA.
    2. Assign AcmeScopeA to AcmeAdmin only.
    3. Associate AcmeScopeA with two applications, for example Acme AppA and Acme AppB.
    4. Assign AcmeScopeA to AcmeSiteA.

Now that the configuration is done, we're going to use the AcmeAdmin account to:

  1. Create new applications.
    1. Run the Shopping Admin console as AcmeAdmin.
    2. Create a new Configuration Manager application with the new application creation wizard.
    3. Both applications (Acme AppA and Acme AppB) appear in the Package and Program/Application list.
    4. Choose Acme AppA and complete the wizard to create ShoppingAcmeAppA.
  2. Import existing applications.
    • If AcmeAdmin is importing new applications, they'll only see Acme AppA.
    • If AcmeAdmin is importing all applications, they'll see both Acme AppA and Acme AppB.
    • Administrators who do not have a mapping in their security scope for AcmeScopeA will not see any of the Acme applications to import.
  3. List applications.
    1. Run the Shopping Admin console as AcmeAdmin.
    2. Navigate to the Applications section.
    3. Only ShoppingAcmeAppA is visible to AcmeAdmin.
    4. Administrators who do not have a mapping in their security scope for AcmeScopeA will not see the ShoppingAcmeAppA application.
  4. View site nodes.
    1. Run the Shopping Admin console as AcmeAdmin.
    2. Navigate to the Sites section.
    3. Only AcmeSiteA is visible to AcmeAdmin.
    4. Administrators who do not have a mapping in their security scope for AcmeScopeA will not see AcmeSiteA.

These behaviors are identical for Configuration Manager packages and task sequences.

Enabling RBAC

  1. You must have a Configuration Manager 2012 environment.
  2. Update the following preferences in Shopping Admin Console settings:
    • WQL Support Enabled=TRUE
    • RBAC Support Enabled=TRUE

In Configuration Manager, update the following Security configuration:

  • Each Shopping administrator must be a Configuration Manager administrative user with at least the Read-only Analyst role. Set the security scopes and collections for each administrator or group of administrators. Do this also for the default Shopping admin account, which is the AD account or group specified in the Shopping console settings.
  • Configuration Manager applications must have the same scope as the administrators managing them.
  • Shopping Receiver service accounts must be configured according to the general Prerequisites, but with the All instances of the objects that are related to the assigned security roles option selected in the Security Scopes tab.
  • The service account (identity) used by the Shopping Web application pools must have the Read-only Analyst role and the All instances of the objects that are related to the assigned security roles option selected in the Security Scopes tab.
  • The computer account of the Shopping Web application server must have the Read-only Analyst role and the All instances of the objects that are related to the assigned security roles option selected in the Security Scopes tab.

Configuring application visibility with RBAC

Visibility of an application in the Shopping Web Portal is governed by the Limiting Collection used for the application's Shopping deployment collection, as well as other visibility rules such as permissions and computer categories.  The limiting collection is determined by a Shopping RBAC mapping for the Shopping administrator who created the Shopping application, or by the default limiting collection if an RBAC mapping does not exist for that administrator.

Default limiting collections

When a Shopping Receiver creates a collection for deploying an application, it needs to specify that collection's limiting collection. By default that is either All Systems or All Users and User Groups. These defaults allow ConfigMgr administrators who have Shopping deployment collections in their scope to add any device or user to them, which may run contrary to the way those administrators have implemented ConfigMgr RBAC. Shopping therefore provides a way to specify alternative limiting collections.

Shopping Receivers can be configured to use alternative default limiting collections for their Shopping deployment collections.  The following values are configurable in the Receiver config file.

  • RootDeviceCollectionId
  • RootDeviceCollectionName
  • RootUserCollectionId
  • RootUserCollectionName

For RBAC to work correctly, limiting collections must be defined for application-specific deployment collections. When creating a deployment collection, the Shopping Receiver service checks for Configuration Manager administrative users who have the same security scope as the application, looks up the tb_RbacMapping table for a device collection mapped to that user, and uses it as the limiting collection if one is found. If none is found, it uses the collections defined in the configuration file. If you are a Shopping central administrator who is not a Configuration Manager administrative user, or who has no mapping, the default limiting collection is used.

When RBAC is used, a mapping table can be used to configure which limiting collection is used by each Configuration Manager administrative user. When creating a deployment collection, the Shopping receiver service checks for the first administrative user who has the same security scope as the application.

For Configuration Manager AppModel applications, the Receiver on the CAS is responsible for creating the Shopping deployment collections.  For Configuration Manager legacy package deployments, the Receivers on client primary sites must be configured.

To configure RBAC for the Shopping Receiver:

  1. Ensure that you have set the WQL Support Enabled and RBAC Support Enabled settings to True in Shopping Admin Console settings.
  2. In SCCM:
    1. Assign AcmeScopeA to AcmeAdmin only.
    2. Associate AcmeScopeA with an application, for example Acme AppA.
    3. Create a new device collection, for example AcmeCollectionA, to limit the deployment collection for Acme AppA.
    4. Update the membership of AcmeCollectionA to include the device where the application will be shopped.
    5. Associate AcmeCollectionA with AcmeAdmin.

Limit the collection on the Shopping Web

  1. Log-on to the Shopping Web as the Shopping central administrator.
  2. On the Administration tab, go to Manage RBAC Mappings.
  3. Choose Device Collections as Collection Type.
  4. From the list box, choose AcmeAdmin to populate the Collections list.
  5. From the available collections, select AcmeCollectionA.
  6. Click Save to preserve the AcmeAdmin-AcmeCollectionA collection mapping.

Create a new application

  1. Run the Shopping Admin Console as AcmeAdmin.
  2. Create a new Configuration Manager application using Acme AppA.
  3. The deployment collection (AppA_Install_Device_Shopping) has AcmeCollectionA as its limiting collection and is only visible to other Shopping administrators if that collection is associated with their account.

The same is true for user centric applications where the collection is a User Collection.

Limiting collections for administrative users

In order to create deployment collections, the Shopping Receiver needs a limiting collection. The keys in its configuration file that define the limiting collection (used when no RBAC mapping applies) are:

  • RootDeviceCollectionId
  • RootDeviceCollectionName
  • RootUserCollectionId
  • RootUserCollectionName

For RBAC to work correctly, limiting collections must be defined for application-specific deployment collections. When creating a deployment collection, the Shopping Receiver service checks for ConfigMgr administrative users who have the same security scope as the application, looks up the tb_RbacMapping table for a device collection mapped to that user, and uses it as the limiting collection if one is found. If none is found, it uses the collections defined in the configuration file. If you are a Shopping Central Administrator who is not a ConfigMgr administrative user, or who has no mapping, the default limiting collection is used.
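The limiting-collection lookup described here (and in Configuring application visibility with RBAC above), modelled as an added example that is not 1E Shopping's own code: it assumes a mapping dict keyed by (administrative user, collection type) as a stand-in for tb_RbacMapping, and constructed admin, scope and membership data. The scenario shows why an in-scope administrator with no mapping makes an application fall back to All Systems and become visible to machines outside the intended collection.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AdminUser:
    name: str
    scopes: frozenset  # Configuration Manager security scopes held by this user

# Fallback when no RBAC mapping applies, standing in for the Receiver's
# Root*Collection config keys (constructed values for this example).
RECEIVER_DEFAULTS = {"device": "All Systems", "user": "All Users and User Groups"}

def resolve_limiting_collection(app_scope, admins, rbac_mapping, ctype,
                                defaults=RECEIVER_DEFAULTS):
    """Return (limiting_collection, reason) for a new deployment collection.
    Lookup order as documented: the first Configuration Manager administrative
    user whose scopes include the application's scope, then that user's entry
    for the requested collection type ('device' or 'user') in rbac_mapping
    (assumed stand-in for tb_RbacMapping), otherwise the Receiver default."""
    for admin in admins:
        if app_scope in admin.scopes:
            mapped = rbac_mapping.get((admin.name, ctype))
            if mapped:
                return mapped, f"tb_RbacMapping entry for {admin.name}"
            return defaults[ctype], f"{admin.name} holds the scope but has no mapping"
    return defaults[ctype], "no administrative user holds this scope"

def visible_in_shopping_web(limiting_collection, requester, memberships):
    """A machine-centric app is shown only if the requesting machine (for
    user-centric apps, the user) is a member of the limiting collection."""
    return requester in memberships.get(limiting_collection, set())

def demo():
    """Constructed scenario in the spirit of the AcmeAdmin/AcmeScopeA walkthrough;
    OtherAdmin holds a scope but has no mapping, so its app falls back to All Systems."""
    admins = [AdminUser("AcmeAdmin", frozenset({"AcmeScopeA"})),
              AdminUser("OtherAdmin", frozenset({"OtherScope"}))]
    rbac_mapping = {("AcmeAdmin", "device"): "AcmeCollectionA"}
    memberships = {"All Systems": {"PC-ACME-01", "PC-FINANCE-02"},
                   "AcmeCollectionA": {"PC-ACME-01"}}
    results = {}
    for app, scope in [("Acme AppA", "AcmeScopeA"), ("Other App", "OtherScope")]:
        coll, why = resolve_limiting_collection(scope, admins, rbac_mapping, "device")
        seen = visible_in_shopping_web(coll, "PC-FINANCE-02", memberships)
        results[app] = (coll, why, seen)  # does a finance PC see this app?
    return results
```

Running demo() shows Acme AppA limited to AcmeCollectionA and hidden from PC-FINANCE-02, while the unmapped administrator's application is limited by All Systems and visible to it; auditing Manage RBAC Mappings for unmapped in-scope administrators catches that gap.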

Mappings between users and limiting collections are configured in Manage RBAC Mappings on the Administration tab. This feature requires the WQL Support Enabled and RBAC Support Enabled settings to be set to True in Shopping Admin Console settings. The mapping option is visible to all Shopping Central Administrators.

(Screenshot: Manage RBAC mappings menu)

Creating a mapping

To create a mapping to a device or user collection:

  1. Choose either Device Collection or User Collection.
  2. In Users, select an administrative user account.
  3. In Collections, select the collection you want as a limiting collection to associate with the administrative user account. This mapping is written to the tb_RbacMapping table.
  4. Click Save.

(Screenshot: Managing RBAC mappings)

Deleting a mapping

To delete an existing mapping:

  1. In Users, select the administrative user account with a currently set mapping.
  2. In Collections, select the collection you want to remove from the mapping.
  3. Click Remove.