O R G A N I C / F E R T I L I Z E R: sms security

Feb 17, 2005

sms security

UPDATE: here's a solution - http://marcusoh.blogspot.com/2005/09/update-on-systems-management-server.html

i'd really like to outline how thoughtless sms security is for an enterprise. without some fanciful scripting, you're really up against a wall trying to delegate permissions. let's take the average company that has split responsibilities of desktop software deployment from the sms infrastructure. here's the scenario:

  • workstations are clients
  • servers are clients

so the first thing you decide is that you want to prevent a desktop jockey from deploying software to a server accidentally by some malformed collection query. in order to do this, you create a collection of only workstations as the root. now here's the problem. if you give desktop jockey the rights to create collections under this collection, there's no way to propagate, for example, the limiting collection (root) by default. this is really where things break down. there is no inheritance in a child collection as defined by the root collection. security doesn't inherit nor does collection limiters. so instead of adding folders to the sms admin console - let's concentrate on adding usable, desired functionality.