I have done some FEP installations now and a couple of questions always turn up like how to delegate permissions in the SCCM console for the FEP integration as there isn’t a new security delegation option created for it when installing the plugin for the SCCM Admin Console. I did some research for the different components and came to the following conclusion.
The following permissions control the different areas/functions in the Forefront add-in to the SCCM Console.
|Component||Object Class||Admin Permissions|
|Access to the FEP Dashboard||Collection||Administer, Advertise, Create, Delete, Delete resource, Modify, Modify Collection Settings, Modify resource, Read, Read resource|
|FEP Reports||Managed in SQL Reporting Services||Browse permissions|
|FEP Policies||Package &Advertisement||Package = Administer, Create, Delete, Distribute, Manage Folders, Modify, ReadAdvertisement = Create, Delete, Manage Folders, Modify, Read|
|FEP Alerts||Site||Administer, Manage Status filter, Modify, Read|
|FEP Baselines||Configuration Items||Create, Delete, Distribute, Manage Folders, Modify, Read|
If an administrator only needs permissions to view the different components, Read permissions on the different objects are enough. Then the administrator can for instance see the policies but cannot create new ones or modify the existing ones.
Today before I posted this post I found that this excellent article was published yesterday about how to create a custom MMC and delegate permissions in SCCM to manage the FEP integration, it is really good! You should check it out
My conclusion is also that there is actually no good way of delegating only administration of FEP itself in the console. The link above shows the steps needed for delegating administrative permissions and creating a custom MMC. However, there is no way to stop the FEP admin from launching the full SCCM admin console and then have access to a lot more than just FEP.
So does this mean that SCCM administrators will now become the FEP administrators as well in the future? In some cases I believe so as knowledge in SCCM in needed.