Querying RBAC

-- Permissions within SCCM

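-- Which RBAC instance permissions a given administrative account holds
-- (SCCM site database, T-SQL).
--
-- @LogonName    account to audit (DOMAIN\user as stored in RBAC_Admins.LogonName)
-- @ObjectTypeID leave NULL to return every secured object type, or set it to
--               restrict to one type (RBAC_SecuredObjectTypes is the lookup)
declare @LogonName nvarchar(256) = 'ZZZ\_cmoorehead';   -- width assumed; widen if LogonName is longer
declare @ObjectTypeID int = null;

select
    p.ObjectKey
  , p.ObjectTypeID
  , p.GrantedOperations
    -- GrantedOperations is a bitmask (RBAC_ObjectOperations holds the flag
    -- values). The masks below are the collection operations from the original
    -- notes; the labels are only meaningful on collection rows, so check
    -- p.ObjectTypeID before reading them on other object types.
  , case when (p.GrantedOperations & 0x00000001) <> 0 then 'Yes' else 'No' end as [Collection - Read]
  , case when (p.GrantedOperations & 0x00004000) <> 0 then 'Yes' else 'No' end as [Collection - Deploy Packages]
  , case when (p.GrantedOperations & 0x00100000) <> 0 then 'Yes' else 'No' end as [Collection - Deploy Applications]
  , case when (p.GrantedOperations & 0x04000000) <> 0 then 'Yes' else 'No' end as [Collection - Deploy Software Updates]
  , case when (p.GrantedOperations & 0x00800000) <> 0 then 'Yes' else 'No' end as [Collection - Deploy Task Sequence]
  , a.AdminID
  , a.LogonName
  , a.DisplayName
  , a.IsGroup
from RBAC_InstancePermissions as p
inner join RBAC_Admins as a
    on a.AdminID = p.AdminID
where a.LogonName = @LogonName
  -- optional type filter; NULL keeps the original "all object types" behaviour
  and (@ObjectTypeID is null or p.ObjectTypeID = @ObjectTypeID)
-- deterministic output so two audit runs can be diffed
order by p.ObjectTypeID, p.ObjectKey;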

 


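-- Exploration of the RBAC_* tables: list them, then peek at each one.
-- select * is deliberate here: these are schema-discovery queries, not
-- production views. Set the two variables to the admin / security scope
-- being investigated.
declare @AdminID int = 167773;
declare @ScopeID nvarchar(32) = 'XXX0002C';   -- security scope (category) ID; width assumed

select TABLE_SCHEMA, TABLE_NAME, TABLE_TYPE
from INFORMATION_SCHEMA.TABLES
where TABLE_NAME like 'RBAC%'
order by TABLE_NAME;

select * from RBAC_AdminExtendedData;    -- Empty

select * from RBAC_ChangeNotification;   -- Empty

select * from RBAC_EnabledAccounts;      -- one row NT AUTHORITY\NETWORK SERVICE

select * from RBAC_ObjectOperations;     -- lookup - bitflags of operations

select * from RBAC_SecuredObjectTypes;   -- lookup - Object Type Descriptions

select * from RBAC_ObjectOperationDeps;  -- some sort of lookup?

select * from RBAC_Admins;               -- Administrative Users

select * from RBAC_Categories;           -- Security Scopes

select * from RBAC_Roles;                -- Security Roles

-- Objects in Security Scopes; category ID is the security scope
select * from RBAC_CategoryMemberships where CategoryID = @ScopeID;

-- Matches Admin + Role + Scope, or Admin + Role + Collection
select * from RBAC_ExtendedPermissions where AdminID = @AdminID;

select * from RBAC_ExtendedPermissions where ScopeID = @ScopeID;

-- Admin permissions to objects
select * from RBAC_InstancePermissions where AdminID = @AdminID;

select * from RBAC_InstancePermissions where ObjectTypeID = 2;

-- bitflag of granted operations to roles, can find "Create Package" permission
select * from RBAC_RoleOperations;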
