One of the truly nice features of Configuration Manager 2012 is the ability to define roles and scopes and assign these to users or groups. While trying to setup a delegation/security model in Configuration Manager 2007 was possible it was also an exercise in frustration.
For an introduction to RBA please refer to
An interesting aspect of RBA is that the console reflects the settings – that is the user is only shown what is accessible.
Microsoft has released a very nice tool – RBA viewer as part of the Configuration Manager 2012 Toolkit (ConfigMgr2012_Toolkit_RTM_1028.exe) found on http://www.microsoft.com/en-us/download/details.aspx?id=29265
RBA Viewer allow you to see the rights for a given role and see how the console looks.
The image above shows the default Endpoint Protection Manager role. Please notice that clicking on the various UI elements will show you what is available for the role. That is clicking on Device Collections will show elements available to the role. Very nice.
Notice how you can change the individual rights of the role by simply checking the right. This way you can use the tool to actually model the roles you need. If you make multiple roles you can analyze the similarity of your roles to existing ones.
In the screenshot above I am comparing the Infrastructure Administrator role to the other roles to see which ones are similar.
You can export the roles to an .xml file and import it into Configuration Manager 2012
The RBA Viewer is a great tool for examining the existing roles and understanding how RBA works. The ability to quickly see how the admin UI (the console) looks for a role is a real timesaver.