RBA with Multiple Administrators
We have over 80 SCCM Departmental Admins that only manage their respective systems within their department, plus, as the Site Admin, I provide (Public) Applications/Packages for them to deploy (not distribute). I have been able to configure the Collection Scope to limit the systems they manage, but I have not been able to set up the roles and Security Scope for the Departmental Admins so they have the permissions to do everything a Full Administrator can do except for changing Site Settings, plus only deploy the Public packages I create for them but not distribute them.
Any suggestions?
November 27th, 2012 3:58pm
Hi
You can select the default scope or can also create a custom scope & assign that scope under the Security Scope option. As far as the role is concerned, if you want other users to not be able to change site settings, then don't give any permission under the Site section except Read. For deployment, you need to provide the rights below under the Collections section in a custom role:
Deploy Application-Yes
Deploy Client Setting-Yes
Deploy Packages-Yes
Read-Yes
Read Resource-Yes
Under the Deployments & Package sections in that custom role, give Read permissions only.
I hope this will help.
November 27th, 2012 4:30pm
Thanks for the reply, but this really doesn't help. I have created all kinds of custom roles and scopes, and no matter how I configure the role permissions and then associate both Security Scope and Collection Scope to a User/Group Account, I can't prevent the Departmental Admins from distributing the Public-scoped packages and applications I create for them. Here is what I did:
- Created a Public Scope and a Public Role (Read Only) then went to each Public package and application and made sure they were set to the Public Scope using the "Set Scope" option.
- Created a Departmental Admin Role (Full except for Read only on Site) and a Departmental Scope.
- I then created a Root Departmental Collection using a membership rule based on "System Resource.System OU Name"
- Via the Administrative Users node, I added the Departmental AD Group, then associated the Departmental Admin Scope with the specific Departmental security scope and Departmental Collection.
- I also associated the Public Role with the specific Public security scope to the Departmental AD Group.
I highlighted "specific" since I thought the "Associate assigned security role with specific security scopes and collections" radio button meant that only those role permissions would apply to the specific scope and collections?
The problem I am seeing is, the Departmental Admins role has the Copy to Distribution Point permission so they can distribute the packages and applications they create within their Departmental Scope, but for some reason, they can also distribute the Public packages, which are associated only with the Public Scope and the Public Role, which does not have the Copy to Distribution Point permission.
Hopefully I've explained this well enough for others to understand. I just want the Departmental Admins to be able to deploy the Public packages and apps to their collections, and not have the ability to add a DP to a Public package or app or re-distribute them.
November 28th, 2012 4:19pm
"Created a Departmental Admin Role (Full except for Read only on Site) and a Departmental Scope."
This step is doing the damage. You need to create a role which has only the required permissions, i.e., deploy permissions.
November 28th, 2012 4:43pm
Hi
Refer to the snapshot below & configure the same settings for the package. Just ignore the permission settings mentioned in my earlier reply.
November 28th, 2012 5:01pm
None of your suggestions are working, so I'm starting to think you still don't clearly understand the problem I am trying to solve. You keep talking about Deploy permissions with Applications and Packages, but I am not having a problem with Deployments. I'm talking about the Distribution of those Applications and Packages, which is controlled by the "Distribution" object class and more specifically the "Copy to Distribution Point" permission, which seems to "cross the streams" when it comes to Security Scope.
November 28th, 2012 8:20pm
Hi
I'm sorry if you think so. Anyway, I just replicated your case in my environment. I just created a new role with the permissions mentioned in my last reply (refer to the snapshot). Once I logged into the SCCM console with that user, the "Distribute Content" option is grayed out for the applications & packages present in the SCCM console.
I think this is what you want.
November 29th, 2012 9:51am
It's odd that I am unable to reproduce your results in my environment. I find the "Copy to Distribution Point" permission under the Distribution class controls whether "Distribute Content" is grayed out or not, and the "Read" permission under the Distribution class controls whether you can even see the Distribution Points to distribute to. I also determined the "Modify" permission under the Package and Application classes determines whether you see "Update Distribution Points". Perhaps I am doing something wrong, but I still think we are talking about 2 different issues, so I will wait for others to reply. The Departmental Admins have the ability to create their own Packages and Applications within their scope and distribute their packages and apps to a Distribution Point, but I don't want them to have the ability to distribute the Public-scoped Packages and Applications I create for them to a Distribution Point. I've already tried separating two DPs into separate scopes (Departmental Scope and Public Scope), but that still doesn't prevent them from re-distributing the public packages and apps to their Departmental-scoped Distribution Point. In summary, once I give the user the "Copy to Distribution Point" permission, they can Distribute Content for any Package and Application instance they can see (Read).
November 29th, 2012 3:03pm
Has there been any further progress on this? Our environment is similar to scarneol's and we are experiencing this issue as well. Here's what I have done to replicate the issue:
1. Create a custom security role (DPAccessRole) containing the permissions "Distribution Point: Copy to Distribution Point" and "Distribution Point: Read"
2. Create a Security Scope named "Dept1"
3. Set the "Dept1" Security Scope on the distribution point
4. Create an AD security group (dept1-sccm-admins) and grant it:
- "Read-only Analyst" security role over "All" security scopes and the "All Systems" and "All Users and User Groups" collections.
- "DPAccessRole" over the "Dept1" security scope and the "All Desktops" collection.
(see image below)
In this scenario members of dept1-sccm-admins can distribute and remove applications which DO NOT have the dept1 Security Scope set and are not associated with the "All Desktops" collection from distribution points.
December 19th, 2012 9:31pm
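A read-only audit that makes the reproduction above visible at the site level, as an added example that is not from any poster in this thread. It assumes the ConfigurationManager PowerShell module with a site drive already mapped, the cmdlets Get-CMAdministrativeUser, Get-CMApplication, Get-CMPackage and Get-CMObjectSecurityScope, and a naming prefix for the shared ("Public") objects; it lists which accounts hold which roles and scopes and which scopes each application and package carries, since the thread's finding is that "Copy to Distribution Point" applies to every object the role holder can Read.

```powershell
# Added example (not from the thread). Assumes the ConfigurationManager module is
# loaded and the current location is the site drive (for example PS1:\).
param(
    [string]$PublicScope  = 'Public',   # assumed name of the site admin's shared scope
    [string]$PublicPrefix = 'PUB-'      # assumed naming convention for shared objects
)

# 1. Every administrative user/group with its roles, security scopes and collections.
#    Any account listed here with a role that grants "Copy to Distribution Point"
#    can distribute every application or package it can Read.
Get-CMAdministrativeUser | ForEach-Object {
    [pscustomobject]@{
        Account     = $_.LogonName
        Roles       = ($_.RoleNames -join ', ')
        Scopes      = ($_.CategoryNames -join ', ')
        Collections = ($_.CollectionNames -join ', ')
    }
} | Format-Table -AutoSize

# 2. Security scopes on each application and package. A shared object that also
#    carries a departmental scope is readable by that department, so the scope
#    tagging alone will not stop re-distribution.
$objects = @(Get-CMApplication) + @(Get-CMPackage)
foreach ($obj in $objects) {
    # Applications expose LocalizedDisplayName; packages expose Name.
    $name   = if ($obj.LocalizedDisplayName) { $obj.LocalizedDisplayName } else { $obj.Name }
    $scopes = @((Get-CMObjectSecurityScope -InputObject $obj).CategoryName)
    $extra  = $scopes | Where-Object { $_ -ne $PublicScope -and $_ -ne 'Default' }
    if ($name -like "$PublicPrefix*" -and $extra) {
        Write-Warning ("{0}: shared object also carries scope(s) {1}" -f $name, ($extra -join ', '))
    }
    [pscustomobject]@{ Object = $name; Scopes = ($scopes -join ', ') }
}
```

Run it as a Full Administrator after each role or scope change; the warnings show shared objects that a departmental role can Read and therefore distribute.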
I'm having exactly the same problem. Did anyone ever get a solution?
Edited by ZebulonS, Wednesday, September 04, 2013 3:34 PM
September 4th, 2013 3:34pm
Yes, I know this is an old post, but I'm trying to clean them up. Did you solve this problem? If so, what was the solution?
Since no one has answered this post, I recommend opening a support case with CSS, as they can work with you to solve this problem.
March 7th, 2015 1:10pm