While having a conversation today about security scopes I realized that I didn’t know the complete list of places that you could actually configure the Security Scope on objects. I didn’t see any list posted on any of the System Center sites so I started digging through the console.
Security Scopes are part of Role Based Access (RBA). Combined with roles, as shown in the diagram below, they determine which objects and areas within SCCM a user gains access to.
An SCCM scope encompasses the objects that a user can manipulate. SCCM 2012 ships with just two security scopes, but you can create new ones as needed. Objects in SCCM can be tagged with one or more of these scopes.
If you navigate to Administration>Security>Security Scopes you can see the different scopes that are defined. Other than the name, whether it is in use and the description, you can't see much else about a scope. As shown above, a scope has various things associated with it, but you don't see them here. While trying to fine-tune a user's rights, the blend of the Role and the Scope, we looked into all the various objects you can set a scope on. As stated, you can't see that here in the Security Scopes area.
You can see some of the objects you can set the Security Scope on by clicking the Wunderbars in the bottom left of the console, and then clicking the different elements in the navigation pane in the left middle of the console. Since the items in the navigation pane and in the results pane (the center view) are context sensitive, they populate different options along the ribbon at the top of the pane. You can find some of the scopes there. However, if you don't have objects under certain areas in the navigation pane, then you won't see them in the results pane, and you won't know that you can set the Security Scope for them.
An example of this can probably be seen by looking at Cloud Subscription, because you probably don't have anything in there if you are just starting off with ConfigMgr. Notice that when you click on Cloud Subscription in the navigation pane, the context ribbon doesn't have anything about the security scope. Now navigate to someplace where you probably do have settings. Pick Client Settings or Software Update Group. When you click on one of those items in the navigation pane, and then on an item in the results pane, you will see the Set Security Scope context item on the ribbon.
So where can you see all of the different objects that you can set the security scope on if you don't have everything populated? Navigate to Administration>Security>Security Roles and view the properties of the built-in role Full Administrator. Here you can view the full list of object classes that you can set permissions for by expanding the [+]. Every place that you can set the Security Scope can be seen under each object class.
This is a list of all the different class objects that you can set the Security Scope on and how you can navigate to each item:
| Object Class | Navigation |
|---|---|
| Alert Subscription | Monitoring>Alerts>Alert Subscription |
| Application | Software Library>Application Management>Packages |
| Boot Image Package | Software Library>Operating Systems>Boot Images |
| Boundary Group | Administration>Hierarchy Configuration>Boundary Group |
| Client Agent Setting | Administration>Client settings |
| Cloud Subscription | Administration>Hierarchy Configuration>Cloud |
| Configuration Item | Assets and Compliance>Compliance Settings>Configuration Items |
| Configuration Policy | Assets and Compliance>Compliance Settings>Configuration Baselines? |
| Distribution Point | Administration>Distribution Points |
| Distribution Point | Administration>Distribution Point Groups |
| Driver Package | Software Library>Operating Systems>Driver Packages |
| Global Condition | Software Library>Application Management>Global Condition |
| Set Security Scope | Administration>Security>Security Scopes – Access to Scopes in general? |
| Operating System Image | Software Library>Operating Systems>Operating System Images |
| Operating System Installation Package | Software Library>Operating Systems>Operating System Installers |
| Package | Software Library>Application Management>Package |
| Site | Administration>Site Configuration>Sites – General access to sites? |
| Software Metering Rule | Assets and Compliance>Software Metering |
| Software Update Group | Software Library>Software Updates>Software Update Groups>Software Update Groups |
| Software Update Package | Software Library>Software Updates>Deployment Packages |
| Task Sequence Package | Software Library>Operating Systems>Task Sequences |
| Virtual Environment | Software Library>Application Management>App-V Virtual Environments |
| Windows CE Device Settings Item | |
| Windows CE Device Settings Package | |
| Windows Firewall Policy | Assets and Compliance>Endpoint Protection>Windows Firewall Policies |
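
The console's Security Scopes node does not show which objects carry a scope, so the following added example (not part of the original post) audits that from the SMS Provider instead. It assumes it is run on the SMS Provider server by an account with read access, that `XYZ` is a placeholder for your site code, and that the provider exposes the WMI classes `SMS_SecuredCategory` and `SMS_SecuredCategoryMembership` with the properties used here.

```powershell
# Added example: summarize how many objects of each securable type are
# tagged with each security scope. 'XYZ' is a placeholder site code.
$SiteCode  = 'XYZ'
$Namespace = "root\sms\site_$SiteCode"

# One instance per security scope (CategoryID, CategoryName, ...).
$scopes = Get-CimInstance -Namespace $Namespace -ClassName SMS_SecuredCategory

# One instance per (scope, object) tag: CategoryID, ObjectKey, ObjectTypeID.
$memberships = Get-CimInstance -Namespace $Namespace `
                               -ClassName SMS_SecuredCategoryMembership

# Lookup table so the report shows scope names rather than IDs.
$scopeName = @{}
foreach ($s in $scopes) { $scopeName[$s.CategoryID] = $s.CategoryName }

# Count tagged objects per scope and per object type.
$report = $memberships |
    Group-Object -Property CategoryID, ObjectTypeID |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Scope        = $scopeName[$first.CategoryID]
            ScopeID      = $first.CategoryID
            ObjectTypeID = $first.ObjectTypeID   # numeric type; not decoded here
            Objects      = $_.Count
        }
    } |
    Sort-Object Scope, ObjectTypeID

# Scopes that exist but are attached to no object at all are worth
# reviewing: a role assignment limited to them grants access to nothing.
$usedIds = $memberships | Select-Object -ExpandProperty CategoryID -Unique
$unused  = $scopes | Where-Object { $usedIds -notcontains $_.CategoryID } |
           Select-Object CategoryName, CategoryID

$report | Format-Table -AutoSize
if ($unused) {
    Write-Output 'Scopes with no tagged objects:'
    $unused | Format-Table -AutoSize
}
```

The `ObjectTypeID` values are left numeric; match them against the object classes in the table above by checking a known object of each type in your own site.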