SCCM 2012: Security Scopes

While having a conversation today about security scopes I realized that I didn’t know the complete list of places that you could actually configure the Security Scope on objects. I didn’t see any list posted on any of the System Center sites so I started digging through the console.

Security Scopes are part of the Role Based Access (RBA). Combined with roles, as shown in the diagram below, the user will gain access to various objects and areas within SCCM.

An SCCM scope encompasses the objects that a user can manipulate. SCCM 2012 ships with just two security scopes, but you can create new ones as needed. Objects in SCCM can be tagged with one or more of these scopes.

SCCM Security Venn Diagram


If you navigate to Administration>Security>Security Scopes, you can see the scopes that are defined. Other than the name, whether the scope is in use, and the description, you can't see much else about it. As shown above, a scope has various things associated with it, but you don't see them here. While trying to fine-tune a user's rights, which are the blend of role and scope, we looked into all the places where you can set a scope. As stated, you can't see that in the Security Scopes area.

You can see some of the objects you can set the Security Scope on by clicking the Wunderbars in the bottom left of the console, and then clicking the different elements in the navigation pane in the left middle of the console. Because the items in the navigation pane and in the results pane (the center view) are context sensitive, they populate different options along the ribbon at the top of the pane. You can find some of the scope options there. However, if you don't have objects under a given area in the navigation pane, nothing appears in the results pane, and you won't know that you can set the Security Scope for that kind of object.

An example of this can probably be seen by looking at Cloud Subscription, since you likely don't have anything in there if you are just starting off with ConfigMgr. Notice that when you click Cloud Subscription in the navigation pane, the context ribbon doesn't show anything about the security scope. Now navigate to someplace where you probably do have settings, such as Client Settings or Software Update Group. When you click one of those items in the navigation pane and then an item in the results pane, you will see the Set Security Scope context item on the ribbon.

So where can you see all of the different objects that you can set the security scope on if you don't have everything populated? Navigate to Administration>Security>Security Roles and view the properties of the built-in role Full Administrator. Here you can view the full list of object classes that you can set permissions for by expanding the [+]. Every place that you can set the Security Scope can be seen under each object class.

This is a list of all the different class objects that you can set the Security Scope on and how you can navigate to each item:


| Object Class | Navigation |
| --- | --- |
| Alert Subscription | Monitoring>Alerts>Alert Subscription |
| Application | Software Library>Application Management>Packages |
| Boot Image Package | Software Library>Operating Systems>Boot Images |
| Boundary Group | Administration>Hierarchy Configuration>Boundary Group |
| Client Agent Setting | Administration>Client settings |
| Cloud Subscription | Administration>Hierarchy Configuration>Cloud |
| Configuration Item | Assets and Compliance>Compliance Settings>Configuration Items |
| Configuration Policy | Assets and Compliance>Compliance Settings>Configuration Baselines? |
| Distribution Point | Administration>Distribution Points |
| Distribution Point | Administration>Distribution Point Groups |
| Driver Package | Software Library>Operating Systems>Driver Packages |
| Global Condition | Software Library>Application Management>Global Condition |
| Set Security Scope | Administration>Security>Security Scopes – Access to Scopes in general? |
| Operating System Image | Software Library>Operating Systems>Operating System Images |
| Operating System Installation Package | Software Library>Operating Systems>Operating System Installers |
| Package | Software Library>Application Management>Package |
| Query | Monitoring>Queries |
| Site | Administration>Site Configuration>Sites – General access to sites? |
| Software Metering Rule | Assets and Compliance>Software Metering |
| Software Update Group | Software Library>Software Updates>Software Update Groups>Software Update Groups |
| Software Update Package | Software Library>Software Updates>Deployment Packages |
| Task Sequence Package | Software Library>Operating Systems>Task Sequences |
| Virtual Environment | Software Library>Application Management>App-V Virtual Environments |
| Windows CE Device Settings Item | |
| Windows CE Device Settings Package | |
| Windows Firewall Policy | Assets and Compliance>Endpoint Protection>Windows Firewall Policies |
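
Because the Security Scopes node does not show what is tagged with each scope, an RBA review can summarize the memberships from the SMS Provider instead. The following is an added example, not part of the original post: it assumes the provider class SMS_SecuredCategoryMembership with its CategoryName, ObjectTypeID and ObjectKey properties, and the function name, site code `XYZ`, server name and sample records are all constructed for illustration.

```powershell
# Added example: count scoped objects per security scope and object type.
# Input records are expected to carry CategoryName and ObjectTypeID, the
# property names of SMS_SecuredCategoryMembership (an assumption stated above).
function Get-ScopeUsageSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Membership
    )
    begin   { $rows = [System.Collections.Generic.List[object]]::new() }
    process { foreach ($m in $Membership) { $rows.Add($m) } }
    end {
        # One output row per (scope, object type) pair.
        $rows |
            Group-Object -Property CategoryName, ObjectTypeID |
            ForEach-Object {
                [pscustomobject]@{
                    Scope        = $_.Group[0].CategoryName
                    ObjectTypeID = $_.Group[0].ObjectTypeID
                    ObjectCount  = $_.Count
                }
            } |
            Sort-Object -Property Scope, ObjectTypeID
    }
}

# Constructed sample records so the function can be tried without a site.
# Scope names, object keys and type IDs here are invented, not real site data.
$sample = @(
    [pscustomobject]@{ CategoryName = 'Default';        ObjectTypeID = 2;  ObjectKey = 'XYZ00001' }
    [pscustomobject]@{ CategoryName = 'Default';        ObjectTypeID = 2;  ObjectKey = 'XYZ00002' }
    [pscustomobject]@{ CategoryName = 'Default';        ObjectTypeID = 20; ObjectKey = 'XYZ00010' }
    [pscustomobject]@{ CategoryName = 'Branch-Servers'; ObjectTypeID = 2;  ObjectKey = 'XYZ00002' }
    [pscustomobject]@{ CategoryName = 'Branch-Servers'; ObjectTypeID = 20; ObjectKey = 'XYZ00010' }
)
$sample | Get-ScopeUsageSummary | Format-Table -AutoSize

# Against a live site, feed the function from the provider instead
# (server name and site code are placeholders):
# Get-CimInstance -ComputerName 'siteserver.example.test' `
#     -Namespace 'root\SMS\site_XYZ' -ClassName SMS_SecuredCategoryMembership |
#     Get-ScopeUsageSummary
```

Object types that never appear in the output for a custom scope are a quick pointer to areas where nothing has been tagged with that scope yet.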


