In the Configuration Manager console, click Administration.

In the Administration workspace, expand Security, and click Security Roles.

Use one of the following processes to create the new security role:

• To create a new custom security role perform the following actions:
  
  
  1. Select an existing security role to use as the source for the new security role.
     
     
  2. On the Home tab, in the Security Role group, click Copy. This creates a copy of the source security role.
     
     
  3. In the Copy Security Role wizard, specify a Name for the new custom security role.
     
     
  4. In Security operation assignments, expand each Security Operations node to display the available actions.
     
     
  5. To change the setting for a security operation, click the drop-down arrow in the Value column, and then select either Yes or No.
     
     
  6. After you configure the permissions, click OK to save the new security role.
     
     
• To import a security role that was exported from another Configuration Manager 2012 hierarchy, perform the following actions:
  
  
  1. On the Home tab, in the Create group, click Import Security Role.
     
     
  2. Specify the .xml file that contains the security role configuration that you will import, and click Open to complete the procedure and save the security role.
     
     

     Note
     After you import a security role, you can edit the security role properties to change the object permissions that are associated with the security role.

In the Configuration Manager console, click Administration.

In the Administration workspace, expand Security, and click Security Roles.

Select the custom security role that you want to modify.

On the Home tab, in the Properties group, click Properties.

Select the Permissions tab.

In Security operation assignments, expand each Security Operations node to display the available actions.

To change the setting for a security operation, click the drop-down arrow in the Value column, and then select either Yes or No.

When you have finished configuring security operation assignments, click OK to save the new security role.

In the Configuration Manager console, click Administration.

In the Administration workspace, expand Security, and click Security Scopes.

On the Home tab, in the Create group, click Create Security Scope.

In the Create Security Scope wizard, specify a Security scope name for the new security scope.

Click OK to save the new security scope.

In the Configuration Manager console, select an object that supports assignment to a security scope.

On the Home tab, in the Classify group, click Set Security Scopes.

In the Set Security Scopes dialog box, select or clear the security scopes that this object is associated with. Each object that supports security scopes must be assigned to at least one security scope.

Click OK to save the assigned security scopes.

Note
When you create a new object, the object can be assigned to multiple security scopes. To modify the number of security scopes associated with the object, you must change this assignment after the object is created.

In the Configuration Manager console, click Administration.

In the Administration workspace, expand Security, and then click Administrative Users.

On the Home tab, in the Create group, click Add User or Group.

Click Browse and then select the user account or group to use for this new administrative user.

Note
For console-based administration, only domain users or security groups can be specified as an administrative user.

For Associated security roles, click Add to open a list of the available security roles, select the check box for one or more security roles, and then click OK.

Select one of the following two options to define the securable object behavior for the new user:

• All securable objects that are relevant to their associated security roles: This option associates the administrative user with the All security scope and the root level built-in collections for All Systems, and All Users and User Groups. Access to objects is defined by the security roles assigned to the user. New objects that are created by this administrative user are assigned to the Default security scope.
  
  
• Only securable objects in specified security scopes or collections: By default, this option associates the administrative user to the same security scopes and collections that are associated with the account that you used to create the new administrative user. This option supports the addition or removal of security scopes and collections to customize the administrative scope of the user.
  
  

Important

The preceding options associate each assigned security scope and collection to each security role assigned to the administrative user. A third option, Only securable objects as determined by the security roles of the administrative user, can be used to associate individual security roles to specific security scopes and collections. This third option is available after you create the new user, when you modify the administrative user.

Depending upon your selection in step 6, take the following action:

• If you selected All securable objects that are relevant to their associated security roles, click OK to complete this procedure.
  
  
• If you selected Only securable objects in specified security scopes or collections, you can click Add to select additional collections and security scopes, or select one or more objects from the list and click Remove to remove them. Click OK to complete this procedure.
  
  

In the Configuration Manager console, click Administration.

In the Administration workspace, expand Security, and click Administrative Users.

Select the administrative user that you want to modify.

On the Home tab, in the Properties group, click Properties.

Select the Security Scope tab to view the current configuration for securable objects for this user.

To modify the securable object behavior, select a new option for securable object behavior. After you change this configuration, reference the appropriate procedure for further guidance to configure security scopes and collections, and security roles for this user.

Click OK to complete the procedure.

In the Configuration Manager console, click Administration.

In the Administration workspace, expand Security, and click Administrative Users.

Select the administrative user that you want to modify.

On the Home tab, in the Properties group, click Properties.

Select the Security Scopes tab to confirm that the user is configured for All securable objects that are relevant to their associated security roles.

To modify the assigned security roles, select the Security Roles tab.

• To assign additional security roles to this user, click Add, select the check box for each additional security role that you want to assign, and then click OK.
  
  
• To remove security roles, select one or more security roles from the list, and then click Remove.
  
  

To modify the securable object behavior, select the Security Scopes tab and select a new option for the securable object behavior. After you change this configuration, reference the appropriate procedure for further guidance to configure security scopes and collections, and security roles for this user.

Note
When the securable object behavior is set to All securable objects that are relevant to their associated security roles, you cannot add or remove specific security scopes and collections.

Click OK to complete this procedure.

In the Configuration Manager console, click Administration.

In the Administration workspace, expand Security, and click Administrative Users.

Select the administrative user that you want to modify.

On the Home tab, in the Properties group, click Properties.

Select the Security Scopes tab to confirm that the user is configured for Only securable objects in specified security scopes or collections.

To modify the assigned security roles, select the Security Roles tab.

• To assign additional security roles to this user, click Add, select the check box for each additional security role that you want to assign, and then click OK.
  
  
• To remove security roles, select one or more security roles from the list, and then click Remove.
  
  

To modify the security scopes and collections associated with security roles, select the Security Scopes tab.

• To associate new security scopes or collections with all security roles that are assigned to this user, click Add and select one of the four options. If you select Security Scope or Collection, select the check box for one or more objects to complete that selection, and then click OK.
  
  
• To remove a security scope or collection, select the object, and then click Remove.
  
  

Click OK to complete this procedure.

In the Configuration Manager console, click Administration.

In the Administration workspace, expand Security, and click Administrative Users.

Select the administrative user that you want to modify.

On the Home tab, in the Properties group, click Properties.

Select the Security Scopes tab to confirm that the user is configured for Only securable objects in specified security scopes or collections.

To modify the assigned security roles, select the Security Roles tab.

• To assign additional security roles to this user, click Add. On the Add Security Role dialog box, select one or more available security roles, click Add, and select an object-type to associate with the selected security roles. If you select Security Scope or Collection, select the check box for one or more objects to complete that selection, and then click OK.
  
  

  Note
  You must configure at least a one security scope before the selected security roles can be assigned to the user. When you select multiple security roles, each security scope and collection that you configure is associated with each of the selected security roles.

• To remove security roles, select one or more security roles from the list, and then click Remove.
  
  

To modify the security scopes and collections associated with a specific security role, select the Security Scopes tab, select the security role, and then click Edit.

• To associate new objects with this security role, click Add, and select an object-type to associate with the selected security roles. If you select Security Scope or Collection, select the check box for one or more objects to complete that selection, and then click OK.
  
  

  Note
  You must configure at least a one security scope.

• To remove a security scope or collection that is associated with this security role, select the object, and then click Remove.
  
  
• When you have finished modifying the associated objects, click OK.
  
  

Click OK to complete this procedure.

Caution
When a security role grants an administrative user the collection deployment permission, that user can distribute objects from any security scope for which they have object read/deploy permissions, even if that security scope is associated with a different security role.

In the Configuration Manager console, click Administration.

In the Administration workspace, expand Security and click Accounts to view the accounts that are configured for Configuration Manager.

To change the password for an account that is configured for Configuration Manager, select the account.

On the Home tab, in the Properties group, click Properties.

Click Set to open the Windows User Account dialog box and specify the new password for Configuration Manager to use for the account.

Note
The password that you specify must match the password that is specified for the account in Active Directory Users and Computers.

Click OK to complete the procedure.