The following section contains a description of the class and instance rights available in the Microsoft System Center Configuration Manager 2007 console.

Classes

Right | Applies to | Grants the ability to

Administer

All secured object classes, applicable updates summary instances

Assign or remove any user security rights for a class of objects or for individual object types in that class to yourself or to any other user.

You must explicitly grant other rights appropriate to the object type. Granting the Administer right to a user does not automatically give the user Create, Modify, or Delete rights for that object type.

Advertise

Collection object classes and instances

Advertise to a collection. Subcollections of the collection also receive the advertisement, even if the administrator does not have the Advertise right on the subcollections.

This right does not grant the ability to create advertisements; that requires the Create right on the advertisement object type.

Create

All secured object classes, applicable updates summary instances

Create an instance of an object type.

Create task sequence media

Task sequence package class

Create stand-alone and capture CD task sequence media.

Delegate

All classes except Status, applicable updates summary instances

Grant rights for any instances created by the user. The only rights that can be granted are rights the user has directly (not through group membership or at the class level).

Delete

All secured object classes and instances (except status message instances)

Delete an instance of an object type. (Deleting an advertisement requires Advertise rights on the collection receiving the advertisement and Read rights on the package containing the advertised program, in addition to Delete rights on the advertisement.)

Delete Resource

Collection object class and instances

Delete a resource from a collection.

Distribute

The following collection objects:

  • Boot image Package

  • Configuration items

  • Device setting Package

  • Driver package

  • OS image

  • OS Install package

  • Package

  • And deployment package instances

Send objects to distribution points. You must also have Modify and Read on a package to add the package to a distribution point.

Import computer entry

Site object class

Run the Import Computer Information wizard to specify client computers that are permitted to use the PXE boot process for operating system deployment.

Manage folders

The following class objects:

  • advertisement

  • computer association

  • configuration items

  • Deployment package

  • device driver

  • device setting package

  • driver package

  • OS image

  • OS Install package

  • Package

  • query

  • report

  • software metering rule

  • task sequence package

Create, modify, and delete folders under the node.

Manage OSD and ISV Proxy certificates

Site object class

Create or import a user authentication certificate, including the private key, so the following deployment methods can temporarily loan the client a certificate to communicate with the management point.

  • Bootable media

  • PXE service point

Manage the certificates required for clients supported by Independent Software Vendors (ISVs) to communicate with management points in native mode.

Manage SQL Commands

Site object class and instances

Create, modify, and delete site maintenance SQL commands.

Note: To add, delete, or modify a SQL command, you must have the Modify right to the site object. To delete SQL commands, you must also have the Administer right to the site object.

Manage Status Filters

Site object class and instances

Create, modify, and delete status filter rules.

Note: To add, delete, or modify a status filter, you must have the Modify right to the site object.

Meter

Site object class and instances

Apply software metering rules to the site.

Modify

All secured object classes and instances (except status message class and instances, and computer association class and instances, which cannot be modified)

Modify an instance of an object type.

Modify collection setting

Collection object class and instances

Create and modify maintenance windows, collection variables, collection-specific restart settings, and collection-specific policy polling intervals on collection objects.

Modify Resource

Collection object class and instances

Modify a resource in a collection. You must also have Modify Resource on any collection containing a conflicting record to reconcile the conflicting records that appear in the Conflicting Records node.

Network access

Configuration item object class and instances

Define network access protection (NAP) policy on the configuration item.

Read

All secured object classes and instances (except status message instances)

View an instance and its properties.

Read Resource

Collection object class and instances

Read a resource in a collection. Resource Explorer can be used on the resource to view hardware inventory and software inventory data. If the administrator does not have this right at the class level, every collection the administrator creates must be limited to collections to which the administrator already has rights.

Use Remote Tools

Collection object class and instances

Use Remote Tools on a resource.

View Collected Files

Collection object class and instances

View the files collected from a client. Resource Explorer can be used on the resource to view collected files.

View recovery information

Computer association instance objects

View the recovery key and state location for user state data that is managed by a computer association.
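
The compound prerequisites in the table (deleting an advertisement, adding a package to a distribution point, deleting a SQL command) and the limits on Administer and Delegate can be checked against an exported list of rights assignments. The following Python code is an added example, not Microsoft code: the Grant record layout, the operation names and the sample users and IDs are assumptions constructed for illustration, and it treats a class-level grant as covering every instance of that class.

```python
from collections import namedtuple

# One exported rights assignment. Field names are assumptions for this example;
# instance=None marks a class-level grant, via_group a right inherited from a group.
Grant = namedtuple("Grant", "user right obj_class instance via_group")

# Compound operations from the table: each needs every (right, class, target key).
REQUIREMENTS = {
    "delete_advertisement": [("Delete", "Advertisement", "advertisement"),
                             ("Advertise", "Collection", "collection"),
                             ("Read", "Package", "package")],
    "add_package_to_dp": [("Distribute", "Package", "package"),
                          ("Modify", "Package", "package"),
                          ("Read", "Package", "package")],
    "delete_sql_command": [("Manage SQL Commands", "Site", "site"),
                           ("Modify", "Site", "site"),
                           ("Administer", "Site", "site")],
}

def has_right(grants, user, right, obj_class, instance):
    """A class-level grant (instance=None) covers every instance of the class."""
    return any(g.user == user and g.right == right and g.obj_class == obj_class
               and g.instance in (None, instance) for g in grants)

def missing_rights(grants, user, operation, targets):
    """Return the (right, class, instance) prerequisites the user lacks."""
    return [(right, cls, targets[key])
            for right, cls, key in REQUIREMENTS[operation]
            if not has_right(grants, user, right, cls, targets[key])]

def administer_scope(grants, user):
    """Scopes where the user can assign rights to themselves (Administer)."""
    return sorted({(g.obj_class, g.instance or "*") for g in grants
                   if g.user == user and g.right == "Administer"})

def delegable(grants, user):
    """Rights that meet the Delegate row's condition: direct, instance-level."""
    return sorted({(g.right, g.obj_class, g.instance) for g in grants
                   if g.user == user and g.instance is not None
                   and not g.via_group})

# Constructed sample data (users, IDs and group flags are invented).
GRANTS = [
    Grant("CONTOSO\\helpdesk", "Delete", "Advertisement", "ADV00012", False),
    Grant("CONTOSO\\helpdesk", "Advertise", "Collection", None, True),
    Grant("CONTOSO\\helpdesk", "Administer", "Package", None, False),
    Grant("CONTOSO\\helpdesk", "Distribute", "Package", "PKG00007", False),
]
```

In the sample data the account cannot delete the advertisement because it lacks Read on the package, yet `administer_scope` reports the Package class: an account holding Administer can assign itself the missing rights, so audit it as if it already had them.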
