Topic last updated -- November 2007

You can assign Microsoft System Center Configuration Manager 2007 security rights to users in several different ways.

However, before the assigned rights can take effect, the user must be a member of the SMS Admins local group on the computer running the SMS Provider. If you use the Manage ConfigMgr Users Wizard, and if the SMS Provider is installed on the site server, then the wizard automatically adds the users to the SMS Admins group. If you use any other method to grant user rights, or if the SMS Provider is not installed on the site server, then you must manually add the user to the group.

Note
You must have Modify permission for the Site security object class or instance to perform this procedure.
Note
Read is required for all other rights. If you do not select Read, Configuration Manager 2007 enables it by default. Removing Read removes all other rights.
Note
The console might not refresh automatically. If you do not see the right or user you added, on the Action menu, click Refresh.

To assign a security right to an existing object

  1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Security Rights / Rights.

  2. Right-click Rights, click New, and then click either Class Security Right or Instance Security Right.

  3. In the New Class Security Right Wizard or the New Instance Security Right Wizard, specify a user or group name and then select the rights you want the user to have.

  4. Verify that the user is a member of the SMS Admins group.
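The membership check in step 4, as an added PowerShell example (not part of the original topic and not a Microsoft-supplied script): it reads the local SMS Admins group on the computer running the SMS Provider through the WinNT ADSI provider and reports whether each account is a direct member. The function name and the computer and account names in the usage comment are hypothetical placeholders.

```powershell
# Added example: check direct membership of the local "SMS Admins" group
# on the computer running the SMS Provider.
function Get-SmsAdminsMembership {
    param(
        [Parameter(Mandatory = $true)][string]   $ProviderComputer,
        [Parameter(Mandatory = $true)][string[]] $Account   # DOMAIN\name form
    )

    # The WinNT ADSI provider can read a local group on a remote computer.
    $group   = [ADSI]"WinNT://$ProviderComputer/SMS Admins,group"
    $members = @()
    try {
        foreach ($m in $group.psbase.Invoke('Members')) {
            $type  = $m.GetType()
            $path  = $type.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
            $class = $type.InvokeMember('Class',   'GetProperty', $null, $m, $null)

            # ADsPath is WinNT://DOMAIN/name or WinNT://DOMAIN/COMPUTER/name;
            # an unresolved SID has a single segment.
            $parts = @(($path -replace '^WinNT://', '') -split '/')
            if ($parts.Count -ge 2) { $name = $parts[-2..-1] -join '\' }
            else                    { $name = $parts[-1] }

            $members += New-Object PSObject -Property @{ Name = $name; Class = $class }
        }
    } catch {
        throw "Cannot read SMS Admins on ${ProviderComputer}: $($_.Exception.Message)"
    }

    # Groups that are members of SMS Admins. An account that is not a direct
    # member can still be covered through one of these; this function does
    # not resolve nested membership, so it lists them for manual review.
    $memberGroups = @($members | Where-Object { $_.Class -eq 'Group' } |
                      ForEach-Object { $_.Name })

    foreach ($a in $Account) {
        $direct = @($members | Where-Object { $_.Name -eq $a }).Count -gt 0
        New-Object PSObject -Property @{
            Account       = $a
            DirectMember  = $direct
            GroupsToCheck = $(if ($direct) { @() } else { $memberGroups })
        }
    }
}

# Usage (constructed names):
# Get-SmsAdminsMembership -ProviderComputer 'PROVIDER01' -Account 'CONTOSO\jsmith'
```

An account with `DirectMember` set to `False` and an empty `GroupsToCheck` list has no path into SMS Admins, so any rights assigned to it cannot take effect.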

To copy rights from an existing user or group

  1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Security Rights / Users.

  2. In the details pane, right-click the user you want to copy from and then click Clone ConfigMgr User.

  3. In the Clone ConfigMgr User box, enter a new user or group and select Class security rights, Instance security rights, or both.

  4. Click OK.

To manage multiple rights with the Manage ConfigMgr Users Wizard

  1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Security Rights.

  2. Right-click Security Rights and then click Manage ConfigMgr Users.

  3. On the Welcome to the ConfigMgr User Wizard page, click Next.

  4. On the User Name page, select Modify an existing user to change the Configuration Manager 2007 rights that have already been assigned to a user or group, or enter a new user or group name in the Add a new user box. Click Next.

    Note
    After adding the new rights to the user or group, if the SMS Provider is installed on the site server, then the ConfigMgr User Wizard attempts to add the user or group to the SMS Admins group. SMS Admins is a local group and is subject to the rules for Windows groups. For example, a local group cannot be added to a local group. If you specify a local group in the ConfigMgr User Wizard, you must find an alternate way to ensure membership in the SMS Admins group for all users who need rights to the Configuration Manager 2007 console, or grant permissions equivalent to the SMS Admins group.
  5. On the User Rights page, select either Add another right or modify an existing one, or Copy rights from an existing ConfigMgr user or user group. Click Next.

  6. If you selected Add another right or modify an existing one, on the Add a Right page, select the class for which you want to assign rights. If you want to restrict the user or group to a specific instance of the class, select an instance. The Rights box will change depending on the Class and Instance you select. The default is to assign rights to All Instances. Click Next and then proceed to step 8.

  7. If you selected Copy rights from an existing ConfigMgr user or user group, on the Copy Rights page, select the Source User you want to copy from and then click Next.

    Note
    The rights of the user or group you are copying from will replace all of the rights currently assigned to the user or group you are copying to.
  8. On the User Rights page, select The listed rights are sufficient, or continue to add or copy rights as described in step 5. Click Next.

    Note
    To delete a right, select it in the Rights list and then click the delete button.
  9. On the Summary page, verify the rights to be modified and then click Next to apply the modifications or Previous to change the settings.

  10. On the Confirmation page, verify that the wizard completed successfully and then click Close.

To verify the security rights for a user

  1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Security Rights / Users.

  2. In the details pane, right-click the user you want to verify and then click User Security Rights.

  3. In the User Security Rights dialog box, click the Rights arrow to see the rights By Class, By Instance, or by Both Class and Instance.

  4. To modify an existing class or instance, click Modify and then modify the rights.

  5. To add a new class or instance, click and then select one of the following:

    • Class to start the New Class Security Right Wizard

    • Instance to start the New Instance Security Right Wizard

    • Manage ConfigMgr Users Wizard to start the Manage ConfigMgr Users Wizard

  6. Click Close.

  7. You can also navigate to System Center Configuration Manager / Site Database / Security Rights / Rights and then locate the user.

To verify the security rights assigned to a class or instance

  1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Security Rights / Rights.

  2. In the details pane, locate the class or instance.

Note
You can sort the columns by clicking the column headings. You can search the columns by typing text in the Look for: box, and clicking Find Now. You can restrict your search to specific columns by clicking the in arrow.
