By default, the Configuration Manager 2007 administrator has all rights for each object class or instance. You can modify these rights, and add new administrators with restricted rights, wherever the properties of the object have a Security tab.
Security rights are most commonly configured to control delegated administration, where selected administrators have just enough security rights to perform their job and no more, in line with the security best practice of least privilege. For example, administrators can be allowed to view Configuration Manager NAP policies but not to modify or delete them. For more information about configuring security rights in Configuration Manager, see "Overview of Configuration Manager Object Security and WMI" and "How to Assign Rights for Objects to Users and Groups".
For more information about delegated administration and how role separation can be used with Network Access Protection in Configuration Manager, see "Determine Administrator Roles and Processes for Network Access Protection".
You can set the following security rights on both the Network Access Protection node and the Policies node:
- Administer
- Create
- Delegate
- Delete
- Distribute
- Manage folders
- Modify
- Network Access
- Read
Note: The Distribute and Manage folders rights are not applicable to Network Access Protection.
To configure these security rights, perform the following steps:
- Right-click either the Network Access Protection node or the Policies node.
- Click Properties, and then click Security.
- Configure the security rights you require, and then click OK.