This section provides information about how Device Manager 2011 uses the Configuration Manager 2007 security model. By default, the only accounts that have permissions to all the objects in the Configuration Manager console are the Configuration Manager installation account that was used to run Configuration Manager setup and the local system administrator account. You must explicitly add other accounts and grant them permissions to the Configuration Manager objects. If the accounts are not already members of the SMS Admins group, you must grant them WMI permissions to run the Configuration Manager console.
Note: If you encounter issues using Configuration Manager security rights, use the local system administrator account that was provided during Configuration Manager installation.
When you enable hardware inventory to use collections and reports, use the standard security rights for inventory as documented in Configuration Manager Help. For more information, see Overview of Configuration Manager Object Security and WMI.
You need specific permissions to use the Configuration Manager console to create configuration items and configuration packages and assign them to collections. The following table shows the permissions that are required to perform a specific task across each security rights class.
| Task | Advertisement | Collection | Device Setting Item | Package | Task Sequence Package |
|---|---|---|---|---|---|
| Create a configuration item | Not applicable | Read | Read, Create, Modify | Create | Not applicable |
| View a configuration item | Not applicable | Read | Read | Create | Not applicable |
| Modify a configuration item properties | Not applicable | Not applicable | Read, Create, Modify, Delete | Not applicable | Not applicable |
| Import a configuration item | Not applicable | Not applicable | Read, Create, Modify | Not applicable | Not applicable |
| Export a configuration item | Not applicable | Not applicable | Read | Not applicable | Not applicable |
| Create a configuration package | Not applicable | Not applicable | Read, Create, Modify | Not applicable | Not applicable |
| Assign a configuration package to a collection | Create, Read | Read, Advertise | Distribute, Read | Read, Create, Modify | Read, Create, Modify |
| Add/Delete/Modify configuration items from a configuration package | Not applicable | Not applicable | Read, Create, Modify, Delete | Not applicable | Not applicable |
| Modify a configuration package properties | Not applicable | Advertise | Read, Create, Delete, Modify | Read, Delete, Modify | Read, Delete, Modify |
| Delete a configuration item | Not applicable | Not applicable | Read, Modify, Delete | Not applicable | Not applicable |
| Delete a configuration package | Read, Modify, Delete | Advertise | Read, Modify, Delete | Read, Modify, Delete | Read, Modify, Delete |
| View a configuration package | Not applicable | Not applicable | Read | Not applicable | Not applicable |
| Duplicate a package | Not applicable | Not applicable | Read, Create, Modify | Not applicable | Not applicable |
You need specific permissions to use the New Advertisement with Write Filter Handling Wizard to create and delete advertisements with write filter support. The following table shows the permissions that are required to perform a specific task across each security rights class.
| Task | Advertisement | Collection | Package | Task Sequence Package |
|---|---|---|---|---|
| Create advertisement | Create | Read | Read | Create |
| Delete advertisement | Create | Read | Read | Create |
You need specific permissions to use the Device Imaging feature and the Device Manager 2011 UI. The following table shows the permissions that are required to perform a specific task across each security rights class.
| Task | OS Install Package | Collection |
|---|---|---|
| View device imaging status summary | Read | Read (to use the Device Manager 2011 UI) |
| View device imaging request status list | Read | Read (to use the Device Manager 2011 UI) |
| Open and modify device imaging request | Read (to use the Device Manager 2011 UI) and Modify | Read, Advertise |
| Run home page summary | Read (to use the Device Manager 2011 UI) and Administer | None |
| Create device imaging request | Read (to use the Device Manager 2011 UI) and Create | Read |
| Delete device imaging request | Read (to use the Device Manager 2011 UI) and Delete | None |
| Suspend, resume, or terminate device imaging request | Read, Modify, and Administer | Read |
| Begin device imaging request | Read (to use the Device Manager 2011 UI), Modify, and Administer | Read |