Configuration Manager Role-Based Administration
Updated: November 1, 2013
Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 R2 Configuration Manager
This section provides topics about programmatically managing role-based administration in System Center 2012 R2 Configuration Manager.
General information about Role-Based Administration can be found in the Documentation Library for System Center 2012 Configuration Manager under Planning for Role-Based Administration.
Role-based administration security rights are applied to a domain user or a security group. In Configuration Manager security rights are replicated to all sites in the hierarchy. You can use any single site to change the security rights of a user or security group and it will be automatically replicated to all other sites in that same hierarchy.
Security consists of two basic concepts: security roles and security scopes.
A security role in Configuration Manager grants permissions to the types of objects a user can interact with, and the actions they can perform with those objects. Configuration Manager provides multiple built-in security roles.
A security scope in Configuration Manager establishes security restrictions between the user and object instances. The permissions the user will have with that object instance are determined by their assigned security roles.
Domain users and security groups can be granted access to Configuration Manager. The permissions set on an administrator consist of a combination of a security role and scope. A scope is applied to a role that the administrator has. It can never be applied independently of the role.