Configuration Manager Role-Based Administration
This section provides topics about programmatically managing role-based administration in System Center Configuration Manager.
General information about Role-Based Administration can be found in the Documentation for System Center Configuration Manager under Fundamentals of role-based administration for System Center Configuration Manager.
About role-based administration
Role-based administration security rights are applied to a domain user or a security group. In Configuration Manager security rights are replicated to all sites in the hierarchy. You can use any single site to change the security rights of a user or security group and it will be automatically replicated to all other sites in that same hierarchy.
Security consists of two basic concepts: security roles and security scopes.
A security role in Configuration Manager grants permissions to the types of objects a user can interact with, and the actions they can perform with those objects. Configuration Manager provides multiple built-in security roles.
A security scope in Configuration Manager establishes security restrictions between the user and object instances. The permissions the user will have with that object instance are determined by their assigned security roles.
Administrative Users and Security Groups
Domain users and security groups can be granted access to Configuration Manager. The permissions set on an administrator consist of a combination of a security role and scope. A scope is applied to a role that the administrator has. It can never be applied independently of the role.