SCCM Permissions

You do not need a Configuration Manager Console to work with the SCCM Application Manager. However, the SCCM Application Manager is an administrative tool that allows you to create, edit, or delete different SCCM objects. Therefore, the following administrative permissions are required within SCCM:

• Application: Read; Modify; Delete; Set Security Scope; Create; Approve; Move Object; Modify Folder; Run Report; Modify Report
• Collection: Read; Modify; Delete; Remote Control; Modify Resource; Delete Resource; Create; View Collected File; Read Resource; Move Object; Deploy Packages; Audit Security; Deploy Client Settings; Modify Folder; Enforce Security; Deploy Antimalware Policies; Deploy Applications; Modify Collection Setting; Deploy Configuration Items; Deploy Task Sequences; Control AMT; Provision AMT; Deploy Software Updates; Deploy Configuration Policies; Modify Client Status Alert
• Distribution Point: Read; Copy to Distribution Point
• Distribution Point Group: Read; Copy to Distribution Point
• Package: Read; Modify; Delete; Set Security Scope; Create; Move Object; Modify Folder; Run Report; Modify Report
• Role: Read
• Site: Read
• Folder (required from version 1906): Read; Modify; Delete; Create
• And of course: The current user must not be limited to instances of the objects that are related to the assigned security roles.

The easiest way to grant these rights is to import a security role from within the Configuration Manager Console:

The following XML file can be used to import this security role:

<SMS_Roles>
	<SMS_Role CopiedFromID="SMS0001R" RoleName="SCCM Application Manager" RoleDescription="SCCM Application Manager Security Role">
		<Operations>
			<Operation GrantedOperations="1342176935" ObjectTypeID="1" />
			<Operation GrantedOperations="805446679" ObjectTypeID="2" />
			<Operation GrantedOperations="1" ObjectTypeID="6" />
			<Operation GrantedOperations="1" ObjectTypeID="27" />
			<Operation GrantedOperations="805448727" ObjectTypeID="31" />
			<Operation GrantedOperations="9" ObjectTypeID="42" />
			<Operation GrantedOperations="9" ObjectTypeID="43" />
			<Operation GrantedOperations="1031" ObjectTypeID="226" /> <!-- Ab Version 1906 erforderlich -->
		</Operations>
	</SMS_Role>
</SMS_Roles>

Then, create a new user or group within the Configuration Manager Console to which the new security role and the security scope all instances of the objects [...] are assigned:

With the button Check SCCM Permissions you can check at any time whether the required permissions have been assigned.