ConfigMgr: Security Roles (Built-In)

Owned by Robert Morrell
Last updated: Apr 06, 2022 by Sarah Nguyen (Deactivated)
3 min read

Microsoft System Center Configuration Manager (ConfigMgr) is a systems management software product developed by Microsoft for managing large groups of computers running the Microsoft Windows operating system.

Faculty and staff can learn about built-in security roles for Microsoft System Center Configuration Management Console (ConfigMgr). 

Security Role Descriptions

Users can gain access to Microsoft System Center Configuration Manager (ConfigMgr) at UCONN via Custom Security Roles. See the sections below for an overview of each role. 

Application Administrator 

An Application Administrator grants permissions to perform both the Application Deployment Manager role and the Application Author role. Administrative users who are associated with this role can also do the following:

  • Manage queries

  • View site settings

  • Manage collections

  • Edit settings for user device affinity

  • Manage App-V virtual environments

Application Author

An Application Author grants permissions to create, modify, and retire applications. Administrative users who are associated with this role can also manage the following:

  • Applications

  • Packages

  • App-V virtual environments

Application Deployment Manager

An Application Deployment Manager grants permissions to deploy applications. Administrative users who are associated with this role can do the following:

  • View a list of applications

  • Manage deployments for the following:

    • Applications

    • Alerts

    • Templates and packages

    • Programs

Administrative users who are associated with this role can also view the following:

  • Collections and their members

  • Status messages

  • Queries

  • Conditional delivery rules

  • App-V virtual environments

Asset Manager

An Asset Manager grants permissions to manage the following:

  • Asset Intelligence Synchronization Point

  • Asset Intelligence reporting classes

  • Software inventory

  • Hardware inventory

  • Metering rules

Company Resource Access Manager

A Company Resource Access Manager grants permissions to create, manage, and deploy company resource access profiles like:

  • Wi-Fi

  • VPN

  • Exchange ActiveSync email

  • Certificate profiles to users and devices

Compliance Settings Manager

A Compliance Settings Manager grants permissions to define and monitor Compliance Settings. Administrative users associated with this role can

  • Create, modify, and delete configuration items and baselines

  • Deploy configuration baselines to collections

  • Initiate compliance evaluation

  • Initiate remediation for non-compliant computers

Endpoint Protection Manager

An Endpoint Protection Manager grants permissions to define and monitor security policies. Administrative users who are associated with this role can do the following:

  • Create, modify and delete Endpoint Protection policies

  • Deploy Endpoint Protection policies to collections

  • Create and modify Alerts

  • Monitor Endpoint Protection status

Full Administrator

A Full Administrator grants all permissions in Configuration Manager. The administrative user who first creates a new Configuration Manager installation is associated with this security role, all scopes, and all collections.

Infrastructure Administrator

An Infrastructure Administrator grants permissions to create, delete, and modify the Configuration Manager server infrastructure and to perform migration tasks.

Operating System Deployment Manager

An Operating System Development Manager grants permissions to create operating system images and deploy them to computers. Administrative users who are associated with this role can manage the following:

  • Operating system upgrade packages and images

  • Task sequences

  • Drivers

  • Boot images

  • State migration settings

Operations Administrator

An Operations Administrator grants permissions for all actions in Configuration Manager except for the permissions that are required to manage security. These permissions include managing administrative users, security roles, and security scopes.

Read-Only Analyst

A Read Only-Analyst grants permissions to view all Configuration Manager objects.

Remote Tools Operator

A Remote Tools Operator grants permissions to run and audit the remote administration tools that help users resolve computer issues. Administrative users that are associated with this role can run the following:

  • Remote Control, Remote Assistance, and Remote Desktop from the Configuration Manager console

  • Out of Band Management console

  • AMT power control options

Security Administrator

A Security Administrator grants permissions to add and remove administrative users and to associate administrative users with security roles, collections, and security scopes. Administrative users who are associated with this role can also create, modify, and delete security roles and their assigned security scopes and collections.

Software Update Manager

A Software Update Manager grants permissions to define and deploy software updates. Administrative users who are associated with this role can manage the following:

  • Software update groups

  • Deployments

  • Deployment templates

Related Articles