SCCM Permissions
You do not need a Configuration Manager Console to work with the SCCM Application Manager. However, the SCCM Application Manager is an administrative tool that allows you to create, edit, or delete different SCCM objects. Therefore, the following administrative permissions are required within SCCM:
- Application: Read; Modify; Delete; Set Security Scope; Create; Approve; Move Object; Modify Folder; Run Report; Modify Report
- Collection: Read; Modify; Delete; Remote Control; Modify Resource; Delete Resource; Create; View Collected File; Read Resource; Move Object; Deploy Packages; Audit Security; Deploy Client Settings; Modify Folder; Enforce Security; Deploy Antimalware Policies; Deploy Applications; Modify Collection Setting; Deploy Configuration Items; Deploy Task Sequences; Control AMT; Provision AMT; Deploy Software Updates; Deploy Configuration Policies; Modify Client Status Alert
- Distribution Point: Read; Copy to Distribution Point
- Distribution Point Group: Read; Copy to Distribution Point
- Package: Read; Modify; Delete; Set Security Scope; Create; Move Object; Modify Folder; Run Report; Modify Report
- Role: Read
- Site: Read
- Folder (required from version 1906): Read; Modify; Delete; Create
- And of course: The current user must not be limited to instances of the objects that are related to the assigned security roles.
The easiest way to grant these rights is to import a security role from within the Configuration Manager Console:
The following XML file can be used to import this security role:
Then, create a new user or group within the Configuration Manager Console and assign to it the new security role and the security scope "all instances of the objects [...]":
With the button Check SCCM Permissions you can check at any time whether the required permissions have been assigned.