| title | Role-Based Administration |
|---|---|
| description | This section provides topics about programmatically managing role-based administration in Configuration Manager. |
| ms.date | 09/20/2016 |
| ms.subservice | sdk |
| ms.topic | article |
| ms.collection | tier3 |
This section provides topics about programmatically managing role-based administration in Configuration Manager.
Note
For more information, see Fundamentals of role-based administration.
Role-based administration security rights are applied to a domain user or a security group. In Configuration Manager security rights are replicated to all sites in the hierarchy. You can use any single site to change the security rights of a user or security group and it will be automatically replicated to all other sites in that same hierarchy.
Security consists of two basic concepts: security roles and security scopes.
A security role in Configuration Manager grants permissions to the types of objects a user can interact with, and the actions they can perform with those objects. Configuration Manager provides multiple built-in security roles.
A security scope in Configuration Manager establishes security restrictions between the user and object instances. The permissions the user will have with that object instance are determined by their assigned security roles.
Domain users and security groups can be granted access to Configuration Manager. The permissions set on an administrator consist of a combination of a security role and scope. A scope is applied to a role that the administrator has. It can never be applied independently of the role.