One more quick ConfigMgr Role-Based Administration (RBA) tip. I’ve already published a series of posts about RBA Gotchas and troubleshooting tips here. This is again a quick and short post related to RBA and Security Scopes.
When you have a multi-tiered hierarchy (something similar to the setup which I’ve mentioned in my previous posts and referred above), you’ll have to spend some time while doing the design of security role, security scopes in SCCM 2012.
Here is the scenario. When “Application Administrator” (Default Security Role comes with CM 2012) tries to “create requirement” for new app model –> deployment type then he could not find any of the default condition drop down list.
So just give a background, these conditions you see in create requirement window are nothing but “Global Conditions“.
For example “Total Physical Memory” is one of the default condition or global condition.
Why Application Administrator is NOT able to create or add requirement for deployment type? So basically, the point is Global Conditions are securable objects and we can assign security scopes to each global condition.
In my scenario, the global condition/s security scope settings are never changed to the customized scope. All the global conditions are assigned to the “Default” scope hence application administrator couldn’t locate the conditions in the “Create Requirement” window.
Solution was to assign correct security scope/s for all global conditions.