SCCM permissions
The SCCM Rollout Manager (strictly speaking, the SCCM Rollout Worker) is an administrative tool that lets you create, edit or delete different SCCM objects. For that reason, just as when working with the Configuration Manager Console, the following administrative permissions within SCCM are needed:
- Application: Reading; editing; deleting; determining a security sector; creating; authorizing; moving objects; editing folders; executing reports; editing reports
- Collection: Reading; editing; deleting; remote access; editing resources; deleting resources; creating; displaying gathered data; reading resources; moving objects; deploying packages; monitoring security; deploying client settings; editing folders; force security; deploying anti-malware guidelines; deploying applications; editing collection settings; deploying configuration elements; deploying task sequences; control AMT; deploying AMT; deploying software updates; deploying configuration guidelines; editing client status warning
- Distribution point: Reading; copying onto distribution point
- Distribution point group: Reading; copying onto distribution point
- Package: Reading; editing; deleting; determining a security sector; creating; moving objects; editing folders
- Role: Reading
- Site: Reading
Important: The current user must not be restricted to specific instances of the objects that relate to the assigned security role.
The easiest way to grant these permissions is to import a security role in the Configuration Manager Console. The following XML file can be used for the import:
<SMS_Roles>
  <SMS_Role CopiedFromID="SMS0001R" RoleName="SCCM Rollout Manager" RoleDescription="SCCM Rollout Manager Security Role">
    <Operations>
      <Operation GrantedOperations="1342176935" ObjectTypeID="1" />
      <Operation GrantedOperations="805446679" ObjectTypeID="2" />
      <Operation GrantedOperations="1" ObjectTypeID="6" />
      <Operation GrantedOperations="1" ObjectTypeID="27" />
      <Operation GrantedOperations="805448727" ObjectTypeID="31" />
      <Operation GrantedOperations="25" ObjectTypeID="42" />
      <Operation GrantedOperations="1049631" ObjectTypeID="43" />
    </Operations>
  </SMS_Role>
</SMS_Roles>
A new user (or group) is then created in the Configuration Manager console and assigned the aforementioned security role and the security area "All instances of the objects[...]".
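A role file should be checked before import to confirm that it grants only what was reviewed. The following is an added example, not part of the SCCM Rollout Manager documentation or product: it decodes each GrantedOperations bitmask of the XML above into bit positions and reports any bits a candidate file grants beyond that baseline. The function names, the widened sample file and the cumulative treatment of repeated entries are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Role definition copied from this page; it serves as the reviewed baseline.
BASELINE_XML = """<SMS_Roles>
<SMS_Role CopiedFromID="SMS0001R" RoleName="SCCM Rollout Manager" RoleDescription="SCCM Rollout Manager Security Role">
<Operations>
<Operation GrantedOperations="1342176935" ObjectTypeID="1" />
<Operation GrantedOperations="805446679" ObjectTypeID="2" />
<Operation GrantedOperations="1" ObjectTypeID="6" />
<Operation GrantedOperations="1" ObjectTypeID="27" />
<Operation GrantedOperations="805448727" ObjectTypeID="31" />
<Operation GrantedOperations="25" ObjectTypeID="42" />
<Operation GrantedOperations="1049631" ObjectTypeID="43" />
</Operations>
</SMS_Role>
</SMS_Roles>"""

# Constructed sample: the same file with the ObjectTypeID 27 mask widened from 1 to 7.
CANDIDATE_XML = BASELINE_XML.replace('"1" ObjectTypeID="27"', '"7" ObjectTypeID="27"')

def set_bits(mask):
    """Bit positions set in a GrantedOperations mask (0 = least significant)."""
    return [b for b in range(mask.bit_length()) if mask >> b & 1]

def parse_role(xml_text):
    """Return {ObjectTypeID: GrantedOperations} for the role file."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("role file must not carry a DTD or entities")
    grants = {}
    for op in ET.fromstring(xml_text).iter("Operation"):
        type_id = int(op.get("ObjectTypeID"))
        # Assumption of this example: repeated entries for a type are cumulative.
        grants[type_id] = grants.get(type_id, 0) | int(op.get("GrantedOperations"))
    return grants

def excess_grants(candidate, baseline):
    """Bits the candidate grants beyond the baseline, per ObjectTypeID."""
    extra = {}
    for type_id, mask in candidate.items():
        added = mask & ~baseline.get(type_id, 0)
        if added:
            extra[type_id] = set_bits(added)
    return extra

if __name__ == "__main__":
    base = parse_role(BASELINE_XML)
    for type_id, mask in sorted(base.items()):
        print(f"ObjectTypeID {type_id:>2}: {len(set_bits(mask)):>2} bits {set_bits(mask)}")
    print("excess in candidate:", excess_grants(parse_role(CANDIDATE_XML), base))
```

An empty result from excess_grants means the candidate grants nothing beyond the baseline; any entry names the ObjectTypeID and the bit positions to review before the role is imported.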
SQL permissions
The components of the SCCM Rollout Manager require the following SQL database roles within the SCCM database:
- db_datareader
- smsschm_users