This explains how you can grant local site admins different rights to global applications and deployment using Role Based Access control – RBAC.

Two sets of AD Groups are needed where one is used to grant the rights to create own deployment objects and the other to deploy existing ones without being able to modify them. The admins would be added to both.

Two sets of Security scopes are also needed, one for creating own deployment objects and the other to deploy existing objects.

Two sets of Administrative Users in SCCM, again one for creating own deployment objects and the other to deploy existing objects. (In each Administrative User you link the AD group to the Security Scope, limiting collection and Security Role.)

In the create Administrative Users wizard remove the Default Security Scope, "All Systems" and "All Users" collections, add the Security Scope, your limiting collection and Security Role like this using your own naming convention:

Example object names:

AD Group

Security Scope

Administrative User

Security Role

CrtDeployObj

CrtDeployObj

CrtDeployObj

Application Administrator

UseExistingObj

UseExistingObj

UseExistingObj

Application Deployment Manager

Now they can create their own deployment objects that will automatically get the “CrtDeployObj” Security scope.

To allow them to deploy Existing objects you can right click the object and select "Set Security Scope", tick the "UseExistingObj".

Anonymous