A customer recently wanted to create a security right in Configuration Manager that allowed a user to create packages; both physical and virtual whilst restricting access to the other components in the console.
At first glance this seems a fairly trivial task – create a group and add it as an user security right in SCCM, then assign the required classes – in this case;
- Collection – Read
- Package – Full
This had the desired effect for physical packages however the option to create a virtual application package was gone. 🙁
Several minutes of adding each class one at a time found that the ‘Site’ class with ‘Read’ and ‘Manage SQL Commands’ is required to display the option to create a virtual package. This complicates things a little as it allows users to make changes to certain attributes in the ‘Site Settings’ section – to mitigate this I added instance security rights to the primary site node giving the group I had created no permissions.