SCCM Folder RBAC Permission Setup Guide

In this video blog, we are going to learn about the new feature “set security scopes for folders (SCCM Folder RBAC Permission),” which got introduced in SCCM 1906 technical preview. I’m sure this feature will be there in the production version of as SCCM 1906.

I have a couple of others SCCM RBAC related posts, which will give you more details about an end to end SCCM RBAC implementation scenario. More information in the following post.

SCCM Folders are Securable Objects

Until now, SCCM admins are not able to control the visibility of SCCM folders from other admins. There was no option to hide folders from other admins. SCCM Folder RBAC Permission.

The SCCM folders will be visible in their console, but they won’t be able to see the objects (Applications, Packages, Collections, Task Sequences, etc.) inside the folders. This behavior was because of the objects inside the folder where securable objects.

SCCM Folder Permission
SCCM Folder Permission

This SCCM RBAC behavior created some confusion for the admins. Moreover, in some scenarios, admins started using wrong folders to place their associated applications or packages. Because the folders were not securable object, we cannot control the access of those folders anyone can put their applications packages or task sequences into wrong folders.

Microsoft is resolving this issue by making folders as a securable object. Now you can control the access of the folders within your administrators using set security scope option in essence Yum console. You can see more details in the below section of this post.

How to Control SCCM Folder Access Using set security scopes Option

SCCM 1906 onwards you can control the folder access within SCCM console. You can decide which admin should have access to which folder. As an example, in the above video, you can see, I have created folders depending on the location or offices. So, you can provide access to a particular folder if you have an admin from that specific office or site.

Remember you must create security scopes depending on the location as I have shown in the video. If you already have implemented SCCM RBAC, then security scopes should be in place already.

Steps to Implement SCCM Folder RBAC Permissions

SCCM Folder RBAC Permissions
SCCM Folder RBAC Permissions

The following steps will help you to set up permissions to SCCM folders (SCCM Folder RBAC).

  • In the SCCM console, right-click on a folder.
    • For example, right-click a folder under the Applications, Packages, Software Updates, Collections, or Task Sequences node.
  • Select Folder and click on Set Security Scopes option.
  • Choose the security scopes you want to apply then click OK.
  • OR If you’re already in the folder (applications, collections, Task Sequences folders), you can also click on Set Security Scopes in the ribbon.


1 thought on “SCCM Folder RBAC Permission Setup Guide”

  1. Anoop,

    Any chance you have figured out how to assign a security scope to multiple folders? I am in the middle of a huge SCCM migration involving 5 different SCCM servers migrating to 1 infrastructure. I have a need to scope out different areas in the console so that one team cannot see the other teams items. I would like to apply a specific security scope to all sub folders within a specific folder path. I have seen how this can be done for all applications or collections in a folder path using cmdlet Add-CMObjectSecurityScope , but not the folders itself. If I can not script, I have to done thousands of folders, one at a time.


Leave a Comment