SCCM 2012 Collection Permissions in Configuration Manager 2012 Posted November 20, 2019 · Report reply On 11/22/2014 at 12:37 AM, FromTheUnderground said: I found a solution that works for my environment. I created a collection "All Imported Systems" that lists all computers that have been manually imported. I then created a collection for each of our area admins (based on OU permissions within AD) and created a security role specifically to these newly created collections. I got the idea from Michael Lucero - Austin from another forum. "Here is a solution that should work for you. Perform this on a test account with only the security role you are going to change for your users in question. Create a new collection that is a copy of your collection limiting collection mentioned above. Set the limiting collection of this new collection to something other than the limiting collection it defaults to, which is the copied collection. Select the collections to which you wish to grant Add Resource permissions to and set their limiting collection to this new collection. Within your Administrative user or group properties, specify this new limiting collection and the collections you wish to allow Add Resource permissions under the "Associate assigned security roles with specific security scopes and collections - don't forget to add your security scope. Apply the changes and test - don't forget to restart the console of your test account. This does a couple things - it allows the Add Resource function to the specific collections you wish for the specific Administrative user/group you wish. It does NOT allow modify on the limiting collection. And it separates the specific collections you tag as being modifiable by the specified group. We had the same issue in our environment - need a specific group to be able to Add Resource to a single specific collection which was being limited by the All Workstations collection. Allowing modify to the All Workstations collection allowed modifications to any collection limited by All Workstations. So I came up with the solution above, tested against my test accounts and it works as I needed. Hopefully this will solve your issue and give you some options going forward." Bit confused.. I have "Collection1" which is limited to "All Systems". One Task sequence is advertised to "Collection1". Can I give permissions to "user1" only on "Collection1", to add/remove systems?