Quick Question on Security Roles

  • Question

  • Quick question on security roles and administrative users:

    If a user is assigned to 2 different security roles and they have conflicting settings - which one wins? One of those roles in question is "Full Administrator", so will that win out or will the more restrictive "deny" rules win out? I'm accustomed to the more restrictive winning out but wanted to be 100% sure, especially since this will involve users who are already Full Admins. Thanks for your help!

    Thursday, February 13, 2014 5:52 PM


  • From Technet:

    Role-based administration does not support an explicit deny action on security roles, security scopes, or collections assigned to an administrative user. Instead, configure security roles, security scopes, and collections to grant permissions to administrative users. If users do not have permissions to objects by use of these role-based administration elements, they might have only partial access to some objects, for example they might be able to view, but not modify specific objects. However, you can use collection membership to exclude collections from a collection that is assigned to an administrative user.


    Paul | sccmentor.wordpress.com

    • Proposed as answer by Garth Jones MVP Saturday, February 22, 2014 3:05 PM
    • Marked as answer by Garth Jones MVP Saturday, March 1, 2014 3:42 PM
    Friday, February 14, 2014 5:12 PM
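
The grant-only behaviour quoted from TechNet above can be shown with a small model. This is an added example, not code from the thread or from the product: the class names, the permission pairs inside each role, and the collection and device names are constructed assumptions, and the scoping rule is deliberately simplified.

```python
# Simplified model of additive role-based administration.
# Role contents and all sample names below are constructed for illustration;
# they are not the product's real permission tables.
from dataclasses import dataclass, field

# A role is only a set of granted (object_class, operation) pairs.
# Nothing in this structure can express a deny.
ROLES = {
    "Full Administrator": {("Collection", "Read"), ("Collection", "Modify"),
                           ("Application", "Read"), ("Application", "Modify")},
    "Read-only Analyst": {("Collection", "Read"), ("Application", "Read")},
}

@dataclass
class Collection:
    name: str
    members: set = field(default_factory=set)     # direct members
    excludes: list = field(default_factory=list)  # collections removed by an exclude rule

    def resolved(self):
        """Membership after exclude rules have been applied."""
        out = set(self.members)
        for other in self.excludes:
            out -= other.resolved()
        return out

@dataclass
class AdminUser:
    name: str
    roles: list
    collections: list  # collections assigned to this administrative user

    def granted(self):
        """Effective permissions are the union of every assigned role."""
        ops = set()
        for role in self.roles:
            ops |= ROLES[role]
        return ops

    def can(self, object_class, operation, device=None):
        """True if some role grants the operation and, for a device-targeted
        action, the device is a member of an assigned collection."""
        if (object_class, operation) not in self.granted():
            return False
        if device is None:
            return True
        return any(device in c.resolved() for c in self.collections)

def audit(user):
    """Report which assigned roles add nothing beyond the user's other roles."""
    redundant = [r for r in user.roles
                 if ROLES[r] <= set().union(*(ROLES[o] for o in user.roles if o != r), set())]
    return {"effective": user.granted(), "redundant_roles": redundant}
```

In this model, assigning a narrower role alongside "Full Administrator" changes nothing, so restricting such a user means removing the broad role or narrowing the assigned collections, for example with an exclude rule.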