A user or user group limiting rule (previously known as a scope) restricts a user or user group to running actions against a specified subset of users or devices. This type of limiting rule can be used, for example, to give a Help Desk group permission to run actions against only workstation devices.
You can limit a user/group to running actions against one or more of the following:
- Active Directory - domain, OU, group
- Configuration Manager - site, device collection, user collection, user group
Add or Edit a User or User Group Limiting Rule
To add or edit a limiting rule for an existing user or group:
1. On the Permissions page, click the Edit icon to the right of the user or group.
2. Under Assigned Roles, select a role.
3. Enable the Limit this user to specific objects option.
4. Select a Configuration Manager or Active Directory Service Connection.
5. Select the objects against which the user or group can run actions. For example, you can choose specific Configuration Manager collections and/or Active Directory OUs.
NOTE: You must apply the limiting rule separately for each service connection.
6. Click Save.
User/Group Limiting Rule Notes
- A limiting rule that creates a subset of users will not impact actions related to devices.
- A limiting rule that creates a subset of devices will not impact actions related to users.
- If a user or group is included in multiple user/group limiting rules, the effective limit for that user or group is the aggregate of all the applied limiting rules.
- If multiple limiting rules are set for a user or group, only one limiting rule needs to be true for the validation to pass. For example, if a user is a member of a group that has limiting rules, the limiting rules applied to the group also apply to the user.
- Recast Builder actions are permissioned separately. If an action is a Device Action Type or User Action Type, the device or user value must pass validation. If the action is a Generic Action Type, no limiting rule is applied to it.
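The evaluation behavior in the notes above, modeled as an added Python example (this is not Recast's code). The rule structure, function names and sample objects are assumptions made for illustration, and the model reads "will not impact" as meaning that a rule for one target type leaves actions against the other type unrestricted.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LimitingRule:
    kind: str            # "device" or "user": the target type the rule subsets
    members: frozenset   # constructed stand-in for an OU's or collection's contents

def effective_rules(principal, group_membership, assigned):
    """Aggregate the principal's own rules with those of every group it is in."""
    rules = list(assigned.get(principal, []))
    for group in group_membership.get(principal, []):
        rules.extend(assigned.get(group, []))
    return rules

def is_allowed(principal, action_type, target, group_membership, assigned):
    """Hypothetical model of the validation described in the notes."""
    if action_type == "generic":
        return True  # Generic Action Type: no limiting rule is applied
    relevant = [r for r in effective_rules(principal, group_membership, assigned)
                if r.kind == action_type]
    if not relevant:
        return True  # a device-only rule does not impact user actions, and vice versa
    return any(target in r.members for r in relevant)  # one passing rule suffices

# Constructed sample data: a Help Desk group limited to two workstations,
# plus one extra device rule assigned directly to a member of that group.
GROUPS = {"alice": ["HelpDesk"]}
ASSIGNED = {
    "HelpDesk": [LimitingRule("device", frozenset({"WKS-001", "WKS-002"}))],
    "alice": [LimitingRule("device", frozenset({"KIOSK-01"}))],
}

def demo():
    def check(action_type, target):
        return is_allowed("alice", action_type, target, GROUPS, ASSIGNED)
    return {
        "workstation": check("device", "WKS-001"),  # passes the group's rule
        "kiosk": check("device", "KIOSK-01"),       # passes the user's own rule
        "server": check("device", "SRV-DC01"),      # matches no device rule
        "any_user": check("user", "ceo"),           # device rules ignore user actions
        "generic": check("generic", None),          # never limited
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:12} {'allowed' if allowed else 'denied'}")
```

When reviewing a limited Help Desk role, check separately which User and Generic actions the assigned role grants, since a device-only limiting rule does not constrain them.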
Remove a User or User Group Limiting Rule
To remove a user or group limiting rule:
1. On the Permissions page, click the Edit icon to the right of the user.
2. Under Assigned Roles, select a role.
3. Disable the Limit this user to specific objects option.
4. Click Save.