Application security in SCCM 2012 R2 SP1

I am trying to set up the correct permissions for Application creation, modification, and deployment. We have a central IT area that builds Applications for our entire organization to use. We also have distributed IT around the organization that takes care of each department. We have maybe a dozen of these IT groups.

We have site licenses for a lot of our applications, so our central IT department builds these applications for all distributed IT areas to use. We only want the distributed IT areas to be able to deploy the applications, nothing else. The issue is that each distributed IT area has specialized software that only needs to be distributed to their managed computers. Is there a way to allow these distributed IT areas to have deploy-only access to the central IT applications but have full modify, retire, delete permissions to applications they create? I have only found a way to give the distributed areas full access to all applications or deploy permissions with create only. Create only does not allow the distributed IT area to modify or delete their application.

I would think there was a way and I am just missing it.

August 31st, 2015 9:38am

You will need to use SCOPE for this.

If you make them Application Administrator and assign the group the specific scope, they will only be able to create/modify applications that belong to that SCOPE.

And to make sure they can only deploy to the computers you want, you need to make sure you have the proper limiting collection assigned to them.

Two nice blogs about security:

http://blogs.technet.com/b/configurationmgr/archive/2014/01/21/how-to-use-collections-roles-and-scope-to-limit-access-in-system-center-2012-configuration-manager.aspx

http://www.techrepublic.com/blog/data-center/microsoft-sccm-2012-understand-role-based-access-control/

August 31st, 2015 9:42am
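
The scope and limiting-collection setup described in the answer above, written as an added PowerShell example (not code from the thread or the linked blogs). Every scope, collection, group and application name is a hypothetical placeholder, and the second AD group for deploy-only access to central applications is an assumption about how to keep that role paired with only the central scope.

```powershell
# Added example. Run from the ConfigurationManager site drive, e.g.:
#   Import-Module ConfigurationManager; Set-Location 'XYZ:'   # XYZ = your site code
# All names below are hypothetical placeholders.
$DeptScope      = 'Dept-A Applications'          # scope for the department's own apps
$CentralScope   = 'Central IT Applications'      # assumed to exist and be set on central apps
$DeptCollection = 'Dept-A Managed Computers'     # limiting collection for this department
$DeptAdmins     = 'CONTOSO\DeptA-SCCM-AppAdmins' # AD group: full control of own apps
$DeptDeployers  = 'CONTOSO\DeptA-SCCM-Deployers' # AD group: deploy-only on central apps
$DeptAppNames   = @('Dept-A Specialized App')

# 1. Create the department's security scope.
New-CMSecurityScope -Name $DeptScope -Description 'Applications owned by Dept-A IT'

# 2. Put the department's existing applications into that scope.
$scope = Get-CMSecurityScope -Name $DeptScope
foreach ($name in $DeptAppNames) {
    $app = Get-CMApplication -Name $name
    Add-CMObjectSecurityScope -InputObject $app -Scope $scope
}

# 3. Application Administrator, restricted to the department scope and collection,
#    so create/modify/retire/delete applies only to objects in $DeptScope.
New-CMAdministrativeUser -Name $DeptAdmins `
    -RoleName 'Application Administrator' `
    -SecurityScopeName $DeptScope `
    -CollectionName $DeptCollection

# 4. Assumption: a separate group holding the built-in Application Deployment
#    Manager role on the central scope only, limited to the same collection.
New-CMAdministrativeUser -Name $DeptDeployers `
    -RoleName 'Application Deployment Manager' `
    -SecurityScopeName $CentralScope `
    -CollectionName $DeptCollection

# 5. Review the resulting role / scope / collection assignments.
Get-CMAdministrativeUser -Name $DeptAdmins, $DeptDeployers |
    Select-Object LogonName, RoleNames, CategoryNames, CollectionNames
```

Check the result by opening the console as a member of both groups and confirming that central applications can be deployed but not edited, and that only the department's collection is offered as a deployment target.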

Thank you for the links. I had started down the correct path but I think I was making it more complicated than what it actually is. I just tested it again using the links as reference and I am able to get the results I was looking for.
August 31st, 2015 10:35am
