Rights on Collection
Hello,

http://social.technet.microsoft.com/Forums/en-US/configmgrgeneral/thread/407a46bd-e6a9-4bab-8b18-f00ee91f2910

If I add the right "Create Collections", automatically the users are able to create a collection with the Users/Groups they would like, but if they have to add one later, the option (the yellow star) is not available on "All Instances", which is fine, but only on the instance, which is not expected.

They have: Advertise, Delete, Delete Resource, Manage management controllers, Modify, Modify collection setting, Modify resource and Read on the Collection "Instance".

Any rights to be added somewhere else?

Thanks,
Dom
System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager
February 10th, 2011 3:39pm

I'm not sure if I'm reading the post correctly, but from what I understand, if you are providing permissions to a user or group on a collection 'instance', then those permissions will only apply to that specific instance that is created and not all instances. In the example you have given, when those people that have permissions on a specific collection instance create a subcollection, then the permissions are only going to be available to be set on that subcollection instance. They don't have permissions on 'All instances' because they've only been given permissions on a specific collection instance and therefore won't be able to modify permissions on 'all instances' (which would apply to every collection at the site).
February 11th, 2011 1:37am

Hello - All the privilege rights are already given to the users, why don't you give view permissions as well? That may solve the issue. See more details: http://technet.microsoft.com/en-us/library/bb680648.aspx

Anoop C Nair
February 11th, 2011 2:07am

"they have to add one later the option (the yellow star)"

Just so I understand what exactly the problem is...

You have removed the Class right Modify to collections. You have added the Class right Create and Delegate to Collections. Console User Bob is able to create a new instance, and in the security panel add a group of his teammates for his line of business. From that moment on, for that specific instance, he and his teammates on that specific collection can use the yellow star.

Console User Bob does NOT have Class, nor Instance rights on another collection to "modify". He does have Class Read. I would 100% expect that he would never be able to modify that collection instance, i.e., the yellow star is grayed out for him.

To summarize, the Class right of Create is to create a whole new collection. Not to add a collection query to an existing collection--that's the modify right.

If I am not understanding the symptoms of the problem you are seeing, please describe it differently.

Standardize. Simplify. Automate.
February 11th, 2011 5:39am

"I'm not sure if I'm reading the post correctly, but from what I understand, if you are providing permissions to a user or group on a collection 'instance', then those permissions will only apply to that specific instance that is created and not all instances. In the example you have given, when those people that have permissions on a specific collection instance create a subcollection, then the permissions are only going to be available to be set on that subcollection instance. They don't have permissions on 'All instances' because they've only been given permissions on a specific collection instance and therefore won't be able to modify permissions on 'all instances' (which would apply to every collection at the site)."

Correct, I am assigning permissions on instances ONLY.

Thanks,
Dom
System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager
February 11th, 2011 12:11pm

"they have to add one later the option (the yellow star)" Just so I understand what exactly the problem is... You have removed the Class right Modify to collections. You have added the Class right Create and Delegate to Collections. Console User Bob is able to create a new instance, and in the security panel add a group of his teammates for his line of business. From that moment on, for that specific instance, he and his teammates on that specific collection can use the yellow star. Standardize. Simplify. Automate.

Hi Sherry,

On the Collections (General) they have for their group: Advertise, Create, Delegate, Modify, Modify Collection Setting, Read.

They have on the Site Class: Read, Modify.

They see All Collections. They are able to Create Collection, Add a User in the Security Panel, but not able to change the rights. (All items appear with a padlock.) On Properties on the Existing Collection just created they could Add/Change Delete, Modify and Read, not Advertise, which has a padlock...

Thanks,
Dom
System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager
February 11th, 2011 12:32pm

This topic is archived. No further replies will be accepted.
