I'm in the process of trying to create a (for lack of a better word) Sub-Administrator role using Config Mgr 2012 SP1 that will allow a few select administrators the ability to manage antimalware policies, software updates and run reports on their respective device collections. So far I've created a custom security role that has accomplished everything I want, but I've run into an interesting issue. When one admin creates an antimalware policy, it's viewable (and thus modifiable) by other admins, and my ultimate goal is to only allow the admins access to their respective antimalware policies.
According to the TechNet documentation (http://technet.microsoft.com/en-us/library/hh508780.aspx), this should be possible by using security scopes on the policies; however, I can't seem to find an option to specify security scopes. I also tried using the PowerShell cmdlet Set-CMAntiMalwarePolicy, which according to the documentation has a property for setting the security scope; however, when I run the PowerShell command I receive an error that the property doesn't exist. I even went as far as listing all of the properties of the cmdlet, and the security scope property was missing there as well.
To add to my confusion, I was almost certain this was possible before we upgraded to SP1. In my initial testing, I had two users that when they created their antimalware policies, those policies were only visible to them and me because I'm a "Full Administrator".
Am I missing something, or is this just not possible and the documentation is incorrect?
These are the permissions I've given as they pertain to the antimalware policies:
Read, Modify, Create, Read Default, Run Report