This is intended to address the scenario where there are multiple groups of users who are responsible for different groups of computers but will be performing the same actions on their scope of resources.
Since security roles are additive, two roles are needed per user.
By doing this the overhead is greatly limited. Make adjustments to the first role to define what actions they can take in the console and make adjustments to the second role to define what computers each role can access.
Then when users are added they are added to two roles, one for the group of computers they are to manage and the other for the types of actions they can take on those computers.
Computer access is handled in the Organizational Views and Groups area. The most common location for this is the Organizational Groups created by an Active Directory Import.
For the purposes of this document, we will assume we are using Organizational Groups that are based on an imported Active Directory OU structure.
Note: This document assumes that a Trustee import has already been done through the Microsoft Active Direcory Import page to have users to add to the groups.
To access only a particular OU
For this example, we will focus on Patch but any desired role could be cloned to achieve the same result.
For patch rights role we are removing rights to computers as they will get them from the role created in the first step
Add a user to both of the newly created roles and test
Create additional roles as defined in the first step for as many groups of users as needed.
Note: Tested on ITMS 8.0 and above.