# Insights Configuration Manager Permission requirements

*Applies to: Patch My PC Advanced and Patch Insights*

For various Configuration Manager **console actions** and **features** to work, the accounts running the IIS App Pools need to have permissions to connect to your SMS Provider Server. 

{% hint style="info" %}
Please note, the "Patch My PC Actions" are our custom actions and require the use of our Inventory Extensions.

You can find detailed instructions here: [Inventory Extensions Custom Client Actions](https://docs.patchmypc.com/patch-my-pc-insights/advanced-insights-inventory-extensions/insights-custom-client-actions).
{% endhint %}

<figure><img src="https://3773699522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2F07waEKbDHLp12WBorVBZ%2FPermissions%20Example.png?alt=media&#x26;token=268a2563-ad62-4ee0-a4b5-2eb97be69bc9" alt=""><figcaption><p>Highlighted actions all require permission on your SMS Provider Server</p></figcaption></figure>

{% hint style="info" %}
Note: If you installed Advanced Insights on an SMS Provider Server then you may not have to configure any permissions for this to work.
{% endhint %}

By default, the **IIS App Pools** run under the local computer account of your Advanced Insights Server.&#x20;

<figure><img src="https://3773699522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2FTB34DKMxC4whJMgXZJcs%2Fimage.png?alt=media&#x26;token=8fee4fd4-6067-46ed-a568-20c9c09f696b" alt=""><figcaption></figcaption></figure>

***

### ⚙ Add the IIS Pool Account To ConfigMgr Security Role

1. Open the ConfigMgr console and navigate to **Administration** > **Security** > **Administrative Users** > click **Add User or Group**
2. Choose the User/Computer account running your IIS App Pools. In our example we are adding the local computer account of our server named "SCCM"
3. Assign them the **Operations Administrator** role[ (or optionally a custom role)](#use-a-custom-security-role-optional)

<figure><img src="https://3773699522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2FdCbWt7wlJpsLp1ugVJE6%2Fimage.png?alt=media&#x26;token=c352ee5a-0b45-4d2b-8604-068a768f45b6" alt=""><figcaption></figcaption></figure>

***

### ⚙ Use a Custom Security Role (<mark style="color:yellow;">Optional</mark>)

If you wish to adhere to the "Principle of Least Privilege" then you can download the XML file below and import it as a security role into ConfigMgr. This role grants the lowest possible privileges.

{% file src="<https://3773699522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2Fkfbid6lvqLAbueVS61SD%2FPatch%20My%20PC%20Advanced%20Insights%20Client%20Actions%20and%20Collections.zip?alt=media&token=e8239c95-3d6a-4956-b900-92c15b3d869e>" %}

To import the security role XML file, open the ConfigMgr console and navigate to **Administration** > **Security** > **Security Roles** > click **Import Security Role**.

<figure><img src="https://3773699522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2FUDCN4t0recrw5cNQjgcR%2Fimage.png?alt=media&#x26;token=0b048952-1e8e-4e0b-aab9-306594d483dc" alt=""><figcaption></figcaption></figure>

***

### ⚙Allow RPC traffic (<mark style="color:yellow;">If using remote server</mark>)

If you are using a remote Advanced Insights server there are these requirements to use any console actions or features:

* The Remote Procedure Call (RPC) service must be running
* Firewall must allow RPC Traffic (TCP ports: **135**, **RPC dynamic ports (49152–65535)**

Details on how to configure a firewall rule to allow this traffic can be found here:&#x20;

<https://learn.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista>