# Manage Security Scopes

*Applies to: Patch My PC Publisher*\
*Available at level: All Custom Products, All Products, Vendor, Product*\
*Available on tab: ConfigMgr Apps*

## Overview

The **Manage Security Scopes** option allows you to control which ConfigMgr security scopes are applied to applications created by the Publisher.

<figure><img src="https://3773699522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2FoJUfKtgsMt0RlgOYQ6tj%2Fimage.png?alt=media&#x26;token=d8e55cd1-d06a-45b4-ba5d-9392efe442e9" alt="Manage Security Scopes" width="478"><figcaption></figcaption></figure>

During each synchronization, the Publisher applies the selected security scopes to any applications it creates in ConfigMgr. This ensures applications are visible and manageable only by administrators who have access to the assigned scopes.

The list of available security scopes is pulled directly from your ConfigMgr environment. You can refresh the list using the refresh button in the top right corner.

<figure><img src="https://3773699522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2FmM5hpTE8muut35DitWCi%2Fimage.png?alt=media&#x26;token=ab7f2105-d4b5-45c4-9b3d-1333c2e5d1e1" alt="Selecting a Security Scope" width="450"><figcaption></figcaption></figure>

The list supports filtering using the **Filter items** field, and the visible columns can be customized by right-clicking the column headers.

## Enforce Security Scopes

You can optionally enable **Enforce selected security scopes**.

When enforcement is enabled, the Publisher ensures that only the selected scopes remain assigned to the application. If additional scopes are added manually in the ConfigMgr console, the Publisher will remove those scopes during the next synchronization.

This option is useful when you want to maintain strict control over application visibility and prevent scope drift caused by manual changes.
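
To preview what enforcement would change before you enable it, the following added example (not Patch My PC's own code) reports applications whose assigned scopes differ from the set selected in the Publisher. It assumes the ConfigurationManager PowerShell module is loaded and the current location is the site drive; the scope names and the application name filter are placeholders to replace with your own values.

```powershell
# Added example: audit security scope drift on ConfigMgr applications.
# Assumptions (not from the page): the ConfigurationManager module is
# imported and the current location is the site drive (for example XYZ:).
param(
    # Scopes selected in the Publisher's Manage Security Scopes dialog (placeholder).
    [string[]]$ExpectedScopes = @('<scope selected in the Publisher>'),
    # Pattern matching the applications to audit (placeholder, wildcards allowed).
    [string]$NameFilter = '<application name pattern>*'
)

$report = foreach ($app in Get-CMApplication -Name $NameFilter) {
    # Names of the scopes currently assigned to this application.
    $assigned = @(Get-CMObjectSecurityScope -InputObject $app |
        Select-Object -ExpandProperty CategoryName)

    # Scopes added outside the Publisher; with enforcement enabled these
    # are the ones removed at the next synchronization.
    $extra = @($assigned | Where-Object { $_ -notin $ExpectedScopes })

    # Selected scopes that are not present on the application.
    $missing = @($ExpectedScopes | Where-Object { $_ -notin $assigned })

    if ($extra.Count -gt 0 -or $missing.Count -gt 0) {
        [pscustomobject]@{
            Application     = $app.LocalizedDisplayName
            Assigned        = $assigned -join ', '
            ExtraScopes     = $extra -join ', '
            MissingSelected = $missing -join ', '
        }
    }
}

if ($report) {
    $report | Sort-Object Application | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No scope drift found for the audited applications.'
}
```

The script only reads scope assignments, so it can be run with an account that has read access to applications and security scopes.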

{% hint style="warning" %}
**Important**

When the Publisher runs on the ConfigMgr site server, no additional permissions are required. The Local System account already has the necessary rights to read and assign security scopes.

Additional permissions are required only when the Publisher is installed on a remote server and connects to ConfigMgr.

If you are using a custom ConfigMgr security role for the Publisher in a remote deployment, that role must include the following permissions:

* Application > Set Security Scope
* Security Scopes > Read

If you are using the Patch My PC security role that is created when [configuring the SMS Provider](https://docs.patchmypc.com/publisher-reference/configure-the-sms-provider-connection#option-2-import-security-roles) integration, these permissions are already included.
{% endhint %}

