# Manage Security Scopes

*Applies to: Patch My PC Publisher*\
*Available at level: All Custom Products, All Products, Vendor, Product*\
*Available on tab: ConfigMgr Apps*

## Overview

The **Manage Security Scopes** option allows you to control which ConfigMgr security scopes are applied to applications created by the Publisher.

<figure><img src="https://3773699522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2FoJUfKtgsMt0RlgOYQ6tj%2Fimage.png?alt=media&#x26;token=d8e55cd1-d06a-45b4-ba5d-9392efe442e9" alt="Manage Security Scopes" width="478"><figcaption></figcaption></figure>

During each synchronization, the Publisher applies the selected security scopes to any applications it creates in ConfigMgr. This ensures applications are visible and manageable only by administrators who have access to the assigned scopes.

The list of available security scopes is pulled directly from your ConfigMgr environment. You can refresh the list using the refresh button in the top right corner.

<figure><img src="https://3773699522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2FmM5hpTE8muut35DitWCi%2Fimage.png?alt=media&#x26;token=ab7f2105-d4b5-45c4-9b3d-1333c2e5d1e1" alt="Selecting a Security Scope" width="450"><figcaption></figcaption></figure>

The list supports filtering using the **Filter items** field, and the visible columns can be customized by right-clicking the column headers.

## Enforce Security Scopes

You can optionally enable **Enforce selected security scopes**.

When enforcement is enabled, the Publisher ensures that only the selected scopes remain assigned to the application. If additional scopes are added manually in the ConfigMgr console, the Publisher will remove those scopes during the next synchronization.

This option is useful when you want to maintain strict control over application visibility and prevent scope drift caused by manual changes.

{% hint style="warning" %}
**Important**

When the Publisher runs on the ConfigMgr site server, no additional permissions are required. The Local System account already has the necessary rights to read and assign security scopes.

Additional permissions are required only when the Publisher is installed on a remote server and connects to ConfigMgr.

If you are using a custom ConfigMgr security role for the Publisher in a remote deployment, that role must include the following permissions:

* Application > Set Security Scope
* Security Scopes > Read

If you are using the Patch My PC security role that is created when [configuring the SMS Provider](https://docs.patchmypc.com/publisher-reference/configure-the-sms-provider-connection#option-2-import-security-roles) integration, these permissions are already included.
{% endhint %}
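
Before enabling enforcement, it helps to see which manually added scopes would be removed at the next synchronization. The following PowerShell is an added example, not Patch My PC's code: it compares each application's assigned scopes with the selected set. The `Get-ScopeDrift` function, the scope names, the application names, and the `ExampleVendor*` filter are assumptions made for illustration, and the sample data is constructed.

```powershell
# Added example: report scope drift against the set selected in the Publisher.
function Get-ScopeDrift {
    param(
        # Objects with a Name and a Scopes (string[]) property.
        [Parameter(Mandatory)] [object[]] $Application,
        # Scopes selected under Manage Security Scopes (assumed values).
        [Parameter(Mandatory)] [string[]] $SelectedScopes
    )
    foreach ($app in $Application) {
        $assigned = @($app.Scopes)
        # Scopes outside the selected set: enforcement removes these.
        $extra = @($assigned | Where-Object { $_ -notin $SelectedScopes })
        # Selected scopes the application does not currently carry.
        $missing = @($SelectedScopes | Where-Object { $_ -notin $assigned })
        [pscustomobject]@{
            Name            = $app.Name
            WouldBeRemoved  = $extra -join ', '
            MissingSelected = $missing -join ', '
            InSync          = ($extra.Count -eq 0 -and $missing.Count -eq 0)
        }
    }
}

# Constructed sample data so the function can be tried offline.
$sample = @(
    [pscustomobject]@{ Name = 'Example App A'; Scopes = @('Workstation Apps') }
    [pscustomobject]@{ Name = 'Example App B'; Scopes = @('Workstation Apps', 'Helpdesk') }
    [pscustomobject]@{ Name = 'Example App C'; Scopes = @('Default') }
)

# Show only the applications whose scopes differ from the selected set.
Get-ScopeDrift -Application $sample -SelectedScopes 'Workstation Apps' |
    Where-Object { -not $_.InSync } |
    Format-Table -AutoSize

# Live data: run from the ConfigMgr site drive with the ConfigurationManager
# module loaded. The name filter is a placeholder; use whatever identifies the
# Publisher-created applications in your environment.
# $apps = Get-CMApplication -Fast -Name 'ExampleVendor*' | ForEach-Object {
#     [pscustomobject]@{
#         Name   = $_.LocalizedDisplayName
#         Scopes = @(Get-CMObjectSecurityScope -InputObject $_).CategoryName
#     }
# }
# Get-ScopeDrift -Application $apps -SelectedScopes 'Workstation Apps'
```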
