# Permissions

*Applies to: Patch My PC Publisher*

## ConfigMgr Security Role

The Publisher can create, manage, update and delete applications in ConfigMgr, as well as perform other functions such as triggering a Software Update Point (SUP) sync. The following permissions are required in ConfigMgr to accomplish these tasks:

* **Application:** Read, Modify, Delete, Set Security Scope, Create, Move Object, Modify Folder
* **Distribution Point:** Read, Copy to Distribution Point
* **Distribution Point Group:** Read, Copy to Distribution Point Group
* **Folder Class:** Read, Modify, Create
* **Security Scopes:** Read
* **Site:** Read
* **Software Updates:** Read, Modify

<figure><img src="https://3773699522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2FvbGZUWEzmxDrZKB9soc0%2Fimage.png?alt=media&#x26;token=68fb6f5f-eb25-407d-8116-11b1bac49221" alt="" width="563"><figcaption><p>Patch My PC Service runs under the SYSTEM context</p></figcaption></figure>

The *PatchMyPCService*, shown in the image above, will run in the SYSTEM context by default. If the Publisher is installed on the ConfigMgr Site Server, no further consideration is required as the SYSTEM account already has the access it requires. If Patch My PC Publisher is being installed on a remote server, the Computer$ account of that server will need the permissions outlined above.

{% hint style="info" %}
**Note**

During a scheduled sync, these operations are performed under the context of the Logon account specified on the **PatchMyPCService**. By default, this will be **SYSTEM**. Tasks performed manually in the Publisher will be performed under the context of the currently logged on user.
{% endhint %}

More details can be found in the following KB, including how to create a custom Security Role to grant these permissions.

{% embed url="<https://patchmypc.com/kb/permissions-required-sccm-base-installation/#h-automatically-create-the-configuration-manager-security-role-for-the-patch-my-pc-publisher>" %}

## Content Source Folder

To create, manage and update third-party application content in ConfigMgr, the Publisher will need at least **Modify** permission on both the SMB share and NTFS folder that you specify as the Source Folder during configuration.

<figure><img src="https://3773699522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2FCDsszlruSo9Uqvy2knSR%2Fimage.png?alt=media&#x26;token=d40f6498-4b1f-4fc1-8e64-e5db3986d21a" alt="ConfigMgr Content Source Folder" width="563"><figcaption></figcaption></figure>

Connections to the application source UNC path are performed using the computer account of the server because the Publisher service runs in the SYSTEM context. This applies whether content is being created, updated, or cleaned up. Because of this, the computer account must be granted the appropriate permissions at both the **SMB share** level and the **NTFS** folder level.

The minimum required permission is **Modify**. This allows the Publisher to create folders, write application content, update files during application revisions, and remove content when applications are deleted.

In this example, the Publisher is installed on **BB-CM1**, and the application source folder is hosted on **BB-APP1**. Because the Publisher accesses the content over SMB, all file operations authenticate as **BB-CM1$**.

To ensure application creation and management works correctly, **BB-CM1$** must be granted Modify permissions on the SMB share and the underlying NTFS folder on **BB-APP1**. Without these permissions, application creation, updates, or cleanup operations will fail.

<figure><img src="https://3773699522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2FtrD8HxUmkBqb8wz4LZ9U%2Fimage.png?alt=media&#x26;token=3d2bfb1e-bcda-48b4-8f1c-493aabe786cf" alt="NTFS and SMB Permissions" width="533"><figcaption></figcaption></figure>
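The following PowerShell is an added example, not taken from the Patch My PC documentation. It grants the computer account the share-level and NTFS-level access described above, then lists the resulting entries and flags broad groups that can also write to the source folder. The domain name, share name and local path are assumed placeholders, and it is meant to be run elevated on the file server (**BB-APP1** in the example above).

```powershell
# Added example: run elevated on the file server hosting the source folder.
# Assumed placeholders (not from the page): domain, share name, local path.
$Account   = 'EXAMPLE\BB-CM1$'   # computer account of the Publisher server
$ShareName = 'PMPCSource'        # hypothetical share name
$Path      = 'D:\PMPCSource'     # hypothetical folder behind the share

# Share level: SMB shares offer Read / Change / Full. Change is the
# share-level counterpart of NTFS Modify.
Grant-SmbShareAccess -Name $ShareName -AccountName $Account `
    -AccessRight Change -Force | Out-Null

# NTFS level: Modify, inherited by subfolders and files so the Publisher can
# manage the Applications\Vendor\Application\UniqueID tree.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $Path
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Verify: collect both layers into one report.
$report = @(
    Get-SmbShareAccess -Name $ShareName | ForEach-Object {
        [pscustomobject]@{
            Layer    = 'SMB'
            Identity = $_.AccountName
            Rights   = "$($_.AccessRight)"
            Type     = "$($_.AccessControlType)"
        }
    }
    (Get-Acl -Path $Path).Access | ForEach-Object {
        [pscustomobject]@{
            Layer    = 'NTFS'
            Identity = "$($_.IdentityReference)"
            Rights   = "$($_.FileSystemRights)"
            Type     = "$($_.AccessControlType)"
        }
    }
)
$report | Format-Table -AutoSize

# Flag broad principals with write-capable access. Content in this folder is
# later distributed to clients, so write access should stay narrow.
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
$report | Where-Object {
    $_.Identity -in $broad -and $_.Type -eq 'Allow' -and
    $_.Rights -match 'Full|Change|Modify|Write'
} | ForEach-Object {
    Write-Warning "$($_.Layer): $($_.Identity) has $($_.Rights) on the source folder"
}
```

The effective access over the network is the more restrictive of the share and NTFS permissions, so both layers need the grant for **BB-CM1$**.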

{% hint style="info" %}
**Note**

The Publisher automatically creates a root **Applications** folder in the configured UNC source path. The name of this folder is not configurable.
{% endhint %}

All application content generated by the Publisher is stored beneath this folder, with vendor and product specific subdirectories created automatically as applications are published.

<figure><img src="https://3773699522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2FyShWrvlCS1o8K3YJthze%2Fimage.png?alt=media&#x26;token=acbf56b1-b081-423a-a3d0-b163a8866f7a" alt="Source Folder Structure" width="563"><figcaption></figcaption></figure>

{% hint style="success" %}
**Tip**

Each application version is stored in its own UniqueID folder. This results in multiple UniqueID folders under a single application folder, allowing the Publisher to track individual application versions and manage application lifecycles correctly.

Application content is stored using the following structure: SourceFolder\Applications\Vendor\Application\UniqueID

When application retention is enabled, retained application content UniqueID folders are moved into a **Retained Apps** folder under SourceFolder\Applications\Vendor\Application.
{% endhint %}

{% hint style="warning" %}
**Important**

The Applications folder structure is critical to the Publisher operations. The Publisher evaluates both the ConfigMgr database object and the corresponding content directories when making decisions about application retention, upgrades, and lifecycle management.

Manually modifying, moving, or deleting folders within this structure can cause inconsistencies between ConfigMgr and the content source, which may lead to unexpected behavior or management issues later.
{% endhint %}

For more information, see: [Connection and Source Options](https://docs.patchmypc.com/patch-my-pc-publisher/administration/configmgr-apps/options/connection-and-source-options).

