So, I'm running 9.0 SP2. Here is what I want to be able to do. I would like to give users different access to different scopes. So for instance, we have someone who needs basically all access to all of our workstations. This person needs to be able to see inventory of our servers. This person can not have access to deploy software, RC, patch, etc our servers. How do you do this? I tried giving an AD group a role of "Workstation Administrators" which was scoped out to all of our workstations and gave more or less full access to the desktops. I logged in and everything worked fine, except servers weren't visible (as expected). I then added the user to a "Server Inventory" group which I scoped to all server and then gave it the role of inventory. So the user was in two groups that had the correct rights/scopes added. What I found was that the scopes and rights seem to be addative. I expected that when they overlapped, but since I was scoping the roles, I had hoped they would only add when they both applied to the same computer.
Is there anyway to give the same person different access levels to different scopes?