Forums on Intune, SCCM, and Windows 11


SOLVED administrative permissions in the console

  • Thread starter: Kave70
Status
Not open for further replies.

Kave70

We have a help desk technician that needs access to the systems section of the console, but not the user section.
In our AD the tech has no rights to any sort of user administration.
The right-click tools we use have options to disable accounts and change passwords of users.

1- Can this tech change these, if he's not granted these permissions in AD?
2- How would we change the console permissions to not show the user section? I found how to limit to certain collections, but I'm not sure how to limit to seeing only devices, and not user objects.
Currently his security roles are application manager, remote tools operator and Read-only analyst. The Read-only analyst description says can view all Configuration manager objects. This is probably where we need to change, but not sure how to do this.
3- When we do make these changes, can the tech still see the logged on user? (we would like him to be able to do this)

Any guidance is appreciated - I'm confused with the user part
Karen
 
You need to create a personalized security scope and specify the collection which will be available for the tech team, and when you give the user permission to access in the console, you choose the concerned security scope.
 
I understand what you're saying, just having trouble executing it. Would all users be a collection?

Also, if I do this, will the tech still be able to see the currently logged on user? This is important - we use this feature all day long.
I appreciate any feedback. I'm reading, but have questions.
 
You can remove the defaults and then just add the Collection you want to grant permission to. As an example, you can add All Windows Workstation Collection only.
 
I think I got it - thanks for helping.
I logged on as a technician and can still see who is logged on, but the user section comes up empty. This is exactly what I needed.
Thanks!
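
The collection change suggested in the replies above, as an added PowerShell example that is not part of the original thread. It assumes the ConfigurationManager module from an installed admin console; the site code and account name are placeholders, and the default collection names are the ones a new administrative user normally receives.

```powershell
# Added example: limit an administrative user to one device collection.
# Placeholders/assumptions: site code, account name, default collection names.
param(
    [string]$SiteCode = 'XYZ',                              # placeholder site code
    [string]$AdminUser = 'CONTOSO\helpdesk.tech',           # placeholder account
    [string]$DeviceCollection = 'All Windows Workstation Collection',
    [string[]]$DefaultCollections = @('All Systems', 'All Users and User Groups')
)

# Load the console's module and switch to the site drive
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

$admin = Get-CMAdministrativeUser -Name $AdminUser
if (-not $admin) { throw "No administrative user '$AdminUser' in site $SiteCode" }

# Record the starting point so the change can be reviewed or reverted
"Before: roles       = $($admin.RoleNames -join ', ')"
"Before: collections = $($admin.CollectionNames -join ', ')"

# Add the device collection first so the account is never left unscoped
if ($admin.CollectionNames -notcontains $DeviceCollection) {
    Add-CMCollectionToAdministrativeUser -CollectionName $DeviceCollection `
        -AdministrativeUserName $AdminUser
}

# Remove the defaults, which include the user collection
foreach ($name in $DefaultCollections) {
    if ($admin.CollectionNames -contains $name) {
        Remove-CMCollectionFromAdministrativeUser -CollectionName $name `
            -AdministrativeUserName $AdminUser
    }
}

# Verify: no user-type collection (CollectionType 1) should remain assigned
$admin = Get-CMAdministrativeUser -Name $AdminUser
$userScoped = foreach ($name in $admin.CollectionNames) {
    $collection = Get-CMCollection -Name $name
    if ($collection.CollectionType -eq 1) { $name }
}

if ($userScoped) {
    Write-Warning "Still scoped to user collections: $($userScoped -join ', ')"
} else {
    "OK: $AdminUser is limited to: $($admin.CollectionNames -join ', ')"
}
```

The security roles are left unchanged here; only the collections the roles apply to are narrowed.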
 