I'm currently contracting with a large health organization that recently implemented SCCM 2007 (decision made before my start date). Only after implementation did they realize the hurt they were in for, as they have about 4 different levels of access they wanted to deploy.
In the end, the only option was to give everyone more access than they should have, and then create a custom console. I've spent months coding this custom console from scratch, and have it integrated with A.D. groups so the technician only sees the options he should (even though, in truth, he has much more security behind the scenes).
I wish I could have taken a photo of the clients' faces as I explained to them:
"Yes, I know this is a Microsoft product, but no, you can't dole out permissions based on group membership."
"No, grouping your applications by 'Site-Licensed' and 'Single-Licensed' doesn't buy you anything. SCCM is unaware of sub-collections, so for any collection you want them to have access to, you will have to manually grant that access. I'm sorry you have almost 400 collections."
"Yes, I know it is a Microsoft product, and I know they pretty much invented inheritance. They did not choose to make use of it in this product."