Collection membership permissions and logging
Please allow us to configure permissions so that individuals can only do direct include or removal of individual machines instead of allowing query based or other collections to be added too. Additionally greater logging of not just that the collection was modified but how it was modified. Most solutions I see out there require a customer scripted or web front end approach which adds complexity to support etc.
Stewart Pollock commented
The granular control of collection permissions seems to be a critical issue to me. It's not possible to grant users rights to add computers to individual collections without also giving them rights to modify the collection properties which means it's easy for a user to, for example, add another collection to which they have permissions as a member.We have had incidents in our environment where a user has done this and lead to a software deployment being targeted to thousands of machines in error.This was first logged in 2016, surprised to see it has had no activity