I have come up with a way to carve out Collection security in SCCM 2007. I have been using this tool I wrote for about a year in production already with great results. During my last SCCM RAP I showed the Microsoft Engineer how it worked and he thought it was really cool and suggested that I post it on myITforum.
The code consists of a few SQL procedures and SQL functions that need to be created. What is different about my SQL is that I use recursion, so that no matter how many collections you create or how deep they are, my code will always permission them. Also, once the SQL is put in place, the admins never need to go back into the SQL code to modify anything; it is all done through the SCCM console.
Basically, with what I wrote you can use AD groups to grant permissions to collections. Each person can then create their own sub-collections, and when my SQL kicks off it permissions them for the rest of the group (and only that group).
Download instructions (PDF): Lenny’s Security Slicer (173.1k)
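
The recursive walk described above, sketched as an added example; it is not the code from the download and does not use the SCCM 2007 schema. The table names, AD group names and collection IDs are constructed, and SQLite stands in for SQL Server so the query runs on its own.

```python
import sqlite3

# Hypothetical schema and constructed sample data (not SCCM's real tables).
SCHEMA = """
CREATE TABLE sub_collection (parent_id TEXT, child_id TEXT);
CREATE TABLE root_grant (ad_group TEXT, root_id TEXT);
"""
EDGES = [
    ("ROOT_A", "A1"), ("A1", "A2"), ("A2", "A3"),  # deep chain under group A
    ("ROOT_B", "B1"),
    ("ROOT_B", "SHARED"), ("A1", "SHARED"),        # one collection under two parents
    ("A3", "A1"),                                  # accidental cycle
]
GRANTS = [("DOMAIN\\TeamA", "ROOT_A"), ("DOMAIN\\TeamB", "ROOT_B")]

# Anchor row: each group's root collection.
# Recursive step: every child of a collection the group already reaches.
# UNION (not UNION ALL) discards repeated rows, so the cycle terminates.
EFFECTIVE = """
WITH RECURSIVE reach(ad_group, collection_id) AS (
    SELECT ad_group, root_id FROM root_grant
    UNION
    SELECT r.ad_group, s.child_id
    FROM reach r JOIN sub_collection s ON s.parent_id = r.collection_id
)
SELECT ad_group, collection_id FROM reach ORDER BY ad_group, collection_id
"""

def effective_permissions(edges=EDGES, grants=GRANTS):
    """Return {ad_group: set of collection ids} at any depth below its root."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO sub_collection VALUES (?, ?)", edges)
    db.executemany("INSERT INTO root_grant VALUES (?, ?)", grants)
    result = {}
    for group, coll in db.execute(EFFECTIVE):
        result.setdefault(group, set()).add(coll)
    db.close()
    return result

def shared_collections(perms):
    """Collections reached by more than one group; review these for isolation."""
    seen = {}
    for group, colls in perms.items():
        for coll in colls:
            seen.setdefault(coll, set()).add(group)
    return {c: g for c, g in seen.items() if len(g) > 1}

if __name__ == "__main__":
    perms = effective_permissions()
    print(perms, shared_collections(perms))
```

In this model a collection placed under two groups' trees is permissioned for both, so `shared_collections` is the audit to run when the "only that group" property matters.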