Configuring a high secure SCOM Management Group with the least amount of privileges possible can be challenging. Thanks to my colleagues Kevin Holman and Sergio Carrilho there is an excellent document which describes all accounts and their required access rights: SCOM Security Account Matrix
Please be aware, that you also assign the SDK/DAS service account to the SCOM Administrator role. If you don’t do that, you will see several 26319 Events in the Operations Manager Event log and some strange behaviors in the SCOM console (e.g. you can’t reset any SCOM monitor).