How to Create a New Security Role

The administrative assignments for a user or security group are defined by the roles and security scopes assigned to that user or security group. The Windows Management Instrumentation (WMI) SMS_Admin class contains all the administrators defined in Configuration Manager. The security roles for an admin are in the SMS_Admin.Roles property and the security scopes for an admin are in the SMS_Admin.Categories property. Both of these properties expose an array of strings which correspond to the identifier of the role or security scope. Both properties are also marked as lazy and are read-only.

Important
Lazy properties are never retrieved with the class instance if the class instance was loaded from a query. The object must be directly accessed from WMI. Generally the WMI provider will supply a Get method that will accept a query path to the object.

To create a new Security Role

Set up a connection to the SMS Provider.
Create an instance of the SMS_Role WMI class.
Set the required properties, including a new role name and the original security role to copy.
Get an instance of the original SMS_Role WMI class.
Copy the role permissions from the original security role to the new security role. This is similar to the Admin Console functionality when creating a new security role and not strictly required to create the security role.
Save the new security role.

Example

The following example creates a new security role:

C#	Copy Code
public void CreateRole(WqlConnectionManager connection, string roleName, string originalRoleID) { // Create a new security role instance. IResultObject newRole = connection.CreateInstance("SMS_Role"); // Set the required properties. // Note: RoleDescription is not required, but convenient. newRole.Properties["RoleName"].StringValue = roleName; newRole.Properties["CopiedFromID"].StringValue = originalRoleID; newRole.Properties["RoleDescription"].StringValue = roleName + " Description"; // Get the original role instance. IResultObject originalRole = connection.GetInstance(@"SMS_Role.RoleID='" + originalRoleID + "'"); // Copy the original role permissions to the new security role. newRole.SetArrayItems("Operations", originalRole.GetArrayItems("Operations")); // Save the new security role. newRole.Put(); }

Copy Code

public void CreateRole(WqlConnectionManager connection, string roleName, string originalRoleID)
{
	// Create a new security role instance.
	IResultObject newRole = connection.CreateInstance("SMS_Role");

	// Set the required properties.
	// Note: RoleDescription is not required, but convenient.
	newRole.Properties["RoleName"].StringValue = roleName;
	newRole.Properties["CopiedFromID"].StringValue = originalRoleID;
	newRole.Properties["RoleDescription"].StringValue = roleName + " Description";

	// Get the original role instance.
	IResultObject originalRole = connection.GetInstance(@"SMS_Role.RoleID='" + originalRoleID + "'");

	// Copy the original role permissions to the new security role.
	newRole.SetArrayItems("Operations", originalRole.GetArrayItems("Operations"));

	// Save the new security role.
	newRole.Put();
}

The example method has the following parameters:

Parameter	Type	Description
connection	Managed: WqlConnectionManager	A valid connection to the SMS Provider.
roleName	Managed: String	A name for the new role.
originalRoleID	Managed: String	The identifier of the original security role.

Compiling the Code

The C# example requires:

Namespaces

Microsoft.ConfigurationManagement.ManagementProvider

Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine

System

Assembly

adminui.wqlqueryengine

microsoft.configurationmanagement.managementprovider

mscorlib

Robust Programming

For more information about error handling, see About Configuration Manager Errors.