Microsoft System Center Configuration Manager 2007 security is implemented in several layers. Windows provides security for the operating system and network. Windows Management Instrumentation (WMI) is used to provide secure access to the SMS Provider WMI objects. For more information, see the MSDN documentation, http://go.microsoft.com/fwlink/?LinkId=110414.
Object Security
Configuration Manager 2007 uses WMI to provide secure access to the SMS Provider objects.
The SMS Provider enforces Configuration Manager object security when you access Configuration Manager objects through the Configuration Manager console or through a program that accesses Configuration Manager through WMI. The SMS Provider compares the user who is attempting to access the Configuration Manager object to the Configuration Manager security permissions on that Configuration Manager object, to determine whether the user has the right to access or change the object.
The following SMS Provider classes can be secured by using WMI:
- SMS_Collection Server WMI Class
- SMS_Package Server WMI Class
- SMS_Advertisement Server WMI Class
- SMS_StatusMessage Server WMI Class
- SMS_Site Server WMI Class
- SMS_Query Server WMI Class
- SMS_Report Server WMI Class
- SMS_MeteredProductRule Server WMI Class
- SMS_ConfigurationItem Server WMI Class
- SMS_OperatingSystemInstallPackage Server WMI Class
- SMS_Template Server WMI Class
- SMS_UpdatesAssignment Server WMI Class
- SMS_StateMigration Server WMI Class
- SMS_ImagePackage Server WMI Class
- SMS_BootImagePackage Server WMI Class
- SMS_TaskSequencePackage Server WMI Class
- SMS_DeviceSettingPackageItem Server WMI Class
- SMS_DeviceSettingItem Server WMI Class
- SMS_DriverPackage Server WMI Class
- SMS_SoftwareUpdatesPackage Server WMI Class
- SMS_Driver Server WMI Class
To view the available rights for Configuration Manager objects, see Classes and Instances for Object Security in Configuration Manager (http://go.microsoft.com/fwlink/?LinkId=111709).
Object Classes
You can set rights for classes of objects by creating an SMS_UserClassPermissions object. This allows you to specify the user and the rights you want to give to that user for every object of the class type, for example, all Configuration Manager packages. For more information, see How to Set User Security Rights for a Class of Configuration Manager Objects.
Object Instances
You can set rights for individual object instances by creating an SMS_UserInstancePermissions object. This allows you to specify the user and the rights that you want to give to that user for an individual object, for example, an individual package (SMS_Package).
For more information, see How to Set User Security Rights for a Configuration Manager Object.
Role-Based Security
Using the SMS_UserClassPermissions and SMS_UserInstancePermissions classes, you can easily set up role-based security for sets of users within a domain. For example, you can specify that all members of the Domain Users group can edit packages. You can specify that specific users can edit only the packages that they create. You can allow an administrator to manage all collections or just one. For each security object or object type, you can grant a number of different permissions. This precision gives you great control over who can access Configuration Manager object types and who can access specific information in the Configuration Manager site database.
For more information, see Security Server WMI Classes.
Viewing Object Rights
The following two classes can be used to view user rights:
- (http://go.microsoft.com/fwlink/?LinkId=44411) Each instance of this class represents a particular right for a particular user or group on a particular instance. This class is useful for display purposes because the rights are already parsed into a form that you can read, but it takes more scripting to achieve the same results as the SMS_UserInstancePermissions class.
- (http://go.microsoft.com/fwlink/?LinkId=44413) Each instance of this class represents a particular right for a particular user or group for a particular class. This class is useful for display purposes because the rights are already parsed into a form that you can read, but it takes more scripting to achieve the same results as the SMS_UserClassPermissions class.
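The "more scripting" mentioned above is mostly decoding the permission bitmask. The following PowerShell is an added example, not code from the SDK page: it lists one user's class-level and instance-level rights from SMS_UserClassPermissions and SMS_UserInstancePermissions and turns the bitmask into names. The site server, site code and user name are placeholders, and the bit values and ObjectKey values in the two tables are assumed from the SDK reference and must be checked against the "Classes and Instances for Object Security" topic the page links.

```powershell
# Added example, not from the SDK page: list one user's object rights by reading
# SMS_UserClassPermissions and SMS_UserInstancePermissions and decoding the
# permission bitmask. Server, site code and user are placeholders; the bit and
# ObjectKey values are assumed from the SDK reference and must be checked
# against the "Classes and Instances for Object Security" topic the page links.
$SiteServer = 'SITESERVER01'      # placeholder
$SiteCode   = 'ABC'               # placeholder
$UserName   = 'CONTOSO\pkgadmin'  # placeholder

# Partial tables: only the values used here; extend them from the SDK topic.
$RightBits   = [ordered]@{ 1 = 'Read'; 2 = 'Modify'; 4 = 'Delete' }
$ObjectTypes = @{ 1 = 'Collection'; 2 = 'Package'; 3 = 'Advertisement' }

# Turn a permission bitmask into readable names; bits missing from the
# partial table are reported in hex rather than silently dropped.
function ConvertTo-RightNames([uint32]$Mask) {
    $names = @(); $rest = [int64]$Mask
    foreach ($bit in $RightBits.Keys) {
        if ($rest -band $bit) { $names += $RightBits[$bit]; $rest = $rest -bxor $bit }
    }
    if ($rest) { $names += ('unknown 0x{0:X}' -f $rest) }
    return ($names -join ', ')
}

# WQL needs the backslash in DOMAIN\user doubled.
$common = @{
    ComputerName   = $SiteServer
    Namespace      = "root\sms\site_$SiteCode"
    Authentication = 'PacketPrivacy'   # DCOM packet privacy, as the page requires
    Filter         = "UserName='$($UserName -replace '\\','\\')'"
}

# Class-level rights apply to every object of the type named by ObjectKey.
Get-WmiObject @common -Class SMS_UserClassPermissions | ForEach-Object {
    [pscustomobject]@{ Scope = 'Class'; Type = $ObjectTypes[[int]$_.ObjectKey]
                       Object = '*'; Rights = (ConvertTo-RightNames $_.ClassPermissions) }
}
# Instance-level rights apply to the single object identified by InstanceKey.
Get-WmiObject @common -Class SMS_UserInstancePermissions | ForEach-Object {
    [pscustomobject]@{ Scope = 'Instance'; Type = $ObjectTypes[[int]$_.ObjectKey]
                       Object = $_.InstanceKey; Rights = (ConvertTo-RightNames $_.InstancePermissions) }
}
```

Run it as the account whose rights you want to audit, or as an administrator to review another account; a row whose Rights column contains "unknown" means the partial bit table needs another entry from the SDK topic.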
System Resource (SMS_R_System) as a Secured Resource
Secured resources are resources (the SMS_R_* classes) that require collection read rights to be viewed. If the user has class-level collection read rights, the user can see all instances of a secured resource. If the user has only instance-level read rights to certain collections, the user can see only the resources that are members of those collections. SMS_R_User, SMS_R_UserGroup, and SMS_R_System (the system resource) are secured resources.
Inventory instances (SMS_G_System_*) are secured similarly, with the read resource right. If a user has class-level rights, that user can see inventory data belonging to all resources. If the user does not have class-level rights, the user can see inventory data only for resources that are members of collections to which the user has instance-level read resource rights. Conversely, if a user has read resource rights to a collection, that user can see the inventory data for the members of that collection. This has not been affected by the change in security to SMS_R_System. Read resource rights cannot be granted to a user without also granting read rights. When a user does not have the appropriate class-level collection rights, resource security is enforced through collection limiting.
Sensitive Information
The security of sensitive information such as product keys and credentials used by your application is your responsibility.
Information sent to the provider using DCOM should be encrypted with the authentication level set to packet privacy. The managed provider sets the authentication to packet privacy and you do not need to explicitly set it in your code. When using VBScript, you must set the authentication in your code. For more information, see How to Connect to an SMS Provider in Configuration Manager by Using WMI.
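The following PowerShell is an added example, not code from the SDK page, serving both the Object Instances section and the packet privacy requirement above: it opens a System.Management connection to the SMS Provider with the DCOM authentication level set explicitly to packet privacy, creates an SMS_UserInstancePermissions instance that grants one user read rights on one package, and reads the result back. The site server, site code, user and package ID are placeholders; the ObjectKey value for packages (2) and the read bit (1) are assumed from the SDK reference and must be checked against the "Classes and Instances for Object Security" topic the page links.

```powershell
# Added example, not from the SDK page: grant one user Read on one package by
# creating an SMS_UserInstancePermissions instance over a DCOM connection whose
# authentication level is set explicitly to packet privacy. Server, site code,
# user and package ID are placeholders; ObjectKey 2 (package) and bit 1 (Read)
# are assumed from the SDK reference and must be checked against the linked topic.
Add-Type -AssemblyName System.Management

$SiteServer = 'SITESERVER01'      # placeholder
$SiteCode   = 'ABC'               # placeholder
$UserName   = 'CONTOSO\pkgadmin'  # placeholder
$PackageId  = 'ABC00001'          # placeholder package ID, used as InstanceKey

# Connect with packet privacy so the user name and rights travel encrypted
# rather than relying on the default authentication level of the caller.
$scope = New-Object System.Management.ManagementScope("\\$SiteServer\root\sms\site_$SiteCode")
$scope.Options.Authentication = [System.Management.AuthenticationLevel]::PacketPrivacy
$scope.Connect()

# Build the new permission instance from the class definition in that scope.
$path  = New-Object System.Management.ManagementPath('SMS_UserInstancePermissions')
$class = New-Object System.Management.ManagementClass($scope, $path, $null)
$perm  = $class.CreateInstance()
$perm.SetPropertyValue('UserName',            $UserName)
$perm.SetPropertyValue('ObjectKey',           [uint32]2)   # assumed: 2 = package
$perm.SetPropertyValue('InstanceKey',         $PackageId)  # the one package covered
$perm.SetPropertyValue('InstancePermissions', [uint32]1)   # assumed: bit 1 = Read
$perm.Put() | Out-Null

# Read it back through the same packet-privacy scope to confirm the provider
# accepted it; the provider itself enforces whether the caller may grant rights.
$query    = New-Object System.Management.ObjectQuery(
    "SELECT * FROM SMS_UserInstancePermissions WHERE InstanceKey='$PackageId'")
$searcher = New-Object System.Management.ManagementObjectSearcher($scope, $query)
$searcher.Get() | ForEach-Object {
    '{0}: ObjectKey={1} InstancePermissions=0x{2:X}' -f $_.UserName, $_.ObjectKey, $_.InstancePermissions
}
```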