Microsoft System Center Configuration Manager 2007 security is implemented in several layers. Windows provides security for the operating system and network. Windows Management Instrumentation (WMI) is used to provide secure access to the SMS Provider WMI objects. For more information, see the MSDN documentation, http://go.microsoft.com/fwlink/?LinkId=110414.

Object Security

Configuration Manager 2007 uses WMI to provide secure access to the SMS Provider objects.

The SMS Provider enforces Configuration Manager object security whenever a Configuration Manager object is accessed, whether through the Configuration Manager console or through a program that reaches the provider through WMI. The provider compares the user who is attempting the access with the Configuration Manager security permissions on that object to determine whether the user may read or change it. Because the check is made in the provider and not in the console, a script running as a given user has exactly the rights that the same user has in the console.

The SMS Provider classes that can be secured by using WMI, together with the rights available on each, are listed in Classes and Instances for Object Security in Configuration Manager (http://go.microsoft.com/fwlink/?LinkId=111709).

Object Classes

You can set rights for a class of objects by creating an SMS_UserClassPermissions object. This allows you to specify a user or group and the rights you want to give to that user or group for every object of the class type, for example, all Configuration Manager packages. For more information, see How to Set User Security Rights for a Class of Configuration Manager Objects.

Object Instances

You can set rights for an individual object instance by creating an SMS_UserInstancePermissions object. This allows you to specify a user or group and the rights that you want to give to that user or group for a single object, for example, an individual package (SMS_Package).

For more information, see How to Set User Security Rights for a Configuration Manager Object.
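The two procedures above, carried out from PowerShell against the SMS Provider, as an added example that is not part of the SDK documentation or its samples. The site server CM01, site code ABC, the principals CONTOSO\PackageAdmins and CONTOSO\jdoe and the collection ID ABC00012 are hypothetical. The ObjectKey values (1 = Collection, 2 = Package, 3 = Advertisement) and the permission bit values (Read = 1, Modify = 2, Delete = 4, Read Resource = 4096) are assumptions to verify against the rights reference linked above before use.

```powershell
# Added example, not part of the Configuration Manager 2007 SDK or its samples.
# Creates class-level and instance-level permission objects through the SMS Provider.
#
# Assumptions (hypothetical, verify against your site and the SDK rights reference):
#   - site server "CM01", site code "ABC"
#   - ObjectKey values: 1 = Collection, 2 = Package, 3 = Advertisement
#   - permission bits: Read = 1, Modify = 2, Delete = 4, Read Resource = 4096
param(
    [string]$SiteServer = "CM01",
    [string]$SiteCode   = "ABC"
)

$ObjectKey = @{ Collection = 1; Package = 2; Advertisement = 3 }
$Right     = @{ Read = 1; Modify = 2; Delete = 4; ReadResource = 4096 }

# Every call to the provider uses DCOM packet privacy so the rights data
# (and anything else sent to the provider) is encrypted on the wire.
$Wmi = @{
    ComputerName   = $SiteServer
    Namespace      = "root\sms\site_$SiteCode"
    Authentication = "PacketPrivacy"
}

function Grant-SmsClassRight {
    # Rights on every object of one type, for one user or group.
    param([string]$UserName, [int]$Key, [int]$Permissions)

    # One SMS_UserClassPermissions entry per (UserName, ObjectKey): extend an
    # existing entry rather than creating a second one. Filtering client-side
    # avoids having to escape the backslash in DOMAIN\name for a WQL filter.
    $existing = Get-WmiObject @Wmi -Class SMS_UserClassPermissions |
        Where-Object { $_.UserName -eq $UserName -and $_.ObjectKey -eq $Key }
    if ($existing) {
        $existing.ClassPermissions = [uint32]($existing.ClassPermissions -bor $Permissions)
        $existing.Put() | Out-Null
        return $existing
    }
    Set-WmiInstance @Wmi -Class SMS_UserClassPermissions -Arguments @{
        UserName         = $UserName
        ObjectKey        = $Key
        ClassPermissions = $Permissions
    }
}

function Grant-SmsInstanceRight {
    # Rights on one object, identified by its key (CollectionID, PackageID, ...).
    param([string]$UserName, [int]$Key, [string]$InstanceKey, [int]$Permissions)

    $existing = Get-WmiObject @Wmi -Class SMS_UserInstancePermissions |
        Where-Object { $_.UserName -eq $UserName -and $_.ObjectKey -eq $Key -and
                       $_.InstanceKey -eq $InstanceKey }
    if ($existing) {
        $existing.InstancePermissions = [uint32]($existing.InstancePermissions -bor $Permissions)
        $existing.Put() | Out-Null
        return $existing
    }
    Set-WmiInstance @Wmi -Class SMS_UserInstancePermissions -Arguments @{
        UserName            = $UserName
        ObjectKey           = $Key
        InstanceKey         = $InstanceKey
        InstancePermissions = $Permissions
    }
}

# Usage with hypothetical principals and IDs:
# the group may read and modify every package in the site ...
Grant-SmsClassRight -UserName "CONTOSO\PackageAdmins" -Key $ObjectKey.Package `
    -Permissions ($Right.Read -bor $Right.Modify)

# ... while one operator may only read one collection and the resources in it.
# Read Resource is always granted together with Read, which the provider requires.
Grant-SmsInstanceRight -UserName "CONTOSO\jdoe" -Key $ObjectKey.Collection `
    -InstanceKey "ABC00012" -Permissions ($Right.Read -bor $Right.ReadResource)
```

The functions merge new bits into an existing entry instead of creating a duplicate, because the provider keys both classes on the user plus the object (and instance) key; the caller must already hold the rights needed to administer security on those objects, or the Put fails with access denied.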

Role-Based Security

Using the SMS_UserClassPermissions and SMS_UserInstancePermissions classes, you can set up role-based security for sets of users within a domain. For example, you can specify that all members of the Domain Users group can edit packages, or that specific users can edit only the packages that they create. You can allow an administrator to manage all collections or just one. For each securable object or object type, you can grant a number of different rights, which gives you precise control over who can access Configuration Manager object types and who can access specific information in the Configuration Manager site database.

For more information, see Security Server WMI Classes.

Viewing Object Rights

The following two classes can be used to view user rights:

  • SMS_UserInstancePermissionNames (http://go.microsoft.com/fwlink/?LinkId=44411)   Each instance of this class represents a particular right for a particular user or group on a particular instance. The class is useful for display purposes because each right is already parsed into a readable name, but because every instance carries a single right, achieving the same result as one SMS_UserInstancePermissions bit mask takes more scripting.

  • SMS_UserClassPermissionNames (http://go.microsoft.com/fwlink/?LinkId=44413)   Each instance of this class represents a particular right for a particular user or group for a particular class. The class is useful for display purposes because each right is already parsed into a readable name, but because every instance carries a single right, achieving the same result as one SMS_UserClassPermissions bit mask takes more scripting.
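The "more scripting" route in the other direction, as an added example that is not part of the SDK: read the bit-mask classes directly and decode each mask into right names, which lists everything one user or group holds at class and instance level. The site server, site code and principal are hypothetical, and the bit-to-name table is an assumption to verify against the SDK rights reference; unknown bits are reported rather than dropped.

```powershell
# Added example, not part of the SDK: list the rights a user or group holds,
# decoding SMS_UserClassPermissions / SMS_UserInstancePermissions bit masks.
# Site server and site code are hypothetical; the bit table is an assumption
# to verify against the SDK rights reference.
param(
    [string]$SiteServer = "CM01",
    [string]$SiteCode   = "ABC"
)

$Wmi = @{ ComputerName = $SiteServer; Namespace = "root\sms\site_$SiteCode"; Authentication = "PacketPrivacy" }

# Assumed permission bit values (verify against the SDK).
$RightNames = [ordered]@{
    1 = "Read"; 2 = "Modify"; 4 = "Delete"; 8 = "Distribute"; 16 = "Create Child"
    32 = "Remote Control"; 64 = "Advertise"; 128 = "Modify Resource"; 256 = "Administer"
    512 = "Delete Resource"; 1024 = "Create"; 2048 = "View Collected Files"
    4096 = "Read Resource"; 8192 = "Delegate"; 16384 = "Meter"
    32768 = "Manage Status Filters"; 65536 = "Manage Folders"; 131072 = "Network Access"
    262144 = "Import Machine"; 524288 = "Transfer Site Settings"
    1048576 = "Modify Collection Setting"
}
# Assumed ObjectKey values for the three most common object types.
$ObjectTypes = @{ 1 = "Collection"; 2 = "Package"; 3 = "Advertisement" }

function ConvertTo-SmsRightNames {
    param([int]$Mask)
    $names = @()
    $known = 0
    foreach ($bit in $RightNames.Keys) {
        $known = $known -bor $bit
        if ($Mask -band $bit) { $names += $RightNames[$bit] }
    }
    # Surface bits the table does not cover instead of silently hiding a right.
    $unknown = $Mask -band (-bnot $known)
    if ($unknown) { $names += ("Unknown(0x{0:X})" -f $unknown) }
    $names -join ", "
}

function Get-SmsUserRights {
    param([string]$UserName)
    $rows = @()
    foreach ($p in @(Get-WmiObject @Wmi -Class SMS_UserClassPermissions |
                     Where-Object { $_.UserName -eq $UserName })) {
        $type = $ObjectTypes[[int]$p.ObjectKey]; if (-not $type) { $type = "ObjectKey $($p.ObjectKey)" }
        $rows += New-Object PSObject -Property @{
            Scope = "Class"; ObjectType = $type; InstanceKey = "(all)"
            Rights = ConvertTo-SmsRightNames $p.ClassPermissions
        }
    }
    foreach ($p in @(Get-WmiObject @Wmi -Class SMS_UserInstancePermissions |
                     Where-Object { $_.UserName -eq $UserName })) {
        $type = $ObjectTypes[[int]$p.ObjectKey]; if (-not $type) { $type = "ObjectKey $($p.ObjectKey)" }
        $rows += New-Object PSObject -Property @{
            Scope = "Instance"; ObjectType = $type; InstanceKey = $p.InstanceKey
            Rights = ConvertTo-SmsRightNames $p.InstancePermissions
        }
    }
    $rows
}

# Usage with a hypothetical principal.
Get-SmsUserRights -UserName "CONTOSO\jdoe" |
    Sort-Object ObjectType, Scope | Format-Table Scope, ObjectType, InstanceKey, Rights -AutoSize
```

Run this for each account in an audit rather than trusting the console view; a class-level entry shows up as a single row with InstanceKey "(all)", which is the case to look for when checking whether someone has wider rights than intended.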

System Resource (SMS_R_System) as a Secured Resource

Secured resources are resources (the SMS_R_* classes) that require collection Read rights to be viewed. If the user has class-level collection Read rights, the user can see all instances of a secured resource. If the user has only instance-level Read rights on certain collections, the user can see only the resources that are members of those collections. SMS_R_System (the system resource), SMS_R_User, and SMS_R_UserGroup are secured resources.

Inventory instances (SMS_G_System_*) are secured in the same way, through the Read Resource right. If a user has class-level collection Read Resource rights, that user can see inventory data for all resources. Otherwise the user can see only inventory that belongs to resources that are members of collections on which the user has instance-level Read Resource rights; likewise, a user who has Read Resource rights on a collection can see the inventory data for every member of that collection. This has not been affected by the change in security to SMS_R_System. Read Resource rights cannot be granted to a user without also granting Read rights. When a user does not have the appropriate class-level collection rights, resource security is enforced through collection limiting: the user sees only the resources and inventory of the collections the user has rights on.
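A way to confirm that collection limiting is doing what the two paragraphs above describe, as an added example that is not part of the SDK: query SMS_R_System and an inventory class as the limited user and compare what comes back with the membership of the collections that user has rights on. The site server, site code, user and collection ID are hypothetical; Get-WmiObject refuses -Credential for the local computer, so run this from a machine other than the site server.

```powershell
# Added example, not part of the SDK: verify that a user with only instance-level
# collection rights sees only the resources (and inventory) of those collections.
# Names, IDs and credentials are hypothetical.
param(
    [string]$SiteServer    = "CM01",
    [string]$SiteCode      = "ABC",
    [string]$LimitedUser   = "CONTOSO\jdoe",
    [string[]]$CollectionIDs = @("ABC00012")   # collections the user has Read + Read Resource on
)

$Namespace = "root\sms\site_$SiteCode"
$AsAdmin = @{ ComputerName = $SiteServer; Namespace = $Namespace; Authentication = "PacketPrivacy" }
$AsUser  = $AsAdmin.Clone()
$AsUser.Credential = Get-Credential $LimitedUser   # prompts for the limited user's password

function Test-SmsCollectionLimiting {
    # Resources the administrator knows are members of the user's collections.
    $allowed = @{}
    foreach ($id in $CollectionIDs) {
        $members = @(Get-WmiObject @AsAdmin -Class SMS_FullCollectionMembership -Filter "CollectionID='$id'")
        foreach ($m in $members) { $allowed[[int]$m.ResourceID] = $true }
    }

    # Secured resources and inventory the limited user can actually read.
    $systems   = @(Get-WmiObject @AsUser -Class SMS_R_System)
    $inventory = @(Get-WmiObject @AsUser -Class SMS_G_System_COMPUTER_SYSTEM)

    # Anything visible that is not explained by collection membership.
    $systemsOutside   = @($systems   | Where-Object { -not $allowed.ContainsKey([int]$_.ResourceId) })
    $inventoryOutside = @($inventory | Where-Object { -not $allowed.ContainsKey([int]$_.ResourceID) })

    New-Object PSObject -Property @{
        AllowedByCollections  = $allowed.Count
        VisibleSystems        = $systems.Count
        VisibleInventoryRows  = $inventory.Count
        SystemsOutsideScope   = @($systemsOutside   | ForEach-Object { $_.ResourceId })
        InventoryOutsideScope = @($inventoryOutside | ForEach-Object { $_.ResourceID })
    }
}

Test-SmsCollectionLimiting | Format-List
```

If SystemsOutsideScope or InventoryOutsideScope is not empty, the user holds more than the instance-level rights you listed (typically a class-level collection Read or Read Resource entry, or membership in a group that has one); the rights listing above is the place to find the entry responsible.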

Sensitive Information

The security of sensitive information such as product keys and credentials used by your application is your responsibility.

Information sent to the provider over DCOM should be encrypted by setting the authentication level to packet privacy. The managed provider sets packet privacy for you, so you do not need to set it explicitly in managed code. When using VBScript (or any other client that talks to WMI directly), you must set the authentication level in your code. For more information, see How to Connect to an SMS Provider in Configuration Manager by Using WMI.
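A connection that fixes the DCOM authentication level to packet privacy before anything is sent to the provider, as an added example that is not part of the SDK's own connection sample. It uses the .NET System.Management classes from PowerShell, which lets a script run many Get and Put operations over one scope; the site server and site code are hypothetical.

```powershell
# Added example, not part of the SDK: connect to the SMS Provider with DCOM
# authentication fixed to packet privacy so everything sent to the provider
# is encrypted. Site server and site code are hypothetical.
function Connect-SmsProvider {
    param(
        [string]$SiteServer,
        [string]$SiteCode,
        [System.Management.Automation.PSCredential]$Credential   # optional; omit for the current user
    )
    $opts = New-Object System.Management.ConnectionOptions
    # PacketPrivacy = authenticate, integrity-protect and encrypt every packet.
    $opts.Authentication = [System.Management.AuthenticationLevel]::PacketPrivacy
    # Impersonate lets the provider evaluate object security as the calling user.
    $opts.Impersonation  = [System.Management.ImpersonationLevel]::Impersonate
    if ($Credential) {
        $opts.Username       = $Credential.UserName
        $opts.SecurePassword = $Credential.Password   # SecureString, never a plain string
    }
    $path  = "\\$SiteServer\root\sms\site_$SiteCode"
    $scope = New-Object System.Management.ManagementScope($path, $opts)
    $scope.Connect()
    return $scope
}

function Get-SmsSites {
    # Simple query over the connected scope to show it is usable.
    param([System.Management.ManagementScope]$Scope)
    $query    = New-Object System.Management.ObjectQuery("SELECT SiteCode, SiteName, ServerName FROM SMS_Site")
    $searcher = New-Object System.Management.ManagementObjectSearcher($Scope, $query)
    foreach ($site in $searcher.Get()) {
        New-Object PSObject -Property @{
            SiteCode = $site.SiteCode; SiteName = $site.SiteName; ServerName = $site.ServerName
        }
    }
}

$scope = Connect-SmsProvider -SiteServer "CM01" -SiteCode "ABC"
Get-SmsSites -Scope $scope | Format-Table SiteCode, SiteName, ServerName -AutoSize
```

The same setting for the other common clients: Get-WmiObject and Set-WmiInstance take -Authentication PacketPrivacy, and in VBScript you set objSWbemServices.Security_.AuthenticationLevel = 6 (wbemAuthenticationLevelPktPrivacy) on the SWbemServices object returned by ConnectServer before issuing any calls.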
