SMS generally relies on other technologies to enforce security. For example, SMS sets security on file shares and then relies on the operating system to authenticate accounts and allow only correct accounts to access the shares. SMS itself enforces security only when you access an SMS object through the SMS Provider. The SMS Provider enforces SMS object security when you access SMS objects through the SMS Administrator console or through a program that accesses SMS through WMI. The SMS Provider compares the user who is attempting to access the SMS object to the SMS security permissions on that SMS object, to determine whether the user has the right to access or change the object.

You can use SMS scripting to grant permissions on an SMS object to a single user or to user groups within a domain. For example, you can specify that all members of the Domain Users group can edit packages. You can specify that specific users can edit only the packages that they create. You can allow an administrator to manage all collections or just one. For each security object or object type, you can grant a number of different permissions. This granularity gives you great control over who can access SMS object types and who can access specific information in the SMS site database.

The following example demonstrates how to grant read rights and how to modify rights to a user group for all collections at the instance level.

For more information, see the security topics in the SMS 2003 SDK.

To set security rights for an SMS object

  1. Connect to an SMS Provider, and get the SWbemServices object.

  2. Retrieve all available collections, and set for Junior Administrators' access rights to read and modify:

    SMSJuniorAdmins="DOMAIN\SMS Junior Admins"
    Set colCollections = objSWbemServices.ExecQuery("Select * From SMS_Collection")
    For Each objCollection In colCollections
    	'Ignore this special collection.
    	If (objCollection.CollectionID <> "COLLROOT") AND objCollection.OwnedByThisSite Then
    	 WScript.Echo vblf & objCollection.Name & "  " & objCollection.CollectionID
    	 AlreadySet = False
    	 Set colRights = objSWbemServices.ExecQuery("Select * From SMS_UserInstancePermissionNames WHERE ObjectKey=1 AND InstanceKey='" & objCollection.CollectionID & "'")
    	 For Each objRight in colRights
    		 WScript.Echo "  " & objRight.Username + "  " & objRight.PermissionName
    	 If objRight.Username = SMSJuniorAdmins Then AlreadySet=True
    	 If Not AlreadySet Then
    		Set objNewRight = objSWbemServices.Get("SMS_UserInstancePermissions").SpawnInstance_()
    		objNewRight.UserName = SMSJuniorAdmins
    		objNewRight.ObjectKey = 1 'collections
    		objNewRight.InstanceKey = objCollection.CollectionID
    		objNewRight.InstancePermissions = 1+2 'just Read and Modify
    	WScript.Echo "  The junior administrators now have read and modify access to this collection."	 
    	End If
    	End If

Compiling the Code

  • Requires an SMS 2003 Site Server.


Adding the same rights at the class level is easier but increases the security risk because it allows administrators to perform tasks that are not intended for them.

See Also