SMS generally relies on other technologies to enforce security. For example, SMS sets security on file shares and then relies on the operating system to authenticate accounts and allow only correct accounts to access the shares. SMS itself enforces security only when you access an SMS object through the SMS Provider. The SMS Provider enforces SMS object security when you access SMS objects through the SMS Administrator console or through a program that accesses SMS through WMI. The SMS Provider compares the user who is attempting to access the SMS object to the SMS security permissions on that SMS object, to determine whether the user has the right to access or change the object.
You can use SMS scripting to grant permissions on an SMS object to a single user or to user groups within a domain. For example, you can specify that all members of the Domain Users group can edit packages. You can specify that specific users can edit only the packages that they create. You can allow an administrator to manage all collections or just one. For each security object or object type, you can grant a number of different permissions. This granularity gives you great control over who can access SMS object types and who can access specific information in the SMS site database.
The following example demonstrates how to grant read rights and how to modify rights to a user group for all collections at the instance level.
For more information, see the security topics in the SMS 2003 SDK.
To set security rights for an SMS object
Connect to an SMS Provider, and get the SWbemServices object.
Retrieve all available collections, and set for Junior Administrators' access rights to read and modify:
SMSJuniorAdmins="DOMAIN\SMS Junior Admins" Set colCollections = objSWbemServices.ExecQuery("Select * From SMS_Collection") For Each objCollection In colCollections 'Ignore this special collection. If (objCollection.CollectionID <> "COLLROOT") AND objCollection.OwnedByThisSite Then WScript.Echo vblf & objCollection.Name & " " & objCollection.CollectionID AlreadySet = False Set colRights = objSWbemServices.ExecQuery("Select * From SMS_UserInstancePermissionNames WHERE ObjectKey=1 AND InstanceKey='" & objCollection.CollectionID & "'") For Each objRight in colRights WScript.Echo " " & objRight.Username + " " & objRight.PermissionName If objRight.Username = SMSJuniorAdmins Then AlreadySet=True Next If Not AlreadySet Then Set objNewRight = objSWbemServices.Get("SMS_UserInstancePermissions").SpawnInstance_() objNewRight.UserName = SMSJuniorAdmins objNewRight.ObjectKey = 1 'collections objNewRight.InstanceKey = objCollection.CollectionID objNewRight.InstancePermissions = 1+2 'just Read and Modify objNewRight.Put_ WScript.Echo " The junior administrators now have read and modify access to this collection." End If End If Next
Compiling the Code
- Requires an SMS 2003 Site Server.
Adding the same rights at the class level is easier but increases the security risk because it allows administrators to perform tasks that are not intended for them.