Setting Namespace Security When the Namespace is Created
The Managed Object Format (MOF) file that creates a namespace can also define the security descriptors for the namespace by including the NamespaceSecuritySDDL qualifier with the security descriptor in security descriptor definition language (SDDL) format.
You can use NamespaceSecuritySDDL to secure any namespace. You can also use this qualifier in a simple MOF file to alter the security descriptor on an existing namespace. The SDDL string is processed by WMI to establish the namespace security but is not stored as a string. If no security descriptor is specified, the default security is used. For more information, see Setting Namepace Security Descriptors.
The following procedure sets the security descriptor for the root\MyNamespace namespace. The SDDL string sets the owner and group to authenticated users and specifies a discretionary access control list (DACL) that is inherited by child namespaces. The DACL allows the user the right to read data, execute methods, write data to provider classes and use remote access: WBEM_ENABLE, WBEM_METHOD_EXECUTE, WBEM_WRITE_PROVIDER, WBEM_REMOTE_ACCESS. For more information, see Access to WMI Namespaces.
To set a namespace DACL
- Create a Managed Object Format (MOF) file or modify your existing MOF file that defines the namespace to add the NamespaceSecuritySDDL qualifier with the SDDL string.
The following code example shows the namespace to be modified is root\MyNamespace and the file is named MyNamespace_security.mof.
Be aware that the SDDL string is case-sensitive: the letters must be capitalized.
The following code example shows the letters "o" and "g" in the SDDL string as lowercase and will cause Mofcomp.exe to return an error.
- Run Mofcomp.exe to compile the MOF file.
In C++, use the IMoFCompiler methods.
- If your attempt to set the namespace DACL fails, consider the following error messages:
Error Description WBEM_E_INVALID_PARAMETER There is no inherited DACL. Alternately, the caller has violated the DACL or the SD in the parent namespace. WBEM_E_ACCESS_DENIED The caller does not have permission to update the SDDL in MOF.
- Setting Namespace Security Descriptors
- Namespace Access Rights Constants
- Namespace ACE Flag Constants
- Changing Access Security on Securable Objects
Build date: 10/15/2013