BizTalk RFID enables you to set device-level security permissions. You can specify a local or domain user as the administrator for a device by performing the following steps:
-
In RFID Manager, expand RFID Services Administration, expand your machine name, and then click Devices.
-
Right-click the name of the device, and then click Security.
-
In the ContosoTestDevice - Security dialog box, click Add, and specify the local or domain user as the administrator. This account must either be an administrator on the BizTalk RFID server or belong to the RFID Service Account group.
-
Click OK, and then click Close.
Devices are grouped and organized into device groups. Applying security at the level of the device group is analogous to the folder and file model in Windows file systems.
Every device has an “effective security,” the measure of security that is achieved after inheriting settings from parent device groups and device security settings.
.gif) Note |
|---|
|
By default, a device within a group will inherit the security settings applied to the group. However, you can choose to apply customized settings for each device.
|
A user belonging to the Administrators group in a computer (administrator), or the administrator of a device (entity administrator) can perform these actions:
-
Any synchronous command that affects the physical state of the device
-
Disabling device connections
-
Enabling and disabling the device
-
Any device manager operation that affects the logical device definition
A user belonging to the RFID_USER group, but not an administrator for the device or computer, can use only device-related commands that do not alter the state of the device.
All possible device operations are allowed for members of the Entity Administrators and the Administrators groups.
.gif) Important |
|---|
|
The entity administrator must be a member of the RFID User (RFID_USER) group. An entity administrator who does not belong to the RFID User group cannot execute any commands or call a method in the DeviceManagerProxy class.
|
| Note |
|---|
|
Membership in a local group does not take effect until the current user logs off and then logs back on. Therefore, if you notice that adding a user to the RFID_USER group does not seem to give the user the required privileges, log off and log back on.
|
A user who is an entity administrator, and is also part of the RFID User group, can call all DeviceManagerProxy method calls except the following:
-
AddDevice
-
CreateDeviceGroup
-
MoveEntityToDeviceGroup
The following table describes the actions that various roles can perform on a device or device group, and the corresponding permissions that are required.
|
Privilege
|
Role
|
Remarks
|
|---|
|
Create a device group.
|
Administrator*
|
Top-level entity that affects many devices.
|
|
Create a device.
|
Administrator
|
This is a system-wide change. Only an administrator can add a device. The DG_ADMIN for the parent device group does not have privileges to add a device.
|
|
Update device group membership (MoveEntityToDeviceGroup).
|
Administrator
|
Adding or removing a device from a device group might affect another device group
|
|
Set the access control for a device group or device.
|
Entity administrator
Administrator
|
Only an administrator or entity administrator can change the access control list (ACL).
|
|
Send a synchronous command to any device in a device group that does not change the state of the device.
|
Member of the RFID User group (RFID_USER),
Administrator
|
Members of the RFID User group (RFID_USER) automatically qualify as device users for all devices.
|
|
Set properties on a device (or actions that change the state of the device).
|
Entity administrator, Administrator
|
—
|
|
Send synchronous commands to a device that do not change the state of the device.
|
Member of the RFID User group (RFID_USER)
Administrator
|
—
|
* In the table, "Administrator" indicates a member of the group of administrators on the computer (Built-In\Administrator).