Export (0) Print
Expand All

How to Set User Security Rights for a Class of Configuration Manager Objects

System Center

Updated: October 28, 2009

Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

To set user security rights for a class of Microsoft System Center Configuration Manager 2007 objects by using the managed SMS Provider, you create and populate a SMS_UserClassPermissions object. You have to provide the class, the new class permission (read, modify, delete, and so on), and the user that the permission applies to.

For more information about Configuration Manager 2007 object rights, see Classes and Instances for Object Security in Configuration Manager (http://go.microsoft.com/fwlink/?LinkID=111709).

For more information about setting rights for individual Configuration Manager objects, see How to Set User Security Rights for a Configuration Manager Object.

To set user security rights for a class of Configuration Manager objects

  1. Set up a connection to the SMS Provider. For more information, see About the SMS Provider in Configuration Manager.

  2. Using the connection object you obtain in step one, create an SMS_UserClassPermissions object.

  3. With the SMS_UserClassPermissions object, set the UserName property to the user name that you want to set permissions for.

  4. Set the ObjectKey to the object type that you want to set permissions for. For more information, see SMS_UserClassPermissions.

  5. Set the ClassPermissions property to the required permissions.

  6. Commit the SMS_UserClassPermissions object.

Example

The following example gives modify access to all collections for the supplied user.

For information about calling the sample code, see Calling Configuration Manager Code Snippets.


Sub SetSecurityForCollections(connection, userName)

    Dim permissions
    On Error Resume Next
    
    ' Create the user class permissions object.
    Set permissions = connection.Get("SMS_UserClassPermissions").SpawnInstance_()
    If Err.Number<>0 Then
        Wscript.Echo "Couldn't get class permissions object"
        Exit Sub
    End If
     
    permissions.UserName = userName
    permissions.ObjectKey = 1 'collections
    permissions.ClassPermissions = 3 ' Read and modify
    
    permissions.Put_
    If Err.Number<>0 Then
        Wscript.Echo "Couldn't commit class permissions"
        Exit Sub
    End If
End Sub
public void SetSecurityForCollections(WqlConnectionManager connection, string userName)
{
    try
    {
        IResultObject permissions = connection.CreateInstance("SMS_UserClassPermissions");
        permissions["UserName"].StringValue = userName;
        permissions["ObjectKey"].IntegerValue = 1; //Collections
        permissions["ClassPermissions"].IntegerValue = (int)UserClassPermissions.Modify;
        permissions.Put();
    }
    catch (SmsException ex)
    {
        Console.WriteLine("Failed to set permissions. Error: " + ex.Message);
        throw;
    }
}

This example method has the following parameters:

 

Parameter Type Description

connection

Managed: WqlConnectionManager

VBScript:SWbemServices

A valid connection to the SMS Provider.

userName

Managed: String

VBScript: String

The user name to give permissions to.

Compiling the Code

The C# sample requires the following:

Namespaces

System

System.Collections.Generic

System.ComponentModel

Microsoft.ConfigurationManagement.ManagementProvider

Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine

Assembly

microsoft.configurationmanagement.managementprovider

adminui.wqlqueryengine

Robust Programming

The Configuration Manager exceptions that can be raised are SmsConnectionException and SmsQueryException. These can be caught together with SmsException.

Security

Adding the same rights at the class level is easier, but it increases the security risk because it allows administrators to perform tasks that they are not intended to perform.

See Also

Show:
© 2014 Microsoft