Security Roles

Security roles determine access to Windows Mobile-based device resources. The role assigned to a message is derived from where the message originated and how it is signed.

Security roles are also used with certificates to enforce security settings that were configured by using security policies. You can add or update the security roles for a specific certificate by using the Certificate Store Configuration Service Provider.

The following table lists common roles.

Role Decimal value Description
SECROLE_NONE 0 No role assignment.
SECROLE_OEM 2 Equipment manufacturer role.
SECROLE_OPERATOR 4 Assigned to OTA messages that are signed by the mobile operator's network PIN (IMSI in GSM; ESN+SPC in CDMA).

OTA messages include Wireless Application Protocol (WAP) push messages, Service Loading (SL) messages, and Service Indication (SI) messages.

If the operator is not the manager of the device, the permissions associated with this role are determined by the settings that the operator is trying to access.

The mobile operator can determine whether this role and the SECROLE_OPERATOR_TPS role require the same permissions.

SECROLE_MANAGER 8 Highest level of authority.

Assigned to user-authenticated messages by default.

Provides permissions to change all of the settings on the device.

Operators need to decide what operations will be allowed in this role.

SECROLE_USER_AUTH 16 User Authenticated.

Assigned to the following types of messages:

  • User-PIN-signed WAP push messages.
  • Messages received through the Remote API (RAPI) by default.

On Pocket PC, this role can also be obtained through the user interface (UI), perimeter security, the root store, and the SPC store.

If the user is not the manager of the device, the permissions associated with this role are determined by the settings that the user is trying to access.

SECROLE_USER_UNAUTH 64 User Unauthenticated.

Assigned to unsigned WAP push messages. This role provides permissions to install a Home/Today screen or ring tones.

SECROLE_OPERATOR_TPS 128 Trusted Provisioning Server.

Assigned to WAP messages that come from a Push Initiator that is authenticated (SECROLE_PPG_AUTH) by a trusted Push Proxy Gateway (SECROLE_TRUSTED_PPG), and where the Uniform Resource Identifier (URI) of the Push Initiator corresponds to the URI of the Trusted Provisioning Server (TPS) on the device.

The mobile operator can determine whether this role and the SECROLE_OPERATOR role require the same permissions.

SECROLE_KNOWN_PPG 256 Known Push Proxy Gateway.

Messages assigned this role indicate that the device knows the address to the Push Proxy Gateway.

SECROLE_TRUSTED_PPG 512 Device Trusted Push Proxy Gateway.

Messages assigned this role indicate that the Push Proxy Gateway is known and trusted by the device.

Because WAP secure push is not supported, the Push Proxy Gateway itself is not authenticated; this role rests solely on comparing the address of the Push Proxy Gateway with the trusted Push Proxy Gateway address stored on the device.

SECROLE_PPG_AUTH 1024 Push Initiator Authenticated.

Messages assigned this role indicate that the Push Initiator is authenticated by the Push Proxy Gateway. This role implies that the device trusts the Push Proxy Gateway (SECROLE_TRUSTED_PPG).

SECROLE_PPG_TRUSTED 2048 Trusted Push Proxy Gateway.

Messages assigned this role indicate that the content sent by the Push Initiator is trusted by the Push Proxy Gateway. This role implies that the device trusts the Push Proxy Gateway (SECROLE_TRUSTED_PPG).

Note   The Metabase Configuration Service Provider is restricted to the Manager role by default. Assigning it a less privileged role lets message origins that hold only that role modify the metabase, which weakens its protection.

Applies to Windows Mobile 5.0 AKU2.0 (build number 14847) and later

The following table shows the additional security roles that apply to AKU2.

Role Decimal value Description
SECROLE_ENTERPRISE 32 Enterprise IT Administrator role.
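The following is an added example written for this page, not Microsoft code or an API from the Windows Mobile SDK. It writes out the role-assignment rules given in the two tables above for a WAP push message and then answers the access question a policy check asks: does the message hold at least one of the roles a setting permits? The role constants are the decimal values from the tables. Because every value is a power of two and a message can hold several roles at once, roles are combined into a role mask with bitwise OR, which is how Windows Mobile security policies store them. The PushMessage and DeviceTrust structures, the "signer" vocabulary, and all gateway addresses and URIs are constructed for the illustration. The case it is built around: a Push Initiator that merely claims the Trusted Provisioning Server URI but arrives through a gateway the device does not trust never receives SECROLE_OPERATOR_TPS, because the gateway's claims about the Push Initiator only count from a trusted Push Proxy Gateway.

```python
"""Model of Windows Mobile security-role assignment for WAP push messages.

Added example, not Microsoft code. Constants are the decimal values from the
role tables; assign_roles() encodes the table descriptions. Message/device
structures, addresses and URIs are constructed for the illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

SECROLE_NONE = 0
SECROLE_OEM = 2
SECROLE_OPERATOR = 4
SECROLE_MANAGER = 8
SECROLE_USER_AUTH = 16
SECROLE_ENTERPRISE = 32        # Windows Mobile 5.0 AKU2 and later
SECROLE_USER_UNAUTH = 64
SECROLE_OPERATOR_TPS = 128
SECROLE_KNOWN_PPG = 256
SECROLE_TRUSTED_PPG = 512
SECROLE_PPG_AUTH = 1024
SECROLE_PPG_TRUSTED = 2048

ROLE_NAMES = {v: n for n, v in globals().items()
              if n.startswith("SECROLE_") and v != 0}


def decode_roles(mask: int) -> List[str]:
    """Expand a role mask into role names, lowest bit first.
    Bits that do not correspond to a documented role are reported, not dropped."""
    names, bit = [], 1
    while bit <= mask:
        if mask & bit:
            names.append(ROLE_NAMES.get(bit, "UNKNOWN_ROLE_%d" % bit))
        bit <<= 1
    return names


@dataclass
class PushMessage:                      # constructed for the example
    signer: str                         # "operator_pin", "user_pin" or "unsigned"
    ppg_address: Optional[str] = None   # PPG the message arrived through, if any
    pi_authenticated: bool = False      # PPG asserts the Push Initiator was authenticated
    pi_content_trusted: bool = False    # PPG asserts the Push Initiator's content is trusted
    pi_uri: Optional[str] = None        # URI of the Push Initiator


@dataclass
class DeviceTrust:                      # constructed for the example
    known_ppgs: Set[str] = field(default_factory=set)
    trusted_ppgs: Set[str] = field(default_factory=set)   # a trusted PPG is also known
    tps_uri: Optional[str] = None       # Trusted Provisioning Server URI on the device


def assign_roles(msg: PushMessage, dev: DeviceTrust) -> int:
    """Derive the role mask for a WAP push message from the table rules."""
    mask = SECROLE_NONE
    # Roles from how the message itself is signed.
    if msg.signer == "operator_pin":
        mask |= SECROLE_OPERATOR
    elif msg.signer == "user_pin":
        mask |= SECROLE_USER_AUTH
    else:
        mask |= SECROLE_USER_UNAUTH
    # Gateway roles. WAP secure push is not supported, so the PPG is identified
    # only by comparing its address with the addresses stored on the device.
    if msg.ppg_address is not None:
        if msg.ppg_address in dev.known_ppgs or msg.ppg_address in dev.trusted_ppgs:
            mask |= SECROLE_KNOWN_PPG
        if msg.ppg_address in dev.trusted_ppgs:
            mask |= SECROLE_TRUSTED_PPG
            # What the PPG says about the Push Initiator counts only when the
            # PPG is trusted (PPG_AUTH and PPG_TRUSTED imply TRUSTED_PPG).
            if msg.pi_authenticated:
                mask |= SECROLE_PPG_AUTH
                if msg.pi_uri is not None and msg.pi_uri == dev.tps_uri:
                    mask |= SECROLE_OPERATOR_TPS
            if msg.pi_content_trusted:
                mask |= SECROLE_PPG_TRUSTED
    return mask


def is_permitted(mask: int, allowed_roles: int) -> bool:
    """A setting guarded by a role mask is accessible when the message holds
    at least one of the allowed roles."""
    return (mask & allowed_roles) != 0


if __name__ == "__main__":
    dev = DeviceTrust(known_ppgs={"ppg.example.net"},
                      trusted_ppgs={"push.operator.example"},
                      tps_uri="http://tps.operator.example/prov")
    tps = "http://tps.operator.example/prov"
    genuine = PushMessage("unsigned", "push.operator.example", True, False, tps)
    spoofed = PushMessage("unsigned", "ppg.example.net", True, False, tps)
    for label, m in (("via trusted PPG", genuine), ("via untrusted PPG", spoofed)):
        mask = assign_roles(m, dev)
        print(label, mask, decode_roles(mask),
              "TPS/Manager access:", is_permitted(mask, SECROLE_OPERATOR_TPS | SECROLE_MANAGER))
```

Running the script shows the genuine message holding SECROLE_USER_UNAUTH, SECROLE_OPERATOR_TPS, SECROLE_KNOWN_PPG, SECROLE_TRUSTED_PPG and SECROLE_PPG_AUTH (mask 1984), while the same content routed through a gateway that is known but not trusted holds only SECROLE_USER_UNAUTH and SECROLE_KNOWN_PPG (mask 320) and fails the access check. Nothing in the unsigned path lets a message earn SECROLE_OPERATOR or SECROLE_MANAGER; those depend on the signature or on a policy that grants them.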

See Also

Windows Mobile-based Device Security Model

© 2006 Microsoft Corporation. All rights reserved.