Setting security on namespace creation

The Managed Object Format (MOF) file that creates a namespace can also define the security descriptors for the namespace by including the NamespaceSecuritySDDL qualifier with the security descriptor in security descriptor definition language (SDDL) format.

You can use NamespaceSecuritySDDL to secure any namespace. You can also use this qualifier in a simple MOF file to alter the security descriptor on an existing namespace. WMI processes the SDDL string to establish the namespace security but does not store it as a string. If no security descriptor is specified, the default security is used. For more information, see Setting Namespace Security Descriptors.

The following procedure sets the security descriptor for the root\MyNamespace namespace. The SDDL string sets the owner and group to authenticated users and specifies a discretionary access control list (DACL) that is inherited by child namespaces. The DACL allows the user the right to read data, execute methods, write data to provider classes, and use remote access: WBEM_ENABLE, WBEM_METHOD_EXECUTE, WBEM_WRITE_PROVIDER, WBEM_REMOTE_ACCESS. For more information, see Access to WMI Namespaces.

To set a namespace DACL

  1. Create a Managed Object Format (MOF) file or modify your existing MOF file that defines the namespace to add the NamespaceSecuritySDDL qualifier with the SDDL string.

    In the following code example, the namespace to be modified is root\MyNamespace and the file is named MyNamespace_security.mof.

    #pragma autorecover
    #pragma namespace("\\\\.\\root")
    [NamespaceSecuritySDDL ("O:BAG:BAD:(A;CI;0x60003;;;WD)")]
    Instance of __Namespace
    {
      Name = "MyNamespace";
    };
    
  2. Be aware that the SDDL string is case-sensitive: the letters must be capitalized.

    The following code example has the letters "o" and "g" in the SDDL string in lowercase, which causes Mofcomp.exe to return an error.

    #pragma autorecover
    #pragma namespace("\\\\.\\root")
    [NamespaceSecuritySDDL("o:BAg:BAD:(A;CI;0x60003;;;WD)")]
    Instance of __Namespace
    {
      Name = "MyNamespace";
    };
    
  3. Run Mofcomp.exe to compile the MOF file.

    c:\mofcomp MyNamespace_security.mof

    In C++, use the IMofCompiler methods.

  4. If your attempt to set the namespace DACL fails, consider the following error messages:

    Error                      Description
    WBEM_E_INVALID_PARAMETER   There is no inherited DACL. Alternatively, the caller has violated the DACL or the SD in the parent namespace.
    WBEM_E_ACCESS_DENIED       The caller does not have permission to update the SDDL in MOF.
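Before compiling a MOF that carries a NamespaceSecuritySDDL qualifier, it is worth decoding the string to confirm exactly which trustee receives which rights, and catching the capitalization mistake from step 2 before Mofcomp.exe does. The following Python decoder is an added example and is not code from the page or from the WMI documentation. It assumes the rights values published in the Namespace Access Rights Constants topic (WBEM_ENABLE = 0x1 through WBEM_RIGHT_PUBLISH = 0x80, plus the standard READ_CONTROL = 0x20000 and WRITE_DAC = 0x40000), a small table of well-known SDDL SID abbreviations, and only the O:/G:/D: layout with hexadecimal ACE masks used on this page (no SACL and no generic-rights letters). The `sddl_problems`, `mask_to_rights`, `rights_to_mask` and `parse_namespace_sddl` names are the example's own.

```python
"""Decode and sanity-check a WMI NamespaceSecuritySDDL string before compiling the MOF.

Added example: not part of the page or of the WMI documentation.
"""
import re

# Rights that appear in WMI namespace ACE masks. Values as documented in the
# Namespace Access Rights Constants topic (assumption: that table is complete for our needs).
WMI_RIGHTS = {
    "WBEM_ENABLE": 0x00001,
    "WBEM_METHOD_EXECUTE": 0x00002,
    "WBEM_FULL_WRITE_REP": 0x00004,
    "WBEM_PARTIAL_WRITE_REP": 0x00008,
    "WBEM_WRITE_PROVIDER": 0x00010,
    "WBEM_REMOTE_ACCESS": 0x00020,
    "WBEM_RIGHT_SUBSCRIBE": 0x00040,
    "WBEM_RIGHT_PUBLISH": 0x00080,
    "READ_CONTROL": 0x20000,
    "WRITE_DAC": 0x40000,
}

# Well-known SDDL SID abbreviations (subset chosen for this example).
SID_ALIASES = {
    "BA": "Builtin Administrators",
    "WD": "Everyone",
    "AU": "Authenticated Users",
    "SY": "Local System",
}

# Two-letter ACE inheritance flags used in namespace descriptors.
ACE_FLAGS = {
    "CI": "CONTAINER_INHERIT_ACE",
    "OI": "OBJECT_INHERIT_ACE",
    "NP": "NO_PROPAGATE_INHERIT_ACE",
    "IO": "INHERIT_ONLY_ACE",
    "ID": "INHERITED_ACE",
}

# Component tags (O:, G:, D:) and ACE type letters are matched in upper case only,
# so a lowercase "o:" or "g:" fails here just as it fails in Mofcomp.exe (step 2).
SID_RE = r"(?:[A-Z]{2}|S-1-[0-9-]+)"
SDDL_RE = re.compile(rf"^O:(?P<owner>{SID_RE})G:(?P<group>{SID_RE})D:(?P<dacl>.*)$")
ACE_RE = re.compile(
    rf"^\((?P<type>[AD]);(?P<flags>[A-Z]*);(?P<mask>0x[0-9A-Fa-f]+);;;(?P<sid>{SID_RE})\)$"
)


def mask_to_rights(mask):
    """Return the sorted names of every right bit set in mask; unknown bits are reported as hex."""
    names = [name for name, bit in WMI_RIGHTS.items() if mask & bit]
    leftover = mask & ~sum(WMI_RIGHTS.values())
    if leftover:
        names.append(f"UNKNOWN_0x{leftover:X}")
    return sorted(names)


def rights_to_mask(names):
    """Build an ACE mask from right names, e.g. the four rights the procedure lists."""
    return sum(WMI_RIGHTS[name] for name in names)


def parse_namespace_sddl(sddl):
    """Parse an O:/G:/D: descriptor into a dict; raise ValueError on malformed or lowercase input."""
    match = SDDL_RE.match(sddl)
    if not match:
        raise ValueError(f"not a valid namespace SDDL (check capitalization): {sddl!r}")
    aces = []
    for part in re.findall(r"\([^)]*\)", match.group("dacl")):
        ace = ACE_RE.match(part)
        if not ace:
            raise ValueError(f"unsupported or malformed ACE: {part!r}")
        aces.append({
            "type": "ALLOW" if ace.group("type") == "A" else "DENY",
            "flags": [ACE_FLAGS.get(f, f) for f in re.findall("..", ace.group("flags"))],
            "rights": mask_to_rights(int(ace.group("mask"), 16)),
            "trustee": SID_ALIASES.get(ace.group("sid"), ace.group("sid")),
        })
    return {
        "owner": SID_ALIASES.get(match.group("owner"), match.group("owner")),
        "group": SID_ALIASES.get(match.group("group"), match.group("group")),
        "dacl": aces,
    }


def sddl_problems(sddl):
    """Return a problem description, or None when the descriptor parses cleanly."""
    try:
        parse_namespace_sddl(sddl)
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    # The two strings from the procedure above, plus a constructed descriptor that grants
    # Authenticated Users exactly the four rights the procedure names.
    good = "O:BAG:BAD:(A;CI;0x60003;;;WD)"
    bad = "o:BAg:BAD:(A;CI;0x60003;;;WD)"
    four = ["WBEM_ENABLE", "WBEM_METHOD_EXECUTE", "WBEM_WRITE_PROVIDER", "WBEM_REMOTE_ACCESS"]
    constructed = f"O:AUG:AUD:(A;CI;0x{rights_to_mask(four):X};;;AU)"
    for s in (good, bad, constructed):
        print(s, "->", sddl_problems(s) or parse_namespace_sddl(s))
```

Running the script prints the decoded owner, group and ACE list for each string that parses, and the capitalization error for the lowercase one; comparing the decoded rights with the rights you intended to grant is the check to make before step 3.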


Setting Namespace Security Descriptors

Namespace Access Rights Constants

Namespace ACE Flag Constants

Changing Access Security on Securable Objects