5.2 Index of Security Parameters
The server MUST secure access to each CIM namespace by using security descriptors<88> as specified in [MS-DTYP].
The server MUST use the DCOM identity of the caller against the security descriptor of the namespace to grant or deny the access.
The access mask that controls the security principal rights contains the following specific rights, which are interpreted as specified in the table.
| Constant | Value | Meaning |
|---|---|---|
| WBEM_ENABLE | 0x1 | Grants the security principal read permissions. |
| WBEM_FULL_WRITE | 0x4 | Grants the security principal permission to write to classes and instances. |
| WBEM_METHOD_EXECUTE | 0x2 | Grants the security principal permission to execute methods. |
| WBEM_PARTIAL_WRITE_REP | 0x8 | Grants the security principal permission to update or delete CIM instances that are static. |
| WBEM_REMOTE_ENABLE | 0x20 | Grants the security principal permission to access the server remotely. |
| WBEM_WRITE_PROVIDER | 0x10 | Grants the security principal permission to update or delete CIM instances that are dynamic. |
| READ_CONTROL | 0x20000 | Allows the security principal to read the security descriptor of the CIM namespace. |
| WRITE_DAC | 0x40000 | Allows the security principal to modify the security descriptor of the CIM namespace. |
To change the namespace security descriptor, a client MUST use the Windows Management Instrumentation Remote Protocol and the required CIM object encoding, as specified in [MS-WMIO]. To query or change the security descriptor, the __SystemSecurity class methods GetSD and SetSD defined in section 2.2.30 MUST be used. To manage the namespace security, the __SystemSecurity class MUST be implemented at the top level of every namespace. The GetSD and SetSD methods are invoked as specified in sections 3.1.4.3.22 and 3.1.4.3.23.
If the event object that is delivered to the WMI server (as specified in 3.2.4.2.1) contains a non-null SECURITY_DESCRIPTOR as specified in 2.2.4.2, the server MUST secure access to the event object by using access controls specified in the security descriptor. The access mask that controls the security principal rights has the following specific rights, which are interpreted as specified in the following table.
| Constant | Value | Meaning |
|---|---|---|
| WBEM_RIGHTS_PUBLISH | 0x80 | Grants the security principal permission to send events to the WMI server as specified in 3.2.4.2.1. |
| WBEM_RIGHT_SUBSCRIBE | 0x40 | Grants the security principal permission to receive the event object using the IWbemServices::ExecNotificationQuery or IWbemServices::ExecNotificationQueryAsync method call. If this permission is not granted, the client can make IWbemServices::ExecNotificationQuery or IWbemServices::ExecNotificationQueryAsync calls, but the event is not delivered. |