2.9.3 Security of Managed Data
Regardless of the particular protocol that is used for remote access, the CIMOM restricts access to the underlying managed objects. To restrict access, SDDL strings (security descriptors) are assigned to each CIM namespace, so that a user needs the appropriate access rights to access data in that namespace. For example, the security descriptor can enable a particular user to read data from a namespace, but not to modify it. In that case, the user would be allowed to retrieve a managed object but not to set a value on that managed object.
The various access rights that can be granted to a particular user or group are specified in [MS-WMI] section 5.2. To query or change the security descriptor that is associated with a particular namespace, the GetSD and SetSD methods of the __SystemSecurity class must be used, as specified in [MS-WMI] sections 3.1.4.3.22 and 3.1.4.3.23.
To query or change the security descriptor associated with a particular namespace by using the WSMAN protocol, you can set the Action URI to appropriately reference the __SystemSecurity class and desired method to invoke the GetSD and SetSD methods of the __SystemSecurity class, as specified in [MS-WSMAN] section 3.1.4.
To query or change the security descriptor that is associated with a particular namespace by using the WSMV protocol, you can set the Action URI to appropriately reference the __SystemSecurity class and desired method to invoke the GetSD and SetSD methods of the __SystemSecurity class, as specified in [MS-WSMV] section 3.1.4.
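As an added example (not code from the specification or from Microsoft), the following PowerShell reads a namespace's security descriptor through __SystemSecurity.GetSD and decodes each DACL entry using the access-mask bits defined in [MS-WMI] section 5.2, so an administrator can review who holds write rights on the namespace. The namespace name, the optional CimSession (which carries the call over WS-Management when supplied) and the watch list of broad principals are assumptions for illustration.

```powershell
# Added example, not part of [MS-WMI]/[MS-WSMV] or any Microsoft sample.
# Assumes PowerShell 5+ on Windows; the namespace and session are caller-supplied.

# Namespace access-mask bits as defined in [MS-WMI] section 5.2
$WbemRights = [ordered]@{
    WBEM_ENABLE            = 0x00001   # read/enumerate objects in the namespace
    WBEM_METHOD_EXECUTE    = 0x00002
    WBEM_FULL_WRITE_REP    = 0x00004   # create/modify classes and instances
    WBEM_PARTIAL_WRITE_REP = 0x00008
    WBEM_WRITE_PROVIDER    = 0x00010
    WBEM_REMOTE_ACCESS     = 0x00020
    WBEM_RIGHT_SUBSCRIBE   = 0x00040
    WBEM_RIGHT_PUBLISH     = 0x00080
    READ_CONTROL           = 0x20000
    WRITE_DAC              = 0x40000   # may change the descriptor itself (SetSD)
}
$WriteMask = 0x00004 -bor 0x00008 -bor 0x00010 -bor 0x40000
# Constructed watch list: Everyone, Authenticated Users, BUILTIN\Users
$BroadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

function Get-WmiNamespaceAcl {
    [CmdletBinding()]
    param(
        [string]$Namespace = 'root/cimv2',
        # A session from New-CimSession uses WS-Management; omit it for a local call
        [Microsoft.Management.Infrastructure.CimSession]$CimSession
    )
    $call = @{ Namespace = $Namespace; ClassName = '__SystemSecurity'; MethodName = 'GetSD' }
    if ($CimSession) { $call.CimSession = $CimSession }
    $result = Invoke-CimMethod @call
    if ($result.ReturnValue -ne 0) { throw "GetSD on $Namespace failed: $($result.ReturnValue)" }

    # GetSD returns the descriptor in self-relative binary form; decode it
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$result.SD, 0)
    Write-Verbose ("SDDL: " + $sd.GetSddlForm('All'))
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid   = $ace.SecurityIdentifier
        $names = $WbemRights.GetEnumerator() | Where-Object { $ace.AccessMask -band $_.Value } | ForEach-Object Key
        try { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $who = $sid.Value }
        [pscustomobject]@{
            Namespace = $Namespace
            Trustee   = $who
            AceType   = $ace.AceType            # AccessAllowed or AccessDenied
            Rights    = $names -join ','
            Inherits  = [bool]($ace.AceFlags -band [System.Security.AccessControl.AceFlags]::ContainerInherit)
            # Allow ACE that grants a write right to a broad principal: flag for review
            Review    = ($ace.AceType -eq 'AccessAllowed') -and ($ace.AccessMask -band $WriteMask) -and ($BroadSids -contains $sid.Value)
        }
    }
}

Get-WmiNamespaceAcl -Namespace 'root/cimv2' -Verbose | Format-Table -AutoSize
```

Entries with Review set to True are the ones to compare against the intended policy before changing anything with SetSD.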
Additionally, a CIMOM can apply any implementation-specific security restrictions and access checks beyond the namespace security descriptors. This system does not define any added security measures and relies on the CIMOM implementation. Modifications that one member protocol applies to a namespace's security descriptors are visible to the other member protocols.
Servers typically restrict the set of resources that clients can view or modify.