Security Roles

Security roles are assigned to over-the-air (OTA) messages and determine which Windows Mobile device resources the message has access to. The security role is based on the message origin and how the message is signed. See Security Role Settings for the list of possible security roles.

Security roles are also used with certificates to enforce security settings that were configured by using Security Policies. You can add or update the security roles for a specific certificate by using the CertificateStore Configuration Service Provider.

Security Roles for Smartphones

On Smartphones, security roles are checked and enforced. Configuration Manager ensures that the XML document has sufficient permission to change the specified registry key. For more information, see Effect of Device Management Policies on the OTA Process.

The following table lists common roles for Smartphones.

Role                    Decimal value
SECROLE_MANAGER         8
SECROLE_OEM             2
SECROLE_OPERATOR        4
SECROLE_OPERATOR_TPS    128
SECROLE_PPG_TRUSTED     2048
SECROLE_PPG_AUTH        1024
SECROLE_TRUSTED_PPG     512
SECROLE_KNOWN_PPG       256
SECROLE_USER_AUTH       16
SECROLE_USER_UNAUTH     64
SECROLE_NONE            0

Security Roles for Pocket PC

On Windows Mobile-based Pocket PC Phone Edition, the different levels of access to the resources of a device are enforced by the metabase, which is a repository of resources available for over-the-air (OTA) provisioning with associated access control rights. Pocket PC does no certificate checking for installation or execution of applications. Every application on Pocket PC has access to the entire system.

Every Pocket PC call into Configuration Manager has a role mask assigned, which determines its access to the system. All OTA configuration calls get role masks based on security policy settings and how the OTA message was signed.

In general, applications on Pocket PC have access to all system resources. On the device, all security roles are assigned to an application such that the application is automatically installed or automatically runs.

The following table lists common roles for Pocket PC Phone Edition.

Role                    Decimal value
SECROLE_MANAGER         8
SECROLE_OEM             2
SECROLE_OPERATOR        4
SECROLE_OPERATOR_TPS    128
SECROLE_USER_AUTH       16
SECROLE_USER_UNAUTH     64

For more information about the decimal value for specific roles, see the access-role table in Metabase Configuration Service Provider.
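
Each decimal value in the tables above is a single bit, so a role mask can be broken back into role names when reviewing a provisioning document or a certificate's assigned roles. The following is an added example, not code from the original documentation; it assumes a role mask is the bitwise OR of the listed values, and the watch parameter and sample masks are constructed for illustration.

```python
# Added example (not Microsoft code). Role names and decimal values are copied
# from the two tables above. Assumption: a role mask is the bitwise OR of them.
SMARTPHONE_ROLES = {
    "SECROLE_OEM": 2,
    "SECROLE_OPERATOR": 4,
    "SECROLE_MANAGER": 8,
    "SECROLE_USER_AUTH": 16,
    "SECROLE_USER_UNAUTH": 64,
    "SECROLE_OPERATOR_TPS": 128,
    "SECROLE_KNOWN_PPG": 256,
    "SECROLE_TRUSTED_PPG": 512,
    "SECROLE_PPG_AUTH": 1024,
    "SECROLE_PPG_TRUSTED": 2048,
}
# The Pocket PC Phone Edition table lists only the six roles up to 128.
POCKET_PC_ROLES = {n: v for n, v in SMARTPHONE_ROLES.items() if v <= 128}


def decode_role_mask(mask, roles=SMARTPHONE_ROLES):
    """Return (role names set in mask, bits that match no role in the table)."""
    if not isinstance(mask, int) or mask < 0:
        raise ValueError("role mask must be a non-negative integer")
    if mask == 0:
        return ["SECROLE_NONE"], 0
    names, unknown = [], mask
    for name, bit in sorted(roles.items(), key=lambda kv: kv[1]):
        if mask & bit:
            names.append(name)
            unknown &= ~bit  # clear every bit the table accounts for
    return names, unknown


def review_mask(mask, roles=SMARTPHONE_ROLES,
                watch=("SECROLE_MANAGER", "SECROLE_USER_UNAUTH")):
    """List findings for a reviewer. `watch` is a hypothetical reviewer-chosen
    set of roles to call out; it is not defined by the platform."""
    names, unknown = decode_role_mask(mask, roles)
    findings = [f"grants {n}" for n in names if n in watch]
    if unknown:
        findings.append(f"undocumented bits: {unknown}")
    return findings


if __name__ == "__main__":
    # Constructed sample masks, not taken from a real provisioning document.
    for sample in (0, 20, 222, 40):
        print(sample, decode_role_mask(sample), review_mask(sample))
```

Passing POCKET_PC_ROLES as the second argument reports any of the Smartphone-only PPG bits as undocumented for that platform.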

See Also

Security Policies and Roles | Application Trust Levels | Metabase Provisioning | Modifying the Security Policy Provisioning Document

© 2005 Microsoft Corporation. All rights reserved.