Security roles determine access to Windows Mobile-based device resources. The security role is based on the message origin and how the message is signed.
Security roles are also used with certificates to enforce security settings that were configured by using security policies. You can add or update the security roles for a specific certificate by using the Certificate Store Configuration Service Provider.
The following table lists common roles.
| Role | Value | Description |
|---|---|---|
| SECROLE_NONE | 0 | No role assignment. |
| SECROLE_OEM | 2 | Equipment manufacturer role. |
| SECROLE_OPERATOR | 4 | Assigned to OTA messages that are signed by the mobile operator's network PIN (IMSI in GSM; ESN+SPC in CDMA). OTA messages include wireless application protocol (WAP) push messages, Service Loading (SL), and Service Indication (SI) messages. If the operator is not the manager of the phone or device, the settings that the operator is trying to access determine the permissions associated with this role. The mobile operator can determine whether this role and the SECROLE_OPERATOR_TPS role require the same permissions. |
| SECROLE_MANAGER | 8 | Highest level of authority. Assigned to user-authenticated messages by default. Provides permissions to change all of the settings on the device. Operators need to decide what operations will be allowed in this role. |
| | | Assigned to the following types of messages: The permissions associated with this role are determined by the settings that the user requires access to if the user is not the manager of the device. |
| | | PPC: User Authenticated role. This role is obtained through the user interface (UI), remote API (RAPI), perimeter security, WAP user-PIN-signed messages, the root store, and the SPC store. This role is assigned to the following types of messages: The permissions associated with this role are determined by the settings that the user requires access to if he or she is not the manager of the device. |
| | | Assigned to unsigned WAP push messages. This role provides permissions to install a Home/Today screen or ring tones. |
| SECROLE_OPERATOR_TPS | 128 | Trusted Provisioning Server. Assigned to WAP messages that come from a Push Initiator that is authenticated (SECROLE_PPG_AUTH) by a trusted Push Proxy Gateway (SECROLE_TRUSTED_PPG), and where the Uniform Resource Identifier (URI) of the Push Initiator corresponds to the URI of the Trusted Provisioning Server (TPS) on the device. The mobile operator can determine whether this role and the SECROLE_OPERATOR role require the same permissions. |
| SECROLE_KNOWN_PPG | 256 | Known Push Proxy Gateway. Messages assigned this role indicate that the device knows the address of the Push Proxy Gateway. |
| SECROLE_TRUSTED_PPG | 512 | Device Trusted Push Proxy Gateway. Messages assigned this role indicate that the Push Proxy Gateway is known and trusted by the device. Since WAP secure push is not supported, the Push Proxy Gateway is not currently authenticated. The address of the Push Proxy Gateway is compared with the trusted Push Proxy Gateway address stored on the device. |
| SECROLE_PPG_AUTH | 1024 | Push Initiator Authenticated. Messages assigned this role indicate that the Push Initiator is authenticated by the Push Proxy Gateway. This role implies that the device trusts the Push Proxy Gateway (SECROLE_TRUSTED_PPG). |
| SECROLE_PPG_TRUSTED | 2048 | Trusted Push Proxy Gateway. Messages assigned this role indicate that the content sent by the Push Initiator is trusted by the Push Proxy Gateway. This role implies that the device trusts the Push Proxy Gateway (SECROLE_TRUSTED_PPG). |
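The push-message rules in the table (SECROLE_KNOWN_PPG, SECROLE_TRUSTED_PPG, SECROLE_PPG_AUTH, SECROLE_PPG_TRUSTED and SECROLE_OPERATOR_TPS) as a small Python model, added here as an illustration; it is not Windows Mobile code, and the function names and inputs (the known and trusted gateway addresses, the initiator flags, the URIs) are assumptions. The role values are the ones listed above.

```python
from enum import IntFlag


class SecRole(IntFlag):
    """Role bits as listed in the table above."""
    NONE = 0
    OEM = 2
    OPERATOR = 4
    MANAGER = 8
    ENTERPRISE = 32
    OPERATOR_TPS = 128
    KNOWN_PPG = 256
    TRUSTED_PPG = 512
    PPG_AUTH = 1024
    PPG_TRUSTED = 2048


def derive_push_roles(ppg_address, known_ppg_addresses, trusted_ppg_address,
                      initiator_authenticated, initiator_content_trusted,
                      initiator_uri, tps_uri):
    """Role mask for a WAP push message (hypothetical model, not the
    Windows Mobile implementation; inputs are assumed for illustration)."""
    roles = SecRole.NONE
    # The gateway is never authenticated (no WAP secure push): trust is a
    # plain comparison against the trusted PPG address stored on the device.
    if ppg_address == trusted_ppg_address:
        roles |= SecRole.KNOWN_PPG | SecRole.TRUSTED_PPG
    elif ppg_address in known_ppg_addresses:
        roles |= SecRole.KNOWN_PPG
    # PPG_AUTH and PPG_TRUSTED both imply TRUSTED_PPG, so claims relayed by
    # an untrusted gateway are dropped rather than turned into roles.
    if SecRole.TRUSTED_PPG in roles:
        if initiator_authenticated:
            roles |= SecRole.PPG_AUTH
        if initiator_content_trusted:
            roles |= SecRole.PPG_TRUSTED
    # OPERATOR_TPS: authenticated initiator, trusted gateway, and the
    # initiator URI matches the device's Trusted Provisioning Server URI.
    if SecRole.PPG_AUTH in roles and initiator_uri == tps_uri:
        roles |= SecRole.OPERATOR_TPS
    return roles


def decode_roles(mask):
    """Names of the role bits set in mask, lowest value first."""
    return [m.name for m in SecRole if m and m in SecRole(mask)]
```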
Note: The Metabase Configuration Service Provider is set to the Manager role by default. Changing this role could elevate privileges, making the metabase less secure.
Applies to Windows Mobile 5.0 AKU2.0 (build number 14847) and later
The following table shows the additional security roles that apply to AKU2.

| Role | Value | Description |
|---|---|---|
| SECROLE_ENTERPRISE | 32 | Enterprise IT Administrator role. |