How to Remove an Object Association with a Security Scope

  • Article

 

Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 R2 Configuration Manager

Removing a security scope from an object instance is as simple as deleting the Windows Management Instrumentation (WMI) SMS_SecuredCategoryMembership class instance. However, object instances must have at least one security scope associated with them. The last object instance can never be removed. Every object is created with the Default security scope, and if all other security scopes are to be removed from an object instance, the Default should be added to it before removal.

Important

You must have administrative rights to the scope and the object you are removing it from. If you do not have the correct permissions, removing a scope from that object instance will fail. Removing the last scope from an object will be unsuccessful and will fail.

Tip

To remove multiple objects to a scope, use the RemoveMemberships Method in Class SMS_SecuredCategoryMembership.

To remove a security scope from an object

  1. Set up a connection to the SMS Provider.

  2. Determine the object’s key property identifier.

  3. Determine the object type identifier.

  4. Determine the scope identifier.

  5. Find an instance of the SMS_SecuredCategoryMembership WMI class that matches the .

  6. Delete the instance.

Example

The following code example removes a scope identifier from a package:

Sub RemoveObjectScope(connection, scopeId, objectKey, objectTypeId)

    Dim assignment

    ' Find the existing scope assignement that matches our parameters.
    Set assignment = connection.Get("SMS_SecuredCategoryMembership.CategoryID='" & scopeId & "',ObjectKey='" & objectKey & "',ObjectTypeId=" & objectTypeId)

    If (assignment Is Nothing) Then
        Err.Raise 1, "RemoveObjectScope", "Unable to find matching scope, object, and object type."
    Else
        assignment.Delete_
    End If
End Sub

public void RemoveObjectScope(WqlConnectionManager connection, string scopeId, string objectKey, int objectTypeId)
{
    // Find the existing scope assignement that matches our parameters.
     IResultObject assignment = connection.GetInstance("SMS_SecuredCategoryMembership.CategoryID='" + scopeId + "',ObjectKey='" + objectKey + "',ObjectTypeID=" + objectTypeId.ToString());

   // Make sure we found the scope.
    if (assignment == null)
        throw new System.Exception("Unable to find matching scope, object, and object type.");
    else
        assignment.Delete();
}

The example method has the following parameters:

Parameter

Type

Description

connection

  • Managed: WqlConnectionManager

  • VBScript: SWbemServices

A valid connection to the SMS Provider.

scopeId

String

The identifier of the security scope.

objectKey

String

The key property value of the object.

objectTypeId

Integer

The type identifier of the object referenced in the objectKey parameter.

Compiling the Code

The C# example requires:

Namespaces

Microsoft.ConfigurationManagement.ManagementProvider

Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine

Assembly

adminui.wqlqueryengine

microsoft.configurationmanagement.managementprovider

See Also

SMS_SecuredCategoryMembership Server WMI Class
How to Create a New Security Scope
How to Delete a Security Scope
How to Associate an Object with a Security Scope
SMS_SecuredCategory Server WMI Class