Managing Security Using Device Manager 2011

5/4/2012

This section provides information about how Device Manager 2011 uses the Configuration Manager 2007 security model.

Note

If you change user permissions and want the new permissions to be effective immediately, restart the Common Components Service. To restart the service, enter the following Services Snap-in command: net start "EDM Common Components Service". For more information about how to use the Services Snap-in commands, see Start, stop, pause, resume, or restart a service on TechNet. Otherwise the new permissions take effect in 60 minutes.

By default, the only accounts that have permissions to all the objects in the Configuration Manager console are the Configuration Manager installation account that was used to run Configuration Manager setup and the local system administrator account. You must explicitly add other accounts and grant them permissions to the Configuration Manager objects. If the accounts are not already members of the SMS Admins group, you must grant them WMI permissions to run the Configuration Manager console.

Note

If you encounter issues using Configuration Manager security rights, use the local system administrator account that was provided during Configuration Manager installation.

Hardware Inventory

When you enable hardware inventory to use collections and reports, use the standard security rights for inventory as documented in Configuration Manager Help. For more information, see Overview of Configuration Manager Object Security and WMI on TechNet.

Note

Users who create a collection create an instance of a collection object and are automatically assigned Read, Modify, and Delete instance permissions for that collection. These permissions may not match the class rights you have set for Device Manager 2011 collections. To make sure they match, expand Computer Management, click Collections, expand All Windows Embedded Devices, right-click the new collection, click Properties, and then click the Security tab. Update permissions as needed. For more information, see the Security Rights Property Pages in Configuration Manager Help.

Device Configuration

You need specific permissions to use the Configuration Manager console to create configuration items and configuration packages and assign them to collections. The following table shows the permissions that are required to perform a specific task across each security rights class.

| Task | Advertisement | Collection | Device Setting Item | Package | Task Sequence Package |
| --- | --- | --- | --- | --- | --- |
| Create a configuration item | Not applicable | Read | Read, Create, Modify | Create | Not applicable |
| View a configuration item | Not applicable | Read | Read | Create | Not applicable |
| Modify a configuration item properties | Not applicable | Not applicable | Read, Create, Modify, Delete | Not applicable | Not applicable |
| Import a configuration item | Not applicable | Not applicable | Read, Create, Modify | Not applicable | Not applicable |
| Export a configuration item | Not applicable | Not applicable | Read | Not applicable | Not applicable |
| Create a configuration package | Not applicable | Not applicable | Read, Create, Modify | Not applicable | Not applicable |
| Assign a configuration package to a collection | Create, Read | Read, Advertise | Distribute, Read | Read, Create, Modify | Read, Create, Modify |
| Add/Delete/Modify configuration items from a configuration package | Not applicable | Not applicable | Read, Create, Modify, Delete | Not applicable | Not applicable |
| Modify a configuration package properties | Not applicable | Advertise | Read, Create, Delete, Modify | Read, Delete, Modify | Read, Delete, Modify |
| Delete a configuration item | Not applicable | Not applicable | Read, Modify, Delete | Not applicable | Not applicable |
| Delete a configuration package | Read, Modify, Delete | Advertise | Read, Modify, Delete | Read, Modify, Delete | Read, Modify, Delete |
| View a configuration package | Not applicable | Not applicable | Read | Not applicable | Not applicable |
| Duplicate a package | Not applicable | Not applicable | Read, Create, Modify | Not applicable | Not applicable |

Write Filters

You need specific permissions to use the New Advertisement with Write Filter Handling Wizard to create and delete advertisements with write filter support. The following table shows the permissions that are required to perform a specific task across each security rights class.

| Task | Advertisement | Collection | Package | Task Sequence Package |
| --- | --- | --- | --- | --- |
| Create advertisement | Create | Read | Read | Create |
| Delete advertisement | Create | Read | Read | Create |

Device Imaging

You need specific permissions to use the Device Imaging feature and the Device Manager 2011 UI. The following table shows the permissions that are required to perform a specific task across each security rights class.

| Task | OS Install Package | Collection |
| --- | --- | --- |
| View device imaging status summary | Read | Read (to use the Device Manager 2011 UI) |
| View device imaging request status list | Read | Read (to use the Device Manager 2011 UI) |
| Open and modify device imaging request | Read (to use the Device Manager 2011 UI) and Modify | Read, Advertise |
| Run home page summary | Read (to use the Device Manager 2011 UI) and Administer | None |
| Create device imaging request | Read (to use the Device Manager 2011 UI) and Create | Read |
| Delete device imaging request | Read (to use the Device Manager 2011 UI) and Delete | None |
| Suspend, resume, or terminate device imaging request | Read, Modify, and Administer | Read |
| Begin device imaging request | Read (to use the Device Manager 2011 UI), Modify, and Administer | Read |
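
The Device Imaging table can be used as a least-privilege check when reviewing a role: take the union of the rights the role's tasks require, then compare it with what the account actually holds. The following Python code is an added example, not part of the original documentation or of Device Manager 2011. The function names, task keys, role and grants are assumptions constructed for illustration; the constructed role holds the Read, Modify, and Delete collection rights that a collection creator is automatically assigned.

```python
# Rights per task, transcribed from the Device Imaging table on this page.
# "None" is modelled as an empty set. Task keys, role and grants are constructed.
CLASSES = ("OS Install Package", "Collection")
REQUIRED = {
    "view status summary":      ({"Read"}, {"Read"}),
    "view request status list": ({"Read"}, {"Read"}),
    "open and modify request":  ({"Read", "Modify"}, {"Read", "Advertise"}),
    "run home page summary":    ({"Read", "Administer"}, set()),
    "create request":           ({"Read", "Create"}, {"Read"}),
    "delete request":           ({"Read", "Delete"}, set()),
    "suspend/resume/terminate": ({"Read", "Modify", "Administer"}, {"Read"}),
    "begin request":            ({"Read", "Modify", "Administer"}, {"Read"}),
}


def minimum_rights(tasks):
    """Union of the rights the listed tasks need, per security rights class."""
    need = {c: set() for c in CLASSES}
    for task in tasks:
        for cls, rights in zip(CLASSES, REQUIRED[task]):
            need[cls] |= rights
    return need


def review(tasks, granted):
    """Return (missing, excess) rights per class for a role's intended tasks."""
    need = minimum_rights(tasks)
    missing = {c: need[c] - granted.get(c, set()) for c in CLASSES}
    excess = {c: granted.get(c, set()) - need[c] for c in CLASSES}
    return missing, excess


def blocked_tasks(granted):
    """Tasks from the table that the granted rights do not fully cover."""
    return sorted(t for t, req in REQUIRED.items()
                  if any(not r <= granted.get(c, set()) for c, r in zip(CLASSES, req)))


if __name__ == "__main__":
    # Constructed role: an operator who monitors and starts imaging requests and
    # who created the target collection (so holds Read, Modify, Delete on it).
    tasks = ["view status summary", "view request status list", "begin request"]
    granted = {"OS Install Package": {"Read", "Modify"},
               "Collection": {"Read", "Modify", "Delete"}}
    missing, excess = review(tasks, granted)
    print("missing:", missing)  # rights to add before the role can do its tasks
    print("excess:", excess)    # rights to remove under least privilege
    print("blocked:", blocked_tasks(granted))
```
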