Managing Security Using Device Manager 2011
5/4/2012
This section provides information about how Device Manager 2011 uses the Configuration Manager 2007 security model.
Note
If you change user permissions and want the new permissions to be effective immediately, restart the Common Components Service. To restart the service, enter the following Services Snap-in command: net start "EDM Common Components Service". For more information about how to use the Services Snap-in commands, see Start, stop, pause, resume, or restart a service on TechNet. Otherwise, the new permissions take effect in 60 minutes.
By default, the only accounts that have permissions to all the objects in the Configuration Manager console are the Configuration Manager installation account that was used to run Configuration Manager setup and the local system administrator account. You must explicitly add other accounts and grant them permissions to the Configuration Manager objects. If the accounts are not already members of the SMS Admins group, you must grant them WMI permissions to run the Configuration Manager console.
Note
If you encounter issues using Configuration Manager security rights, use the local system administrator account that was provided during Configuration Manager installation.
Hardware Inventory
When you enable hardware inventory to use collections and reports, use the standard security rights for inventory as documented in Configuration Manager Help. For more information, see Overview of Configuration Manager Object Security and WMI on TechNet.
Note
Users who create a collection create an instance of a collection object and are automatically assigned Read, Modify, and Delete instance permissions for that collection. These permissions may not match the class rights you have set for Device Manager 2011 collections. To make sure they match, expand Computer Management, click Collections, expand All Windows Embedded Devices, right-click the new collection, click Properties, and then click the Security tab. Update permissions as needed. For more information, see the Security Rights Property Pages in Configuration Manager Help.
Device Configuration
You need specific permissions to use the Configuration Manager console to create configuration items and configuration packages and assign them to collections. The following table shows the permissions that are required to perform a specific task across each security rights class.
Task | Advertisement | Collection | Device Setting Item | Package | Task Sequence Package |
---|---|---|---|---|---|
Create a configuration item | Not applicable | Read | Read, Create, Modify | Create | Not applicable |
View a configuration item | Not applicable | Read | Read | Create | Not applicable |
Modify a configuration item properties | Not applicable | Not applicable | Read, Create, Modify, Delete | Not applicable | Not applicable |
Import a configuration item | Not applicable | Not applicable | Read, Create, Modify | Not applicable | Not applicable |
Export a configuration item | Not applicable | Not applicable | Read | Not applicable | Not applicable |
Create a configuration package | Not applicable | Not applicable | Read, Create, Modify | Not applicable | Not applicable |
Assign a configuration package to a collection | Create, Read | Read, Advertise | Distribute, Read | Read, Create, Modify | Read, Create, Modify |
Add/Delete/Modify configuration items from a configuration package | Not applicable | Not applicable | Read, Create, Modify, Delete | Not applicable | Not applicable |
Modify a configuration package properties | Not applicable | Advertise | Read, Create, Delete, Modify | Read, Delete, Modify | Read, Delete, Modify |
Delete a configuration item | Not applicable | Not applicable | Read, Modify, Delete | Not applicable | Not applicable |
Delete a configuration package | Read, Modify, Delete | Advertise | Read, Modify, Delete | Read, Modify, Delete | Read, Modify, Delete |
View a configuration package | Not applicable | Not applicable | Read | Not applicable | Not applicable |
Duplicate a package | Not applicable | Not applicable | Read, Create, Modify | Not applicable | Not applicable |
Write Filters
You need specific permissions to use the New Advertisement with Write Filter Handling Wizard to create and delete advertisements with write filter support. The following table shows the permissions that are required to perform a specific task across each security rights class.
Task | Advertisement | Collection | Package | Task Sequence Package |
---|---|---|---|---|
Create advertisement | Create | Read | Read | Create |
Delete advertisement | Create | Read | Read | Create |
Device Imaging
You need specific permissions to use the Device Imaging feature and the Device Manager 2011 UI. The following table shows the permissions that are required to perform a specific task across each security rights class.
Task | OS Install Package | Collection |
---|---|---|
View device imaging status summary | Read | Read (to use the Device Manager 2011 UI) |
View device imaging request status list | Read | Read (to use the Device Manager 2011 UI) |
Open and modify device imaging request | Read (to use the Device Manager 2011 UI) and Modify | Read, Advertise |
Run home page summary | Read (to use the Device Manager 2011 UI) and Administer | None |
Create device imaging request | Read (to use the Device Manager 2011 UI) and Create | Read |
Delete device imaging request | Read (to use the Device Manager 2011 UI) and Delete | None |
Suspend, resume, or terminate device imaging request | Read, Modify, and Administer | Read |
Begin device imaging request | Read (to use the Device Manager 2011 UI), Modify, and Administer | Read |
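The Device Imaging table above can be used as a least-privilege baseline when reviewing an account's class rights. The following Python sketch is an added example, not part of Device Manager 2011 or Configuration Manager: it transcribes the table, computes the minimum rights for a set of tasks, and reports rights that are missing or granted in excess. The function names and the sample grant are constructed for illustration.

```python
CLASSES = ("OS Install Package", "Collection")

# Task -> (OS Install Package rights, Collection rights), transcribed from the
# Device Imaging table. The "to use the Device Manager 2011 UI" qualifier is
# dropped and "None" becomes an empty string.
_TABLE = {
    "View device imaging status summary": ("Read", "Read"),
    "View device imaging request status list": ("Read", "Read"),
    "Open and modify device imaging request": ("Read,Modify", "Read,Advertise"),
    "Run home page summary": ("Read,Administer", ""),
    "Create device imaging request": ("Read,Create", "Read"),
    "Delete device imaging request": ("Read,Delete", ""),
    "Suspend, resume, or terminate device imaging request": ("Read,Modify,Administer", "Read"),
    "Begin device imaging request": ("Read,Modify,Administer", "Read"),
}
REQUIRED = {
    task: {c: set(filter(None, cell.split(","))) for c, cell in zip(CLASSES, cells)}
    for task, cells in _TABLE.items()
}

def minimum_rights(tasks):
    """Union, per class, of the rights the table lists for the given tasks."""
    need = {c: set() for c in CLASSES}
    for task in tasks:
        if task not in REQUIRED:
            raise ValueError(f"task not in the Device Imaging table: {task!r}")
        for c in CLASSES:
            need[c] |= REQUIRED[task][c]
    return need

def audit(tasks, granted):
    """Return (missing, excess) rights per class; classes with no gap are omitted."""
    need = minimum_rights(tasks)
    missing = {c: need[c] - granted.get(c, set()) for c in CLASSES}
    excess = {c: granted.get(c, set()) - need[c] for c in CLASSES}
    return ({c: r for c, r in missing.items() if r},
            {c: r for c, r in excess.items() if r})

if __name__ == "__main__":
    # Constructed sample: a status-only role that was also given Modify and Delete.
    viewer_tasks = ["View device imaging status summary",
                    "View device imaging request status list"]
    granted = {"OS Install Package": {"Read", "Modify", "Delete"},
               "Collection": {"Read"}}
    missing, excess = audit(viewer_tasks, granted)
    print("missing:", missing)
    print("excess: ", excess)
```

The check covers only the two classes in the Device Imaging table; rights an account holds on other classes for other features are outside its scope.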