lovnet

浏览: 6966046 次
性别:
来自: 武汉

最近访客更多访客>>

u012363178

jx_colin

MauerSu

wangyy

博主相关

博客

微博

相册

留言

关于我

文章分类

全部博客 (7414)

社区版块

存档分类

2013-03 ( 20)
2013-02 ( 53)
2013-01 ( 90)
更多存档...

SMS脚本节选五:为SMS对象设置安全权限

脚本 Security Access Microsoft ASP

SMS generally relies on other technologies to enforce security. For example, SMS sets security on file shares and then relies on the operating system to authenticate accounts and allow only correct accounts to access the shares. SMS itself enforces security only when you access an SMS object through the SMS Provider. The SMS Provider enforces SMS object security when you access SMS objects through the SMS Administrator console or through a program that accesses SMS through WMI. The SMS Provider compares the user who is attempting to access the SMS object to the SMS security permissions on that SMS object, to determine whether the user has the right to access or change the object.

You can use SMS scripting to grant permissions on an SMS object to a single user or to user groups within a domain. For example, you can specify that all members of the Domain Users group can edit packages. You can specify that specific users can edit only the packages that they create. You can allow an administrator to manage all collections or just one. For each security object or object type, you can grant a number of different permissions. This granularity gives you great control over who can access SMS object types and who can access specific information in the SMS site database.

The following example demonstrates how to grant read rights and how to modify rights to a user group for all collections at the instance level.

For more information, see the security topics in the <linktext xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5"></linktext>SMS 2003 SDK.

To set security rights for an SMS object

<content xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5"></content>
Connect to an SMS Provider, and get the SWbemServices object.

Retrieve all available collections, and set for Junior Administrators' access rights to read and modify:

SMSJuniorAdmins="DOMAIN\SMS Junior Admins"
Set colCollections = objSWbemServices.ExecQuery("Select * From SMS_Collection")
For Each objCollection In colCollections
    'Ignore this special collection.
    If (objCollection.CollectionID <> "COLLROOT") AND objCollection.OwnedByThisSite Then
       WScript.Echo vblf & objCollection.Name & "  " & objCollection.CollectionID
       AlreadySet = False
       Set colRights = objSWbemServices.ExecQuery("Select * From SMS_UserInstancePermissionNames WHERE ObjectKey=1 AND InstanceKey='" & objCollection.CollectionID & "'")
       For Each objRight in colRights
           WScript.Echo "  " & objRight.Username + "  " & objRight.PermissionName
       If objRight.Username = SMSJuniorAdmins Then AlreadySet=True
       Next
       If Not AlreadySet Then
          Set objNewRight = objSWbemServices.Get("SMS_UserInstancePermissions").SpawnInstance_()
          objNewRight.UserName = SMSJuniorAdmins
          objNewRight.ObjectKey = 1 'collections
          objNewRight.InstanceKey = objCollection.CollectionID
          objNewRight.InstancePermissions = 1+2 'just Read and Modify
          objNewRight.Put_
      WScript.Echo "  The junior administrators now have read and modify access to this collection."       
      End If
    End If
Next

Compiling the Code // 编译代码的注意事项

要求SMS 2003 站点服务器.

Security

Adding the same rights at the class level is easier but increases the security risk because it allows administrators to perform tasks that are not intended for them.

如果本页上的SMS 2003的SDK连接不可用，则前往下面地址进行查阅（在线）：

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/smssdk03/hh/sms/usingsms_secSecurity.asp

分享到：