Now the most complex part of the job!<\/p>\n
Of course, it works as-is, but what if your tool works only on a device that has a client and a user select a non-client one?<\/p>\n
And what if one user is not allowed to modify a parameter your tool has to change?<\/p>\n
It will be frustrating for him to see the option but received an error message as soon as he tries to use it. Especially if you build a complex tool that requires a lot of input that will finally fail at the last step.<\/p>\n
The first case is quite simple to cover. Just add 2 lines to your XML file:<\/p>\n
<MatchPattern>True<\/MatchPattern>\n<MatchValueToTest>##SUB:IsClient##<\/MatchValueToTest><\/pre>\nNow your menu item will only be available if the device selected has his “IsClient” parameter sets to “True”, otherwise it will be greyed out!<\/p>\n
Debug view is of good help to determine which properties you can rely on.<\/p>\n
Attention! You can’t rely on all properties with this method! For example, you can’t rely safely on the “IsActive” or “ClientActiveStatus” properties as they are available only if the device is a client of your SCCM infrastructure. If you set a filter on one of these properties and the user selects a device that is not a client, the SCCM console will simply crash trying to check a value of an inexistent property!<\/p>\n
To handle this, you have to create a new function in your assembly to check the validity of the device instead, Like this one:<\/p>\n
public static bool checkIfIsActive(object sender, ScopeNode scopeNode, ActionDescription action, ResultObjectBase resultObject)\n{\n int isActive = 0;\n try\n {\n isActive = ((IResultObject)resultObject).Properties[\"ClientActiveStatus\"].IntegerValue;\n }\n catch(NullReferenceException)\n {\n return false;\n }\n\n if (isActive == 1)\n {\n return true;\n }else\n {\n return false;\n }\n}<\/pre>\nThen you can use another way to filter by calling your function and grey out your menu if it returns a “false” value. Your XML file will look close to this:<\/p>\n
<ActionDescription Class=\"AssemblyType\" DisplayName=\"show collections\" MnemonicDisplayName=\"show collections\" Description=\"Shows the list of collection IDs this device is member of\">\n <ImagesDescription>\n <ResourceAssembly>\n <Assembly>C:\\Program Files (x86)\\myCompany\\myextension\\MyFirstExtension.dll<\/Assembly>\n <Type>MyFirstExtension.Properties.Resources.resources<\/Type>\n <\/ResourceAssembly>\n <ImageResourceName>collinfo<\/ImageResourceName>\n <\/ImagesDescription>\n <ShowOn>\n <string>ContextMenu<\/string>\n <string>DefaultHomeTab<\/string>\n <\/ShowOn>\n <ActionAssembly>\n <Assembly>C:\\Program Files (x86)\\myCompany\\myextension\\MyFirstExtension.dll<\/Assembly>\n <Type>MyFirstExtension.DeviceTools<\/Type>\n <Method>deviceCollections<\/Method>\n <\/ActionAssembly>\n <ActionStateAssembly><\/strong>\n <Assembly>C:\\Program Files (x86)\\myCompany\\myextension\\MyFirstExtension.dll<\/Assembly><\/strong>\n <Type>MyFirstExtension.DeviceTools<\/Type><\/strong>\n <Method>checkIfIsActive<\/Method>\n <\/strong><\/ActionStateAssembly><\/strong>\n<\/ActionDescription><\/pre>\nNow just imagine that you want to propose this tool to users that are allowed to add to modify boundaries. Sound’s crazy? Yes, I know! But that’s just an example.<\/p>\n
Explanation In the SDK wasn’t so clear to me and gave me headaches for several hours. This is what I finally understood. Don’t hesitate to let me know if I am wrong.<\/p>\n
There are two ways to place access permissions on your tool: ClassPermissions and InstancePermissions.<\/p>\n
Concretely, if you limit access to a “collection tool” for those who have read permission on SMS_Collection using “InstancePermissions”, it will be available to users who got the rights specifically on the currently selected object.<\/p>\n
On the other hand, using “ClassPermissions” will make this tool available if the user has the “generic” Read permission on collections.<\/p>\n
Not clear? Here are some use-cases.<\/p>\n
\n
- Target: a collection.
\nRequired rights: read collection.
\nThere you can rely on “InstancePermissions”. Collections are instances of the securable class SMS_Collection, then you can rely on Instance’s permission.<\/li>\n- Target: a collection.
\nRequired rights: read boundarygroups (why not?) It seems obvious that you can’t<\/strong> rely on “InstancePermissions” because you’re working on a SMS_Collection instance, not on a boundarygroup instance. So you must use “ClassPermissions” instead.<\/li>\n- Target: a workstation.
\nRequired rights: modify workstation settings to change variables values and add devices to a collection.
\nThis is the trickiest one ^^ ! No other choice than using “ClassPermissions” because a workstation is an instance of SMS_R_SYSTEM Class which is not<\/strong> one of the securable class! The required modify permission is placed on the SMS_Collection Class and is named “Modify Resource”<\/li>\n<\/ol>\nHope this will make things clearer to you!<\/p>\n
Sadly, the SDK provides only information about permission bits regarding the SMS_Collection class. Fortunately, all information can be found in the SCCM database with a simple query.<\/p>\n
As I’m a nice guy, you will find just here an XLS sheet with the information extracted from an SCCM 2012 R2 database and the query I ran to get them.<\/p>\n
RCT-right-mgmt<\/a>\u00a0(xlsx)<\/p>\n
It’s time to use all that.<\/p>\n
If you just copy-paste the code sample from the SDK you will face the same issue as I did: it doesn’t work! There is a missing information: InstancePermission and ClassPermissions must be surrounded by a <SecurityConfiguration> tag.<\/p>\n
Here are two samples for use-case 1 and 3:<\/p>\n
Case 1:<\/p>\n
<SecurityConfiguration>\n <InstancePermissions>\n <SecurityFlagsDetailDescription BitName=\"Read\" BitValue=\"1\" DependsOn=\"1\" \/>\n <\/InstancePermissions>\n<\/SecurityConfiguration><\/pre>\nCase 3:<\/p>\n
<SecurityConfiguration>\n <ClassPermissions>\n <ActionSecurityDescription ClassObject=\"SMS_Collection\" RequiredPermissions=\"2\" \/>\n <ActionSecurityDescription ClassObject=\"SMS_Collection\" RequiredPermissions=\"128\" \/>\n <\/ClassPermissions>\n<\/SecurityConfiguration><\/pre>\nOf course, you can mix ClassPermission and InstancePermission in a single SecurityConfiguration section.<\/p>\n","protected":false},"excerpt":{"rendered":"
Security and filtering Now the most complex part of the job! Of course, it works as-is, but what if your tool works only on a device that has a client and a user select a non-client one? And what if one user is not allowed to modify a parameter your tool has to change? It … Continue reading “Part 4 – Security and filtering”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","meta":{"_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":""},"_links":{"self":[{"href":"https:\/\/brunocm.azurewebsites.net\/index.php?rest_route=\/wp\/v2\/pages\/19"}],"collection":[{"href":"https:\/\/brunocm.azurewebsites.net\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/brunocm.azurewebsites.net\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/brunocm.azurewebsites.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/brunocm.azurewebsites.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=19"}],"version-history":[{"count":1,"href":"https:\/\/brunocm.azurewebsites.net\/index.php?rest_route=\/wp\/v2\/pages\/19\/revisions"}],"predecessor-version":[{"id":87,"href":"https:\/\/brunocm.azurewebsites.net\/index.php?rest_route=\/wp\/v2\/pages\/19\/revisions\/87"}],"wp:attachment":[{"href":"https:\/\/brunocm.azurewebsites.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=19"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}