Security Views in Configuration Manager
Updated: October 27, 2014
Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 R2 Configuration Manager
The security views in Configuration Manager contain information about the permissions that are granted to users and user groups to perform operations on secured Configuration Manager object classes and instances, such as collections, applications, deployments, and more.
Security Views
Security views can be used to query for Configuration Manager class or instance permissions for secured objects. In each SQL view, class and instance permission values are listed as a single decimal value in which each security right is represented by one reserved bit. For how to decode these values, see How to Interpret Decimal Permission Values later in this topic. The security views are described in the following table.
Security view | Description |
---|---|
v_SecuredObject | Describes the different types of objects in the Configuration Manager system that can be secured, such as collections, applications, deployments, Wi-Fi and VPN profiles, client settings and many more. The view lists the Configuration Manager objects by object ID and name. The view can be joined to the other security views by using the ObjectTypeID or ObjectTypeName columns. |
v_AllItems | Lists all securable objects in the Configuration Manager site by name. It is unlikely that this view will be joined to other views. |
V_CategoryPermissions | Lists, for each object type, the permissions for each Configuration Manager collection. The view can be joined to the other security views by using the AdminID column. |
Configuration Manager Secured Objects
Class and instance permissions can be set on more than 20 secured objects in Configuration Manager. These Configuration Manager secured objects and their associated object keys are listed in the following table.
Object key | Object Name |
---|---|
1 | Collection |
2 | Package |
4 | Status message |
6 | Site |
7 | Query |
9 | Software metering rule |
11 | Configuration items |
14 | OS install package |
15 | Deployment template |
16 | Deployment |
17 | Computer association |
18 | OS image |
19 | Boot image package |
20 | Task sequence package |
21 | Device setting package |
22 | Device setting item |
23 | Driver package |
24 | Deployment package |
25 | Device driver |
26 | Asset intelligence software list |
27 | Security roles |
28 | Site administrator settings |
29 | Categories |
30 | Alerts |
31 | Applications |
32 | Global conditions |
33 | User device affinity |
34 | Authorization settings |
36 | Device enrollment |
37 | Software updates |
38 | Client settings |
40 | Migration site mapping |
41 | Migration jobs |
42 | Distribution points |
43 | Distribution point groups |
44 | Inventory reporting |
45 | Boundaries |
46 | Boundary groups |
47 | Endpoint Protection |
48 | Configuration policies |
49 | Windows Firewall settings |
50 | Microsoft Intune subscription |
52 | User state management |
53 | Windows Firewall policies |
54 | Windows Azure subscription |
55 | Settings for Windows RT side loading keys |
56 | Wi-Fi profiles |
57 | VPN profiles |
58 | Client authentication certificate settings |
59 | Remote connection profiles |
60 | Trusted root certificate settings |
200 | Configuration data assignments |
201 | Deployments |
202 | Client settings |
203 | Virtual environments |
How to Interpret Decimal Permission Values
The security views contain decimal values that equate to specific class or instance permissions. Each individual permission uses one of 28 bits. The following table lists each of these permissions, the bit that is used, and the decimal value of that bit.
Permission name | Bit value | Bit position | Decimal value |
---|---|---|---|
Read | 1 | 1 | 1 |
Modify | 10 | 2 | 2 |
Delete | 100 | 3 | 4 |
Distribute | 1000 | 4 | 8 |
Create Child | 10000 | 5 | 16 |
Use remote tools | 100000 | 6 | 32 |
Advertise | 1000000 | 7 | 64 |
Modify resource | 10000000 | 8 | 128 |
Administer | 100000000 | 9 | 256 |
Delete resource | 1000000000 | 10 | 512 |
Create | 10000000000 | 11 | 1024 |
View collected files | 100000000000 | 12 | 2048 |
Read resource | 1000000000000 | 13 | 4096 |
Delegate | 10000000000000 | 14 | 8192 |
Meter | 100000000000000 | 15 | 16384 |
Manage SQL commands | 1000000000000000 | 16 | 32768 |
Manage status filters | 10000000000000000 | 17 | 65536 |
Manage folders | 100000000000000000 | 18 | 131072 |
Network access | 1000000000000000000 | 19 | 262144 |
Import computer entry | 10000000000000000000 | 20 | 524288 |
Create task sequence media | 100000000000000000000 | 21 | 1048576 |
Modify collection setting | 1000000000000000000000 | 22 | 2097152 |
Manage OSD and ISV Proxy Certificates | 10000000000000000000000 | 23 | 4194304 |
Recover user state | 100000000000000000000000 | 24 | 8388608 |
Manage management controllers | 1000000000000000000000000 | 25 | 16777216 |
View management controllers | 10000000000000000000000000 | 26 | 33554432 |
Manage Asset Intelligence | 100000000000000000000000000 | 27 | 67108864 |
View Asset Intelligence | 1000000000000000000000000000 | 28 | 134217728 |
To interpret a permission value, you can convert the decimal value to binary and use the preceding table to get the specific permissions. To help understand this process, see the following examples.
Decimal Conversion Example 1
In the v_SecuredObject view, the SMS_Site secured object has a value of 638983 in the AvailableInstancePermissions column. To find out what this means, first convert the decimal number to binary. This equates to 10011100000000000111, in which the 1st, 2nd, 3rd, 15th, 16th, 17th, and 20th bits are used. Use the bit values from the preceding table to calculate the values in the following table. When the decimal values are added, they will total the initial 638983 value.
Permission Name | Binary Position | Decimal Value |
---|---|---|
Read | 1 | 1 |
Modify | 2 | 2 |
Delete | 3 | 4 |
Meter | 15 | 16384 |
Manage SQL commands | 16 | 32768 |
Manage status filters | 17 | 65536 |
Import computer entry | 20 | 524288 |
Decimal Conversion Example 2
In the v_SecuredObject view, the SMS_Collection secured object has a value of 52435687 in the AvailableInstancePermissions column. This decimal number results in 11001000000001101011100111 when converted to binary. This is interpreted as shown in the following table.
Permission Name | Binary Position | Decimal value |
---|---|---|
Read | 1 | 1 |
Modify | 2 | 2 |
Delete | 3 | 4 |
Use remote tools | 6 | 32 |
Advertise | 7 | 64 |
Modify resource | 8 | 128 |
Delete resource | 10 | 512 |
View collected files | 12 | 2048 |
Read resource | 13 | 4096 |
Modify collection setting | 22 | 2097152 |
Manage management controllers | 25 | 16777216 |
View management controllers | 26 | 33554432 |
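The conversion described above, as an added example that is not part of the original documentation: a Python decoder built from the permission table on this page and run against the two values quoted in the conversion examples. The function names (`decode`, `encode`, `unknown_bits`) are illustrative choices, not Configuration Manager APIs.

```python
# Added example: decode Configuration Manager permission bitmasks.
# Names and bit order come from the permission table on this page;
# list index 0 corresponds to bit position 1 (decimal value 1).
PERMISSIONS = [
    "Read", "Modify", "Delete", "Distribute", "Create Child",
    "Use remote tools", "Advertise", "Modify resource", "Administer",
    "Delete resource", "Create", "View collected files", "Read resource",
    "Delegate", "Meter", "Manage SQL commands", "Manage status filters",
    "Manage folders", "Network access", "Import computer entry",
    "Create task sequence media", "Modify collection setting",
    "Manage OSD and ISV Proxy Certificates", "Recover user state",
    "Manage management controllers", "View management controllers",
    "Manage Asset Intelligence", "View Asset Intelligence",
]
KNOWN_MASK = (1 << len(PERMISSIONS)) - 1  # the 28 documented bits


def decode(value):
    """Return [(name, bit_position, decimal_value)] for every set bit."""
    if value < 0:
        raise ValueError("permission value must be non-negative")
    rows = []
    for index, name in enumerate(PERMISSIONS):
        bit = 1 << index
        if value & bit:
            rows.append((name, index + 1, bit))
    return rows


def unknown_bits(value):
    """Bits set outside the 28 documented positions (0 if none)."""
    return value & ~KNOWN_MASK


def encode(names):
    """Inverse of decode: combine permission names into a decimal value."""
    value = 0
    for name in names:
        value |= 1 << PERMISSIONS.index(name)  # ValueError on unknown name
    return value


if __name__ == "__main__":
    # Values quoted in the two conversion examples on this page.
    for label, value in (("SMS_Site", 638983), ("SMS_Collection", 52435687)):
        print(f"{label}: {value} = {value:b}")
        for name, position, decimal in decode(value):
            print(f"  bit {position:>2}  {decimal:>9}  {name}")
```

A non-zero result from `unknown_bits` means the value carries a bit that the table on this page does not describe, so the decoded list is incomplete for that row.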
Role Based Administration Views
The following table describes the role based administration views in the Configuration Manager database.
Role based administration view | Description |
---|---|
v_Roles | Lists all available security roles at the Configuration Manager site. Includes information about whether the role is built-in, who created the role, the role name and description, and more. It is unlikely that this view will be joined to other views. |
v_Admins | Returns all administrative users (that is, those who appear in the Administrative Users node under Security in the Administration workspace). This view can be joined to other views by using the AdminID column. |
v_SecuredObjectTypes | Lists the various Configuration Manager objects that can be secured by role based administration. It is unlikely that this view will be joined to other views. |
v_SecuredScopePermissions | Lists each user of the Configuration Manager site and the security roles they are associated with. This view can be joined to other views by using the AdminID column. |