Security Roles
4/8/2010
Security roles determine access to Windows Mobile device resources. The security role is based on the message origin and how the message is signed.
Security roles are also used with certificates to enforce security settings that were configured by using security policies.
The following table lists common roles.
| Role | Decimal value | Description |
|---|---|---|
| SECROLE_NONE | 0 | No role assignment. |
| SECROLE_OPERATOR | 4 | Mobile Operator role. Assigned to OTA Wireless Application Protocol (WAP) Client Provisioning messages that are signed by the mobile operator's network PIN (IMSI in GSM; ESN+SPC in CDMA). If the operator is not the manager of the phone or device, the settings that the operator is trying to access determine the permissions associated with this role. The mobile operator can determine whether this role and the SECROLE_OPERATOR_TPS role require the same permissions. |
| SECROLE_MANAGER | 8 | Manager role. Highest level of authority. Assigned to user-authenticated messages by default. Provides permissions to change all of the settings on the device. Operators need to decide what operations will be allowed in this role. |
| SECROLE_USER_AUTH | 16 | Windows Mobile Professional and Windows Mobile Classic: User Authenticated role. This role is obtained through the user interface (UI), remote API (RAPI), perimeter security, WAP user-PIN-signed messages, the root store, and the SPC store. This role is assigned to the following types of messages: The permissions associated with this role are determined by the settings that the user requires access to if the user is not the manager of the device. |
| SECROLE_ENTERPRISE | 32 | Enterprise IT Administrator role. The Enterprise role allows IT administrators to manage specific device settings, such as wiping a device, setting password requirements, and managing certificates. Example of use: using this role with the Message Authentication Retry Number policy allows the Enterprise IT Professional to change the policy setting. |
| SECROLE_USER_UNAUTH | 64 | User Unauthenticated role. Assigned to unsigned WAP push messages. This role provides permissions to install a Home screen or ring tones. |
| SECROLE_OPERATOR_TPS | 128 | Trusted Provisioning Server. Assigned to WAP messages that come from a Push Initiator that is authenticated (SECROLE_PPG_AUTH) by a trusted Push Proxy Gateway (SECROLE_TRUSTED_PPG), and where the Uniform Resource Identifier (URI) of the Push Initiator corresponds to the URI of the Trusted Provisioning Server (TPS) on the device. The mobile operator can determine whether this role and the SECROLE_OPERATOR role require the same permissions. |
| SECROLE_KNOWN_PPG | 256 | Known Push Proxy Gateway. Messages assigned this role indicate that the device knows the address of the Push Proxy Gateway. |
| SECROLE_TRUSTED_PPG | 512 | Device Trusted Push Proxy Gateway. Messages assigned this role indicate that the Push Proxy Gateway is known and trusted by the device. Since WAP secure push is not supported, the Push Proxy Gateway is not currently authenticated. The address of the Push Proxy Gateway is compared with the trusted Push Proxy Gateway address stored on the device. |
| SECROLE_PPG_AUTH | 1024 | Push Initiator Authenticated. Messages assigned this role indicate that the Push Initiator is authenticated by the Push Proxy Gateway. This role implies that the device trusts the Push Proxy Gateway (SECROLE_TRUSTED_PPG). This role depends on the presence and value of the "Push-Flag" header of the WAP push message. SECROLE_PPG_AUTH is assigned to the message when "Push-Flag: 1" is in the header. When "Push-Flag: 3" is in the header, both SECROLE_PPG_AUTH and SECROLE_PPG_TRUSTED are assigned to the message. |
| SECROLE_PPG_TRUSTED | 2048 | Trusted Push Proxy Gateway. Messages assigned this role indicate that the content sent by the Push Initiator is trusted by the Push Proxy Gateway. This role implies that the device trusts the Push Proxy Gateway (SECROLE_TRUSTED_PPG). This role depends on the presence and value of the "Push-Flag" header of the WAP push message. SECROLE_PPG_TRUSTED is assigned to the message when "Push-Flag: 2" is in the header. When "Push-Flag: 3" is in the header, both SECROLE_PPG_AUTH and SECROLE_PPG_TRUSTED are assigned to the message. |
| SECROLE_ANY_PUSH_SOURCE | 4096 | Push Router. Messages received by the push router will be assigned this role. |
Note
The Metabase Configuration Service Provider is set to the Manager role by default. Changing this role could elevate privileges, making the metabase less secure.
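The following Python is an added example, not Microsoft's code, showing how the push-related roles in the table combine into a role mask for an unsigned WAP push message and how a mask is decoded back into SECROLE_* names. It takes the table's statement that SECROLE_PPG_AUTH and SECROLE_PPG_TRUSTED imply SECROLE_TRUSTED_PPG to mean the "Push-Flag" header is honored only when the message came through the device's trusted Push Proxy Gateway; the PushMessage and DeviceConfig fields and all addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Role values are the decimal values from the table above (push-related subset).
SECROLE = {
    "SECROLE_USER_UNAUTH": 64, "SECROLE_OPERATOR_TPS": 128,
    "SECROLE_KNOWN_PPG": 256, "SECROLE_TRUSTED_PPG": 512,
    "SECROLE_PPG_AUTH": 1024, "SECROLE_PPG_TRUSTED": 2048,
    "SECROLE_ANY_PUSH_SOURCE": 4096,
}
# "Push-Flag" header value -> roles granted, per the table (1, 2, or 3).
PUSH_FLAG_ROLES = {1: 1024, 2: 2048, 3: 1024 | 2048}

@dataclass
class PushMessage:            # constructed model of an unsigned WAP push message
    ppg_address: str          # address of the Push Proxy Gateway that forwarded it
    push_flag: Optional[int]  # "Push-Flag" header value, None if the header is absent
    initiator_uri: str        # URI of the Push Initiator

@dataclass
class DeviceConfig:           # constructed model of the device's push settings
    known_ppgs: frozenset     # PPG addresses the device knows
    trusted_ppg: str          # trusted PPG address stored on the device
    tps_uri: str              # URI of the Trusted Provisioning Server (TPS)

def assign_roles(msg: PushMessage, dev: DeviceConfig) -> int:
    """Return the role mask an unsigned push message receives under the table's rules."""
    # Every message via the push router gets ANY_PUSH_SOURCE; unsigned push gets USER_UNAUTH.
    mask = SECROLE["SECROLE_ANY_PUSH_SOURCE"] | SECROLE["SECROLE_USER_UNAUTH"]
    if msg.ppg_address in dev.known_ppgs:
        mask |= SECROLE["SECROLE_KNOWN_PPG"]
    if msg.ppg_address != dev.trusted_ppg:
        return mask  # not the trusted PPG: a Push-Flag claim grants nothing
    mask |= SECROLE["SECROLE_TRUSTED_PPG"]
    mask |= PUSH_FLAG_ROLES.get(msg.push_flag, 0)  # absent or unknown flag grants nothing
    # OPERATOR_TPS needs PPG_AUTH from the trusted PPG plus a URI match with the TPS.
    if mask & SECROLE["SECROLE_PPG_AUTH"] and msg.initiator_uri == dev.tps_uri:
        mask |= SECROLE["SECROLE_OPERATOR_TPS"]
    return mask

def role_names(mask: int) -> list:
    """Decode a role mask into the SECROLE_* names it contains."""
    return [name for name, value in SECROLE.items() if mask & value]

if __name__ == "__main__":
    dev = DeviceConfig(frozenset({"ppg.example.net"}), "ppg.example.net", "http://tps.example.net/prov")
    untrusted = PushMessage("ppg.other.example", 3, "http://tps.example.net/prov")
    print(role_names(assign_roles(untrusted, dev)))  # no PPG_* roles despite "Push-Flag: 3"
```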
See Also
Concepts
Windows Mobile Device Security Model