General - Security settings
The architecture of SCCM Manager provides various ways to control access to its services and to various SCCM objects.
Control Panel
A user group permission can be defined in each function group and subordinate plug-in. This results in only those areas being displayed in the SCCM Manager for which the respective user group has authorization. These security settings only become active once the Enable Security option has been activated.
Multiple groups can be specified, separated by |. Example: Domain\Group1|Domain\Group2|Domain\Group3
In addition, the wildcard character * can be used to achieve dynamic group authorization. Example: Domain\Prefix-*-Postfix
Note that some plugins can be integrated multiple times with different configurations, allowing for particularly granular permission control.
Computer Scoping
Group-based computer filtering can be enabled in the web.config configuration file of the web service. The configuration parameter for this is ComputerFilterEnabled. The group permissions are set in the UserPermissions.xml configuration file.
Client authentication
This functionality is required if communication to clients is to take place across domains or if the server is not entered as the local administrator on the clients to be managed. One user with administrator privileges can be specified per domain. For more information, see Configuration / Web Service / Credentials.
SOAP-Header Security
So that only certain applications can interact with the SCCM Web Service, it is possible to switch on SOAP header security. This results in access only being possible with a specific SOAP header. This header can be generated with the enclosed class library SCCMWebService.Token.dll. It is also necessary to adapt the configuration file Token.xml. For more information, seesee API / Web Service API.