

Determining the Security Policies and Roles on a Device

4/8/2010

Before you change security policies, you need to determine what the current policies are on the device. To do this:

  1. Query the current security policies on the device by using the SecurityPolicy Configuration Service Provider.
  2. Use the query response to determine the actual policies and roles. The value that is returned for each policy is a decimal representation of all of the roles that can access the policy.

The following sections show an example of XML code that uses the SecurityPolicy Configuration Service Provider to query a device, an example of the return values that may be received, and an example of how to interpret the values returned to determine the current roles for each policy.

For information about the provisioning file syntax for different OMA Client Provisioning versions, see OMA Client Provisioning Files.

Querying the Security Policies

The following code example shows how to query the security policy on a device.

Note

This example is for OMA Client Provisioning. For an example of XML for OMA DM, see Querying a Security Policy Example for OMA DM.

<wap-provisioningdoc>
 <characteristic type="SecurityPolicy">
   <!--AutoRun Policy:-->  <parm-query name="2"/>
   <!--Perimeter Security:-->  <parm-query name="10"/>
   <!--RAPI:-->  <parm-query name="4097"/>
   <!--Unsigned CABs:-->  <parm-query name="4101"/>
   <!--Unsigned APPs:-->  <parm-query name="4102"/>
   <!--Unsigned Themes:-->  <parm-query name="4103"/>
   <!--TPS:-->  <parm-query name="4104"/>
   <!--Message Authentication:-->  <parm-query name="4105"/>
   <!--Service Loading:-->  <parm-query name="4108"/>
   <!--Service Indication:-->  <parm-query name="4109"/>
   <!--Unauthenticated Messages:-->  <parm-query name="4110"/>
   <!--OTA Provisioning:-->  <parm-query name="4111"/>
   <!--WSP Push:-->  <parm-query name="4113"/>
   <!--Grant Manager:-->  <parm-query name="4119"/>
   <!--Grant User Authenticated:-->  <parm-query name="4120"/>
   <!--DRM Support:-->  <parm-query name="4129"/>
 </characteristic>
</wap-provisioningdoc>

Query Response

The following example shows the response to the query. This example is for OMA Client Provisioning.

<wap-provisioningdoc>
 <characteristic type="SecurityPolicy">
   <!--AutoRun Policy:-->  <noparm name="2"/>
   <!--RAPI:-->  <parm name="4097" value="2"/>
   <!--Unsigned CABs:-->  <parm name="4101" value="16"/>
   <!--Unsigned APPs:-->  <parm name="4102" value="1"/>
   <!--Unsigned Themes:-->  <parm name="4103" value="64"/>
   <!--TPS:-->  <parm name="4104" value="1"/>
   <!--Message Authentication:-->  <parm name="4105" value="3"/>
   <!--Service Loading:-->  <parm name="4108" value="2048"/>
   <!--Service Indication:-->  <parm name="4109" value="3072"/>
   <!--Unauthenticated Messages:-->  <parm name="4110" value="64"/>
   <!--OTA Provisioning:-->  <parm name="4111" value="3732"/>
   <!--WSP Push:-->  <parm name="4113" value="1"/>
   <!--Grant Manager:-->  <parm name="4119" value="16"/>
   <!--Grant User Authenticated:-->  <parm name="4120" value="16"/>
   <!--DRM Support:-->  <parm name="4129" value="140"/>
 </characteristic>
</wap-provisioningdoc>

Determining the current policies and roles on a device

To understand the results of this response, you must look at the values returned in relation to the policy IDs as shown in Security Policies and Security Policy Settings.

For example, the response has the following values:

   <!--OTA Provisioning:-->  <parm name="4111" value="3732"/>

In this example:

  • The parm name refers to the security policy setting as described in Security Policies. In this example, 4111 refers to OTA management.
  • The returned parm value for this setting is 3732. This value is the sum of all the decimal values for the Security Roles that are enabled for the policy (in this case, for OTA management). The decimal values of the Security Roles are described in Security Roles.

The following table shows the default roles for OTA management as described in Security Policy Settings, and their associated values as described in Security Roles.

Role                    Decimal value
SECROLE_OPERATOR_TPS    128
SECROLE_PPG_TRUSTED     2048
SECROLE_PPG_AUTH        1024
SECROLE_TRUSTED_PPG     512
SECROLE_USER_AUTH       16
SECROLE_MANAGER         8
SECROLE_OPERATOR        4

The following list shows how you would use these values to determine the actual policies and roles on the device:

  1. Add these decimal values together. In this example, it results in a value of 3728 (128 + 2048 + 1024 + 512 + 16 + 4 = 3728).

    Note

    OEMs may change the values from the default settings.

  2. Subtract this number (3728) from the value that was returned (3732). This leaves a decimal value of 4 (3732 - 3728 = 4).
    Look at the decimal values in Security Roles. The SECROLE_OPERATOR setting has a decimal value of 4. Therefore, the SECROLE_OPERATOR role is also valid on this device.
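
Because each role value is a distinct power of two, the returned sum can also be decoded by testing each bit, which avoids manual addition and subtraction. The following Python sketch is an added example, not part of the original documentation: it parses an excerpt of the query response above and splits each value into roles. The function names are hypothetical, and the role map contains only the values listed in the table on this page, so any other bit is reported as an unnamed number.

```python
import xml.etree.ElementTree as ET

# Role values copied from the table on this page; other roles are not listed here.
ROLES = {
    2048: "SECROLE_PPG_TRUSTED",
    1024: "SECROLE_PPG_AUTH",
    512: "SECROLE_TRUSTED_PPG",
    128: "SECROLE_OPERATOR_TPS",
    16: "SECROLE_USER_AUTH",
    8: "SECROLE_MANAGER",
    4: "SECROLE_OPERATOR",
}

# Excerpt of the query response shown on this page (comments omitted).
RESPONSE = """<wap-provisioningdoc>
 <characteristic type="SecurityPolicy">
   <noparm name="2"/>
   <parm name="4109" value="3072"/>
   <parm name="4110" value="64"/>
   <parm name="4111" value="3732"/>
 </characteristic>
</wap-provisioningdoc>"""


def decode_roles(value):
    """Split a role sum into (named roles, bits with no name in ROLES)."""
    named, unknown = [], []
    bit = 1
    while bit <= value:
        if value & bit:  # this power of two is part of the sum
            (named if bit in ROLES else unknown).append(ROLES.get(bit, bit))
        bit <<= 1
    return named, unknown


def parse_response(xml_text):
    """Map policy ID -> decoded roles; None when the device returned <noparm>."""
    root = ET.fromstring(xml_text)
    result = {}
    for char in root.iter("characteristic"):
        if char.get("type") != "SecurityPolicy":
            continue
        for node in char:
            if node.tag == "noparm":  # policy has no value on the device
                result[int(node.get("name"))] = None
            elif node.tag == "parm":
                result[int(node.get("name"))] = decode_roles(int(node.get("value")))
    return result
```

Calling `parse_response(RESPONSE)[4111]` returns the role names whose bits are set in 3732; a non-empty second list means the value contains a role that is not in the table and must be looked up in Security Roles.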

See Also

Reference

SecurityPolicy Configuration Service Provider

Concepts

Provisioning Security Settings

Other Resources

Security Policy Settings
Perimeter Security