
Security Roles

4/8/2010

Security roles determine access to Windows Mobile device resources. The security role is based on the message origin and how the message is signed.

Security roles are also used with certificates to enforce security settings that were configured by using security policies.

The following table lists common roles. Each entry gives the role name with its decimal value, followed by a description.

SECROLE_NONE (0)

No role assignment.

SECROLE_OPERATOR (4)

Mobile Operator role.

Assigned to OTA wireless application protocol (WAP) Client Provisioning messages that are signed by the mobile operator's network PIN (IMSI in GSM; ESN+SPC in CDMA).

If the operator is not the manager of the phone or device, the settings that the operator is trying to access determine the permissions associated with this role.

The mobile operator can determine whether this role and the SECROLE_OPERATOR_TPS role require the same permissions.

SECROLE_MANAGER (8)

Manager role.

Highest level of authority.

Assigned to user-authenticated messages by default.

Provides permissions to change all of the settings on the device.

Operators need to decide what operations will be allowed in this role.

SECROLE_USER_AUTH (16)

Windows Mobile Professional and Windows Mobile Classic: User Authenticated role.

This role is obtained through the user interface (UI), remote API (RAPI), perimeter security, WAP user-PIN-signed messages, the root store, and the SPC store. This role is assigned to the following types of messages:

  • User PIN-signed WAP push messages.
  • Messages received through the Remote API (RAPI) by default.

If the user is not the manager of the device, the settings that the user is trying to access determine the permissions associated with this role.

SECROLE_ENTERPRISE (32)

Enterprise IT Administrator role.

The Enterprise role allows IT administrators to manage specific device settings, such as wiping a device, setting password requirements, and managing certificates.

Example of use: Using this role with the Message Authentication Retry Number policy allows the Enterprise IT Professional to change the policy setting.

SECROLE_USER_UNAUTH (64)

User Unauthenticated Role.

Assigned to unsigned WAP push messages. This role provides permissions to install a Home screen or ring tones.

SECROLE_OPERATOR_TPS (128)

Trusted Provisioning Server.

Assigned to WAP messages that come from a Push Initiator that is authenticated (SECROLE_PPG_AUTH) by a trusted Push Proxy Gateway (SECROLE_TRUSTED_PPG), and where the Uniform Resource Identifier (URI) of the Push Initiator corresponds to the URI of the Trusted Provisioning Server (TPS) on the device.

The mobile operator can determine whether this role and the SECROLE_OPERATOR role require the same permissions.

SECROLE_KNOWN_PPG (256)

Known Push Proxy Gateway.

Messages assigned this role indicate that the device knows the address of the Push Proxy Gateway.

SECROLE_TRUSTED_PPG (512)

Device Trusted Push Proxy Gateway.

Messages assigned this role indicate that the Push Proxy Gateway is known and trusted by the device.

Since WAP secure push is not supported, the Push Proxy Gateway is not currently authenticated. The address of the Push Proxy Gateway is compared with the trusted Push Proxy Gateway address stored on the device. Because only this unauthenticated address is compared, the role records an address match, not a cryptographic proof of where the message came from.

SECROLE_PPG_AUTH (1024)

Push Initiator Authenticated.

Messages assigned this role indicate that the Push Initiator is authenticated by the Push Proxy Gateway. This role implies that the device trusts the Push Proxy Gateway (SECROLE_TRUSTED_PPG).

This role depends on the presence and value of the "Push-Flag" header of the WAP push message. SECROLE_PPG_AUTH is assigned to the message when "Push-Flag: 1" is in the header. When "Push-Flag: 3" is in the header, both SECROLE_PPG_AUTH and SECROLE_PPG_TRUSTED are assigned to the message.

SECROLE_PPG_TRUSTED (2048)

Trusted Push Proxy Gateway.

Messages assigned this role indicate that the content sent by the Push Initiator is trusted by the Push Proxy Gateway. This role implies that the device trusts the Push Proxy Gateway (SECROLE_TRUSTED_PPG).

This role depends on the presence and value of the "Push-Flag" header of the WAP push message. SECROLE_PPG_TRUSTED is assigned to the message when "Push-Flag: 2" is in the header. When "Push-Flag: 3" is in the header, both SECROLE_PPG_AUTH and SECROLE_PPG_TRUSTED are assigned to the message.

SECROLE_ANY_PUSH_SOURCE (4096)

Push Router.

All messages received by the push router are assigned this role, whatever their origin or signature.

Note

The Metabase Configuration Service Provider is set to the Manager role by default. Assigning a less trusted role to it (for example, one that unsigned or unauthenticated messages receive) would let those messages modify the metabase, elevating their privileges and making the metabase less secure.
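The role values above are powers of two and a single message can carry several of them at once (a "Push-Flag: 3" message receives both SECROLE_PPG_AUTH and SECROLE_PPG_TRUSTED), so a per-message role set is naturally a bit mask. The following is an added example, not code from the Windows Mobile documentation or from Microsoft, that builds that mask for an incoming WAP push message from the rules the table gives (push-router receipt, known and trusted PPG address, Push-Flag value, unsigned versus user-PIN or operator-PIN signed) and then checks it against a policy mask such as the one the metabase note describes. Two points are assumptions rather than statements on the page and are marked as such in the code: that the Push-Flag roles are granted only when the PPG address is already trusted (the page says those roles imply SECROLE_TRUSTED_PPG), and that a policy permits a message when the two masks share any bit. The gateway addresses and message headers are constructed for the example.

```python
"""Role-mask assignment for a WAP push message, built from the Windows Mobile
role table. Added illustration; not the platform's own code."""

from typing import Dict, Iterable, List

# Decimal values exactly as listed in the role table.
SECROLE_NONE = 0
SECROLE_OPERATOR = 4
SECROLE_MANAGER = 8
SECROLE_USER_AUTH = 16
SECROLE_ENTERPRISE = 32
SECROLE_USER_UNAUTH = 64
SECROLE_OPERATOR_TPS = 128
SECROLE_KNOWN_PPG = 256
SECROLE_TRUSTED_PPG = 512
SECROLE_PPG_AUTH = 1024
SECROLE_PPG_TRUSTED = 2048
SECROLE_ANY_PUSH_SOURCE = 4096

_ROLE_NAMES = {
    SECROLE_OPERATOR: "SECROLE_OPERATOR",
    SECROLE_MANAGER: "SECROLE_MANAGER",
    SECROLE_USER_AUTH: "SECROLE_USER_AUTH",
    SECROLE_ENTERPRISE: "SECROLE_ENTERPRISE",
    SECROLE_USER_UNAUTH: "SECROLE_USER_UNAUTH",
    SECROLE_OPERATOR_TPS: "SECROLE_OPERATOR_TPS",
    SECROLE_KNOWN_PPG: "SECROLE_KNOWN_PPG",
    SECROLE_TRUSTED_PPG: "SECROLE_TRUSTED_PPG",
    SECROLE_PPG_AUTH: "SECROLE_PPG_AUTH",
    SECROLE_PPG_TRUSTED: "SECROLE_PPG_TRUSTED",
    SECROLE_ANY_PUSH_SOURCE: "SECROLE_ANY_PUSH_SOURCE",
}


def assign_push_roles(headers: Dict[str, str], ppg_address: str,
                      known_ppgs: Iterable[str], trusted_ppgs: Iterable[str],
                      signature: str = "none") -> int:
    """Return the role mask for one WAP push message.

    signature is "none" (unsigned), "user_pin" or "operator_pin". The PPG is
    identified only by ppg_address, compared as a string: the page states the
    PPG itself is not authenticated, so any sender presenting a trusted
    address receives the trusted-PPG roles.
    """
    roles = SECROLE_ANY_PUSH_SOURCE            # every message via the push router
    if ppg_address in set(known_ppgs):
        roles |= SECROLE_KNOWN_PPG
    if ppg_address in set(trusted_ppgs):
        roles |= SECROLE_TRUSTED_PPG
        # Assumption: the Push-Flag roles are only granted once the device
        # trusts the PPG, because the table says they imply that trust.
        flag = headers.get("Push-Flag", "").strip()
        if flag in ("1", "3"):
            roles |= SECROLE_PPG_AUTH
        if flag in ("2", "3"):
            roles |= SECROLE_PPG_TRUSTED
    if signature == "user_pin":
        roles |= SECROLE_USER_AUTH              # user-PIN-signed WAP push
    elif signature == "operator_pin":
        roles |= SECROLE_OPERATOR               # operator network-PIN-signed
    else:
        roles |= SECROLE_USER_UNAUTH            # unsigned WAP push
    return roles


def role_names(mask: int) -> List[str]:
    """Human-readable list of the roles set in a mask, in ascending value."""
    return [name for value, name in sorted(_ROLE_NAMES.items()) if mask & value]


def role_permitted(message_roles: int, policy_roles: int) -> bool:
    """Assumed policy semantics: the message may perform the action when it
    holds at least one role in the policy's role mask (bitwise AND)."""
    return (message_roles & policy_roles) != 0


if __name__ == "__main__":
    trusted = {"ppg.operator.example"}        # constructed trusted PPG address
    # Constructed sample: unsigned OTA provisioning push carrying Push-Flag: 3.
    headers = {"Content-Type": "text/vnd.wap.connectivity-xml", "Push-Flag": "3"}
    from_trusted = assign_push_roles(headers, "ppg.operator.example", trusted, trusted)
    from_unknown = assign_push_roles(headers, "203.0.113.7", trusted, trusted)
    print("trusted PPG :", role_names(from_trusted))
    print("unknown PPG :", role_names(from_unknown))
    # Metabase-style policy: Manager only versus a mask that also admits
    # unsigned push. The relaxed mask lets the unsigned message through.
    print(role_permitted(from_trusted, SECROLE_MANAGER))
    print(role_permitted(from_trusted, SECROLE_MANAGER | SECROLE_USER_UNAUTH))
```

The unsigned message never gains SECROLE_MANAGER, so a policy masked to Manager alone rejects it regardless of the PPG roles; adding SECROLE_USER_UNAUTH to that policy's mask is exactly the change the note above warns about. Note also that nothing in the function distinguishes a genuine trusted gateway from any sender presenting the same address, which is the practical meaning of the "not currently authenticated" caveat under SECROLE_TRUSTED_PPG.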

See Also

Concepts

Windows Mobile Device Security Model

Other Resources

RAPI Restricted Mode Security