SCSM SDK Adventures – Trickle down User Role Security

Getting started with development using the Systems Center Service Manager (SCSM) SDK can be overwhelming.  Thankfully there are plenty of great resources that go over the basics.   In this post I am going to go over an extension of the basic functionality of connecting to the management server using specific user credentials. I will then demonstrate how this ensures that User Role Security trickles down to the custom implementation.

For beginners, here is a post that demonstrates some basic functionality:

To expand on the connection code, we have the capability of connecting to the management server with specific user credentials. Here is the code in C#:

var settings = new EnterpriseManagementConnectionSettings("localhost");
settings.UserName = "MyUserName";
settings.Domain = "MyDomain";
settings.Password = new System.Security.SecureString(); 

foreach (char letter in new char[] { 'M', 'y', 'P', 'a', 's', 's', 'w', 'o', 'r', 'd' })

var group = new EnterpriseManagementGroup(settings);

In my own development I ran into a snag with this implementation. What if you specified the NetBIOS Name upon installation which is different than the FQDN? Using the FQDN will cause the following exception:

Microsoft.EnterpriseManagement.Common.UnauthorizedAccessEnterpriseManagementException: The user does not have sufficient permission to perform the operation. ---> System.ServiceModel.Security.SecurityNegotiationException: The caller was not authenticated by the service. ---> System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.

In this case you will need to use the NetBIOS name instead of the the FQDN for the Domain property of the EnterpriseManagementConnectionSettings.

You may be asking, “Why do I need to connect as a specific user in the first place?” Of course security is likely the top answer. Not only do we want to make sure our users are valid but implementing our connection in this manner also allows security set up within Service Manager to trickle down.

For instance lets say you need a listing of available Service Request Templates. We know that the Template availability can be set by the User Role in the console by going to Administration > Security > User Roles.

Consider the following code:

.....establish connection using variable called "group" ..... 

ManagementPackClass mpc = group.EntityTypes.GetClass(new Guid("04b69835-6343-4de2-4b19-6be08c612989"));

foreach (ManagementPackObjectTemplate mpot in group.Templates.GetObjectTemplates())
         var mptpType = group.EntityTypes.GetTypeProjection(mpot.TypeID.Id); 
         if (mptpType != null && Equals(mptpType.TargetType, mpc)) 
                  //do something with each template 

If we connect to the management server without specifying user credentials all templates will be returned. However, if we make the same call while connected with specific user credentials only the templates visible to the user’s role will be returned.

Without out any additional development we have now ensured that User Role Security for templates is implemented in our custom implementation.

Enjoy SCSM and happy coding!

Ready to transform your SCSM experience? View all of the exciting SCSM apps Cireson has to offer.

Group learning about SCSM

Experience Teams Ticketing Today

Start your 14-day free trial of Tikit. No credit card required.