Registering user as an Admin for device


BizTalk RFID provides a security mechanism called device-level security. Users who are registered as device administrators (entity admins) are by default permitted to execute all methods of the DeviceManagerProxy class.

By obtaining an instance of this class, one can perform any administrative operation on a device and execute any synchronous command. It is sometimes also required (or at least possible) to execute synchronous commands through a device manager proxy instance even though they are not administrative tasks. In that case the caller does not have to be a device admin, although sometimes it still must be. For example, the following
example shows how to execute a command by using the proxy class:
 

DeviceManagerProxy proxy = new DeviceManagerProxy(m_Host);      // m_Host: name of the RFID server
Guid connId = proxy.OpenConnection("mydevice");                 // plain connection (OpenAdministrationConnection is for admin tasks)
Command result = proxy.ExecuteCommandForConnection("mydevice", "source", connId, cmd);
proxy.CloseConnection("mydevice", connId);                      // release the connection when done


Depending on what 'cmd' is, admin permission may or may not be required. For non-administrative tasks I would rather use the following:

using (DeviceConnection connection = new DeviceConnection("Host", "Device"))
{
    connection.Open();

    // rfidCommand is the Command to execute; the connection is disposed (and closed) at the end of the using block
    Command cmd = connection.ExecuteCommand(null, rfidCommand, null);

    // . . . inspect the returned command here
}

The following picture (not reproduced here) illustrates how to add a user to the list of device administrators: in RFID Manager, right-click the device and open its Security settings.


To get a feeling for which methods DeviceManagerProxy implements, here is a list of all its public methods:

    [Serializable]
    public sealed class DeviceManagerProxy : ProxyBase, IDeviceManager
    {
        public DeviceManagerProxy();
        public DeviceManagerProxy(string host);

        public void AddDevice(DeviceDefinition device, string parentDeviceGroup, bool addInOfflineMode);
        public void AddDeviceEntitySecurityRecord(string deviceEntity, string accountName, DeviceEntitySecurityPrivilege privilege);
        public FirmwareComparisonInformation CheckFirmwareCompatibility(string deviceName, string firmwareLocation);
        public void CheckpointDevice(string deviceName);
        public void CloseConnection(string deviceName, Guid connectionId);
        public void CreateDeviceGroup(DeviceGroupDefinition deviceGroupDefinition, string parentDeviceGroupName);
        public void DeleteDevice(string deviceName);
        public void DeleteDeviceGroup(string deviceGroup);
        public void DisableDevice(string deviceName);
        public void EnableDevice(string deviceName);
        public Command ExecuteCommandForConnection(string deviceName, string sourceName, Guid connectionId, Command command);
        public Command ExecuteDedicatedCommand(string deviceName, Command command);
        public DeviceDefinition[] GetAllDevices();
        public Collection<DeviceGroupDefinition> GetAllSubDeviceGroups(string deviceGroup);
        public string[] GetAllSubDevices(string deviceGroup);
        public DeviceStatus GetCurrentDeviceStatus(string deviceName);
        public DeviceDefinition GetDevice(string deviceName);
        public Collection<DeviceCapability> GetDeviceCapabilities(string deviceName);
        public DeviceEntitySecurity GetDeviceEntitySecurity(string deviceEntity);
        public Dictionary<PropertyKey, RfidDevicePropertyMetadata> GetDevicePropertyMetadata(string deviceName, string propertyGroupName);
        public DeviceStatus[] GetDeviceStatus(string[] deviceNames);
        public DeviceVersion GetDeviceVersion(DeviceVersionInfo info);
        public Collection<DeviceVersionInfo> GetDeviceVersionInfos(string deviceName);
        public DeviceVersion[] GetLatestDeviceVersions(string[] deviceNames);
        public Collection<TagPrintedEvent> GetPrintStatus(string deviceName);
        public string[] GetPropertyGroupNames(string deviceName);
        public bool GetSecurityInheritance(string deviceEntity);
        public Dictionary<string, PropertyProfile> GetSources(string deviceName);
        public void KillConnection(string deviceName);
        public void MoveEntityToDeviceGroup(string sourceDeviceEntity, string targetDeviceGroup);
        public Guid OpenAdministrationConnection(string deviceName);
        public Guid OpenConnection(string deviceName);
        public void RebootDevice(string deviceName);
        public void RemoveDeviceEntitySecurityRecord(string deviceEntity, string accountName, DeviceEntitySecurityPrivilege privilege);
        public void RemoveSecurityInheritance(string deviceEntity, bool copyEffectivePermissions);
        public void RenameDevice(string oldName, string newName);
        public void RenameDeviceGroup(string oldDeviceGroupName, string newDeviceGroupName);
        public void SetSecurityInheritance(string deviceEntity);
        public void UpdateDevice(DeviceDefinition device, bool includeAuthInfoInUpdate);
        public void UpdateDeviceGroup(DeviceGroupDefinition deviceGroupDefinition);
        public PropertyProfile ValidateConnection(UserDeviceInformation deviceInfo, AuthenticationInformation authInfo);
    }

Related article: http://msdn.microsoft.com/en-us/library/bb749827.aspx
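The picture above shows the RFID Manager way of registering an account as device admin. The same thing can be done programmatically with the AddDeviceEntitySecurityRecord / RemoveDeviceEntitySecurityRecord methods from the listing, and the result can be checked by calling one read-only and one state-changing proxy method as the account in question. The following is an added example written for this page, not code from the original post or from the BizTalk RFID SDK. It assumes that DeviceManagerProxy lives in the Microsoft.SensorServices.Rfid.Client namespace and that DeviceEntitySecurityPrivilege has a member named Administrator; neither is stated on this page. The exception type thrown for a denied call is also not given here, so the probe catches the base Exception.

```csharp
using System;
using Microsoft.SensorServices.Rfid.Client;   // assumed namespace; not stated on this page

// Added example: grant an account device-admin rights, read the effective
// security back, and probe whether the current caller is treated as an admin.
public static class DeviceAdminRegistration
{
    // Registers accountName (e.g. "DOMAIN\\user") as an administrator of deviceName
    // and returns the device's effective security so the caller can verify it.
    // The account must also be a member of the RFID_USER group on the server,
    // otherwise it cannot reach the service at all.
    public static DeviceEntitySecurity GrantAdmin(string host, string deviceName, string accountName)
    {
        DeviceManagerProxy proxy = new DeviceManagerProxy(host);

        // DeviceEntitySecurityPrivilege.Administrator is an assumed member name.
        proxy.AddDeviceEntitySecurityRecord(deviceName, accountName,
                                            DeviceEntitySecurityPrivilege.Administrator);

        // Whether records are inherited from the parent device group matters when
        // auditing who can administer the device; report it next to the grant.
        bool inherits = proxy.GetSecurityInheritance(deviceName);
        Console.WriteLine("{0}: admin record added for {1} (inherits from group: {2})",
                          deviceName, accountName, inherits);

        return proxy.GetDeviceEntitySecurity(deviceName);
    }

    // Removes the record again. Least privilege: keep the grant only as long as
    // the account really administers the device.
    public static void RevokeAdmin(string host, string deviceName, string accountName)
    {
        DeviceManagerProxy proxy = new DeviceManagerProxy(host);
        proxy.RemoveDeviceEntitySecurityRecord(deviceName, accountName,
                                               DeviceEntitySecurityPrivilege.Administrator);
    }

    // Runs one read-only and one state-changing operation as the current Windows
    // identity. GetCurrentDeviceStatus should work for any RFID_USER member;
    // UpdateDevice changes device state and therefore needs device-admin rights.
    // Re-submitting the current definition unchanged keeps the probe harmless
    // on success while still exercising the admin check.
    public static bool ProbeCallerIsDeviceAdmin(string host, string deviceName)
    {
        DeviceManagerProxy proxy = new DeviceManagerProxy(host);

        DeviceStatus status = proxy.GetCurrentDeviceStatus(deviceName);   // non-admin call
        Console.WriteLine("{0} status: {1}", deviceName, status);

        try
        {
            DeviceDefinition current = proxy.GetDevice(deviceName);        // non-admin call
            proxy.UpdateDevice(current, false);                            // state-changing: admin only
            Console.WriteLine("{0}: caller has device-admin rights", deviceName);
            return true;
        }
        catch (Exception ex)   // exact exception type for a denied call is not given on this page
        {
            Console.WriteLine("{0}: state-changing call denied ({1})", deviceName, ex.Message);
            return false;
        }
    }
}
```

Typical use is to run ProbeCallerIsDeviceAdmin from the account that will drive the device: if it returns false, the account has not been registered (or is missing from RFID_USER), and an administrator can call GrantAdmin for it. Running the probe again after the grant should return true; calling RevokeAdmin afterwards restores the least-privilege state.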


Posted Jul 20 2008, 03:19 PM by Damir Dobric

Comments

kalyanaj wrote re: Registering user as an Admin for device
on 07-29-2008 4:49

Hi Damir,

Would like to comment/clarify on a couple of issues mentioned in this post:

1) The above post seems to incorrectly indicate that you need admin privileges to use ANY of the DeviceManagerProxy operations even if it is not an admin task.  Actually, admin privileges are needed only for state changing operations; a non-admin caller can perform any of the other operations: e.g. executing a command to print tags or executing a command to get property etc. can be done by a non-admin user.  

2) Also, on a similar note, DeviceConnection can be used for both admin and non-admin tasks.  For example, you can use DeviceConnection.SetProperty() provided the caller has admin rights on the device.

In fact, for synchronous command execution, it is recommended to use DeviceConnection over DeviceManagerProxy (DeviceConnection internally uses DeviceManagerProxy) and you can do both admin and non-admin operations using it.

To summarize:

Any operation that can potentially affect/change the state of the device requires the caller to have administrative privileges on the device.  Having administrative privilege on a device means that at least one of the following should be true:

a) The caller is a member of the builtin administrators group (OR)

b) The caller's account is a member of the device's custom administrator list (To view/modify this using RFID Manager, right-click on a device -> Security).  This account should also be added to the RFID_USER group on the server machine.

Once this has been setup, one can use DeviceConnection.OpenConnection() and execute the required operation.

Thanks,

KalyanaJ

Microsoft BizTalk RFID team.

Damir Dobric wrote re: Registering user as an Admin for device
on 08-10-2008 12:29

I would like to reference this post by Kalyan, which is related to our discussion about required admin permissions: blogs.msdn.com/.../device-security.aspx.

developers.de is a .Net Community Blog powered by daenet GmbH.