Determining the Security Policies and Roles on a Device
Before you change security policies, you need to determine what the current policies are on the device. You do this by:
- Querying the current security policies on the device. To do this, you use the SecurityPolicy Configuration Service Provider.
- Using the query response to determine the actual policies and roles. The value that is returned for each policy is a decimal representation of all of the roles that can access the policy.
The following sections show an example of XML code that uses the SecurityPolicy Configuration Service Provider to query a device, an example of the return values that may be received, and an example of how to interpret the values returned to determine the current roles for each policy.
Querying the Security Policies
The following code example shows how to query the security policy on a device.
Note: This example is for OMA Client Provisioning. For an example of XML for OMA DM, see Querying a Security Policy Example for OMA DM.
```xml
<wap-provisioningdoc>
  <characteristic type="SecurityPolicy">
    <!-- AutoRun Policy: -->            <parm-query name="2"/>
    <!-- Perimeter Security: -->        <parm-query name="10"/>
    <!-- RAPI: -->                      <parm-query name="4097"/>
    <!-- Unsigned CABs: -->             <parm-query name="4101"/>
    <!-- Unsigned APPs: -->             <parm-query name="4102"/>
    <!-- Unsigned Themes: -->           <parm-query name="4103"/>
    <!-- TPS: -->                       <parm-query name="4104"/>
    <!-- Message Authentication: -->    <parm-query name="4105"/>
    <!-- WAP Signed Message: -->        <parm-query name="4107"/>
    <!-- Service Loading: -->           <parm-query name="4108"/>
    <!-- Service Indication: -->        <parm-query name="4109"/>
    <!-- Unauthenticated Messages: -->  <parm-query name="4110"/>
    <!-- OTA Provisioning: -->          <parm-query name="4111"/>
    <!-- WSP Push: -->                  <parm-query name="4113"/>
    <!-- Grant Manager: -->             <parm-query name="4119"/>
    <!-- Grant User Authenticated: -->  <parm-query name="4120"/>
    <!-- DRM Support: -->               <parm-query name="4129"/>
  </characteristic>
</wap-provisioningdoc>
```
Query Response
The following example shows the response to the query. This example is for OMA Client Provisioning.
```xml
<wap-provisioningdoc>
  <characteristic type="SecurityPolicy">
    <!-- AutoRun Policy: -->            <noparm name="2"/>
    <!-- RAPI: -->                      <parm name="4097" value="2"/>
    <!-- Unsigned CABs: -->             <parm name="4101" value="16"/>
    <!-- Unsigned APPs: -->             <parm name="4102" value="1"/>
    <!-- Unsigned Themes: -->           <parm name="4103" value="64"/>
    <!-- TPS: -->                       <parm name="4104" value="1"/>
    <!-- Message Authentication: -->    <parm name="4105" value="3"/>
    <!-- WAP Signed Message: -->        <parm name="4107" value="3204"/>
    <!-- Service Loading: -->           <parm name="4108" value="2048"/>
    <!-- Service Indication: -->        <parm name="4109" value="3072"/>
    <!-- Unauthenticated Messages: -->  <parm name="4110" value="64"/>
    <!-- OTA Provisioning: -->          <parm name="4111" value="3732"/>
    <!-- WSP Push: -->                  <parm name="4113" value="1"/>
    <!-- Grant Manager: -->             <parm name="4119" value="16"/>
    <!-- Grant User Authenticated: -->  <parm name="4120" value="16"/>
    <!-- DRM Support: -->               <parm name="4129" value="140"/>
  </characteristic>
</wap-provisioningdoc>
```
Determining the current policies and roles on a device
To understand the results of this response, you must look at the values returned in relation to the policy IDs as shown in Security Policies and Security Policy Settings.
For example, the response has the following values:
```xml
<!-- OTA Provisioning: --> <parm name="4111" value="3732"/>
```
In this example:
- The parm name refers to the security policy setting as described in Security Policies. In this example, 4111 refers to OTA management.
- The returned parm value for this setting is 3732. This value is the sum of all the decimal values for the Security Roles that are enabled for the policy (in this case, for OTA management). The decimal values of the Security Roles are described in Security Roles.
The following table shows the default roles for OTA management as described in Security Policy Settings, and their associated values as described in Security Roles.
Role | Decimal value |
---|---|
SECROLE_OPERATOR_TPS | 128 |
SECROLE_PPG_TRUSTED | 2048 |
SECROLE_PPG_AUTH | 1024 |
SECROLE_TRUSTED_PPG | 512 |
SECROLE_USER_AUTH | 16 |
SECROLE_MANAGER | 8 |
SECROLE_OPERATOR | 4 |
The following list shows how you would use these values to determine the actual policies and roles on the device:
- Add these decimal values together. In this example, the result is 3728 (128 + 2048 + 1024 + 512 + 16 + 4 = 3728).
  Note: OEMs may change the values from the default settings.
- Subtract this number (3728) from the value that was returned (3732). This leaves a decimal value of 4 (3732 - 3728 = 4).
- Look at the decimal values in Security Roles. The SECROLE_OPERATOR setting has a decimal value of 4. Therefore, the SECROLE_OPERATOR policy is also valid on this device.
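The same reading done with bitwise tests instead of addition and subtraction, as an added example that is not part of the original page: it parses a response, names the roles set in each returned value, and reports the roles that differ from an expected mask. The response is a constructed subset of the one shown above, role names come only from this page's table (any other bit is listed by value), and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Role values copied from the table on this page.
ROLES = {
    "SECROLE_PPG_TRUSTED": 2048, "SECROLE_PPG_AUTH": 1024,
    "SECROLE_TRUSTED_PPG": 512, "SECROLE_OPERATOR_TPS": 128,
    "SECROLE_USER_AUTH": 16, "SECROLE_MANAGER": 8, "SECROLE_OPERATOR": 4,
}

# Constructed sample: a subset of the query response shown on this page.
RESPONSE = """<wap-provisioningdoc>
  <characteristic type="SecurityPolicy">
    <noparm name="2"/>
    <parm name="4109" value="3072"/>
    <parm name="4111" value="3732"/>
    <parm name="4120" value="16"/>
  </characteristic>
</wap-provisioningdoc>"""

def decode_roles(mask):
    """Name each role bit set in mask; bits not in ROLES are listed by value."""
    names = [name for name, bit in ROLES.items() if mask & bit]
    rest = mask & ~sum(ROLES.values())
    names += [f"bit {1 << i}" for i in range(rest.bit_length()) if rest >> i & 1]
    return names

def parse_response(xml_text):
    """Return {policy_id: value}; None marks a <noparm> (no value returned)."""
    result = {}
    for ch in ET.fromstring(xml_text).iter("characteristic"):
        if ch.get("type") != "SecurityPolicy":
            continue
        for el in ch:
            if el.tag in ("parm", "noparm"):
                value = el.get("value")
                result[int(el.get("name"))] = None if value is None else int(value)
    return result

def role_diff(expected, actual):
    """Return (roles set on the device but not expected, expected roles not set)."""
    return decode_roles(actual & ~expected), decode_roles(expected & ~actual)

if __name__ == "__main__":
    for policy, value in parse_response(RESPONSE).items():
        print(policy, "no value" if value is None else decode_roles(value))
    # 3728 is the sum used in the steps above; 3732 is what the device returned.
    print(role_diff(3728, 3732))
```

Unlike plain subtraction, the bitwise difference also reports expected roles that the device value does not contain.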
See Also
Customizing Security Settings | Security Policy Settings | SecurityPolicy Configuration Service Provider | Provisioning Security Settings | Perimeter Security