Credential Rings are not assigned to a Management Group, but rather to a User Profile (e.g. a console user). When Patch Manager is installed there is one User Profile created, the "Default User". That profile is assigned the <Default> Credential Ring. In the absence of any additional user profiles, ALL console users will be assigned to the "Default User" profile, and thus be assigned the <Default> Credential Ring.
In effect, a Credential Ring is designed to identify which resources a given console user is authorized to access/manage, by virtue of possessing a credential with permissions to that resource.
If the console user is a member of the Enterprise Administrators security role, then they can change their assigned Credential Ring in their own User Profile at will. In this way you can define multiple credential rings, one for each domain, and the console user can select the necessary Credential Ring to use while working within that domain.
Otherwise, the conventional practice would be the one you have already observed as successful -- a single Credential Ring is populated with all of the needed credentials for the several domains and systems. Patch Manager will match the appropriate credential to be used based on the target's membership in domains/workgroups/orgUnits or hostname (where a Computer rule is used).
While I understand your answer, the documentation leads me to believe differently. However, that's just my opinion. It's also misleading that when you view scopes in the console, it shows specific credential rings associated with resources for that domain and resources managed by a particular management group, yet since I only have one user profile (default) it never uses them when running tasks against those resources. This would lead me to believe that when any tasks are being run on resources covered by that scope it will use the credential ring associated with it. But this isn't true unless you are signing in as a user who has that credential ring associated with it.
Thanks for the response, it definitely helped me to understand this feature more.
We're very interested in your opinions and how the documentation has impacted your understanding. If we need to improve the documentation, we definitely want to do so.
As for viewing "Scopes" in the console, if you could post an image (or email me a screenshot) of what you're looking at, that would help. I'm not aware of any place in the console where Credential Rings are associated with Management Groups, because there is, in fact, no association between the two at all.
Credentials are associated with Resources, because it's the membership in a resource (i.e. domain, workgroup, orgUnit) that is used to identify which credential (among a collection of credentials in a Credential Ring) is to be used to authenticate with any given target system. Since you only have one User Profile (the "Default User"), then you, de facto, only have one Credential Ring that will ever be active at any given time -- whatever Credential Ring is currently assigned to that "Default User" profile (which is the <Default> Credential Ring at installation).
Let's take a walk through the logic flow. A user logs onto a console session. If that user has a defined User Profile for their logon, then they'll be managed by the configuration of that User Profile; otherwise, the user's console session is managed by the "Default User" profile. A Credential Ring is assigned to a User Profile; ergo, only one Credential Ring can be active for any given console user at any time -- whichever Credential Ring is assigned in the effective User Profile for that console user. The Credential Ring contains one or more Credentials, which are used to allow that console user to impersonate the identity of an authorized administrative user. Credentials are mapped to one or more Resource rules (Domain, Workgroup, OrgUnit, Computer, WSUS Server). When a connection is initiated to a target system, the application processes the collection of resource rules in the active Credential Ring to determine which Credential to use to authenticate the WMI connection to that system. Resource rules are matched from most specific to least, in general one of these pathways:
- Computer -> OrgUnit -> Domain -> Default
- Computer -> Workgroup -> Default
- WSUS Server -> Default
When a rule is matched, that credential is used to authenticate with the target system.
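
The lookup order described in this thread, modeled as an added example that is not part of the original posts and is not Patch Manager's own code. The data layout, the function names, the exact-match rule comparison and the per-ring `default` credential are assumptions made for illustration.

```python
# Added illustration of the matching order described in the thread; this is
# not Patch Manager's implementation and every name below is hypothetical.
PATHWAYS = {  # rule types tried per kind of target, most specific first
    "domain_member": ["Computer", "OrgUnit", "Domain", "Default"],
    "workgroup_member": ["Computer", "Workgroup", "Default"],
    "wsus_server": ["WSUS Server", "Default"],
}

def effective_ring(user, profiles, rings):
    """Users without their own User Profile fall back to "Default User"."""
    profile = profiles.get(user, profiles["Default User"])
    return rings[profile["ring"]]

def resolve_credential(ring, target):
    """Return (matched rule type, credential) for a target system."""
    for rule_type in PATHWAYS[target["kind"]]:
        if rule_type == "Default":
            break
        cred = ring["rules"].get((rule_type, target.get(rule_type)))
        if cred is not None:
            return rule_type, cred
    return "Default", ring["default"]  # may be None: nothing usable in this ring

# Constructed sample data (assumed names, exact-match rules only).
PROFILES = {"Default User": {"ring": "<Default>"},
            "CORP\\alice": {"ring": "Lab"}}
RINGS = {
    "<Default>": {"default": "local-admin", "rules": {
        ("Computer", "db01"): "db01-admin",
        ("OrgUnit", "Servers"): "server-svc",
        ("Domain", "corp.example"): "corp-patch-svc",
        ("Workgroup", "KIOSKS"): "kiosk-admin"}},
    "Lab": {"default": None, "rules": {("Domain", "lab.example"): "lab-svc"}},
}
TARGETS = {
    "db01": {"kind": "domain_member", "Computer": "db01",
             "OrgUnit": "Servers", "Domain": "corp.example"},
    "web01": {"kind": "domain_member", "Computer": "web01",
              "OrgUnit": "Servers", "Domain": "corp.example"},
    "pc7": {"kind": "domain_member", "Computer": "pc7",
            "OrgUnit": "Desktops", "Domain": "corp.example"},
    "kiosk3": {"kind": "workgroup_member", "Computer": "kiosk3",
               "Workgroup": "KIOSKS"},
    "wsus01": {"kind": "wsus_server", "WSUS Server": "wsus01"},
}

if __name__ == "__main__":
    for user in ("CORP\\bob", "CORP\\alice"):
        ring = effective_ring(user, PROFILES, RINGS)
        for name, target in TARGETS.items():
            print(user, name, resolve_credential(ring, target))
```

In this model the user with the "Lab" ring gets no credential for any `corp.example` target, even though the `<Default>` ring holds matching rules: only the ring assigned to the effective User Profile is consulted.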