
`_scope` canonical property

Open SteveL-MSFT opened this issue 7 months ago • 7 comments

Summary of the new feature / enhancement

There may be sufficient resources that can act on the user or the system such that it makes sense to have this well-defined vs different for different resources.

_scope: [currentUser | allUsers]

Does allUsers also mean system or should that be a separate value? If not specified, the expectation is that the default is currentUser. Are there other scopes that should be considered?

Proposed technical implementation details (optional)

No response

May 22 '25 00:05 SteveL-MSFT

I don't like that from a configuration authoring or enacting experience. To me when you have CurrentUser that's the process running, and the configuration should be as invariable as possible. So if we could specify the user (and having the tool like winget resolve that variable at runtime) or allUsers that's fine, but if you read CurrentUser, then you start making assumptions as to what process the configuration is running as...

May 22 '25 13:05 gaelcolas

Canonical properties should be applicable to all resources. _exist makes sense in the context of all resources. _scope does not, due to the resource not having a concept of scope or that scope may have more than just those two values. For example, npm has three scopes: project, user, global. If the canonical property is used, that will conflict and cause user confusion.

This issue is better served by creating best practice documentation of using a Scope property and recommended values but should not be enforced in code.

May 22 '25 19:05 ThomasNieto

@gaelcolas if you have a config that applies to specific users, but run from a higher level process (like LocalSystem or NetworkService), then you'd have a resource that takes a user (probably SID on Windows). However, this scenario is for winget type tools that can run in the context of the current user or as an elevated user where the latter is expected to apply system wide.

@ThomasNieto Canonical isn't the same as Common Parameters in PowerShell in that they aren't expected to apply everywhere, but where they DO apply, they MUST conform to the defined syntax and semantics.

What canonical properties resolve is resource1 has a Scope property with different (or even same enum values) than resource2, but they have different meanings.

May 23 '25 22:05 SteveL-MSFT

Based on WG discussion, in the case that we have an LCM/Agent scenario running as LocalSystem, for example, then currentUser means that account and if the intent is to target a different user (like RunAs), then we can extend _scope to also accept runAs which is an object that contains a credential, for example.

Jul 16 '25 19:07 SteveL-MSFT

Does it make sense for LocalSystem to ever act as current user? Should it not always do all users/machine installs? Writing shortcuts and to HKCU does not make sense for LocalSystem.

Jul 16 '25 21:07 whindsaks

The WG discussed this, we agreed on a _scope canonical property with values User and Machine

Aug 20 '25 19:08 SteveL-MSFT

Implemented _scope in one of my resources. Did we land on User being the default?

Nov 01 '25 01:11 ThomasNieto