// Copyright (c) 2008 DMTF. All rights reserved.
//
// CIM_Privilege: per its Description qualifier, the base class for activities
// that a Role or Identity is granted or denied. The subject/target
// associations are not declared here; the Description says they are supplied
// by policy or by a subclass.
[Version ( "2.20.0" ),
UMLPackagePath ( "CIM::User::Privilege" ),
Description (
"Privilege is the base class for all types of activities which "
"are granted or denied by a Role or an Identity. Whether an "
"individual Privilege is granted or denied is defined using the "
"PrivilegeGranted boolean. Any Privileges not specifically "
"granted are assumed to be denied. An explicit deny (Privilege "
"Granted = FALSE) takes precedence over any granted Privileges. \n"
"\n"
"The association of subjects (Roles and Identities) to "
"Privileges is accomplished using policy or explicitly via the "
"associations on a subclass. The entities that are protected "
"(targets) can be similarly defined. \n"
"\n"
"Note that Privileges may be inherited through hierarchical "
"Roles, or may overlap. For example, a Privilege denying any "
"instance Writes in a particular CIM Server Namespace would "
"overlap with a Privilege defining specific access rights at an "
"instance level within that Namespace. In this example, the "
"AuthorizedSubjects are either Identities or Roles, and the "
"AuthorizedTargets are a Namespace in the former case, and a "
"particular instance in the latter." )]
class CIM_Privilege : CIM_ManagedElement {

// Key property (Override of CIM_ManagedElement.InstanceID). The Description
// prescribes the <OrgID>:<LocalID> form and forbids a colon inside <OrgID>,
// so the first colon is the only reliable split point for consumers.
[Key, Override ( "InstanceID" ),
Description (
"Within the scope of the instantiating Namespace, "
"InstanceID opaquely and uniquely identifies an instance "
"of this class. In order to ensure uniqueness within the "
"NameSpace, the value of InstanceID SHOULD be constructed "
"using the following \'preferred\' algorithm: \n"
"<OrgID>:<LocalID> \n"
"Where <OrgID> and <LocalID> are separated by a colon "
"\':\', and where <OrgID> MUST include a copyrighted, "
"trademarked or otherwise unique name that is owned by "
"the business entity creating/defining the InstanceID, or "
"is a registered ID that is assigned to the business "
"entity by a recognized global authority. (This is "
"similar to the <Schema Name>_<Class Name> structure of "
"Schema class names.) In addition, to ensure uniqueness "
"<OrgID> MUST NOT contain a colon (\':\'). When using "
"this algorithm, the first colon to appear in InstanceID "
"MUST appear between <OrgID> and <LocalID>. \n"
"<LocalID> is chosen by the business entity and SHOULD "
"not be re-used to identify different underlying "
"(real-world) elements. If the above \'preferred\' "
"algorithm is not used, the defining entity MUST assure "
"that the resultant InstanceID is not re-used across any "
"InstanceIDs produced by this or other providers for this "
"instance\'s NameSpace. For DMTF defined instances, the "
"\'preferred\' algorithm MUST be used with the <OrgID> "
"set to \'CIM\'." )]
string InstanceID;

// NOTE(review): the property default is TRUE, so an instance that leaves
// PrivilegeGranted unset represents a grant. The class Description's
// "not specifically granted are assumed to be denied" presumably refers to
// the absence of a Privilege instance, not to this property's default --
// evaluators should read the stored value rather than infer denial from
// an unset property. Per the class Description, an explicit FALSE takes
// precedence over any overlapping grant.
[Description (
"Boolean indicating whether the Privilege is granted "
"(TRUE) or denied (FALSE). The default is to grant "
"permission." )]
boolean PrivilegeGranted = true;

// Indexed array, aligned entry-by-entry with ActivityQualifiers (see
// ModelCorrespondence). Values: 1=Other, 2=Create, 3=Delete, 4=Detect,
// 5=Read, 6=Write, 7=Execute; 4=Detect grants existence checks only,
// not content (which the Description ties to Read).
[Description (
"An enumeration indicating the activities that are "
"granted or denied. These activities apply to all "
"entities specified in the ActivityQualifiers array. The "
"values in the enumeration are straightforward except for "
"one, 4=\"Detect\". This value indicates that the "
"existence or presence of an entity may be determined, "
"but not necessarily specific data (which requires the "
"Read privilege to be true). This activity is exemplified "
"by \'hidden files\'- if you list the contents of a "
"directory, you will not see hidden files. However, if "
"you know a specific file name, or know how to expose "
"hidden files, then they can be \'detected\'. Another "
"example is the ability to define search privileges in "
"directory implementations." ),
ValueMap { "1", "2", "3", "4", "5", "6", "7", "..", "16000.." },
Values { "Other", "Create", "Delete", "Detect", "Read",
"Write", "Execute", "DMTF Reserved", "Vendor Reserved" },
ArrayType ( "Indexed" ),
ModelCorrespondence { "CIM_Privilege.ActivityQualifiers" }]
uint16 Activities[];

// Indexed; entry i names the thing (file, class, method, URL, command, ...)
// that Activities[i] applies to, and is interpreted per QualifierFormats[i].
// NOTE(review): the schema defines no comparison rules for these strings
// (case sensitivity, path normalisation, wildcard syntax beyond the "*"
// examples in QualifierFormats), so matching semantics are provider-defined
// -- confirm against the implementing provider before relying on them.
[Description (
"The ActivityQualifiers property is an array of string "
"values used to further qualify and specify the "
"privileges granted or denied. For example, it is used to "
"specify a set of files for which \'Read\'/\'Write\' "
"access is permitted or denied. Or, it defines a class\' "
"methods that may be \'Executed\'. Details on the "
"semantics of the individual entries in "
"ActivityQualifiers are provided by corresponding entries "
"in the QualifierFormats array." ),
ArrayType ( "Indexed" ),
ModelCorrespondence { "CIM_Privilege.Activities",
"CIM_Privilege.QualifierFormats" }]
string ActivityQualifiers[];

// Indexed; entry i gives the format of ActivityQualifiers[i]. Because the
// three arrays are correlated by index, a length mismatch presumably leaves
// some qualifiers without a format or activity -- producers should keep
// them the same length.
[Description (
"Defines the semantics of corresponding entries in the "
"ActivityQualifiers array. An example of each of these "
"\'formats\' and their use follows: \n"
"- 2=Class Name. Example: If the authorization target is "
"a CIM Service or a Namespace, then the "
"ActivityQualifiers entries can define a list of classes "
"that the authorized subject is able to create or delete. \n"
"- 3=<Class.>Property. Example: If the authorization "
"target is a CIM Service, Namespace or Collection of "
"instances, then the ActivityQualifiers entries can "
"define the class properties that may or may not be "
"accessed. In this case, the class names are specified "
"with the property names to avoid ambiguity - since a CIM "
"Service, Namespace or Collection could manage multiple "
"classes. On the other hand, if the authorization target "
"is an individual instance, then there is no possible "
"ambiguity and the class name may be omitted. To specify "
"ALL properties, the wildcard string \"*\" should be "
"used. \n"
"- 4=<Class.>Method. This example is very similar to the "
"Property one, above. And, as above, the string \"*\" may "
"be specified to select ALL methods. \n"
"- 5=Object Reference. Example: If the authorization "
"target is a CIM Service or Namespace, then the "
"ActivityQualifiers entries can define a list of object "
"references (as strings) that the authorized subject can "
"access. \n"
"- 6=Namespace. Example: If the authorization target is a "
"CIM Service, then the ActivityQualifiers entries can "
"define a list of Namespaces that the authorized subject "
"is able to access. \n"
"- 7=URL. Example: An authorization target may not be "
"defined, but a Privilege could be used to deny access to "
"specific URLs by individual Identities or for specific "
"Roles, such as the \'under 17\' Role. \n"
"- 8=Directory/File Name. Example: If the authorization "
"target is a FileSystem, then the ActivityQualifiers "
"entries can define a list of directories and files whose "
"access is protected. \n"
"- 9=Command Line Instruction. Example: If the "
"authorization target is a ComputerSystem or Service, "
"then the ActivityQualifiers entries can define a list of "
"command line instructions that may or may not be "
"\'Executed\' by the authorized subjects. \n"
"- 10=SCSI Command, using a format of \'CDB=xx[,Page=pp]\'. "
"For example, the ability to select the VPD page of the "
"Inquiry command is encoded as \'CDB=12,Page=83\' in the "
"corresponding ActivityQualifiers entry. A \'*\' may be "
"used to indicate all CDBs or Page numbers. \n"
"- 11=Packets. Example: The transmission of packets is "
"permitted or denied by the Privilege for the target (a "
"ComputerSystem, ProtocolEndpoint, Pipe, or other "
"ManagedSystemElement)." ),
ValueMap { "2", "3", "4", "5", "6", "7", "8", "9", "10",
"11", "..", "16000.." },
Values { "Class Name", "<Class.>Property", "<Class.>Method",
"Object Reference", "Namespace", "URL",
"Directory/File Name", "Command Line Instruction",
"SCSI Command", "Packets", "DMTF Reserved",
"Vendor Reserved" },
ArrayType ( "Indexed" ),
ModelCorrespondence { "CIM_Privilege.ActivityQualifiers" }]
uint16 QualifierFormats[];

// FALSE (the default): the instance describes a subject's right to access
// targets. TRUE: it describes a subject's right to change those access
// rights on/for the targets, i.e. the privilege governs administration of
// authorization itself and deserves correspondingly stricter review.
[Description (
"The RepresentsAuthorizationRights flag indicates whether "
"the rights defined by this instance should be "
"interpreted as rights of Subjects to access Targets or "
"as rights of Subjects to change those rights on/for "
"Targets." )]
boolean RepresentsAuthorizationRights = false;


};