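// ===================================================================
// Title:       User-Security MOF specification 2.4
// Filename:    CIM_UserSec24.mof
// Version:     2.4
// Release:     0
// Date:        08/08/2000
// Description: These object classes define the user and security
//              model for CIM and includes classes needed to represent
//              users, groups and organizational entities as well as
//              security services and authentication and authorization
//              information.
//              The object classes below are listed in an order that
//              avoids forward references. Required objects, defined
//              by other working groups, are omitted.
// ===================================================================
// Author:      DMTF User and Security Working Group
// Date:        14 March 2000 - Version 2.3
//
//              09 June 2000 - ERRATA to Version 2.3 creating V2.4
//      - CR493a, Correction of Antecedent/Dependent references
//        References are reversed from the original 2.3 model
//      - CR497: Corrections to antecedent/dependent references
// 1. ElementAsUser should run between an ME and a UsersAccess. Both
// references are ME in the MOF. UsersAccess is the Dependent reference.
//
// 2. ManagesAccount should subclass from Dependency.
//
// 3. ServiceUsesSecurityService - antecedent and dependent are backwards.
// SecurityService should be the antecedent and Service the dependent.
//
// 4. SecurityServiceForSystem - should subclass from ProvidesServiceToElement.
//
// 5. UsersCredentials - The antecedent and dependent references are
// backwards. The UsersAccess is dependent on the Credentials - the
// credentials are the antecedent.
//
// 6. The change in UsersCredentials affects PublicPrivateKeyPair, since it
// inherits from UsersCredentials.
//
// 7. CAHasPublicCertificate - The antecedent and dependent references are
// backwards. The CA USES the public certificate - therefore, it is dependent
// on the certificate.
//
// 8. AuthenticateForUse - The antecedent and dependent are backwards
// The association "provides an AuthenticationService with the
// AuthenticationRequirement it needs to do its job". AuthenticationService
// is Dependent on the Requirement.
//
// 9. RequireCredentialsFrom - Antecedent and dependent are backwards. The
// requirement is for a specific credential mgmt service - the service has no
// dependencies at all on the requirement.
//
// 10. AuthenticationTarget - Clarification that the "target" is
// dependent on the requirement to protect it.
//
// 11. AuthorizedUse - The antecedent and dependent are backwards since
// the description says that the association "provides an AuthorizationService
// with the AccessControlInformation it needs to do its job".
// AuthorizationService is Dependent on the ACI.
//
//              21 June 2000 - ERRATA to Version 2.3 creating Version 2.4
//      - CR515: CIM Account keys. CIM_Account currently has two local keys, Name and UserID.
//        The intent was to have CreationClassName and Name as keys where name could be
//        set to a value equal to the UserID or to some other value, e.g., a DN from a
//        directory.
//
// ===================================================================

// ===================================================================
// ===                         Pragmas                             ===
// ===================================================================
#pragma Locale ("en_US")

// ==================================================================
// ===                Data class definitions                     ===
// ==================================================================

// ==================================================================
//    Group
// ==================================================================
   [Description (
      "The Group class is used to collect ManagedElements into groups. "
      "This class is defined so as to incorporate commonly-used LDAP "
      "attributes to permit implementations to easily derive this "
      "information from LDAP-accessible directories. This class's "
      "properties are a subset of a related class, "
      "OtherGroupInformation, which defines all the group properties "
      "and in array form for directory compatibility." ) ]
class CIM_Group : CIM_Collection
{
      [Key, MaxLen (256), Description (
         "CreationClassName indicates the name of the class or the "
         "subclass used in the creation of an instance. When used "
         "with the other key properties of this class, this property "
         "allows all instances of this class and its subclasses to "
         "be uniquely identified.")]
   string CreationClassName;
      // NOTE(review): per the Description, Name may carry an LDAP
      // distinguishedName, i.e. directory-sourced text used as a key.
      // Consumers that build LDAP filters or object paths from it should
      // escape the value rather than concatenate it. The same applies to
      // the Name key of every class below that repeats this Description.
      [Key, MaxLen (1024), Description (
         "The Name property defines the label by which the object is "
         "known. In the case of an LDAP-derived instance, the Name "
         "property value may be set to the distinguishedName of the "
         "LDAP-accessed object instance.")]
   string Name;
      [MaxLen (128), Description (
         "The BusinessCategory property may be used to describe the "
         "kind of business activity performed by the members of the "
         "group.")]
   string BusinessCategory;
      [Required, Description (
         "A Common Name is a (possibly ambiguous) name by which the "
         "group is commonly known in some limited scope (such as an "
         "organization) and conforms to the naming conventions of the "
         "country or culture with which it is associated.")]
   string CommonName;
};

// ==================================================================
//    OtherGroupInformation
// ==================================================================
   [Description (
      "The OtherGroupInformation class provides additional information "
      "about an associated Group instance. This class is defined so as "
      "to incorporate commonly-used LDAP attributes to permit "
      "implementations to easily derive this information from "
      "LDAP-accessible directories.") ]
class CIM_OtherGroupInformation : CIM_ManagedElement
{
      [Key, MaxLen (256), Description (
         "CreationClassName indicates the name of the class or the "
         "subclass used in the creation of an instance. When used "
         "with the other key properties of this class, this property "
         "allows all instances of this class and its subclasses to "
         "be uniquely identified.")]
   string CreationClassName;
      [Key, MaxLen (1024), Description (
         "The Name property defines the label by which the object is "
         "known. In the case of an LDAP-derived instance, the Name "
         "property value may be set to the distinguishedName of the "
         "LDAP-accessed object instance.")]
   string Name;
      [Description (
         "In the case of an LDAP-derived instance, the ObjectClass "
         "property value(s) may be set to the objectClass attribute "
         "values.")]
   string ObjectClass[];
      [MaxLen (128), Description (
         "The BusinessCategory property may be used to describe the "
         "kind of business activity performed by the members of the "
         "group.")]
   string BusinessCategory[];
      [Description (
         "A Common Name is a (possibly ambiguous) name by which the "
         "group is commonly known in some limited scope (such as an "
         "organization) and conforms to the naming conventions of the "
         "country or culture with which it is associated.")]
   string CommonName[];
      [MaxLen (1024), Description (
         "The Descriptions property values may contain human-readable "
         "descriptions of the object. In the case of an LDAP-derived "
         "instance, the description attribute may have multiple values "
         "that, therefore, cannot be placed in the inherited "
         "Description property.")]
   string Descriptions[];
      [Description (
         "The name of an organization related to the group.")]
   string OrganizationName[];
      [Description (
         "The name of an organizational unit related to the group.")]
   string OU[];
      [Description (
         "The Owner property specifies the name of some object that "
         "has some responsibility for the group. In the case of an "
         "LDAP-derived instance, a property value for Owner may be a "
         "distinguishedName of owning persons, groups, roles, etc.")]
   string Owner[];
      [Description (
         "In the case of an LDAP-derived instance, the See Also "
         "property specifies distinguishedName of other Directory "
         "objects which may be other aspects (in some sense) of the "
         "same real world object.")]
   string SeeAlso[];
};

// ==================================================================
//    Role
// ==================================================================
   // NOTE(review): the Description below speaks of "all the group
   // properties" although the related class is OtherRoleInformation; the
   // wording looks carried over from CIM_Group. The Organization and
   // OrgUnit Descriptions further down use the same phrase.
   [Description (
      "The Role object class is used to represent a position or set of "
      "responsibilities within an organization, organizational unit or "
      "system administration scope and is filled by a person or persons "
      "(or non-human entities represented by ManagedSystemElement "
      "subclasses) that may be explicitly or implicitly members of this "
      "collection subclass. The class is defined so as to incorporate "
      "commonly-used LDAP attributes to permit implementations to "
      "easily derive this information from LDAP-accessible directories. "
      "The members of a role are frequently called role occupants. "
      "This class's properties are a subset of a related class, "
      "OtherRoleInformation, which defines all the group properties "
      "and in array form for directory compatibility. ")]
class CIM_Role : CIM_Collection
{
      [Key, MaxLen (256), Description (
         "CreationClassName indicates the name of the class or the "
         "subclass used in the creation of an instance. When used "
         "with the other key properties of this class, this property "
         "allows all instances of this class and its subclasses to "
         "be uniquely identified.")]
   string CreationClassName;
      [Key, MaxLen (1024), Description (
         "The Name property defines the label by which the object is "
         "known. In the case of an LDAP-derived instance, the Name "
         "property value may be set to the distinguishedName of the "
         "LDAP-accessed object instance.")]
   string Name;
      [MaxLen (128), Description (
         "This property may be used to describe the kind of business "
         "activity performed by the members (role occupants) in the "
         "position or set of responsibilities represented by the Role. "
         )]
   string BusinessCategory;
      [Required, Description (
         "A Common Name is a (possibly ambiguous) name by which the "
         "role is commonly known in some limited scope (such as an "
         "organization) and conforms to the naming conventions of the "
         "country or culture with which it is associated.")]
   string CommonName;
};

// ==================================================================
//    OtherRoleInformation
// ==================================================================
   [Description (
      "The OtherRoleInformation class is used to provide additional "
      "information about an associated Role instance. This class is "
      "defined so as to incorporate commonly-used LDAP attributes to "
      "permit implementations to easily derive this information from "
      "LDAP-accessible directories.") ]
class CIM_OtherRoleInformation : CIM_ManagedElement
{
      [Key, MaxLen (256), Description (
         "CreationClassName indicates the name of the class or the "
         "subclass used in the creation of an instance. When used "
         "with the other key properties of this class, this property "
         "allows all instances of this class and its subclasses to "
         "be uniquely identified.")]
   string CreationClassName;
      [Key, MaxLen (1024), Description (
         "The Name property defines the label by which the object is "
         "known. In the case of an LDAP-derived instance, the Name "
         "property value may be set to the distinguishedName of the "
         "LDAP-accessed object instance.")]
   string Name;
      [Description (
         "In the case of an LDAP-derived instance, the ObjectClass "
         "property value(s) may be set to the objectClass attribute "
         "values.")]
   string ObjectClass[];
      [MaxLen (128), Description (
         "This property may be used to describe the kind of business "
         "activity performed by the members (role occupants) in the "
         "position or set of responsibilities represented by the Role. "
         )]
   string BusinessCategory[];
      [Description (
         "A Common Name is a (possibly ambiguous) name by which the "
         "role is commonly known in some limited scope (such as an "
         "organization) and conforms to the naming conventions of the "
         "country or culture with which it is associated.")]
   string CommonName[];
      [MaxLen (1024), Description (
         "The Descriptions property values may contain human-readable "
         "descriptions of the object. In the case of an LDAP-derived "
         "instance, the description attribute may have multiple values "
         "that, therefore, cannot be placed in the inherited "
         "Description property.")]
   string Descriptions[];
      [MaxLen (128), Description (
         "This property is used for the role occupants' telegram "
         "service.")]
   string DestinationIndicator[];
      [Description (
         "The role occupants' facsimile telephone number.")]
   string FacsimileTelephoneNumber[];
      [MaxLen (16), Description (
         "The role occupants' International ISDN number.")]
   string InternationaliSDNNumber[];
      [Description (
         "The name of an organizational unit related to the role.")]
   string OU[];
      [MaxLen (128), Description (
         "The Physical Delivery Office Name property specifies the name "
         "of the city, village, etc. where a physical delivery office "
         "is situated.")]
   string PhysicalDeliveryOfficeName[];
      [Description (
         "The Postal Address property values specify the address "
         "information required for the physical delivery of postal "
         "messages by the postal authority to the role occupants.")]
   string PostalAddress[];
      [MaxLen (40), Description (
         "The Postal Code property specifies the postal code for the "
         "role occupants. If this value is present it will be part of "
         "the object's postal address.")]
   string PostalCode[];
      [MaxLen (40), Description (
         "The Post Office Box property specifies the Post Office Box "
         "by which the role occupants will receive physical postal "
         "delivery. If present, the property value is part of the "
         "object's postal address.")]
   string PostOfficeBox[];
      [Description (
         "The Preferred Delivery Method property specifies the "
         "role occupants' preferred method to be used for contacting "
         "them in their role.")]
   string PreferredDeliveryMethod;
      [Description (
         "This property specifies a postal address suitable for receipt "
         "of telegrams or expedited documents, where it is necessary to "
         "have the recipient accept delivery.")]
   string RegisteredAddress[];
      [Description (
         "In the case of an LDAP-derived instance, the See Also "
         "property specifies distinguishedName of other Directory "
         "objects which may be other aspects (in some sense) of the "
         "same real world object.")]
   string SeeAlso[];
      [Description (
         "The State or Province Name property specifies a state or "
         "province." )]
   string StateOrProvince[];
      [MaxLen (128), Description (
         "The Street Address property specifies a site for the local "
         "distribution and physical delivery in a postal address, i.e. "
         "the street name, place, avenue, and the number." )]
   string Street[];
      [MaxLen (32), Description (
         "The Telephone Number property specifies a telephone number of "
         "the role occupants, e.g. + 44 582 10101)." )]
   string TelephoneNumber[];
      [Description (
         "The Teletex Terminal Identifier property specifies the "
         "Teletex terminal identifier (and, optionally, parameters) for "
         "a teletex terminal associated with the role occupants." )]
   string TeletexTerminalIdentifier[];
      [Description (
         "The Telex Number property specifies the telex number, country "
         "code, and answerback code of a telex terminal for the "
         "role occupants." )]
   string TelexNumber[];
      [MaxLen (15), Description (
         "An X.121 address for the role occupants.")]
   string X121Address[];
};

// ==================================================================
//    OrganizationalEntity
// ==================================================================
   [Abstract, Description (
      "OrganizationalEntity is an abstract class from which classes "
      "that fit into an organizational structure are derived.") ]
class CIM_OrganizationalEntity : CIM_ManagedElement
{
};

// ==================================================================
//    Organization
// ==================================================================
   [Description (
      "The Organization class is used to represent an organization such "
      "as a corporation or other autonomous entity. The class is "
      "defined so as to incorporate commonly-used LDAP attributes to "
      "permit implementations to easily derive this information from "
      "LDAP-accessible directories. This class's properties are a "
      "subset of a related class, OtherOrganizationInformation, which "
      "defines all the group properties and in array form for "
      "directory compatibility.") ]
class CIM_Organization : CIM_OrganizationalEntity
{
      [Key, MaxLen (256), Description (
         "CreationClassName indicates the name of the class or the "
         "subclass used in the creation of an instance. When used "
         "with the other key properties of this class, this property "
         "allows all instances of this class and its subclasses to "
         "be uniquely identified.")]
   string CreationClassName;
      [Key, MaxLen (1024), Description (
         "The Name property defines the label by which the object is "
         "known. In the case of an LDAP-derived instance, the Name "
         "property value may be set to the distinguishedName of the "
         "LDAP-accessed object instance.")]
   string Name;
      [MaxLen (128), Description (
         "This property describes the kind of business performed by an "
         "organization.")]
   string BusinessCategory;
      [Description (
         "The organization's facsimile telephone number.")]
   string FacsimileTelephoneNumber;
      [Description (
         "This property contains the name of a locality, such as a "
         "city, county or other geographic region.")]
   string LocalityName;
      [Description (
         "Based on RFC1274, the mail box addresses for the organization "
         "as defined in RFC822.")]
   string Mail;
      [Required, Description (
         "The name of the organization.")]
   string OrganizationName;
      [Description (
         "The Postal Address property values specify the address "
         "information required for the physical delivery of postal "
         "messages by the postal authority to the organization.")]
   string PostalAddress[];
      [MaxLen (40), Description (
         "The Postal Code property specifies the postal code of the "
         "organization. If this value is present it will be part of "
         "the object's postal address.")]
   string PostalCode;
      [Description (
         "The State or Province Name property specifies a state or "
         "province." )]
   string StateOrProvince;
      [MaxLen (32), Description (
         "The Telephone Number property specifies a telephone number of "
         "the organization, e.g. + 44 582 10101)." )]
   string TelephoneNumber;
};

// ==================================================================
//    OtherOrganizationInformation
// ==================================================================
   [Description (
      "The OtherOrganizationInformation class is used to provide "
      "additional information about an associated Organization instance. "
      "This class is defined so as to incorporate commonly-used LDAP "
      "attributes to permit implementations to easily derive this "
      "information from LDAP-accessible directories.") ]
class CIM_OtherOrganizationInformation : CIM_ManagedElement
{
      [Key, MaxLen (256), Description (
         "CreationClassName indicates the name of the class or the "
         "subclass used in the creation of an instance. When used "
         "with the other key properties of this class, this property "
         "allows all instances of this class and its subclasses to "
         "be uniquely identified.")]
   string CreationClassName;
      [Key, MaxLen (1024), Description (
         "The Name property defines the label by which the object is "
         "known. In the case of an LDAP-derived instance, the Name "
         "property value may be set to the distinguishedName of the "
         "LDAP-accessed object instance.")]
   string Name;
      [Description (
         "In the case of an LDAP-derived instance, the ObjectClass "
         "property value(s) may be set to the objectClass attribute "
         "values.")]
   string ObjectClass[];
      [MaxLen (128), Description (
         "This property describes the kind of business performed by an "
         "organization.")]
   string BusinessCategory[];
      [MaxLen (1024), Description (
         "The Descriptions property values may contain human-readable "
         "descriptions of the object. In the case of an LDAP-derived "
         "instance, the description attribute may have multiple values "
         "that, therefore, cannot be placed in the inherited "
         "Description property.")]
   string Descriptions[];
      [MaxLen (128), Description (
         "This property is used for the organization's telegram "
         "service.")]
   string DestinationIndicator[];
      [Description (
         "The organization's facsimile telephone number.")]
   string FacsimileTelephoneNumber[];
      [MaxLen (16), Description (
         "The organization's International ISDN number.")]
   string InternationaliSDNNumber[];
      [Description (
         "Uniform Resource Identifier with optional label as defined in "
         "RFC2079.")]
   string LabeledURI[];
      [Description (
         "This property contains the name of a locality, such as a "
         "city, county or other geographic region.")]
   string LocalityName[];
      [Description (
         "Based on RFC1274, the mail box addresses for the organization "
         "as defined in RFC822.")]
   string Mail[];
      [Description (
         "The manager for the organization. In the case of an "
         "LDAP-derived instance, the Manager property value may contain "
         "the distinguishedName of the Manager.")]
   string Manager[];
      [Description (
         "The name of the organization.")]
   string OrganizationName[];
      [Description (
         "Based on RFC1274, this property may be used for electronic "
         "mail box addresses other than RFC822 and X.400.")]
   string OtherMailbox[];
      [MaxLen (128), Description (
         "The Physical Delivery Office Name property specifies the name "
         "of the city, village, etc. where a physical delivery office "
         "is situated.")]
   string PhysicalDeliveryOfficeName[];
      [Description (
         "The Postal Address property values specify the address "
         "information required for the physical delivery of postal "
         "messages by the postal authority to the organization.")]
   string PostalAddress[];
      [MaxLen (40), Description (
         "The Postal Code property specifies the postal code of the "
         "organization. If this value is present it will be part of "
         "the object's postal address.")]
   string PostalCode[];
      [MaxLen (40), Description (
         "The Post Office Box property specifies the Post Office Box "
         "by which the organization will receive physical postal "
         "delivery. If present, the property value is part of the "
         "object's postal address.")]
   string PostOfficeBox[];
      [Description (
         "The Preferred Delivery Method property specifies the "
         "organization's preferred method to be used for communicating "
         "with it.")]
   string PreferredDeliveryMethod;
      [Description (
         "This property specifies a postal address suitable for receipt "
         "of telegrams or expedited documents, where it is necessary to "
         "have the recipient accept delivery.")]
   string RegisteredAddress[];
      [Description (
         "This property value is for use by X.500 clients in "
         "constructing search filters.")]
   string SearchGuide[];
      [Description (
         "In the case of an LDAP-derived instance, the See Also "
         "property specifies distinguishedName of other Directory "
         "objects which may be other aspects (in some sense) of the "
         "same real world object.")]
   string SeeAlso[];
      [Description (
         "The State or Province Name property specifies a state or "
         "province." )]
   string StateOrProvince[];
      [MaxLen (128), Description (
         "The Street Address property specifies a site for the local "
         "distribution and physical delivery in a postal address, i.e. "
         "the street name, place, avenue, and the number." )]
   string Street[];
      [MaxLen (32), Description (
         "The Telephone Number property specifies a telephone number of "
         "the organization, e.g. + 44 582 10101)." )]
   string TelephoneNumber[];
      [Description (
         "The Teletex Terminal Identifier property specifies the "
         "Teletex terminal identifier (and, optionally, parameters) for "
         "a teletex terminal associated with the organization." )]
   string TeletexTerminalIdentifier[];
      [Description (
         "The Telex Number property specifies the telex number, country "
         "code, and answerback code of a telex terminal for the "
         "organization." )]
   string TelexNumber[];
      [Octetstring, Description (
         "An image of the organization logo")]
   string ThumbnailLogo[];
      [Description (
         "A unique identifier that may be assigned in an environment to "
         "differentiate between uses of a given named organization "
         "instance.")]
   string UniqueIdentifier[];
      // NOTE(review): credential material. The Description says the value
      // "may contain an encrypted password", but nothing in this
      // declaration constrains the format. What an LDAP directory stores
      // in userPassword (clear text or a scheme-prefixed hash) depends on
      // the directory - confirm before assuming the value is protected.
      // Providers should restrict read access to this property and keep
      // it out of logs and broad enumeration results.
      [Octetstring, Description (
         "In the case of an LDAP-derived instance, the UserPassword "
         "property may contain an encrypted password used to access "
         "the organization's resources in a directory." )]
   string UserPassword[];
      [MaxLen (15), Description (
         "An X.121 address for the organization.")]
   string X121Address[];
};

// ==================================================================
//    OrgUnit
// ==================================================================
   [Description (
      "The OrgUnit class is used to represent a sub-unit of an "
      "organization such a division or department. The class is "
      "defined so as to incorporate commonly-used LDAP attributes to "
      "permit implementations to easily derive this information from "
      "LDAP-accessible directories. This class's properties are a "
      "subset of a related class, OtherOrgUnitInformation, which "
      "defines all the group properties and in array form for "
      "directory compatibility. ") ]
class CIM_OrgUnit : CIM_OrganizationalEntity
{
      [Key, MaxLen (256), Description (
         "CreationClassName indicates the name of the class or the "
         "subclass used in the creation of an instance. When used "
         "with the other key properties of this class, this property "
         "allows all instances of this class and its subclasses to "
         "be uniquely identified.")]
   string CreationClassName;
      [Key, MaxLen (1024), Description (
         "The Name property defines the label by which the object is "
         "known. In the case of an LDAP-derived instance, the Name "
         "property value may be set to the distinguishedName of the "
         "LDAP-accessed object instance.")]
   string Name;
      [MaxLen (128), Description (
         "This property describes the kind of business performed by an "
         "organizational unit.")]
   string BusinessCategory;
      [Description (
         "The organizational unit's facsimile telephone number.")]
   string FacsimileTelephoneNumber;
      [Description (
         "This property contains the name of a locality, such as a "
         "city, county or other geographic region.")]
   string LocalityName;
      [Required, Description (
         "The name of the organizational unit.")]
   string OU;
      [Description (
         "The Postal Address property values specify the address "
         "information required for the physical delivery of postal "
         "messages by the postal authority to the organizational unit." )]
   string PostalAddress[];
      [MaxLen (40), Description (
         "The Postal Code property specifies the postal code of the "
         "organizational unit. If this value is present it will be "
         "part of the object's postal address.")]
   string PostalCode;
      [Description (
         "The State or Province Name property specifies a state or "
         "province." )]
   string StateOrProvince;
      [MaxLen (32), Description (
         "The Telephone Number property specifies a telephone number of "
         "the organizational unit, e.g. + 44 582 10101)." )]
   string TelephoneNumber;
};

// ==================================================================
//    OtherOrgUnitInformation
// ==================================================================
   [Description (
      "The OtherOrgUnitInformation class is used to provide "
      "additional information about an associated OrgUnit instance. "
      "This class is defined so as to incorporate commonly-used LDAP "
      "attributes to permit implementations to easily derive this "
      "information from LDAP-accessible directories.") ]
class CIM_OtherOrgUnitInformation : CIM_ManagedElement
{
      [Key, MaxLen (256), Description (
         "CreationClassName indicates the name of the class or the "
         "subclass used in the creation of an instance. When used "
         "with the other key properties of this class, this property "
         "allows all instances of this class and its subclasses to "
         "be uniquely identified.")]
   string CreationClassName;
      [Key, MaxLen (1024), Description (
         "The Name property defines the label by which the object is "
         "known. In the case of an LDAP-derived instance, the Name "
         "property value may be set to the distinguishedName of the "
         "LDAP-accessed object instance.")]
   string Name;
      [Description (
         "In the case of an LDAP-derived instance, the ObjectClass "
         "property value(s) may be set to the objectClass attribute "
         "values.")]
   string ObjectClass[];
      [MaxLen (128), Description (
         "This property describes the kind of business performed by an "
         "organizational unit.")]
   string BusinessCategory[];
      [MaxLen (1024), Description (
         "The Descriptions property values may contain human-readable "
         "descriptions of the object. In the case of an LDAP-derived "
         "instance, the description attribute may have multiple values "
         "that, therefore, cannot be placed in the inherited "
         "Description property.")]
   string Descriptions[];
      [MaxLen (128), Description (
         "This property is used for the organizational unit's telegram "
         "service.")]
   string DestinationIndicator[];
      [Description (
         "The organizational unit's facsimile telephone number.")]
   string FacsimileTelephoneNumber[];
      [MaxLen (16), Description (
         "The organizational unit's International ISDN number.")]
   string InternationaliSDNNumber[];
      [Description (
         "This property contains the name of a locality, such as a "
         "city, county or other geographic region.")]
   string LocalityName[];
      [Description (
         "The name of the organizational unit.")]
   string OU[];
      [MaxLen (128), Description (
         "The Physical Delivery Office Name property specifies the name "
         "of the city, village, etc. where a physical delivery office "
         "is situated.")]
   string PhysicalDeliveryOfficeName[];
      [Description (
         "The Postal Address property values specify the address "
         "information required for the physical delivery of postal "
         "messages by the postal authority to the organizational unit." )]
   string PostalAddress[];
      [MaxLen (40), Description (
         "The Postal Code property specifies the postal code of the "
         "organizational unit. If this value is present it will be "
         "part of the object's postal address.")]
   string PostalCode[];
      [MaxLen (40), Description (
         "The Post Office Box property specifies the Post Office Box "
         "by which the organizational unit will receive physical "
         "postal delivery. If present, the property value is part of "
         "the object's postal address.")]
   string PostOfficeBox[];
      [Description (
         "The Preferred Delivery Method property specifies the "
         "organizational unit's preferred method to be used for "
         "communicating with it.")]
   string PreferredDeliveryMethod;
      [Description (
         "This property value is for use by X.500 clients in "
         "constructing search filters.")]
   string SearchGuide[];
      [Description (
         "In the case of an LDAP-derived instance, the See Also "
         "property specifies distinguishedName of other Directory "
         "objects which may be other aspects (in some sense) of the "
         "same real world object.")]
   string SeeAlso[];
      [Description (
         "The State or Province Name property specifies a state or "
         "province." )]
   string StateOrProvince[];
      [MaxLen (128), Description (
         "The Street Address property specifies a site for the local "
         "distribution and physical delivery in a postal address, i.e. "
         "the street name, place, avenue, and the number." )]
   string Street[];
      [MaxLen (32), Description (
         "The Telephone Number property specifies a telephone number of "
         "the organizational unit, e.g. + 44 582 10101)." )]
   string TelephoneNumber[];
      [Description (
         "The Teletex Terminal Identifier property specifies the "
         "Teletex terminal identifier (and, optionally, parameters) for "
         "a teletex terminal associated with the organizational unit." )]
   string TeletexTerminalIdentifier[];
      // NOTE(review): this Description and the one on X121Address below
      // say "organization" although the class describes an organizational
      // unit; the wording looks carried over from
      // CIM_OtherOrganizationInformation.
      [Description (
         "The Telex Number property specifies the telex number, country "
         "code, and answerback code of a telex terminal for the "
         "organization." )]
   string TelexNumber[];
      // NOTE(review): credential material. The Description says the value
      // "may contain an encrypted password", but nothing in this
      // declaration constrains the format. What an LDAP directory stores
      // in userPassword (clear text or a scheme-prefixed hash) depends on
      // the directory - confirm before assuming the value is protected.
      // Providers should restrict read access to this property and keep
      // it out of logs and broad enumeration results.
      [Octetstring, Description (
         "In the case of an LDAP-derived instance, the UserPassword "
         "property may contain an encrypted password used to access "
         "the organizational unit's resources in a directory." )]
   string UserPassword[];
      [MaxLen (15), Description (
         "An X.121 address for the organization.")]
   string X121Address[];
};

// ==================================================================
//    UserEntity
// ==================================================================
   [Abstract, Description (
      "UserEntity is an abstract class that represents users.") ]
class CIM_UserEntity : CIM_OrganizationalEntity
{
};

// ==================================================================
//    Person
// ==================================================================
   [Description (
      "The Person object class is used to represent people. The class "
      "is defined so as to incorporate commonly-used LDAP attributes to "
      "permit implementations to easily derive this information from "
      "LDAP-accessible directories. This class's properties are a "
      "subset of a related class, OtherPersonInformation, which "
      "defines all the group properties and in array form for "
      "directory compatibility. ") ]
class CIM_Person : CIM_UserEntity
{
      [Key, MaxLen (256), Description (
         "CreationClassName indicates the name of the class or the "
         "subclass used in the creation of an instance. When used "
         "with the other key properties of this class, this property "
         "allows all instances of this class and its subclasses to "
         "be uniquely identified.")]
   string CreationClassName;
      [Key, MaxLen (1024), Description (
         "The Name property defines the label by which the object is "
         "known. 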
In the case of an LDAP-derived instance, the Name " "property value may be set to the distinguishedName of the " "LDAP-accessed object instance.")] string Name; [MaxLen (128), Description ( "This property describes the kind of business performed by an " "organization.")] string BusinessCategory; [Required, Description ( "A Common Name is a (possibly ambiguous) name by which the " "role is commonly known in some limited scope (such as an " "organization) and conforms to the naming conventions of the " "country or culture with which it is associated.")] string CommonName; [Description ( "Based on inetOrgPerson, the Employee Number property " "specifies a numeric or an alphanumeric identifier assigned to " "a person.")] string EmployeeNumber; [Description ( "Based on inetOrgPerson, the Employee Type property is used to " "identify the employer to employee relationship. Typical " "values used may include 'Contractor', 'Employee', 'Intern', " "'Temp', 'External', and 'Unknown' but any value may be used." )] string EmployeeType; [Description ( "The person's facsimile telephone number.")] string FacsimileTelephoneNumber; [MaxLen (32), Description ( "Based on RFC1274, the Home Phone property specifies a home " "telephone number for the person, e.g. + 44 582 10101)." 
)] string HomePhone; [Description ( "The Home Postal Address property values specify the home " "address information required for the physical delivery of " "postal messages by the postal authority.")] string HomePostalAddress[]; [Description ( "From inetOrgPerson, the JPEG Photo property values may be used " "for one or more images of a person using the JPEG File " "Interchange Format.")] string JPEGPhoto; [Description ( "This property contains the name of a locality, such as a " "city, county or other geographic region.")] string LocalityName; [Description ( "Based on RFC1274, the mail box addresses for the person " "as defined in RFC822.")] string Mail; [Description ( "The person's manager within the organization. In the case of " "an LDAP-derived instance, the Manager property value may " "contain the distinguishedName of the Manager.")] string Manager; [MaxLen (32), Description ( "Based on RFC1274, the Mobile Phone property specifies a " "mobile telephone number for the person, e.g. + 44 582 10101)." )] string Mobile; [Description ( "The name of an organizational unit related to the person.")] string OU; [MaxLen (32), Description ( "Based on RFC1274, the Pager property specifies a pager " "telephone number for the person, e.g. + 44 582 10101).")] string Pager; [Description ( "The Postal Address property values specify the address " "information required for the physical delivery of postal " "messages by the postal authority to the person.")] string PostalAddress[]; [MaxLen (40), Description ( "The Postal Code property specifies the postal code of the " "organization. If this value is present it will be part of " "the object's postal address.")] string PostalCode; [Description ( "Based on inetOrgPerson, the person's preferred written or " "spoken language.")] string PreferredLanguage; [Description ( "Based on RFC1274, the Secretary property may be used to " "specify a secretary for the person. 
In the case of an " "LDAP-derived object instance, the value may be a " "distinguishedName.")] string Secretary; [Description ( "The State or Province Name property specifies a state or " "province." )] string StateOrProvince; [Required, Description ( "The Surname property specifies the linguistic construct that " "normally is inherited by an individual from the individual's " "parent or assumed by marriage, and by which the individual is " "commonly known.")] string Surname; [MaxLen (32), Description ( "The Telephone Number property specifies a telephone number of " "the organization, e.g. + 44 582 10101)." )] string TelephoneNumber; [Description ( "The Title property may be used to specify the person's " "designated position or function of the object within an " "organization, e.g., Manager, Vice-President, etc.")] string Title; }; // ================================================================== // OtherPersonInformation // ================================================================== [Description ( "The OtherPersonInformation class is used to provide " "additional information about an associated Person instance. " "This class is defined so as to incorporate commonly-used LDAP " "attributes to permit implementations to easily derive this " "information from LDAP-accessible directories.") ] class CIM_OtherPersonInformation : CIM_UserEntity { [Key, MaxLen (256), Description ( "CreationClassName indicates the name of the class or the " "subclass used in the creation of an instance. When used " "with the other key properties of this class, this property " "allows all instances of this class and its subclasses to " "be uniquely identified.")] string CreationClassName; [Key, MaxLen (1024),Description ( "The Name property defines the label by which the object is " "known. 
In the case of an LDAP-derived instance, the Name " "property value may be set to the distinguishedName of the " "LDAP-accessed object instance.")] string Name; [Description ( "In the case of an LDAP-derived instance, the ObjectClass " "property value(s) may be set to the objectClass attribute " "values.")] string ObjectClass[]; [Octetstring, Description ( "The Audio property may be used to store an audio clip of the " "person.")] string Audio[]; [MaxLen (128), Description ( "This property describes the kind of business performed by an " "organization.")] string BusinessCategory[]; [MaxLen (128), Description ( "The Car License property is used to record the values of the " "vehicle license or registration plate associated with an " "individual.")] string CarLicense[]; [Description ( "A Common Name is a (possibly ambiguous) name by which the " "role is commonly known in some limited scope (such as an " "organization) and conforms to the naming conventions of the " "country or culture with which it is associated.")] string CommonName[]; [Description ( "The Country Name property specifies a country as defined in " "ISO 3166.")] string CountryName[]; [Description ( "Based on inetOrgPerson, the Department Number is a code for " "department to which a person belongs. This can be strictly " "numeric (e.g., 1234) or alphanumeric (e.g., ABC/123).")] string DepartmentNumber[]; [MaxLen (1024), Description ( "The Descriptions property values may contain human-readable " "descriptions of the object. 
In the case of an LDAP-derived " "instance, the description attribute may have multiple values " "that, therefore, cannot be placed in the inherited " "Description property.")] string Descriptions[]; [MaxLen (128), Description ( "This property is used for the organization's telegram " "service.")] string DestinationIndicator[]; [Description ( "Based on inetOrgPerson, the Display Name property values are " "used when displaying an entry.")] string DisplayName[]; [Description ( "Based on inetOrgPerson, the Employee Number property " "specifies a numeric or an alphanumeric identifier assigned to " "a person.")] string EmployeeNumber; [Description ( "Based on inetOrgPerson, the Employee Type property is used to " "identify the employer to employee relationship. Typical " "values used may include 'Contractor', 'Employee', 'Intern', " "'Temp', 'External', and 'Unknown' but any value may be used." )] string EmployeeType[]; [Description ( "The person's facsimile telephone number.")] string FacsimileTelephoneNumber[]; [Description ( "Based on liPerson, the GenerationQualifier property specifies " "a name qualifier that represents the person's generation " "(e.g., JR., III, etc.).")] string GenerationQualifier[]; [Description ( "The Given Name property is used for the part of a person's " "name that is not their surname nor their middle name.")] string GivenName[]; [Description ( "Based on liPerson, the Home Fax property specifies the " "person's facsimile telephone number at home.")] string HomeFax[]; [MaxLen (32), Description ( "Based on RFC1274, the Home Phone property specifies a home " "telephone number for the person, e.g. + 44 582 10101)." 
)] string HomePhone[]; [Description ( "The Home Postal Address property values specify the home " "address information required for the physical delivery of " "postal messages by the postal authority.")] string HomePostalAddress[]; [Description ( "Based on inetOrgPerson, the Initials property specifies the " "first letters of the person's name, typically the property " "values will exclude the first letter of the surname.")] string Initials[]; [MaxLen (16), Description ( "The person's International ISDN number.")] string InternationaliSDNNumber[]; [Description ( "From inetOrgPerson, the JPEG Photo property values may be used " "for one or more images of a person using the JPEG File " "Interchange Format.")] string JPEGPhoto[]; [Description ( "Uniform Resource Identifier with optional label as defined in " "RFC2079.")] string LabeledURI[]; [Description ( "This property contains the name of a locality, such as a " "city, county or other geographic region.")] string LocalityName[]; [Description ( "Based on RFC1274, the mail box addresses for the person " "as defined in RFC822.")] string Mail[]; [Description ( "The person's manager within the organization. In the case of " "an LDAP-derived instance, the Manager property value may " "contain the distinguishedName of the Manager.")] string Manager[]; [Description ( "Based on liPerson, the middle name of the person.")] string MiddleName[]; [MaxLen (32), Description ( "Based on RFC1274, the Mobile Phone property specifies a " "mobile telephone number for the person, e.g. + 44 582 10101)." )] string Mobile[]; [Required, Description ( "The name of the person's organization.")] string OrganizationName[]; [Description ( "Based on RFC1274, the OrganizationalStatus property specifies " "a category by which a person is often referred to within an " "organization. 
Examples of usage in academia might include " "undergraduate student, researcher, lecturer, etc.")] string OrganizationalStatus[]; [Description ( "Based on RFC1274, this property may be used for electronic " "mail box addresses other than RFC822 and X.400.")] string OtherMailbox[]; [Description ( "The name of an organizational unit related to the person.")] string OU[]; [MaxLen (32), Description ( "Based on RFC1274, the Pager property specifies a pager " "telephone number for the person, e.g. + 44 582 10101).")] string Pager[]; [Description ( "Based on liPerson, the PersonalTitle property may be used to " "specify the person's personal title such as Mr., Ms., Dr., " "Prof. etc.")] string PersonalTitle[]; [Octetstring, Description ( "Based on RFC1274, the Photo property may be used to specify a " "photograph for the person encoded in G3 fax as explained in " "recommendation T.4, with an ASN.1 wrapper to make it " "compatible with an X.400 BodyPart as defined in X.420.")] string Photo[]; [MaxLen (128), Description ( "The Physical Delivery Office Name property specifies the name " "of the city, village, etc. where a physical delivery office " "is situated.")] string PhysicalDeliveryOfficeName[]; [Description ( "The Postal Address property values specify the address " "information required for the physical delivery of postal " "messages by the postal authority to the person.")] string PostalAddress[]; [MaxLen (40), Description ( "The Postal Code property specifies the postal code of the " "organization. If this value is present it will be part of " "the object's postal address.")] string PostalCode[]; [MaxLen (40), Description ( "The Post Office Box property specifies the Post Office Box " "by which the person will receive physical postal delivery. 
" "If present, the property value is part of the object's postal " "address.")] string PostOfficeBox[]; [Description ( "The Preferred Delivery Method property specifies the " "preferred method to be used for contacting the person.")] string PreferredDeliveryMethod; [Description ( "Based on inetOrgPerson, the person's preferred written or " "spoken language.")] string PreferredLanguage; [Description ( "This property specifies a postal address suitable for receipt " "of telegrams or expedited documents, where it is necessary to " "have the recipient accept delivery.")] string RegisteredAddress[]; [Description ( "Based on RFC1274, the Room Number property specifies the room " "number for the person.")] string RoomNumber[]; [Description ( "Based on RFC1274, the Secretary property may be used to " "specify a secretary for the person. In the case of an " "LDAP-derived object instance, the value may be a " "distinguishedName.")] string Secretary[]; [Description ( "In the case of an LDAP-derived instance, the See Also " "property specifies distinguishedName of other Directory " "objects which may be other aspects (in some sense) of the " "same real world object.")] string SeeAlso[]; [Description ( "The State or Province Name property specifies a state or " "province." )] string StateOrProvince[]; [MaxLen (128), Description ( "The Street Address property specifies a site for the local " "distribution and physical delivery in a postal address, i.e. " "the street name, place, avenue, and the number." )] string Street[]; [Description ( "The Surname property specifies the linguistic construct that " "normally is inherited by an individual from the individual's " "parent or assumed by marriage, and by which the individual is " "commonly known.")] string Surname[]; [MaxLen (32), Description ( "The Telephone Number property specifies a telephone number of " "the organization, e.g. + 44 582 10101)." 
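)]
   string TelephoneNumber[];
      [Description (
        "The Teletex Terminal Identifier property specifies the "
        "Teletex terminal identifier (and, optionally, parameters) for "
        "a teletex terminal associated with the organization." )]
   string TeletexTerminalIdentifier[];
      [Description (
        "The Telex Number property specifies the telex number, country "
        "code, and answerback code of a telex terminal for the "
        "organization." )]
   string TelexNumber[];
      [Octetstring, Description (
        "A small image of the person's organization logo")]
   string ThumbnailLogo[];
      [Octetstring, Description (
        "A small image of the person.")]
   string ThumbnailPhoto[];
      [Description (
        "The Title property may be used to specify the person's "
        "designated position or function of the object within an "
        "organization, e.g., Manager, Vice-President, etc.")]
   string Title[];
      [Description (
        "Based on RFC1274, the UserID property may be used to specify "
        "a computer system login name.")]
   string UserID[];
      [Description (
        "A unique identifier that may be assigned in an environment to "
        "differentiate between uses of a given named person instance." )]
   string UniqueIdentifier[];
      [Octetstring, Description (
        "Based on inetOrgPerson and for directory compatibility, the "
        "User Certificate property may be used to specify a public key "
        "certificate for the person.")]
   string UserCertificate[];
   // NOTE(review): UserPassword surfaces the directory's password value
   // through the management model. The Description calls it "encrypted"
   // but names no scheme, and this declaration carries no qualifier that
   // limits who may read the property. Read access presumably has to be
   // restricted by the CIM server or provider -- confirm for the
   // deployment before exposing this class.
      [Octetstring, Description (
        "In the case of an LDAP-derived instance, the UserPassword "
        "property may contain an encrypted password used to access "
        "the person's resources in a directory." )]
   string UserPassword[];
   // NOTE(review): PKCS #12 containers commonly bundle a private key with
   // its certificates, so UserPKCS12 should be handled as secret-bearing
   // material rather than as public directory data.
      [Octetstring, Description (
        "Based on inetOrgPerson and for directory compatibility, the "
        "UserPKCS12 property value may be used to provide a format "
        "for exchange of personal identity information. 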
The property " "values are PFX PDUs stored as Octetstrings.")] string UserPKCS12[]; [Octetstring, Description ( "Based on inetOrgPerson, the User S/MIME Certificate property " "may be used to specify the person's S/MIME (RFC1847) " "signed message with a zero-length body. It contains the " "entire certificate chain and the signed attribute that " "describes their algorithm capabilities. If available, this " "property is preferred over the UserCertificate property for " "S/MIME applications.")] string UserSMIMECertificate[]; [MaxLen (15), Description ( "An X.121 address for the organization.")] string X121Address[]; [Octetstring, Description ( "An X.500 specified unique identifier that may be assigned in " "an environment to differentiate between uses of a given named " "person object instance.")] string X500UniqueIdentifier[]; }; // ================================================================== // UsersAccess // ================================================================== [Description ( "The UsersAccess object class is used to specify a system user " "that is permitted access to system resources. The ManagedElement " "that has access to system resources (represented in the model in " "the ElementAsUser association) may be a person, a service, a " "service access point or any collection thereof. Whereas the " "Account class represents the user's relationship to a system " "from the perspective of the security services of the system, the " "UsersAccess class represents the relationships to the systems " "independent of a particular system or service.") ] class CIM_UsersAccess: CIM_UserEntity { [Key, MaxLen (256), Description ( "CreationClassName indicates the name of the class or the " "subclass used in the creation of an instance. 
When used " "with the other key properties of this class, this property " "allows all instances of this class and its subclasses to " "be uniquely identified.")] string CreationClassName; [Key, MaxLen (256),Description ( "The Name property defines the label by which the object is " "known.")] string Name; [Key, Description ( "The ElementID property uniquely specifies the ManagedElement " "object instance that is the user represented by the " "UsersAccess object instance. The ElementID is formatted " "similarly to a model path except that the property-value " "pairs are ordered in alphabetical order (US ASCII lexical " "order).")] string ElementID; [Description ( "Biometric information used to identify a person. The " "property value is left null or set to 'N/A' for non-human " "user or a user not using biometric information for " "authentication."), Values { "N/A", "Other", "Facial", "Retina", "Mark", "Finger", "Voice", "DNA-RNA", "EEG"} ] uint16 Biometric[]; }; // ================================================================== // Credential // ================================================================== [Abstract, Description ( "Subclasses of CIM_Credential define materials, " "information, or other data which are used to prove the " "identity of a CIM_UsersAccess to a particular " "CIM_SecurityService. Generally, there may be some shared " "information, or credential material which is used to " "identify and authenticate ones self in the process of " "gaining access to, or permission to use, an Account. 
" "Such credential material may be used to authenticate a " "users access identity initially, as done by a " "CIM_AuthenticationService (see later), and additionally on " "an ongoing basis during the course of a connection or " "other security association, as proof that each received " "message or communication came from the owning user access of " "that credential material.") ] class CIM_Credential:CIM_ManagedElement { }; // ================================================================== // PublicKeyCertificate // ================================================================== [Description ( "A CIM_PublicKeyCertificate represents a credential issued " "by Certificate Authority (CA) to a particular " "CIM_UsersAccess, which ties, using cryptographic technology, " "the identity of the Principal (called the Subject) and the " "public key of a public/private key pair. The public key " "certificate is signed by the Certificate Authority, who " "certifies that the identity and public key properly go " "together. Proof of control and access to the private key " "to which the public key in the certificate corresponds may " "be used by authentication services to authenticate " "communications with the Users Access. 
Refer to the ITU/CCITT " "X.509 standard as an example of such certificates.") ] class CIM_PublicKeyCertificate:CIM_Credential { [Propagated ("CIM_System.CreationClassName"), Key, MaxLen (256), Description ("Scoping System")] string SystemCreationClassName; [Propagated ("CIM_System.Name"), Key, MaxLen (256),Description ("Scoping System")] string SystemName; [Propagated ("CIM_CertificateAuthority.CreationClassName"), Key, MaxLen (256), Description ("Scoping Service")] string ServiceCreationClassName; [Propagated ("CIM_CertificateAuthority.Name"), Key, MaxLen (256), Description ("Scoping Service")] string ServiceName; [Key, MaxLen (256), Description ( "Certificate subject identifier used in forming the key")] string Subject; [Description ("The DER-encoded raw public key."), Octetstring ] uint8 PublicKey[]; }; // ================================================================== // KerberosTicket // ================================================================== [Description ( "A CIM_KerberosTicket represents a credential issued by a " "particular Kerberos Key Distribution Center (KDC) " "to a particular CIM_UsersAccess as the result of a " "successful authentication process. There are two types of " "tickets that a KDC may issue to a Users Access - a " "TicketGranting ticket, which is used to protect and " "authenticate communications between the Users Access and the " "KDC, and a Session ticket, which the KDC issues to two " "Users Access to allow them to communicate with each other. 
" ) ] class CIM_KerberosTicket:CIM_Credential { [Propagated ("CIM_System.CreationClassName"), Key, MaxLen (256), Description ("Scoping System")] string SystemCreationClassName; [Propagated ("CIM_System.Name"), Key, MaxLen (256),Description ("Scoping System")] string SystemName; [Key, MaxLen (256), Propagated ("CIM_KerberosKeyDistributionCenter.CreationClassName"), Description ("Scoping Service")] string ServiceCreationClassName; [Propagated ("CIM_KerberosKeyDistributionCenter.Name"), Key, MaxLen (256), Description ("Scoping Service. The Kerberos KDC Realm of " "CIM_KerberosTicket is used to record the security " "authority, or Realm, name so that tickets issued by " "different Realms can be separately managed and enumerated.")] string ServiceName; [Key, MaxLen (256), Description ("The name of the service for " "which this ticket is used.")] string AccessesService; [Key, MaxLen (256), Description ( "RemoteID is the name by which the user is known at " "the KDC security service.")] string RemoteID; datetime Issued; datetime Expires; [Description ( "The Type of CIM_KerberosTicket is used to indicate whether " "the ticket in question was issued by the Kerberos Key " "Distribution Center (KDC) to support ongoing communication " "between the Users Access and the KDC (TicketGranting), or was " "issued by the KDC to support ongoing communication between " "two Users Access (Session) (neither being the KDC acting in " "its capacity as the KDC). " ), Values {"Session", "TicketGranting"}] uint16 Type[]; }; // ================================================================== // SharedSecret // ================================================================== [Description ( "CIM_SharedSecret is the secret shared between a Users Access " "and a particular SharedSecret security service. 
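Secrets "
   "may be in the form of a password used for initial "
   "authentication, or as with a session key, used as part of "
   "a message authentication code to verify that a message "
   "originated by the principal with whom the secret is shared. "
   "It is important to note that SharedSecret is not just the "
   "password, but rather is the password used with a particular "
   "security service.")]
class CIM_SharedSecret:CIM_Credential
{
   // Keys: the scoping system, the scoping SharedSecretService and the
   // RemoteID under which the user is known to that service.
      [Propagated ("CIM_System.CreationClassName"), Key,
       MaxLen (256), Description ("Scoping System")]
   string SystemCreationClassName;
      [Propagated ("CIM_System.Name"), Key,
       MaxLen (256),Description ("Scoping System")]
   string SystemName;
      [Key, MaxLen (256),
       Propagated ("CIM_SharedSecretService.CreationClassName"),
       Description ("Scoping Service")]
   string ServiceCreationClassName;
      [Propagated ("CIM_SharedSecretService.Name"), Key,
       MaxLen (256), Description ("Scoping Service")]
   string ServiceName;
      [Key, MaxLen (256), Description (
        "RemoteID is the name by which the user is known at "
        "the remote secret key authentication service.")]
   string RemoteID;
   // NOTE(review): this property holds the credential material itself as
   // an ordinary string. The declaration carries no qualifier that limits
   // reads, so confidentiality presumably depends on the CIM server or
   // provider (access control on the class, protected transport) --
   // confirm before instances of this class are exposed.
      [Description (
        "secret is the secret known by the Users Access.")]
   string secret;
   // NOTE(review): the Description implies that, when a transformation is
   // named here, the stored value is the transformed form (for example a
   // hash) rather than the clear password; it does not state this
   // outright -- verify against the provider.
      [Description (
        "algorithm names the transformation algorithm, if any, used "
        "to protect passwords before use in the protocol. For "
        "instance, Kerberos doesn't store passwords as the shared "
        "secret, but rather, a hash of the password.")]
   string algorithm;
      [Description (
        "protocol names the protocol with which the SharedSecret is "
        "used.")]
   string protocol;
};

// ==================================================================
// Account
// ==================================================================
   [Description (
   "CIM_Account is the information held by a SecurityService "
   "to track identity and privileges managed by that service. "
   "Common examples of an Account are the entries in a UNIX "
   "/etc/passwd file. 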
Several kinds of security services use " "various information from those entries - the /bin/login " "program uses the account name ('root') and hashed password " "to authenticate users, and the file service, for instance, " "uses the UserID field ('0') and GroupID field ('0') to " "record ownership and determine access control privileges " "on files in the file system. This class is defined so as " "to incorporate commonly-used LDAP attributes to permit " "implementations to easily derive this information from " "LDAP-accessible directories.") ] class CIM_Account:CIM_LogicalElement { [Propagated ("CIM_System.CreationClassName"), Key, MaxLen (256), Description ("Scoping System")] string SystemCreationClassName; [Propagated ("CIM_System.Name"), Key, MaxLen (256),Description ("Scoping System")] string SystemName; [Key, MaxLen (256), Description ( "CreationClassName indicates the name of the class or the " "subclass used in the creation of an instance. When used " "with the other key properties of this class, this property " "allows all instances of this class and its subclasses to " "be uniquely identified.")] string CreationClassName; [Key, Override("Name"), MaxLen (1024), Description ( "The Name property defines the label by which the object is " "known. The value of this property may be set to be the same " "as that of the UserID property or, in the case of an " "LDAP-derived instance, the Name property value may be set to " "the distinguishedName of the LDAP-accessed object instance.")] string Name; [MaxLen (256), Description ( "UserID is the value used by the SecurityService to " "represent identity. 
For an authentication service, the " "UserID may be the name of the user, or for an authorization " "service the value which serves as a handle to a mapping of " "the identity.") ] string UserID; [Description ( "In the case of an LDAP-derived instance, the ObjectClass " "property value(s) may be set to the objectClass attribute " "values.")] string ObjectClass[]; [MaxLen (1024), Description ( "The Descriptions property values may contain human-readable " "descriptions of the object. In the case of an LDAP-derived " "instance, the description attribute may have multiple values " "that, therefore, cannot be placed in the inherited " "Description property.")] string Descriptions[]; [Description ( "Based on RFC1274, the host name of the system(s) for which " "the account applies. The host name may be a fully-qualified " "DNS name or it may be an unqualified host name.")] string Host[]; [Description ( "This property contains the name of a locality, such as a " "city, county or other geographic region.")] string LocalityName[]; [Required, Description ( "The name of the organization related to the account.")] string OrganizationName[]; [Description ( "The name of an organizational unit related to the account.")] string OU[]; [Description ( "In the case of an LDAP-derived instance, the See Also " "property specifies distinguishedName of other Directory " "objects which may be other aspects (in some sense) of the " "same real world object.")] string SeeAlso[]; [Octetstring, Description ( "Based on inetOrgPerson and for directory compatibility, the " "User Certificate property may be used to specify a public key " "certificate for the person.")] string UserCertificate[]; [Octetstring, Description ( "In the case of an LDAP-derived instance, the UserPassword " "property may contain an encrypted password used to access " "the person's resources in a directory." 
)] string UserPassword[]; }; // ================================================================== // SecurityService // ================================================================== [ Abstract, Description ( "CIM_SecurityService ...") ] class CIM_SecurityService:CIM_Service { }; // ================================================================== // AccountManagementService // ================================================================== [Description ( "CIM_AccountManagementService creates, manages, and if necessary " "destroys Accounts on behalf of other SecurityServices.") ] class CIM_AccountManagementService:CIM_SecurityService { }; // ================================================================== // AuthenticationService // ================================================================== [Description ( "CIM_AuthenticationService verifies users' identities through " "some means. These services are decomposed into a subclass that " "provides credentials to users and a subclass that provides for " "the verification of the validity of a credential and, perhaps, " "the appropriateness of its use for access to target resources. 
" "The persistent state information used from one such verification " "to another is maintained in an Account for that Users Access on " "that AuthenticationService.") ] class CIM_AuthenticationService:CIM_SecurityService { }; // ================================================================== // VerificationService // ================================================================== [Description ( "CIM_VerificationService is the authentication service that " "verifies a credential for use and may also verify the " "appropriateness of a particular credential in conjunction with a " "particular target resource.")] class CIM_VerificationService:CIM_AuthenticationService { }; // ================================================================== // CredentialManagementService // ================================================================== [Description ( "CIM_CredentialManagementService issues credentials and manages " "the credential lifecycle.") ] class CIM_CredentialManagementService:CIM_AuthenticationService { }; // ================================================================== // CertificateAuthority // ================================================================== [Description ( "CIM_CertificateAuthority is a security service (credential" " management service) which signs, " "using cryptographic means, a certificate which it issues, " "binding a public key and the identity of the User Access who " "has the private key associated with the public key.") ] class CIM_CertificateAuthority:CIM_CredentialManagementService { [Description ( "The CAPolicyStatement describes what care is taken by the " "CertificateAuthority when signing a new certificate. " "The CAPolicyStatment may be a dot-delimited ASN.1 OID " "string which identifies to the formal policy statement.") ] string CAPolicyStatement; [Description ( "A CRL, or CertificateRevocationList, is a " "list of certificates which the CertificateAuthority has " "revoked and which are not yet expired. 
Revocation is " "necessary when the private key associated with the public " "key of a certificate is lost or compromised, or when the " "person for whom the certificate is signed no longer is " "entitled to use the certificate."), Octetstring ] string CRL[]; string CRLDistributionPoint[]; }; // ================================================================== // KerberosKeyDistributionCenter // ================================================================== [Description ( "CIM_KerberosKeyDistributionCenter ...") ] class CIM_KerberosKeyDistributionCenter:CIM_CredentialManagementService { [Override ("Name"), Description ("The Realm served by this KDC.")] string Name; [Description ("The version of Kerberos supported by this " "service."), Values {"V4", "V5", "DCE", "MS"} ] uint16 Protocol[]; }; // ================================================================== // Notary // ================================================================== [Description ( "CIM_Notary is an AuthenticationService (credential " "management service) which compares the " "biometric characteristics of a person with the " "known characteristics of an Users Access, and determines " "whether the person is the UsersAccess. An example is " "a bank teller who compares a picture ID with the person " "trying to cash a check, or a biometric login service that " "uses voice recognition to identify a user.") ] class CIM_Notary:CIM_CredentialManagementService { [Description ( "The types of biometric information which this " "Notary can compare."), Values { "N/A", "Other", "Facial", "Retina", "Mark", "Finger", "Voice", "DNA-RNA", "EEG"} ] uint16 Comparitors; [Description ( "The SealProtocol is how the decision of the Notary is " "recorded for future use by parties who will rely on its " "decision. 
For instance, a drivers licence frequently " "includes tamper-resistent coatings and markings to protect " "the recorded decision that a driver, having various " "biometric characteristics of height, weight, hair and eye " "color, using a particular name, has features represented in " "a photograph of their face.")] string SealProtocol; [Description ( "CharterIssued documents when the Notary is first " "authorized, by whoever gave it responsibility, to perform " "its service.")] datetime CharterIssued; [Description ( "CharterExpired documents when the Notary is no longer " "authorized, by whoever gave it responsibility, to perform " "its service.")] datetime CharterExpired; }; // ================================================================== // SharedSecretService // ================================================================== [Description ( "CIM_SharedSecretService is a service which ascertains " "whether messages received are from the Principal with whom " "a secret is shared. 
Examples include a login service, "
        "which proves identity on the basis of knowledge of the "
        "shared secret, and a transport integrity service (like "
        "Kerberos provides) which includes a message authenticity "
        "code which proves each message in the messsage stream came "
        "from someone who knows the shared secret session key.")]
class CIM_SharedSecretService:CIM_CredentialManagementService
{
      // Algorithm is a free-form string: it has MaxLen but no
      // Values/ValueMap, so the schema does not fix the spelling of the
      // algorithm names. The Description's own examples include
      // PLAINTEXT, i.e. the secret itself is conveyed. Tooling that
      // consumes this model should report instances advertising
      // PLAINTEXT, and review legacy choices such as the MD5-based
      // HMAC-MD5, matching the string tolerantly.
      [MaxLen (256), Description (
        "The Algorithm used to convey the shared secret, such as "
        "HMAC-MD5,or PLAINTEXT.") ]
   string Algorithm;
      // Free-form as well; the Description lists no protocol names.
      [Description (
        "The Protocol supported by the SharedSecretService.")]
   string Protocol;
};

// ==================================================================
// AuthorizationService
// ==================================================================
// Declares no properties of its own. The access-control data it uses is
// attached through the AuthorizedUse association to
// AccessControlInformation, defined later in this file.
   [Description (
        "CIM_AuthorizationService determines whether a user, by "
        "association with an Account used by the AuthorizationService, is "
        "permitted access a resource or set of resources.") ]
class CIM_AuthorizationService:CIM_SecurityService
{
};

// ==================================================================
// AuthenticationRequirement
// ==================================================================
   [Description (
        "CIM_AuthenticationRequirement provides, through its "
        "associations, the authentication requirements for access to "
        "system resources. For a particular set of target resources, the "
        "AuthenticationService may require that credentials be issued by "
        "a specific CredentialManagementService. 
The "
        "AuthenticationRequirement class is weak to the system (e.g., "
        "Computer System or Administrative Domain) for which the "
        "requirements apply.")]
class CIM_AuthenticationRequirement : CIM_LogicalElement
{
      // Instance key = the two keys propagated from the hosting
      // CIM_System plus CreationClassName and Name.
      [Key, MaxLen (256), Propagated ("CIM_System.CreationClassName"),
       Description ("Hosting system creation class name")]
   string SystemCreationClassName;
      [Key, MaxLen (256), Propagated ("CIM_System.Name"),
       Description ("Hosting system name")]
   string SystemName;
      [Key, MaxLen (256), Description (
        "CreationClassName indicates the name of the class or the "
        "subclass used in the creation of an instance. When used "
        "with the other key properties of this class, this property "
        "allows all instances of this class and its subclasses to "
        "be uniquely identified.")]
   string CreationClassName;
      [Key, MaxLen (256), Override ("Name"), Description (
        "The Name property defines the unique label, in the context of "
        "the hosting system, by which the AuthenticationRequirement "
        "is known.")]
   string Name;
      // Free-form label: there is no Values/ValueMap, so the model
      // defines neither the set of levels nor an ordering between them.
      // NOTE(review): a policy engine that compares classifications has
      // to bring its own controlled vocabulary.
      [Description (
        "The SecurityClassification property specifies a named level "
        "of security associated with the AuthenticationRequirement, "
        "e.g., 'Confidential', 'Top Secret', etc.")]
   string SecurityClassification;
};

// ==================================================================
// AccessControlInformation
// ==================================================================
   [Description (
        "CIM_AccessControlInformation provides, through its properties "
        "and its associations, the specification of the access rights "
        "granted to a set of subject users to a set of target resources. 
"
        "The AccessControlInformation class is weak to the system (e.g., "
        "Computer System or Administrative Domain) for which the access "
        "controls apply.")]
class CIM_AccessControlInformation: CIM_LogicalElement
{
      // Same key layout as CIM_AuthenticationRequirement: two keys
      // propagated from the hosting CIM_System, then CreationClassName
      // and Name.
      [Key, MaxLen (256), Propagated ("CIM_System.CreationClassName"),
       Description ("Hosting system creation class name")]
   string SystemCreationClassName;
      [Key, MaxLen (256), Propagated ("CIM_System.Name"),
       Description ("Hosting system name")]
   string SystemName;
      [Key, MaxLen (256), Description (
        "CreationClassName indicates the name of the class or the "
        "subclass used in the creation of an instance. When used "
        "with the other key properties of this class, this property "
        "allows all instances of this class and its subclasses to "
        "be uniquely identified.")]
   string CreationClassName;
      [Key, MaxLen (256), Override ("Name"), Description (
        "The Name property defines the unique label, in the context of "
        "the hosting system, by which the AccessControlInformation "
        "is known.")]
   string Name;
      // Free-form label, as on CIM_AuthenticationRequirement: no
      // enumerated levels and no ordering are defined by the schema.
      [Description (
        "The SecurityClassification property specifies a named level "
        "of security associated with the AccessControlInformation, "
        "e.g., 'Confidential', 'Top Secret', etc.")]
   string SecurityClassification;
      // AccessType, AccessQualifier and Permission are used as parallel
      // arrays: the Descriptions speak of the "corresponding" entry and
      // the ModelCorrespondence qualifiers cross-link the three.
      // NOTE(review): none of them declares an ArrayType qualifier, so
      // the schema itself does not state that element order is kept or
      // that the arrays have equal length. A consumer pairing entries by
      // index should check both before evaluating access and treat a
      // mismatch as an error, never as a grant.
      [Description (
        "The AccessType property is an array of string values that "
        "specifies the type of access for which the corresponding "
        "permission applies. For example, it can be used to specify a "
        "generic access such as 'Read-only', 'Read/Write', etc. for "
        "file or record access control or it can be used to specifiy "
        "an entry point name for service access control."),
       ModelCorrespondence {
        "CIM_AccessControlInformation.AccessQualifier",
        "CIM_AccessControlInformation.Permission" } ]
   string AccessType[];
      [Description (
        "The AccessQualifier property is an array of string values "
        "may be used to further qualify the type of access for which "
        "the corresponding permission applies. 
For example, it may be "
        "used to specify a set of parameters that are permitted or "
        "denied in conjunction with the corresponding AccessType entry "
        "point name."),
       ModelCorrespondence {
        "CIM_AccessControlInformation.AccessType",
        "CIM_AccessControlInformation.Permission" } ]
   string AccessQualifier[];
      // ValueMap limits the strings to these four; the Description
      // allows subclasses to extend them. NOTE(review): the model does
      // not say how "Allow" and "Deny" entries covering the same access
      // are resolved, nor how "Unknown" is to be evaluated. An
      // enforcement point built on this class has to define both; the
      // conservative reading is that only an explicit "Allow" grants
      // access and that a value it does not recognise grants nothing.
      [Description (
        "The Permission property is an array of string values "
        "indicating the permission that applies to the corrsponding "
        "AccessType and AccessQualifier array values. The values "
        "may be extended in subclasses to provide more specific access "
        "controls."),
       ValueMap {"Unknown", "Allow", "Deny", "Manage"},
       ModelCorrespondence {
        "CIM_AccessControlInformation.AccessType",
        "CIM_AccessControlInformation.AccessQualifier" } ]
   string Permission[];
};

// ==================================================================
// === Association class definitions ===
// ==================================================================

// Aggregations

// ==================================================================
// MemberPrincipal
// ==================================================================
// NOTE(review): the Description below refers to a "UsersAccessBy"
// property; the property this class actually declares is UserAccessBy.
   [Association, Aggregation, Description (
        "CIM_MemberPrincipal is an aggregation used to establish "
        "membership of principals (i.e., users) in a Collection. That "
        "membership can be established either directly or indirectly as "
        "indicated in the UsersAccessBy property. For example, a user "
        "may be identified directly by their userid (i.e., Account object "
        "instance) or the user may be identified indirectly by realm from "
        "which a ticket was issued (i.e., CredentialManagementService "
        "object instance). The latter case is useful, for example, for "
        "specifying that only users identified by an internal credential "
        "service are permitted to access very sensitive information."
) ]
class CIM_MemberPrincipal: CIM_MemberOfCollection
{
      [Override ("Collection") ]
   CIM_Collection REF Collection;
      [Override ("Member") ]
   CIM_ManagedElement REF Member;
      // Selects how Member identifies the principals.
      // NOTE(review): the Description explains values 1-3 only; value 4,
      // "CredentialManagementService", is mapped below but not described
      // here (the class Description mentions identification by the
      // issuing service). Values 3 and 4 include users indirectly, so the
      // effective membership of a collection can be wider than its
      // direct members; resolve it fully when reviewing whom an access
      // control entry applies to.
      [Description (
        "A MemberPrincipal may be identifed in several ways that may "
        "be either direct or indirect membership in the collection. "
        " - A 'UsersAccess' membership directly identifies the user by "
        " the UsersAccess object instance. "
        " - An 'Account' membership directly identifies the user by "
        " the Account object class instance. "
        " - A 'UsingElement' membership indirectly identifies the user "
        " by the ManagedElement object instance that has "
        " ElementAsUser associations to UsersAccess object "
        " instances. Hence, all UsersAccess instances are "
        " indirectly included in the collection. "),
       ValueMap {"1", "2", "3", "4" },
       Values {"UsersAccess", "Account", "UsingElement",
               "CredentialManagementService"} ]
   uint16 UserAccessBy;
};

// ===================================================================
// AccountOnSystem
// ===================================================================
// Min (1)/Max (1) on GroupComponent ties every Account to exactly one
// system, and Weak on PartComponent marks the Account as named within
// that system -- matching the Description's statement that the system
// scopes the uniqueness of Account names.
   [Association, Aggregation, Description (
        "A system (e.g., ApplicationSystem, ComputerSystem, AdminDomain) "
        "aggregates Accounts and scopes the uniqueness of the Account "
        "names (i.e., userids).") ]
class CIM_AccountOnSystem : CIM_SystemComponent
{
      [Override ("GroupComponent"), Min (1), Max (1),
       Description ("The aggregating system also provides name scoping "
        "for the Account.")]
   CIM_System REF GroupComponent;
      [Override ("PartComponent"), Weak,
       Description ("The subordinate Account")]
   CIM_Account REF PartComponent;
};

// ==================================================================
// OrgStructure
// ==================================================================
   [Association, Aggregation, Description (
        "CIM_OrgStructure is an association used to establish parent-child "
        "relationships between OrganizationalEntity instances. 
This is " "used to capture organizational relationships between object " "instances such as those that are imported from an LDAP-accessible " "directory.") ] class CIM_OrgStructure { [Key, Max (1), Description ("The organizational parent in this association.") ] CIM_OrganizationalEntity REF Parent; [Key, Description ("The organizational child in this association, " "i.e., the sub-unit or other owned object instance.") ] CIM_OrganizationalEntity REF Child; }; // ================================================================== // CollectionInOrganization // ================================================================== [Association, Aggregation, Description ( "CIM_CollectionInOrganization is an association used to establish " "a parent-child relationship between a collection and an 'owning' " "OrganizationalEntity. A single collection should not have both " "a CollectionInOrganization and a CollectionInSystem association." )] class CIM_CollectionInOrganization { [Key, Max (1), Description ("The parent organization responsible for the " "collection.") ] CIM_OrganizationalEntity REF Parent; [Key, Description ("The collection") ] CIM_Collection REF Child; }; // ================================================================== // CollectionInSystem // ================================================================== [Association, Aggregation, Description ( "CIM_CollectionInSystem is an association used to establish a " "parent-child relationship between a collection and an 'owning' " "System such as an AdminDomain or ComputerSystem. A single " "collection should not have both a CollectionInOrganization and a " "CollectionInSystem association." 
)] class CIM_CollectionInSystem { [Key, Max (1), Description ("The parent system responsible for the " "collection.") ] CIM_System REF Parent; [Key, Description ("The collection") ] CIM_Collection REF Child; }; // Associations // ================================================================== // ElementAsUser // ================================================================== [Association, Description ( "CIM_ElementAsUser is an association used to establish the " "'ownership' of UsersAccess object instances. That is, the " "ManagedElement may have UsersAccess to systems and, therefore, " "be 'users' on those systems. UsersAccess instances must have an " "'owning' ManagedElement. Typically, the ManagedElements will be " "limited to Collection, Person, Service and ServiceAccessPoint. " "Other non-human ManagedElements that might be thought of as " "having UsersAccess (e.g., a device or system) have services that " "have the UsersAccess.")] class CIM_ElementAsUser : CIM_Dependency { [Min (1), Max (1), Override ("Antecedent"), Description ("The ManagedElement that has UsersAccess") ] CIM_ManagedElement REF Antecedent; [Override ("Dependent"), Description ("The 'owned' UsersAccess") ] CIM_UsersAccess REF Dependent; }; // ================================================================== // MoreOrganizationInfo // ================================================================== [Association, Description ( "CIM_MoreOrganizationInfo is an association used to extend the " "information in a CIM_Organization class instance." 
)] class CIM_MoreOrganizationInfo : CIM_Dependency { [Max (1), Override ("Antecedent"), Description (" " " ") ] CIM_Organization REF Antecedent; [Min (0), Max (1), Override ("Dependent"), Description (" ") ] CIM_OtherOrganizationInformation REF Dependent; }; // ================================================================== // MoreOrgUnitInfo // ================================================================== [Association, Description ( "CIM_MoreOrgUnitInfo is an association used to extend the " "information in an CIM_OrgUnit class instance." )] class CIM_MoreOrgUnitInfo : CIM_Dependency { [Max (1), Override ("Antecedent"), Description (" " " ") ] CIM_OrgUnit REF Antecedent; [Min (0), Max (1), Override ("Dependent"), Description (" ") ] CIM_OtherOrgUnitInformation REF Dependent; }; // ================================================================== // MoreGroupInfo // ================================================================== [Association, Description ( "CIM_MoreGroupInfo is an association used to extend the " "information in a CIM_Group class instance." )] class CIM_MoreGroupInfo : CIM_Dependency { [Max (1), Override ("Antecedent"), Description (" " " ") ] CIM_Group REF Antecedent; [Min (0), Max (1), Override ("Dependent"), Description (" ") ] CIM_OtherGroupInformation REF Dependent; }; // ================================================================== // MoreRoleInfo // ================================================================== [Association, Description ( "CIM_MoreRoleInfo is an association used to extend the " "information in a CIM_Role class instance." 
)] class CIM_MoreRoleInfo : CIM_Dependency { [Max (1), Override ("Antecedent"), Description (" " " ") ] CIM_Role REF Antecedent; [Min (0), Max (1), Override ("Dependent"), Description (" ") ] CIM_OtherRoleInformation REF Dependent; }; // ================================================================== // MorePersonInfo // ================================================================== [Association, Description ( "CIM_MorePersonInfo is an association used to extend the " "information in a CIM_Person class instance." )] class CIM_MorePersonInfo : CIM_Dependency { [Max (1), Override ("Antecedent"), Description (" " " ") ] CIM_Person REF Antecedent; [Min (0), Max (1), Override ("Dependent"), Description (" ") ] CIM_OtherPersonInformation REF Dependent; }; // ================================================================== // SystemAdministrator // ================================================================== [Association, Description ( "CIM_SystemAdministrator is an association used to identify " "the UserEntity as a system administrator of a CIM_System." ) ] class CIM_SystemAdministrator: CIM_Dependency { [Override ("Antecedent"), Description ( "The administered system.") ] CIM_System REF Antecedent; [Override ("Dependent"), Description ( "The UserEntity that provides the admininstrative function " "for the associated system.") ] CIM_UserEntity REF Dependent; }; // ================================================================== // SystemAdministratorGroup // ================================================================== [Association, Description ( "CIM_SystemAdministratorGroup is an association used to identify " "a Group that has system administrator responsibilities for a " "CIM_System. 
" )] class CIM_SystemAdministratorGroup : CIM_Dependency { [Override ("Antecedent"), Description ("The administered system") ] CIM_System REF Antecedent; [Override ("Dependent"), Description ("The Group of administrators") ] CIM_Group REF Dependent; }; // ================================================================== // SystemAdministratorRole // ================================================================== [Association, Description ( "CIM_SystemAdministratorRole is an association used to identify " "a system administrator Role for a CIM_System.")] class CIM_SystemAdministratorRole : CIM_Dependency { [Override ("Antecedent"), Description ("The administered system") ] CIM_System REF Antecedent; [Override ("Dependent"), Description ("The system administration role") ] CIM_Role REF Dependent; }; // =================================================================== // UsersAccount // =================================================================== [Association, Description ( "This relationship associates UsersAccess with the Accounts " "with which they're able to interact.") ] class CIM_UsersAccount : CIM_Dependency { [Override ("Antecedent"), Description ( "The user's Account") ] CIM_Account REF Antecedent; [Override ("Dependent"), Description ( "The User as identified by their UsersAccess " "instance")] CIM_UsersAccess REF Dependent; }; // =================================================================== // AccountMapsToAccount // =================================================================== [Association, Description ( "This relationship may be used to associate an Account used by an " "AuthenticationService to an Account used for Authorization. For " "instance, this mapping occurs naturally in the UNIX /etc/passwd " "file, where the AuthenticationSerice Account ('root') is mapped " "to the AuthorizationService Account ('0'). 
The two are separate "
        "accounts, as evidenced by the ability to have another "
        "AuthenticationService Account which ALSO maps to the "
        "AuthorizationService Account ('0') without ambiguity. This "
        "association may be used for other account mappings as well such "
        "as for coordinating single signon for multiple accounts for the "
        "same user.") ]
// NOTE(review): both references are CIM_Account and their Descriptions
// ("An Account" / "A related Account") do not say which end is the
// authentication-side account and which the authorization-side one.
// As the class Description points out, several accounts may map to the
// same authorization account (its example is '0'), so a privilege
// review should enumerate every instance of this association that
// reaches a privileged account rather than assume a one-to-one mapping.
class CIM_AccountMapsToAccount : CIM_Dependency
{
      [Override ("Antecedent"),
       Description ( "An Account") ]
   CIM_Account REF Antecedent;
      [Override ("Dependent"),
       Description ( "A related Account")]
   CIM_Account REF Dependent;
};

// ===================================================================
// SecurityServiceUsesAccount
// ===================================================================
// The Account is the Antecedent and the SecurityService the Dependent;
// neither reference carries a Description.
   [Association, Description (
        "This relationship associates SecurityService instances to "
        "the Accounts they use in the course of their work.") ]
class CIM_SecurityServiceUsesAccount : CIM_Dependency
{
      [ Override ("Antecedent") ]
   CIM_Account REF Antecedent;
      [ Override ("Dependent") ]
   CIM_SecurityService REF Dependent;
};

// ===================================================================
// ManagesAccount
// ===================================================================
// Subclasses CIM_Dependency (listed in the file header as CR497 item 2).
// The managing service is the Antecedent, the Account the Dependent.
   [Association, Description (
        "This relationship associates the AccountManagement security "
        "service to the Accounts for which it is responsible.") ]
class CIM_ManagesAccount:CIM_Dependency
{
      [ Override ("Antecedent") ]
   CIM_AccountManagementService REF Antecedent;
      [ Override ("Dependent") ]
   CIM_Account REF Dependent;
};

// ===================================================================
// ServiceUsesSecurityService
// ===================================================================
// SecurityService is the Antecedent and the using Service the Dependent
// (the direction recorded in the file header as CR497 item 3).
   [Association, Description (
        "This relationship associates a Services with the Security "
        "Service it uses.") ]
class CIM_ServiceUsesSecurityService : CIM_ServiceServiceDependency
{
      [ Override ("Antecedent") ]
   CIM_SecurityService REF Antecedent;
      [ Override ("Dependent") ]
CIM_Service REF Dependent;
};

// ===================================================================
// SecurityServiceForSystem
// ===================================================================
// Subclasses CIM_ProvidesServiceToElement (file header, CR497 item 4).
// The SecurityService is the Antecedent, the served System the Dependent.
   [Association, Description (
        "The CIM_SecurityServiceForSystem provides the association between "
        "a System and a SecurityService that provides services for that "
        "system." ) ]
class CIM_SecurityServiceForSystem : CIM_ProvidesServiceToElement
{
      [Override ("Antecedent"), Description (
        "The SecurityService that provides services for the system.")]
   CIM_SecurityService REF Antecedent;
      [Override ("Dependent"), Description (
        "The system that is dependent on the security service.")]
   CIM_System REF Dependent;
};

// ===================================================================
// ManagesAccountOnSystem
// ===================================================================
// Narrows the Antecedent of CIM_SecurityServiceForSystem to an
// AccountManagementService.
   [Association, Description (
        "The CIM_ManagesAccountOnSystem provides the association between a "
        "System and the AccountManagementService that manages accounts for "
        "that system." ) ]
class CIM_ManagesAccountOnSystem:CIM_SecurityServiceForSystem
{
      [Override ("Antecedent"), Description (
        "An AccountManagementService that manages accounts for the "
        "system.")]
   CIM_AccountManagementService REF Antecedent;
      [Override ("Dependent"), Description (
        "The system that is dependent on the AccountManagementService." )]
   CIM_System REF Dependent;
};

// ==================================================================
// UsersCredential
// ==================================================================
// The Credential is the Antecedent and the UsersAccess the Dependent
// (the direction recorded in the file header as CR497 item 5).
   [Association, Description (
        "CIM_UsersCredential is an association used to establish the "
        "credentials that may be used for a UsersAccess to a system or "
        "set of systems. 
" )]
class CIM_UsersCredential : CIM_Dependency
{
      [Override ("Antecedent"),
       Description ("The issued credential that may be used.") ]
   CIM_Credential REF Antecedent;
      [Override ("Dependent"),
       Description ("The UsersAccess that has use of a credential") ]
   CIM_UsersAccess REF Dependent;
};

// ===================================================================
// PublicPrivateKeyPair
// ===================================================================
// Per the Description, the private key is deliberately left out of the
// model: only the certificate and usage metadata are exposed to
// management applications. Extensions of this class should keep key
// material out as well.
   [Association, Description (
        "This relationship associates a PublicKeyCertificate with "
        "the Principal who has the PrivateKey used with the "
        "PublicKey. The PrivateKey is not modeled, since it is not "
        "a data element that ever SHOULD be accessible via "
        "management applications, other than key recovery services, "
        "which are outside our scope.") ]
class CIM_PublicPrivateKeyPair:CIM_UsersCredential
{
      [ Override ("Antecedent") ]
   CIM_PublicKeyCertificate REF Antecedent;
      [ Override ("Dependent") ]
   CIM_UsersAccess REF Dependent;
      // No ValueMap, so by position: 0 = "SignOnly",
      // 1 = "ConfidentialityOrSignature".
      [Description (
        "The Certificate may be used for signature only "
        "or for confidentiality as well as signature"),
       Values { "SignOnly", "ConfidentialityOrSignature"} ]
   uint16 Use;
      // NOTE(review): NonRepudiation and BackedUp have no Description.
      // BackedUp presumably pairs with Repository below; what
      // NonRepudiation asserts, and who is expected to set it, is not
      // stated -- confirm before relying on either flag in policy.
   boolean NonRepudiation;
   boolean BackedUp;
      [Description ("The repository in which the certificate is "
        "backed up.")]
   string Repository;
};

// ===================================================================
// CAHasPublicCertificate
// ===================================================================
// The certificate is the Antecedent and the CA that uses it the
// Dependent (file header, CR497 item 7). Max (1) on the Antecedent
// allows at most one certificate per CA instance through this
// association.
   [Association, Description (
        "A CertificateAuthority may have certificates issued by other CAs. 
"
        "This association is essentially an optimization of the CA having "
        "a UsersAccess instance with an association to a certificate thus "
        "mapping more closely to LDAP-based certificate authority "
        "implementations.") ]
class CIM_CAHasPublicCertificate:CIM_Dependency
{
      [Max (1), Override ("Antecedent"),
       Description ("The Certificate used by the CA")]
   CIM_PublicKeyCertificate REF Antecedent;
      [Override ("Dependent"),
       Description ("The CA that uses a Certificate")]
   CIM_CertificateAuthority REF Dependent;
};

// ===================================================================
// ManagedCredential
// ===================================================================
// Min (1)/Max (1) on the Antecedent: every Credential linked here has
// exactly one managing service.
   [Association, Description (
        "This relationship associates a CredentialManagementService "
        "with the Credential it manages.") ]
class CIM_ManagedCredential:CIM_Dependency
{
      [Override ("Antecedent"), Min (1), Max (1), Description (
        "The credential management service")]
   CIM_CredentialManagementService REF Antecedent;
      [Override ("Dependent"), Description (
        "The managed credential")]
   CIM_Credential REF Dependent;
};

// ===================================================================
// CASignsPublicKeyCertificate
// ===================================================================
   [Association, Description (
        "This relationship associates a CertificateAuthority with "
        "the certificates it signs.") ]
class CIM_CASignsPublicKeyCertificate:CIM_ManagedCredential
{
      [Override ("Antecedent"), Min (1), Max (1), Description (
        "The CA which signed the certificate")]
   CIM_CertificateAuthority REF Antecedent;
      [Override ("Dependent"), Weak, Description (
        "The certificate issued by the CA")]
   CIM_PublicKeyCertificate REF Dependent;
      // NOTE(review): the four properties below have no Description.
      // Signature is declared as an octet string (uint8[] with
      // Octetstring), but no property on this association names the
      // signature algorithm, so the bytes cannot be interpreted from
      // this association alone. Expires and CRLDistributionPoint look
      // like the inputs a relying party needs for validity and
      // revocation checks -- presumably they mirror the certificate's
      // own fields; confirm.
   string SerialNumber;
      [ Octetstring ]
   uint8 Signature[];
   datetime Expires;
   string CRLDistributionPoint[];
};

// ===================================================================
// KDCIssuesKerberosTicket
// ===================================================================
   [Association,
Description ( "The KDC issues and owns Kerberos tickets. This association " "captures the relationship between the KDC and its issued tickets." ) ] class CIM_KDCIssuesKerberosTicket:CIM_ManagedCredential { [Override ("Antecedent"), Min (1), Max (1), Description ( "The issuing KDC") ] CIM_KerberosKeyDistributionCenter REF Antecedent; [Override ("Dependent"), Weak, Description ( "The managed credential")] CIM_KerberosTicket REF Dependent; }; // =================================================================== // SharedSecretIsShared // =================================================================== [Association, Description ( "This relationship associates a SharedSecretService with the " "SecretKey it verifies.") ] class CIM_SharedSecretIsShared : CIM_ManagedCredential { [Override ("Antecedent"), Min (1), Max (1), Description ("The credential management service")] CIM_SharedSecretService REF Antecedent; [Override ("Dependent"), Weak, Description ( "The managed credential")] CIM_SharedSecret REF Dependent; }; // =================================================================== // NotaryVerifiesBiometric // =================================================================== [Association, Description ( "This relationship associates a Notary service with the " "Users Access whose biometric information is verified.") ] class CIM_NotaryVerifiesBiometric : CIM_Dependency { [Override ("Antecedent"), Description ("The Notary service that verifies biometric " "information ") ] CIM_Notary REF Antecedent; [Override ("Dependent"), Description ( "The UsersAccess that represents a person using " "biometric information for authentication.")] CIM_UsersAccess REF Dependent; }; // ================================================================== // HostedAuthenticationRequirement // ================================================================== [Association, Description ( "CIM_HostedAuthenticationRequirement is an association used to " "provide the namespace scoping of 
AuthenticationRequirement. The " "hosted requirements may or may not apply to resources on the " "hosting system." )] class CIM_HostedAuthenticationRequirement : CIM_Dependency { [Min (1), Max (1), Override ("Antecedent"), Description ("The hosting system") ] CIM_System REF Antecedent; [Override ("Dependent"), Weak, Description ("The hosted AuthenticationRequirement") ] CIM_AuthenticationRequirement REF Dependent; }; // ================================================================== // AuthenticateForUse // ================================================================== [Association, Description ( "CIM_AuthenticateForUse is an association used to provide an " "AuthenticationService with the AuthenticationRequirement it " "needs to do its job.")] class CIM_AuthenticateForUse : CIM_Dependency { [Override ("Antecedent"), Description ("AuthenticationRequirement for use") ] CIM_AuthenticationRequirement REF Antecedent; [Override ("Dependent"), Description ("AuthenticationService that uses the requirements" ) ] CIM_AuthenticationService REF Dependent; }; // ================================================================== // RequireCredentialsFrom // ================================================================== [Association, Description ( "CIM_RequireCredentialsFrom is an association used to require " "that credentials are issued by particular Credential Management " "Services in order to authenticate a user." )] class CIM_RequireCredentialsFrom : CIM_Dependency { [Override ("Antecedent"), Description ("CredentialManagementService from which " "credentials are accepted for the associated " "AuthenticationRequirement.") ] CIM_CredentialManagementService REF Antecedent; [Override ("Dependent"), Description ("AuthenticationRequirement that limit acceptable " "credentials. 
") ] CIM_AuthenticationRequirement REF Dependent; }; // ================================================================== // AuthenticationTarget // ================================================================== [Association, Description ( "CIM_AuthenticationTarget is an association used to apply " "authentication requirements for access to specific resources. " "For example, a shared secret may be sufficient for access to " "unclassified resources, but for confidential resources, a " "stronger authentication may be required." )] class CIM_AuthenticationTarget : CIM_Dependency { [Override ("Antecedent"), Description ("AuthenticationRequirement that apply to " "specific resources") ] CIM_AuthenticationRequirement REF Antecedent; [Override ("Dependent"), Description ("Target resources that may be in a Collection or " "an individual ManagedElement. These resources are protected " "by the AuthenticationRequirement.") ] CIM_ManagedElement REF Dependent; }; // ================================================================== // HostedACI // ================================================================== [Association, Description ( "CIM_HostedACI is an association used to provide the namespace " "scoping of AccessControlInformation. The hosted ACI may or may " "not apply to resources on the hosting system." )] class CIM_HostedACI : CIM_Dependency { [Min (1), Max (1), Override ("Antecedent"), Description ("The hosting system") ] CIM_System REF Antecedent; [Override ("Dependent"), Weak, Description ("The hosted AccessControlInformation") ] CIM_AccessControlInformation REF Dependent; }; // ================================================================== // AuthorizedUse // ================================================================== [Association, Description ( "CIM_AuthorizedUse is an association used to provide an " "AuthorizationService with the AccessControlInformation it needs " "to do its job." 
)] class CIM_AuthorizedUse : CIM_Dependency { [Override ("Antecedent"), Description ("AccessControlInformation") ] CIM_AccessControlInformation REF Antecedent; [Override ("Dependent"), Description ("AuthorizationService that uses an ACI.") ] CIM_AuthorizationService REF Dependent; }; // ================================================================== // AuthorizationSubject // ================================================================== [Association, Description ( "CIM_AuthorizationSubject is an association used to apply " "authorization decisions to specific subjects (i.e., users). The " "subjects may be identified directly or they may be aggregated " "into a collection that may, in turn, use the MemberPrincipal " "association to provide further indirection in the specification " "of the subject set." )] class CIM_AuthorizationSubject : CIM_Dependency { [Override ("Antecedent"), Description ( "AccessControlInformation that applies to a subject set.") ] CIM_AccessControlInformation REF Antecedent; [Override ("Dependent"), Description ( "The subject set may be specified as a collection or as a set " "of associations to ManagedElements that represent users.") ] CIM_ManagedElement REF Dependent; }; // ================================================================== // AuthorizationTarget // ================================================================== [Association, Description ( "CIM_AuthorizationTarget is an association used to apply " "authorization decisions to specific target resources. The " "target resources may be aggregated into a collection or may be " "represented as a set of associations to ManagedElements." 
)] class CIM_AuthorizationTarget : CIM_Dependency { [Override ("Antecedent"), Description ( "AccessControlInformation that applies to the target set.") ] CIM_AccessControlInformation REF Antecedent; [Override ("Dependent"), Description ( "The target set of resources may be specified as a collection " "or as a set of associations to ManagedElements that represent " "target resources.") ] CIM_ManagedElement REF Dependent; }; // End of file