version 1.1.2.1, 2012/01/24 13:50:36
|
version 1.1.2.2, 2012/02/15 17:46:56
|
|
|
|
// Copyright (c) 2008 DMTF. All rights reserved. |
|
[Association, Version ( "2.22.0" ), |
|
UMLPackagePath ( "CIM::User::Privilege" ), |
|
Description ( |
|
"CIM_AssociatedPrivilege is an association that models the " |
|
"privileges that a Subject element has to access or authorize " |
|
"other elements to access a Target element." )] |
|
class CIM_AssociatedPrivilege { |
|
|
|
[Key, Description ( |
|
"The Subject for which privileges are granted or denied." )] |
|
CIM_ManagedElement REF Subject; |
|
|
|
[Key, Description ( |
|
"The target element to which the privileges apply." )] |
|
CIM_ManagedElement REF Target; |
|
|
|
[Key, Description ( |
|
"UseKey is used to distinguish instances in case multiple " |
|
"instances of this association exist between the same " |
|
"Subject and Target. This may arise, for example, if " |
|
"separate instances are created for each management " |
|
"domain, or if the Subject has access and authorization " |
|
"rights to the Target.\n" |
|
"Within the scope of the instantiating Namespace, UseKey " |
|
"opaquely and uniquely identifies an instance of this " |
|
"class. In order to ensure uniqueness within the " |
|
"NameSpace, the value of UseKey should be constructed " |
|
"using the following \'preferred\' algorithm: \n" |
|
"<OrgID>:<LocalID> \n" |
|
"Where <OrgID> and <LocalID> are separated by a colon " |
|
"\':\', and where <OrgID> shall include a copyrighted, " |
|
"trademarked or otherwise unique name that is owned by " |
|
"the business entity creating/defining the UseKey, or is " |
|
"a registered ID that is assigned to the business entity " |
|
"by a recognized global authority. (This is similar to " |
|
"the <Schema Name>_<Class Name> structure of Schema class " |
|
"names.) In addition, to ensure uniqueness <OrgID> shall " |
|
"not contain a colon (\':\'). When using this algorithm, " |
|
"the first colon to appear in UseKey shall appear between " |
|
"<OrgID> and <LocalID>. \n" |
|
"<LocalID> is chosen by the business entity and should " |
|
"not be re-used to identify different underlying " |
|
"(real-world) elements. If the above \'preferred\' " |
|
"algorithm is not used, the defining entity shall assure " |
|
"that the resultant UseKey is not re-used across any " |
|
"UseKeys produced by this or other providers for this " |
|
"instance\'s NameSpace. \n" |
|
"For DMTF defined instances, the \'preferred\' algorithm " |
|
"shall be used with the <OrgID> set to \'CIM\'." )] |
|
string UseKey; |
|
|
|
[Description ( |
|
"Boolean indicating whether the Privilege is granted " |
|
"(TRUE) or denied (FALSE). The default is to grant " |
|
"permission." )] |
|
boolean PrivilegeGranted = true; |
|
|
|
[Description ( |
|
"An enumeration indicating the activities that are " |
|
"granted or denied. These activities apply to all " |
|
"entities specified in the ActivityQualifiers array.\n" |
|
"\"Other\" (1): indicates an activity that is not " |
|
"specified in this enumeration.\n" |
|
"\"Create\" (2), \"Delete\" (3), \"Detect\" (4), \"Read\" " |
|
"(5), \"Write\" (6), \"Execute\" (7): each of these " |
|
"values indicates that the Subject is permitted to use an " |
|
"operation supported by the Target. They are all " |
|
"straightforward except for one, 4=\"Detect\". This value " |
|
"indicates that the existence or presence of an entity " |
|
"may be determined, but not necessarily specific data " |
|
"(which requires the Read privilege to be true). This " |
|
"activity is exemplified by \'hidden files\'- if you list " |
|
"the contents of a directory, you will not see hidden " |
|
"files. However, if you know a specific file name, or " |
|
"know how to expose hidden files, then they can be " |
|
"\'detected\'. Another example is the ability to define " |
|
"search privileges in directory implementations.\n" |
|
"\"Deny Create\" (8), \"Deny Delete\" (9), \"Deny Detect\" " |
|
"(10), \"Deny Read\" (11), \"Deny Write\" (12), \"Deny " |
|
"Execute\" (13): each of these values indicates that the " |
|
"Subject is expressly denied permission to use an " |
|
"operation supported by the Target.\n" |
|
"Authorize to Grant/Deny Authorization (14): this value " |
|
"indicates that the Subject is permitted to add any of " |
|
"the following values to - or remove any of the following " |
|
"values from - the Activities array property in any other " |
|
"instance of CIM_AssociatedPrivilege that references the " |
|
"same Target: \"Authorize to Create\" (15), \"Authorize " |
|
"to Delete\" (16), \"Authorize to Detect\" (17), " |
|
"\"Authorize to Read\" (18), \"Authorize to Write\" (19), " |
|
"\"Authorize to Execute\" (20), \"Authorize to Deny " |
|
"Create\" (21), \"Authorize to Deny Delete\" (22), " |
|
"\"Authorize to Deny Detect\" (23), \"Authorize to Deny " |
|
"Read\" (24), \"Authorize to Deny Write\" (25), and " |
|
"\"Authorize to Deny Execute\" (26).\n" |
|
"\"Authorize to Create\" (15), \"Authorize to Delete\" " |
|
"(16), \"Authorize to Detect\" (17), \"Authorize to Read\" " |
|
"(18), \"Authorize to Write\" (19), \"Authorize to " |
|
"Execute\" (20), \"Authorize to Deny Create\" (21), " |
|
"\"Authorize to Deny Delete\" (22), \"Authorize to Deny " |
|
"Detect\" (23), \"Authorize to Deny Read\" (24), " |
|
"\"Authorize to Deny Write\" (25), and \"Authorize to " |
|
"Deny Execute\" (26): each of these values indicates that " |
|
"the Subject is permitted to add value named in the " |
|
"string to - or remove the value from - the Activities " |
|
"array property in any other instance of " |
|
"CIM_AssociatedPrivilege that references the same Target. " |
|
"For example, \"Authorize to Read\" indicates that the " |
|
"Subject is permitted to add or remove the value \"Read\", " |
|
"and \"Authorize to Deny Read\" indicates that the " |
|
"Subject is permitted to add or remove the value \"Deny " |
|
"Read\"." ), |
|
ValueMap { "1", "2", "3", "4", "5", "6", "7", "8", "9", "10", |
|
"11", "12", "13", "14", "15", "16", "17", "18", "19", |
|
"20", "21", "22", "23", "24", "25", "26", "..", "16000.." }, |
|
Values { "Other", "Create", "Delete", "Detect", "Read", |
|
"Write", "Execute", "Deny Create", "Deny Delete", |
|
"Deny Detect", "Deny Read", "Deny Write", "Deny Execute", |
|
"Authorize to Grant/Deny Authorization", |
|
"Authorize to Create", "Authorize to Delete", |
|
"Authorize to Detect", "Authorize to Read", |
|
"Authorize to Write", "Authorize to Execute", |
|
"Authorize to Deny Create", "Authorize to Deny Delete", |
|
"Authorize to Deny Detect", "Authorize to Deny Read", |
|
"Authorize to Deny Write", "Authorize to Deny Execute", |
|
"DMTF Reserved", "Vendor Reserved" }, |
|
ArrayType ( "Indexed" ), |
|
ModelCorrespondence { |
|
"CIM_AssociatedPrivilege.ActivityQualifiers" }] |
|
uint16 Activities[]; |
|
|
|
[Description ( |
|
"The ActivityQualifiers property is an array of string " |
|
"values used to further qualify and specify the " |
|
"privileges granted or denied. For example, it is used to " |
|
"specify a set of files for which \'Read\'/\'Write\' " |
|
"access is permitted or denied. Or, it defines a class\' " |
|
"methods that may be \'Executed\'. Details on the " |
|
"semantics of the individual entries in " |
|
"ActivityQualifiers are provided by corresponding entries " |
|
"in the QualifierFormats array." ), |
|
ArrayType ( "Indexed" ), |
|
ModelCorrespondence { "CIM_AssociatedPrivilege.Activities", |
|
"CIM_AssociatedPrivilege.QualifierFormats" }] |
|
string ActivityQualifiers[]; |
|
|
|
[Description ( |
|
"Defines the semantics of corresponding entries in the " |
|
"ActivityQualifiers array. An example of each of these " |
|
"\'formats\' and their use follows: \n" |
|
"- 2=Class Name. Example: If the authorization target is " |
|
"a CIM Service or a Namespace, then the " |
|
"ActivityQualifiers entries can define a list of classes " |
|
"that the authorized subject is able to create or delete. \n" |
|
"- 3=<Class.>Property. Example: If the authorization " |
|
"target is a CIM Service, Namespace or Collection of " |
|
"instances, then the ActivityQualifiers entries can " |
|
"define the class properties that may or may not be " |
|
"accessed. In this case, the class names are specified " |
|
"with the property names to avoid ambiguity - since a CIM " |
|
"Service, Namespace or Collection could manage multiple " |
|
"classes. On the other hand, if the authorization target " |
|
"is an individual instance, then there is no possible " |
|
"ambiguity and the class name may be omitted. To specify " |
|
"ALL properties, the wildcard string \"*\" should be " |
|
"used. \n" |
|
"- 4=<Class.>Method. This example is very similar to the " |
|
"Property one, above. And, as above, the string \"*\" may " |
|
"be specified to select ALL methods. \n" |
|
"- 5=Object Reference. Example: If the authorization " |
|
"target is a CIM Service or Namespace, then the " |
|
"ActivityQualifiers entries can define a list of object " |
|
"references (as strings) that the authorized subject can " |
|
"access. \n" |
|
"- 6=Namespace. Example: If the authorization target is a " |
|
"CIM Service, then the ActivityQualifiers entries can " |
|
"define a list of Namespaces that the authorized subject " |
|
"is able to access. \n" |
|
"- 7=URL. Example: An authorization target may not be " |
|
"defined, but a Privilege could be used to deny access to " |
|
"specific URLs by individual Identities or for specific " |
|
"Roles, such as the \'under 17\' Role. \n" |
|
"- 8=Directory/File Name. Example: If the authorization " |
|
"target is a FileSystem, then the ActivityQualifiers " |
|
"entries can define a list of directories and files whose " |
|
"access is protected. \n" |
|
"- 9=Command Line Instruction. Example: If the " |
|
"authorization target is a ComputerSystem or Service, " |
|
"then the ActivityQualifiers entries can define a list of " |
|
"command line instructions that may or may not be " |
|
"\'Executed\' by the authorized subjects. \n" |
|
"- 10=SCSI Command, using a format of \'CDB=xx[,Page=pp]\'. " |
|
"For example, the ability to select the VPD page of the " |
|
"Inquiry command is encoded as \'CDB=12,Page=83\' in the " |
|
"corresponding ActivityQualifiers entry. A \'*\' may be " |
|
"used to indicate all CDBs or Page numbers. \n" |
|
"- 11=Packets. Example: The transmission of packets is " |
|
"permitted or denied by the Privilege for the target (a " |
|
"ComputerSystem, ProtocolEndpoint, Pipe, or other ManagedSystemElement).\n" |
|
"- 12=Specification-defined. The semantics are defined in " |
|
"a a specification produced by the DMTF or other " |
|
"organization. The value of the corresponding " |
|
"ActivityQualifiers entry names the specification and the " |
|
"organization that produced it, and includes a label that " |
|
"unambiguously references the semantic definition within " |
|
"the specification. The value of of the corresponding " |
|
"ActivityQualifiers entry should be constructed using the " |
|
"following \"preferred\" algorithm: \n" |
|
"<OrgID>:<SpecID>:<Label>, where <OrgID>, <SpecID>, and " |
|
"<Label> are separated by a colon (:), and where <OrgID> " |
|
"shall include a copyrighted, trademarked, or otherwise " |
|
"unique name that is owned by the business entity that is " |
|
"creating or defining the InstanceID or that is a " |
|
"registered ID assigned to the business entity by a " |
|
"recognized global authority. (This requirement is " |
|
"similar to the <Schema Name>_<Class Name> structure of " |
|
"Schema class names.) In addition, to ensure uniqueness " |
|
"both <OrgID> and <SpecID> shall not contain a colon " |
|
"(\':\'). When using this algorithm, the first colon to " |
|
"appear in the corresponding ActivityQualifiers entry " |
|
"shall appear between <OrgID> and <SpecID> and the second " |
|
"colon to appear in the corresponding ActivityQualifiers " |
|
"entry shall appear between <SpecID> and <Label>. \n" |
|
"<Label> is chosen by the business entity and should not " |
|
"be reused to identify different underlying semantics. If " |
|
"the above \"preferred\" algorithm is not used, the " |
|
"defining entity must assure that the resulting value is " |
|
"not reused to refer to a different specification or " |
|
"different semantics within defined within the same specification.\n" |
|
"For DMTF-defined instances, the \"preferred\" algorithm " |
|
"shall be used with the <OrgID> set to \"DMTF\", and the " |
|
"<SpecID> set to \"DSPx\", where x is the number of a DSP " |
|
"published by the DMTF." ), |
|
ValueMap { "2", "3", "4", "5", "6", "7", "8", "9", "10", |
|
"11", "12", "..", "16000.." }, |
|
Values { "Class Name", "<Class.>Property", "<Class.>Method", |
|
"Object Reference", "Namespace", "URL", |
|
"Directory/File Name", "Command Line Instruction", |
|
"SCSI Command", "Packets", "Specification-defined", |
|
"DMTF Reserved", "Vendor Reserved" }, |
|
ArrayType ( "Indexed" ), |
|
ModelCorrespondence { |
|
"CIM_AssociatedPrivilege.ActivityQualifiers" }] |
|
uint16 QualifierFormats[]; |
|
|
|
[Description ( |
|
"The RepresentsAuthorizationRights flag indicates whether " |
|
"the rights defined by this instance shall be interpreted " |
|
"as rights of Subjects to access Targets or as rights of " |
|
"Subjects to change those rights on/for Targets." )] |
|
boolean RepresentsAuthorizationRights = false; |
|
|
|
|
|
}; |