
File: [Pegasus] / pegasus / Schemas / CIM25 / CIM_User25.mof (download)
Revision: 1.2, Thu Dec 13 14:53:13 2001 UTC (22 years, 5 months ago) by mike
Changes since 1.1: +20 -17 lines
Merged dev branch into main trunk.

// ===================================================================
// Title:       User-Security MOF specification 2.5
// Filename:    CIM_UserSec25a.mof
// Version:     2.5
// Release:     0
// Date:        01/23/2001
// Description: These object classes define the user and security
//              model for CIM and include classes needed to represent
//              users, groups and organizational entities as well as 
//              security services and authentication and authorization 
//              information.
//              The object classes below are listed in an order that
//              avoids forward references. Required objects, defined 
//		    by other working groups, are omitted. 
// ===================================================================
// Author:      DMTF User and Security Working Group
//
// 14 Mar 2000  - Version 2.3
//
// 09 Jun 2000  - ERRATA to Version 2.3 creating V2.4
//		- CR493a, Correction of Antecedent/Dependent references
//			References are reversed from the original 2.3 model
//		- CR497: Corrections to antecedent/dependent references
//			1.  ElementAsUser should run between an ME and a 
//                UsersAccess.  Both references are ME in the MOF.  
//                UsersAccess is the Dependent reference.
//
//			2.  ManagesAccount should subclass from Dependency.
//
//			3.  ServiceUsesSecurityService - antecedent and 
//                dependent are backwards.  SecurityService should 
//			be the antecedent and Service the dependent.
//
//			4.  SecurityServiceForSystem - should subclass from 
//			ProvidesServiceToElement.
//
//			5.  UsersCredentials - The antecedent and dependent 
//			references are backwards.  The UsersAccess is 
//			dependent on the Credentials - the credentials 
//			are the antecedent.
//
//			6.  The change in UsersCredentials affects 
//			PublicPrivateKeyPair, since it inherits from 
//			UsersCredentials.
//
//			7.  CAHasPublicCertificate - The antecedent and 
//			dependent references are backwards.  The CA USES 
//			the public certificate - therefore, it is dependent
//			on the certificate.
//
//			8.  AuthenticateForUse - The antecedent and 
//			dependent are backwards. The association "provides 
//			an AuthenticationService with the 
//			AuthenticationRequirement it needs to do its job". 
//			AuthenticationService is Dependent on the 
//			Requirement.
//
//			9.  RequireCredentialsFrom - Antecedent and 
//			dependent are backwards.  The requirement is for 
//			a specific credential mgmt service - the service 
//			has no dependencies at all on the requirement.
//
//			10.  AuthenticationTarget - Clarification that the 
//			"target" is dependent on the requirement to protect 
//			it.
//
//			11.  AuthorizedUse - The antecedent and dependent 
//			are backwards since the description says that the 
//			association "provides an AuthorizationService
//			with the AccessControlInformation it needs to do 
//			its job". AuthorizationService is Dependent on the 
//			ACI.
//
// 21 June 2000 - ERRATA to Version 2.3 creating Version 2.4
//          - CR515: CIM Account keys.  CIM_Account currently has two
//			local keys, Name and UserID. 
//                The intent was to have CreationClassName and Name 
//			as keys where name could be set to a value equal to 
//			the UserID or to some other value, e.g., a DN from 
//			a directory.
//
// 10 Nov 2000  - Changes to Version 2.4 creating V2.5
//          - CR544a, Adds classes and properties needed for Network 
//                IPsec submodel.  
//                Classes added are:
//			CredentialManagementSAP 
//                LocalCredentialManagementService
//                PublicKeyManagementService
//                UnsignedPublicKey
//                NamedSharedIKESecret
//                TrustHierarchy
//                LocallyManagedPublicKey
//                IKESecretIsNamed
//                Properties added are:
//                CertificateAuthority.CADistinguishedName
//                CertificateAuthority.MaxChainLength
//                CertificateAuthority.CRLRefreshFrequency
//          - CR560, ERRATA renames KerberosTicket.Type to 
//                KerberosTicket.TicketType and changes it from an
//                array to a scalar property 
// 23 Jan 2001  - ERRATA to Version 2.5 creating V2.6
//          - CR591, Corrections to PROPAGATE qualifiers on 
//			Credential Subclasses
//
// ===================================================================

// ===================================================================
// ===                         Pragmas                             ===
// ===================================================================
#pragma Locale ("en_US")



// ==================================================================
// ===                  Data class definitions                    ===
// ==================================================================


// ==================================================================
// Group
//
// Collection of ManagedElements, keyed by (CreationClassName, Name).
//
// Review notes for implementers:
//   - Name may carry an LDAP distinguishedName (see its Description).
//     Code that places this value into an LDAP DN or search filter
//     should escape it (RFC 4514 / RFC 4515) rather than concatenate.
//   - MaxLen is a declared limit only; whether the CIM server rejects
//     over-long values is not shown in this file, so a provider
//     should check lengths itself (TODO confirm for the target server).
//   - CommonName is Required but declares no MaxLen.
// ==================================================================
[Description (
    "The Group class is used to collect ManagedElements into groups. "
    "This class is defined so as to incorporate commonly-used LDAP "
    "attributes to permit implementations to easily derive this "
    "information from LDAP-accessible directories.  This class's "
    "properties are a subset of a related class, "
    "OtherGroupInformation, which defines all the group properties "
    "and in array form for directory compatibility.")]
class CIM_Group : CIM_Collection
{
    // Key 1 of 2: concrete class used to create the instance.
    [Key, MaxLen (256), Description (
        "CreationClassName indicates the name of the class or the "
        "subclass used in the creation of an instance. When used "
        "with the other key properties of this class, this property "
        "allows all instances of this class and its subclasses to "
        "be uniquely identified.")]
    string CreationClassName;

    // Key 2 of 2: label of the group; may be an LDAP DN.
    [Key, MaxLen (1024), Description (
        "The Name property defines the label by which the object is "
        "known. In the case of an LDAP-derived instance, the Name "
        "property value may be set to the distinguishedName of the "
        "LDAP-accessed object instance.")]
    string Name;

    // Optional, single-valued here.
    [MaxLen (128), Description (
        "The BusinessCategory property may be used to describe the "
        "kind of business activity performed by the members of the "
        "group.")]
    string BusinessCategory;

    // Mandatory display name; explicitly "possibly ambiguous", so it
    // is not an identifier -- the keys above are.
    [Required, Description (
        "A Common Name is a (possibly ambiguous) name by which the "
        "group is commonly known in some limited scope (such as an "
        "organization) and conforms to the naming conventions of the "
        "country or culture with which it is associated.")]
    string CommonName;
};

// ==================================================================
// OtherGroupInformation
//
// Supplementary, directory-style attributes for a Group instance.
// Keyed by (CreationClassName, Name); every non-key property is an
// array.
//
// Review notes for implementers:
//   - Owner and SeeAlso are plain strings that may hold LDAP
//     distinguishedNames. Nothing in this declaration ties them to an
//     existing instance, so treat them as descriptive data and do not
//     use Owner as an authorization input unless the provider has
//     validated it.
//   - ObjectClass, CommonName, OrganizationName, OU, Owner and SeeAlso
//     declare no MaxLen.
//   - NOTE(review): MaxLen on an array property presumably bounds
//     each element, not the element count -- confirm against the CIM
//     specification in use.
// ==================================================================
[Description (
    "The OtherGroupInformation class provides additional information "
    "about an associated Group instance.  This class is defined so as "
    "to incorporate commonly-used LDAP attributes to permit "
    "implementations to easily derive this information from "
    "LDAP-accessible directories.")]
class CIM_OtherGroupInformation : CIM_ManagedElement
{
    // Key 1 of 2: concrete class used to create the instance.
    [Key, MaxLen (256), Description (
        "CreationClassName indicates the name of the class or the "
        "subclass used in the creation of an instance. When used "
        "with the other key properties of this class, this property "
        "allows all instances of this class and its subclasses to "
        "be uniquely identified.")]
    string CreationClassName;

    // Key 2 of 2: label of the object; may be an LDAP DN.
    [Key, MaxLen (1024), Description (
        "The Name property defines the label by which the object is "
        "known. In the case of an LDAP-derived instance, the Name "
        "property value may be set to the distinguishedName of the "
        "LDAP-accessed object instance.")]
    string Name;

    // Mirror of the LDAP objectClass attribute values.
    [Description (
        "In the case of an LDAP-derived instance, the ObjectClass "
        "property value(s) may be set to the objectClass attribute "
        "values.")]
    string ObjectClass[];

    // Multi-valued counterpart of the Group property of the same name.
    [MaxLen (128), Description (
        "The BusinessCategory property may be used to describe the "
        "kind of business activity performed by the members of the "
        "group.")]
    string BusinessCategory[];

    // Multi-valued; not Required here.
    [Description (
        "A Common Name is a (possibly ambiguous) name by which the "
        "group is commonly known in some limited scope (such as an "
        "organization) and conforms to the naming conventions of the "
        "country or culture with which it is associated.")]
    string CommonName[];

    // Holds the multi-valued LDAP description attribute.
    [MaxLen (1024), Description (
        "The Descriptions property values may contain human-readable "
        "descriptions of the object.  In the case of an LDAP-derived "
        "instance, the description attribute may have multiple values "
        "that, therefore, cannot be placed in the inherited "
        "Description property.")]
    string Descriptions[];

    [Description (
        "The name of an organization related to the group.")]
    string OrganizationName[];

    [Description (
        "The name of an organizational unit related to the group.")]
    string OU[];

    // Free-form names or DNs; see the note on Owner in the header.
    [Description (
        "The Owner property specifies the name of some object that "
        "has some responsibility for the group.  In the case of an "
        "LDAP-derived instance, a property value for Owner may be a "
        "distinguishedName of owning persons, groups, roles, etc.")]
    string Owner[];

    // DNs of related directory objects.
    [Description (
        "In the case of an LDAP-derived instance, the See Also "
        "property specifies distinguishedName of other Directory "
        "objects which may be other aspects (in some sense) of the "
        "same real world object.")]
    string SeeAlso[];
};

// ==================================================================
// Role
//
// A position or set of responsibilities, filled by "role occupants".
// Keyed by (CreationClassName, Name).
//
// Review notes for implementers:
//   - The Description includes "system administration scope", so Role
//     instances may feed authorization decisions; if they do, writes
//     to Role instances should be access-controlled accordingly
//     (presumably -- confirm how the consuming system uses them).
//   - Name may carry an LDAP distinguishedName; escape it
//     (RFC 4514 / RFC 4515) before using it in a DN or search filter.
//   - CommonName is Required but declares no MaxLen.
//   - NOTE(review): the class Description says OtherRoleInformation
//     "defines all the group properties"; this looks carried over
//     from CIM_Group. The string is left as published.
// ==================================================================
[Description (
    "The Role object class is used to represent a position or set of "
    "responsibilities within an organization, organizational unit or "
    "system administration scope and is filled by a person or persons "
    "(or non-human entities represented by ManagedSystemElement "
    "subclasses) that may be explicitly or implicitly members of this "
    "collection subclass.  The class is defined so as to incorporate "
    "commonly-used LDAP attributes to permit implementations to "
    "easily derive this information from LDAP-accessible directories. "
    "The members of a role are frequently called role occupants. "
    "This class's properties are a subset of a related class, "
    "OtherRoleInformation, which defines all the group properties "
    "and in array form for directory compatibility. ")]
class CIM_Role : CIM_Collection
{
    // Key 1 of 2: concrete class used to create the instance.
    [Key, MaxLen (256), Description (
        "CreationClassName indicates the name of the class or the "
        "subclass used in the creation of an instance. When used "
        "with the other key properties of this class, this property "
        "allows all instances of this class and its subclasses to "
        "be uniquely identified.")]
    string CreationClassName;

    // Key 2 of 2: label of the role; may be an LDAP DN.
    [Key, MaxLen (1024), Description (
        "The Name property defines the label by which the object is "
        "known. In the case of an LDAP-derived instance, the Name "
        "property value may be set to the distinguishedName of the "
        "LDAP-accessed object instance.")]
    string Name;

    // Optional, single-valued here.
    [MaxLen (128), Description (
        "This property may be used to describe the kind of business "
        "activity performed by the members (role occupants) in the "
        "position or set of responsibilities represented by the Role. ")]
    string BusinessCategory;

    // Mandatory display name; "possibly ambiguous", so not an
    // identifier -- the keys above are.
    [Required, Description (
        "A Common Name is a (possibly ambiguous) name by which the "
        "role is commonly known in some limited scope (such as an "
        "organization) and conforms to the naming conventions of the "
        "country or culture with which it is associated.")]
    string CommonName;
};

// ==================================================================
// OtherRoleInformation
//
// Supplementary, directory-style attributes for a Role instance.
// Keyed by (CreationClassName, Name). Every non-key property is an
// array except PreferredDeliveryMethod.
//
// Review notes for implementers:
//   - Most properties here are contact data for the role occupants
//     (postal address, telephone, facsimile, telex, X.121). Read
//     access to instances of this class should be restricted the way
//     the backing directory restricts these attributes.
//   - Several properties declare no MaxLen (ObjectClass, CommonName,
//     FacsimileTelephoneNumber, OU, PostalAddress,
//     PreferredDeliveryMethod, RegisteredAddress, SeeAlso,
//     StateOrProvince, TeletexTerminalIdentifier, TelexNumber).
//   - SeeAlso may hold LDAP distinguishedNames; escape before reuse
//     in a DN or search filter (RFC 4514 / RFC 4515).
//   - NOTE(review): the TelephoneNumber Description ends with an
//     unmatched ")"; the string is left as published.
// ==================================================================
[Description (
    "The OtherRoleInformation class is used to provide additional "
    "information about an associated Role instance.  This class is "
    "defined so as to incorporate commonly-used LDAP attributes to "
    "permit implementations to easily derive this information from "
    "LDAP-accessible directories.")]
class CIM_OtherRoleInformation : CIM_ManagedElement
{
    // Key 1 of 2: concrete class used to create the instance.
    [Key, MaxLen (256), Description (
        "CreationClassName indicates the name of the class or the "
        "subclass used in the creation of an instance. When used "
        "with the other key properties of this class, this property "
        "allows all instances of this class and its subclasses to "
        "be uniquely identified.")]
    string CreationClassName;

    // Key 2 of 2: label of the object; may be an LDAP DN.
    [Key, MaxLen (1024), Description (
        "The Name property defines the label by which the object is "
        "known. In the case of an LDAP-derived instance, the Name "
        "property value may be set to the distinguishedName of the "
        "LDAP-accessed object instance.")]
    string Name;

    // Mirror of the LDAP objectClass attribute values.
    [Description (
        "In the case of an LDAP-derived instance, the ObjectClass "
        "property value(s) may be set to the objectClass attribute "
        "values.")]
    string ObjectClass[];

    // Multi-valued counterpart of the Role property of the same name.
    [MaxLen (128), Description (
        "This property may be used to describe the kind of business "
        "activity performed by the members (role occupants) in the "
        "position or set of responsibilities represented by the Role. ")]
    string BusinessCategory[];

    // Multi-valued; not Required here.
    [Description (
        "A Common Name is a (possibly ambiguous) name by which the "
        "role is commonly known in some limited scope (such as an "
        "organization) and conforms to the naming conventions of the "
        "country or culture with which it is associated.")]
    string CommonName[];

    // Holds the multi-valued LDAP description attribute.
    [MaxLen (1024), Description (
        "The Descriptions property values may contain human-readable "
        "descriptions of the object.  In the case of an LDAP-derived "
        "instance, the description attribute may have multiple values "
        "that, therefore, cannot be placed in the inherited "
        "Description property.")]
    string Descriptions[];

    // ---- Contact data for the role occupants ----

    [MaxLen (128), Description (
        "This property is used for the role occupants' telegram "
        "service.")]
    string DestinationIndicator[];

    [Description (
        "The role occupants' facsimile telephone number.")]
    string FacsimileTelephoneNumber[];

    [MaxLen (16), Description (
        "The role occupants' International ISDN number.")]
    string InternationaliSDNNumber[];

    [Description (
        "The name of an organizational unit related to the role.")]
    string OU[];

    [MaxLen (128), Description (
        "The Physical Delivery Office Name property specifies the name "
        "of the city, village, etc. where a physical delivery office "
        "is situated.")]
    string PhysicalDeliveryOfficeName[];

    [Description (
        "The Postal Address property values specify the address "
        "information required for the physical delivery of postal "
        "messages by the postal authority to the role occupants.")]
    string PostalAddress[];

    [MaxLen (40), Description (
        "The Postal Code property specifies the postal code for the "
        "role occupants.  If this value is present it will be part of "
        "the object's postal address.")]
    string PostalCode[];

    [MaxLen (40), Description (
        "The Post Office Box property specifies the Post Office Box "
        "by which the role occupants will receive physical postal "
        "delivery. If present, the property value is part of the "
        "object's postal address.")]
    string PostOfficeBox[];

    // The only scalar non-key property in this class.
    [Description (
        "The Preferred Delivery Method property specifies the "
        "role occupants' preferred method to be used for contacting "
        "them in their role.")]
    string PreferredDeliveryMethod;

    [Description (
        "This property specifies a postal address suitable for receipt "
        "of telegrams or expedited documents, where it is necessary to "
        "have the recipient accept delivery.")]
    string RegisteredAddress[];

    // DNs of related directory objects.
    [Description (
        "In the case of an LDAP-derived instance, the See Also "
        "property specifies distinguishedName of other Directory "
        "objects which may be other aspects (in some sense) of the "
        "same real world object.")]
    string SeeAlso[];

    [Description (
        "The State or Province Name property specifies a state or "
        "province.")]
    string StateOrProvince[];

    [MaxLen (128), Description (
        "The Street Address property specifies a site for the local "
        "distribution and physical delivery in a postal address, i.e. "
        "the street name, place, avenue, and the number.")]
    string Street[];

    [MaxLen (32), Description (
        "The Telephone Number property specifies a telephone number of "
        "the role occupants, e.g. + 44 582 10101).")]
    string TelephoneNumber[];

    [Description (
        "The Teletex Terminal Identifier property specifies the "
        "Teletex terminal identifier (and, optionally, parameters) for "
        "a teletex terminal associated with the role occupants.")]
    string TeletexTerminalIdentifier[];

    [Description (
        "The Telex Number property specifies the telex number, country "
        "code, and answerback code of a telex terminal for the "
        "role occupants.")]
    string TelexNumber[];

    [MaxLen (15), Description (
        "An X.121 address for the role occupants.")]
    string X121Address[];
};

// ==================================================================
// OrganizationalEntity
//
// Abstract base with no properties of its own; it exists so that
// classes fitting into an organizational structure share a common
// superclass. Being Abstract, it cannot be instantiated directly.
// ==================================================================
[Abstract, Description (
    "OrganizationalEntity is an abstract class from which classes "
    "that fit into an organizational structure are derived.")]
class CIM_OrganizationalEntity : CIM_ManagedElement
{
};

// ==================================================================
// Organization
//
// A corporation or other autonomous entity. Keyed by
// (CreationClassName, Name); OrganizationName is Required.
//
// Review notes for implementers:
//   - Name may carry an LDAP distinguishedName; escape it
//     (RFC 4514 / RFC 4515) before using it in a DN or search filter.
//   - FacsimileTelephoneNumber, LocalityName, Mail, OrganizationName,
//     PostalAddress and StateOrProvince declare no MaxLen.
//   - Mail is a plain string; this declaration does not constrain it
//     to RFC822 syntax, so validate it before handing it to a mailer.
//   - NOTE(review): the class Description says
//     OtherOrganizationInformation "defines all the group
//     properties", and the TelephoneNumber Description ends with an
//     unmatched ")". Both strings are left as published.
// ==================================================================
[Description (
    "The Organization class is used to represent an organization such "
    "as a corporation or other autonomous entity.  The class is "
    "defined so as to incorporate commonly-used LDAP attributes to "
    "permit implementations to easily derive this information from "
    "LDAP-accessible directories.  This class's properties are a "
    "subset of a related class, OtherOrganizationInformation, which "
    "defines all the group properties and in array form for "
    "directory compatibility.")]
class CIM_Organization : CIM_OrganizationalEntity
{
    // Key 1 of 2: concrete class used to create the instance.
    [Key, MaxLen (256), Description (
        "CreationClassName indicates the name of the class or the "
        "subclass used in the creation of an instance. When used "
        "with the other key properties of this class, this property "
        "allows all instances of this class and its subclasses to "
        "be uniquely identified.")]
    string CreationClassName;

    // Key 2 of 2: label of the organization; may be an LDAP DN.
    [Key, MaxLen (1024), Description (
        "The Name property defines the label by which the object is "
        "known. In the case of an LDAP-derived instance, the Name "
        "property value may be set to the distinguishedName of the "
        "LDAP-accessed object instance.")]
    string Name;

    [MaxLen (128), Description (
        "This property describes the kind of business performed by an "
        "organization.")]
    string BusinessCategory;

    [Description (
        "The organization's facsimile telephone number.")]
    string FacsimileTelephoneNumber;

    [Description (
        "This property contains the name of a locality, such as a "
        "city, county or other geographic region.")]
    string LocalityName;

    // Mail box address; syntax is not enforced by the declaration.
    [Description (
        "Based on RFC1274, the mail box addresses for the organization "
        "as defined in RFC822.")]
    string Mail;

    // Mandatory human-readable name of the organization.
    [Required, Description (
        "The name of the organization.")]
    string OrganizationName;

    // The only array property in this class.
    [Description (
        "The Postal Address property values specify the address "
        "information required for the physical delivery of postal "
        "messages by the postal authority to the organization.")]
    string PostalAddress[];

    [MaxLen (40), Description (
        "The Postal Code property specifies the postal code of the "
        "organization.  If this value is present it will be part of "
        "the object's postal address.")]
    string PostalCode;

    [Description (
        "The State or Province Name property specifies a state or "
        "province.")]
    string StateOrProvince;

    [MaxLen (32), Description (
        "The Telephone Number property specifies a telephone number of "
        "the organization, e.g. + 44 582 10101).")]
    string TelephoneNumber;
};

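// ==================================================================
// OtherOrganizationInformation
// ==================================================================
// Supplementary, mostly array-valued attributes for an Organization
// instance, shaped after LDAP attributes (see the class Description).
// Instances are keyed by CreationClassName + Name.
//
// NOTE(review): UserPassword below is credential material. No qualifier
// in this declaration limits who may read any property, so confidentiality
// has to come from the CIM server's authorization and from the provider
// that populates instances.
   [Description (
   "The OtherOrganizationInformation class is used to provide "
   "additional information about an associated Organization instance. "
   "This class is defined so as to incorporate commonly-used LDAP "
   "attributes to permit implementations to easily derive this "
   "information from LDAP-accessible directories.") ]
class CIM_OtherOrganizationInformation : CIM_ManagedElement
   {
      // --- Key properties ---
      [Key, MaxLen (256), Description (
         "CreationClassName indicates the name of the class or the "
         "subclass used in the creation of an instance. When used "
         "with the other key properties of this class, this property "
         "allows all instances of this class and its subclasses to "
         "be uniquely identified.")]
   string CreationClassName;
      [Key, MaxLen (1024), Description (
         "The Name property defines the label by which the object is "
         "known. In the case of an LDAP-derived instance, the Name "
         "property value may be set to the distinguishedName of the "
         "LDAP-accessed object instance.")]
   string Name;

      // --- Directory attributes ---
      [Description (
         "In the case of an LDAP-derived instance, the ObjectClass "
         "property value(s) may be set to the objectClass attribute "
         "values.")]
   string ObjectClass[];
      [MaxLen (128), Description (
         "This property describes the kind of business performed by an "
         "organization.")]
   string BusinessCategory[];
      [MaxLen (1024), Description (
         "The Descriptions property values may contain human-readable "
         "descriptions of the object.  In the case of an LDAP-derived "
         "instance, the description attribute may have multiple values "
         "that, therefore, cannot be placed in the inherited "
         "Description property.")]
   string Descriptions[];
      [MaxLen (128), Description (
         "This property is used for the organization's telegram "
         "service.")]
   string DestinationIndicator[];
      [Description (
         "The organization's facsimile telephone number.")]
   string FacsimileTelephoneNumber[];
      [MaxLen (16), Description (
         "The organization's International ISDN number.")]
   string InternationaliSDNNumber[];
      [Description (
         "Uniform Resource Identifier with optional label as defined in "
         "RFC2079.")]
   string LabeledURI[];
      [Description (
         "This property contains the name of a locality, such as a "
         "city, county or other geographic region.")]
   string LocalityName[];
      [Description (
         "Based on RFC1274, the mail box addresses for the organization "
         "as defined in RFC822.")]
   string Mail[];
      [Description (
         "The manager for the organization.  In the case of an "
         "LDAP-derived instance, the Manager property value may contain "
         "the distinguishedName of the Manager.")]
   string Manager[];
      [Description (
         "The name of the organization.")]
   string OrganizationName[];
      [Description (
         "Based on RFC1274, this property may be used for electronic "
         "mail box addresses other than RFC822 and X.400.")]
   string OtherMailbox[];
      [MaxLen (128), Description (
         "The Physical Delivery Office Name property specifies the name "
         "of the city, village, etc. where a physical delivery office "
         "is situated.")]
   string PhysicalDeliveryOfficeName[];
      [Description (
         "The Postal Address property values specify the address "
         "information required for the physical delivery of postal "
         "messages by the postal authority to the organization.")]
   string PostalAddress[];
      [MaxLen (40), Description (
         "The Postal Code property specifies the postal code of the "
         "organization.  If this value is present it will be part of "
         "the object's postal address.")]
   string PostalCode[];
      [MaxLen (40), Description (
         "The Post Office Box property specifies the Post Office Box "
         "by which the organization will receive physical postal "
         "delivery. If present, the property value is part of the "
         "object's postal address.")]
   string PostOfficeBox[];
      // Scalar, unlike most properties of this class.
      [Description (
         "The Preferred Delivery Method property specifies the "
         "organization's preferred method to be used for communicating "
         "with it.")]
   string PreferredDeliveryMethod;
      [Description (
         "This property specifies a postal address suitable for receipt "
         "of telegrams or expedited documents, where it is necessary to "
         "have the recipient accept delivery.")]
   string RegisteredAddress[];
      [Description (
         "This property value is for use by X.500 clients in "
         "constructing search filters.")]
   string SearchGuide[];
      [Description (
         "In the case of an LDAP-derived instance, the See Also "
         "property specifies distinguishedName of other Directory "
         "objects which may be other aspects (in some sense) of the "
         "same real world object.")]
   string SeeAlso[];
      [Description (
         "The State or Province Name property specifies a state or "
         "province.")]
   string StateOrProvince[];
      [MaxLen (128), Description (
         "The Street Address property specifies a site for the local "
         "distribution and physical delivery in a postal address, i.e. "
         "the street name, place, avenue, and the number.")]
   string Street[];
      [MaxLen (32), Description (
         "The Telephone Number property specifies a telephone number of "
         "the organization, e.g. + 44 582 10101.")]
   string TelephoneNumber[];
      [Description (
         "The Teletex Terminal Identifier property specifies the "
         "Teletex terminal identifier (and, optionally, parameters) for "
         "a teletex terminal associated with the organization.")]
   string TeletexTerminalIdentifier[];
      [Description (
         "The Telex Number property specifies the telex number, country "
         "code, and answerback code of a telex terminal for the "
         "organization.")]
   string TelexNumber[];
      // Binary value carried in a string array via the Octetstring qualifier.
      [Octetstring, Description (
         "An image of the organization logo")]
   string ThumbnailLogo[];
      [Description (
         "A unique identifier that may be assigned in an environment to "
         "differentiate between uses of a given named organization "
         "instance.")]
   string UniqueIdentifier[];
      // NOTE(review): sensitive. The Description only says the value "may"
      // be encrypted; nothing here enforces a storage scheme, so a provider
      // that copies this from a directory exposes whatever the directory
      // holds. Providers should leave it unset unless a consumer needs it,
      // and read access should be restricted in the CIM server.
      [Octetstring, Description (
         "In the case of an LDAP-derived instance, the UserPassword "
         "property may contain an encrypted password used to access "
         "the organization's resources in a directory.")]
   string UserPassword[];
      [MaxLen (15), Description (
         "An X.121 address for the organization.")]
   string X121Address[];
   };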

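// ==================================================================
// OrgUnit
// ==================================================================
// A sub-unit of an organization (division, department). Keyed by
// CreationClassName + Name; OU is Required. Per the class Description,
// the properties here are a subset of CIM_OtherOrgUnitInformation, which
// carries them in array form.
   [Description (
   "The OrgUnit class is used to represent a sub-unit of an "
   "organization such as a division or department.  The class is "
   "defined so as to incorporate commonly-used LDAP attributes to "
   "permit implementations to easily derive this information from "
   "LDAP-accessible directories.  This class's properties are a "
   "subset of a related class, OtherOrgUnitInformation, which "
   "defines all the group properties and in array form for "
   "directory compatibility. ") ]
class CIM_OrgUnit : CIM_OrganizationalEntity
   {
      // --- Key properties ---
      [Key, MaxLen (256), Description (
         "CreationClassName indicates the name of the class or the "
         "subclass used in the creation of an instance. When used "
         "with the other key properties of this class, this property "
         "allows all instances of this class and its subclasses to "
         "be uniquely identified.")]
   string CreationClassName;
      [Key, MaxLen (1024), Description (
         "The Name property defines the label by which the object is "
         "known. In the case of an LDAP-derived instance, the Name "
         "property value may be set to the distinguishedName of the "
         "LDAP-accessed object instance.")]
   string Name;

      // --- Directory attributes ---
      [MaxLen (128), Description (
         "This property describes the kind of business performed by an "
         "organizational unit.")]
   string BusinessCategory;
      [Description (
         "The organizational unit's facsimile telephone number.")]
   string FacsimileTelephoneNumber;
      [Description (
         "This property contains the name of a locality, such as a "
         "city, county or other geographic region.")]
   string LocalityName;
      [Required, Description (
         "The name of the organizational unit.")]
   string OU;
      // The only array-valued property in this class.
      [Description (
         "The Postal Address property values specify the address "
         "information required for the physical delivery of postal "
         "messages by the postal authority to the organizational unit.")]
   string PostalAddress[];
      [MaxLen (40), Description (
         "The Postal Code property specifies the postal code of the "
         "organizational unit.  If this value is present it will be "
         "part of the object's postal address.")]
   string PostalCode;
      [Description (
         "The State or Province Name property specifies a state or "
         "province.")]
   string StateOrProvince;
      [MaxLen (32), Description (
         "The Telephone Number property specifies a telephone number of "
         "the organizational unit, e.g. + 44 582 10101.")]
   string TelephoneNumber;
   };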

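// ==================================================================
// OtherOrgUnitInformation
// ==================================================================
// Supplementary, mostly array-valued attributes for an OrgUnit instance,
// shaped after LDAP attributes (see the class Description). Instances
// are keyed by CreationClassName + Name.
//
// NOTE(review): UserPassword below is credential material. No qualifier
// in this declaration limits who may read any property, so confidentiality
// has to come from the CIM server's authorization and from the provider
// that populates instances.
   [Description (
   "The OtherOrgUnitInformation class is used to provide "
   "additional information about an associated OrgUnit instance. "
   "This class is defined so as to incorporate commonly-used LDAP "
   "attributes to permit implementations to easily derive this "
   "information from LDAP-accessible directories.") ]
class CIM_OtherOrgUnitInformation : CIM_ManagedElement
   {
      // --- Key properties ---
      [Key, MaxLen (256), Description (
         "CreationClassName indicates the name of the class or the "
         "subclass used in the creation of an instance. When used "
         "with the other key properties of this class, this property "
         "allows all instances of this class and its subclasses to "
         "be uniquely identified.")]
   string CreationClassName;
      [Key, MaxLen (1024), Description (
         "The Name property defines the label by which the object is "
         "known. In the case of an LDAP-derived instance, the Name "
         "property value may be set to the distinguishedName of the "
         "LDAP-accessed object instance.")]
   string Name;

      // --- Directory attributes ---
      [Description (
         "In the case of an LDAP-derived instance, the ObjectClass "
         "property value(s) may be set to the objectClass attribute "
         "values.")]
   string ObjectClass[];
      [MaxLen (128), Description (
         "This property describes the kind of business performed by an "
         "organizational unit.")]
   string BusinessCategory[];
      [MaxLen (1024), Description (
         "The Descriptions property values may contain human-readable "
         "descriptions of the object.  In the case of an LDAP-derived "
         "instance, the description attribute may have multiple values "
         "that, therefore, cannot be placed in the inherited "
         "Description property.")]
   string Descriptions[];
      [MaxLen (128), Description (
         "This property is used for the organizational unit's telegram "
         "service.")]
   string DestinationIndicator[];
      [Description (
         "The organizational unit's facsimile telephone number.")]
   string FacsimileTelephoneNumber[];
      [MaxLen (16), Description (
         "The organizational unit's International ISDN number.")]
   string InternationaliSDNNumber[];
      [Description (
         "This property contains the name of a locality, such as a "
         "city, county or other geographic region.")]
   string LocalityName[];
      [Description (
         "The name of the organizational unit.")]
   string OU[];
      [MaxLen (128), Description (
         "The Physical Delivery Office Name property specifies the name "
         "of the city, village, etc. where a physical delivery office "
         "is situated.")]
   string PhysicalDeliveryOfficeName[];
      [Description (
         "The Postal Address property values specify the address "
         "information required for the physical delivery of postal "
         "messages by the postal authority to the organizational unit.")]
   string PostalAddress[];
      [MaxLen (40), Description (
         "The Postal Code property specifies the postal code of the "
         "organizational unit.  If this value is present it will be "
         "part of the object's postal address.")]
   string PostalCode[];
      [MaxLen (40), Description (
         "The Post Office Box property specifies the Post Office Box "
         "by which the organizational unit will receive physical "
         "postal delivery. If present, the property value is part of "
         "the object's postal address.")]
   string PostOfficeBox[];
      // Scalar, unlike most properties of this class.
      [Description (
         "The Preferred Delivery Method property specifies the "
         "organizational unit's preferred method to be used for "
         "communicating with it.")]
   string PreferredDeliveryMethod;
      [Description (
         "This property value is for use by X.500 clients in "
         "constructing search filters.")]
   string SearchGuide[];
      [Description (
         "In the case of an LDAP-derived instance, the See Also "
         "property specifies distinguishedName of other Directory "
         "objects which may be other aspects (in some sense) of the "
         "same real world object.")]
   string SeeAlso[];
      [Description (
         "The State or Province Name property specifies a state or "
         "province.")]
   string StateOrProvince[];
      [MaxLen (128), Description (
         "The Street Address property specifies a site for the local "
         "distribution and physical delivery in a postal address, i.e. "
         "the street name, place, avenue, and the number.")]
   string Street[];
      [MaxLen (32), Description (
         "The Telephone Number property specifies a telephone number of "
         "the organizational unit, e.g. + 44 582 10101.")]
   string TelephoneNumber[];
      [Description (
         "The Teletex Terminal Identifier property specifies the "
         "Teletex terminal identifier (and, optionally, parameters) for "
         "a teletex terminal associated with the organizational unit.")]
   string TeletexTerminalIdentifier[];
      [Description (
         "The Telex Number property specifies the telex number, country "
         "code, and answerback code of a telex terminal for the "
         "organization.")]
   string TelexNumber[];
      // NOTE(review): sensitive. The Description only says the value "may"
      // be encrypted; nothing here enforces a storage scheme, so a provider
      // that copies this from a directory exposes whatever the directory
      // holds. Providers should leave it unset unless a consumer needs it,
      // and read access should be restricted in the CIM server.
      [Octetstring, Description (
         "In the case of an LDAP-derived instance, the UserPassword "
         "property may contain an encrypted password used to access "
         "the organizational unit's resources in a directory.")]
   string UserPassword[];
      [MaxLen (15), Description (
         "An X.121 address for the organization.")]
   string X121Address[];
   };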

// ==================================================================
// UserEntity
// ==================================================================
// Abstract base with no properties of its own. CIM_Person,
// CIM_OtherPersonInformation and CIM_UsersAccess in this file derive
// from it.
[Abstract,
 Description ("UserEntity is an abstract class that represents users.")]
class CIM_UserEntity : CIM_OrganizationalEntity
{
};

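// ==================================================================
// Person
// ==================================================================
// A person, described with commonly used LDAP attributes. Keyed by
// CreationClassName + Name; CommonName and Surname are Required. Per the
// class Description, the properties here are a subset of
// CIM_OtherPersonInformation, which carries them in array form.
//
// NOTE(review): most properties are personal data (home address, home
// and mobile numbers, photo, employee number). No qualifier in this
// declaration limits who may read them, so read access has to be
// restricted by the CIM server's authorization and by the provider.
   [Description (
   "The Person object class is used to represent people.  The class "
   "is defined so as to incorporate commonly-used LDAP attributes to "
   "permit implementations to easily derive this information from "
   "LDAP-accessible directories.  This class's properties are a "
   "subset of a related class, OtherPersonInformation, which "
   "defines all the group properties and in array form for "
   "directory compatibility. ") ]
class CIM_Person : CIM_UserEntity
   {
      // --- Key properties ---
      [Key, MaxLen (256), Description (
         "CreationClassName indicates the name of the class or the "
         "subclass used in the creation of an instance. When used "
         "with the other key properties of this class, this property "
         "allows all instances of this class and its subclasses to "
         "be uniquely identified.")]
   string CreationClassName;
      [Key, MaxLen (1024), Description (
         "The Name property defines the label by which the object is "
         "known. In the case of an LDAP-derived instance, the Name "
         "property value may be set to the distinguishedName of the "
         "LDAP-accessed object instance.")]
   string Name;

      // --- Directory attributes ---
      [MaxLen (128), Description (
         "This property describes the kind of business performed by an "
         "organization.")]
   string BusinessCategory;
      [Required, Description (
         "A Common Name is a (possibly ambiguous) name by which the "
         "role is commonly known in some limited scope (such as an "
         "organization) and conforms to the naming conventions of the "
         "country or culture with which it is associated.")]
   string CommonName;
      [Description (
         "Based on inetOrgPerson, the Employee Number property "
         "specifies a numeric or an alphanumeric identifier assigned to "
         "a person.")]
   string EmployeeNumber;
      [Description (
         "Based on inetOrgPerson, the Employee Type property is used to "
         "identify the employer to employee relationship.  Typical "
         "values used may include 'Contractor', 'Employee', 'Intern', "
         "'Temp', 'External', and 'Unknown' but any value may be used.")]
   string EmployeeType;
      [Description (
         "The person's facsimile telephone number.")]
   string FacsimileTelephoneNumber;
      [MaxLen (32), Description (
         "Based on RFC1274, the Home Phone property specifies a home "
         "telephone number for the person, e.g. + 44 582 10101.")]
   string HomePhone;
      [Description (
         "The Home Postal Address property values specify the home "
         "address information required for the physical delivery of "
         "postal messages by the postal authority.")]
   string HomePostalAddress[];
      // NOTE(review): image data in a scalar string with no Octetstring
      // qualifier, although the Description speaks of "one or more images";
      // Photo and ThumbnailPhoto in CIM_OtherPersonInformation do carry
      // Octetstring. The encoding is presumably left to the provider -
      // confirm before consuming this value.
      [Description (
         "From inetOrgPerson, the JPEG Photo property values may be used "
         "for one or more images of a person using the JPEG File "
         "Interchange Format.")]
   string JPEGPhoto;
      [Description (
         "This property contains the name of a locality, such as a "
         "city, county or other geographic region.")]
   string LocalityName;
      [Description (
         "Based on RFC1274, the mail box addresses for the person "
         "as defined in RFC822.")]
   string Mail;
      [Description (
         "The person's manager within the organization.  In the case of "
         "an LDAP-derived instance, the Manager property value may "
         "contain the distinguishedName of the Manager.")]
   string Manager;
      [MaxLen (32), Description (
         "Based on RFC1274, the Mobile Phone property specifies a "
         "mobile telephone number for the person, e.g. + 44 582 10101.")]
   string Mobile;
      [Description (
         "The name of an organizational unit related to the person.")]
   string OU;
      [MaxLen (32), Description (
         "Based on RFC1274, the Pager property specifies a pager "
         "telephone number for the person, e.g. + 44 582 10101.")]
   string Pager;
      [Description (
         "The Postal Address property values specify the address "
         "information required for the physical delivery of postal "
         "messages by the postal authority to the person.")]
   string PostalAddress[];
      [MaxLen (40), Description (
         "The Postal Code property specifies the postal code of the "
         "organization.  If this value is present it will be part of "
         "the object's postal address.")]
   string PostalCode;
      [Description (
         "Based on inetOrgPerson, the person's preferred written or "
         "spoken language.")]
   string PreferredLanguage;
      [Description (
         "Based on RFC1274, the Secretary property may be used to "
         "specify a secretary for the person.  In the case of an "
         "LDAP-derived object instance, the value may be a "
         "distinguishedName.")]
   string Secretary;
      [Description (
         "The State or Province Name property specifies a state or "
         "province.")]
   string StateOrProvince;
      [Required, Description (
         "The Surname property specifies the linguistic construct that "
         "normally is inherited by an individual from the individual's "
         "parent or assumed by marriage, and by which the individual is "
         "commonly known.")]
   string Surname;
      [MaxLen (32), Description (
         "The Telephone Number property specifies a telephone number of "
         "the organization, e.g. + 44 582 10101.")]
   string TelephoneNumber;
      [Description (
         "The Title property may be used to specify the person's "
         "designated position or function of the object within an "
         "organization, e.g., Manager, Vice-President, etc.")]
   string Title;
   };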

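// ==================================================================
// OtherPersonInformation
// ==================================================================
// Supplementary, mostly array-valued attributes for a Person instance,
// shaped after LDAP attributes (see the class Description). Keyed by
// CreationClassName + Name; OrganizationName is Required. Unlike the
// other two Other*Information classes in this file, which derive from
// CIM_ManagedElement, this one derives from CIM_UserEntity.
//
// NOTE(review): this class mixes personal data (home address, phone
// numbers, photos, audio, car license) with credential material
// (UserPassword, UserPKCS12) and login names (UserID). No qualifier in
// this declaration limits who may read any property, so confidentiality
// has to come from the CIM server's authorization and from the provider
// that populates instances.
   [Description (
   "The OtherPersonInformation class is used to provide "
   "additional information about an associated Person instance. "
   "This class is defined so as to incorporate commonly-used LDAP "
   "attributes to permit implementations to easily derive this "
   "information from LDAP-accessible directories.") ]
class CIM_OtherPersonInformation : CIM_UserEntity
   {
      // --- Key properties ---
      [Key, MaxLen (256), Description (
         "CreationClassName indicates the name of the class or the "
         "subclass used in the creation of an instance. When used "
         "with the other key properties of this class, this property "
         "allows all instances of this class and its subclasses to "
         "be uniquely identified.")]
   string CreationClassName;
      [Key, MaxLen (1024), Description (
         "The Name property defines the label by which the object is "
         "known. In the case of an LDAP-derived instance, the Name "
         "property value may be set to the distinguishedName of the "
         "LDAP-accessed object instance.")]
   string Name;

      // --- Directory attributes ---
      [Description (
         "In the case of an LDAP-derived instance, the ObjectClass "
         "property value(s) may be set to the objectClass attribute "
         "values.")]
   string ObjectClass[];
      [Octetstring, Description (
         "The Audio property may be used to store an audio clip of the "
         "person.")]
   string Audio[];
      [MaxLen (128), Description (
         "This property describes the kind of business performed by an "
         "organization.")]
   string BusinessCategory[];
      [MaxLen (128), Description (
         "The Car License property is used to record the values of the "
         "vehicle license or registration plate associated with an "
         "individual.")]
   string CarLicense[];
      [Description (
         "A Common Name is a (possibly ambiguous) name by which the "
         "role is commonly known in some limited scope (such as an "
         "organization) and conforms to the naming conventions of the "
         "country or culture with which it is associated.")]
   string CommonName[];
      [Description (
         "The Country Name property specifies a country as defined in "
         "ISO 3166.")]
   string CountryName[];
      [Description (
         "Based on inetOrgPerson, the Department Number is a code for "
         "department to which a person belongs.  This can be strictly "
         "numeric (e.g., 1234) or alphanumeric (e.g., ABC/123).")]
   string DepartmentNumber[];
      [MaxLen (1024), Description (
         "The Descriptions property values may contain human-readable "
         "descriptions of the object.  In the case of an LDAP-derived "
         "instance, the description attribute may have multiple values "
         "that, therefore, cannot be placed in the inherited "
         "Description property.")]
   string Descriptions[];
      [MaxLen (128), Description (
         "This property is used for the organization's telegram "
         "service.")]
   string DestinationIndicator[];
      [Description (
         "Based on inetOrgPerson, the Display Name property values are "
         "used when displaying an entry.")]
   string DisplayName[];
      // Scalar, unlike most properties of this class.
      [Description (
         "Based on inetOrgPerson, the Employee Number property "
         "specifies a numeric or an alphanumeric identifier assigned to "
         "a person.")]
   string EmployeeNumber;
      [Description (
         "Based on inetOrgPerson, the Employee Type property is used to "
         "identify the employer to employee relationship.  Typical "
         "values used may include 'Contractor', 'Employee', 'Intern', "
         "'Temp', 'External', and 'Unknown' but any value may be used.")]
   string EmployeeType[];
      [Description (
         "The person's facsimile telephone number.")]
   string FacsimileTelephoneNumber[];
      [Description (
         "Based on liPerson, the GenerationQualifier property specifies "
         "a name qualifier that represents the person's generation "
         "(e.g., JR., III, etc.).")]
   string GenerationQualifier[];
      [Description (
         "The Given Name property is used for the part of a person's "
         "name that is not their surname nor their middle name.")]
   string GivenName[];
      [Description (
         "Based on liPerson, the Home Fax property specifies the "
         "person's facsimile telephone number at home.")]
   string HomeFax[];
      [MaxLen (32), Description (
         "Based on RFC1274, the Home Phone property specifies a home "
         "telephone number for the person, e.g. + 44 582 10101.")]
   string HomePhone[];
      [Description (
         "The Home Postal Address property values specify the home "
         "address information required for the physical delivery of "
         "postal messages by the postal authority.")]
   string HomePostalAddress[];
      [Description (
         "Based on inetOrgPerson, the Initials property specifies the "
         "first letters of the person's name, typically the property "
         "values will exclude the first letter of the surname.")]
   string Initials[];
      [MaxLen (16), Description (
         "The person's International ISDN number.")]
   string InternationaliSDNNumber[];
      // NOTE(review): image data without the Octetstring qualifier that
      // Photo and ThumbnailPhoto below carry; the encoding is presumably
      // left to the provider - confirm before consuming this value.
      [Description (
         "From inetOrgPerson, the JPEG Photo property values may be used "
         "for one or more images of a person using the JPEG File "
         "Interchange Format.")]
   string JPEGPhoto[];
      [Description (
         "Uniform Resource Identifier with optional label as defined in "
         "RFC2079.")]
   string LabeledURI[];
      [Description (
         "This property contains the name of a locality, such as a "
         "city, county or other geographic region.")]
   string LocalityName[];
      [Description (
         "Based on RFC1274, the mail box addresses for the person "
         "as defined in RFC822.")]
   string Mail[];
      [Description (
         "The person's manager within the organization.  In the case of "
         "an LDAP-derived instance, the Manager property value may "
         "contain the distinguishedName of the Manager.")]
   string Manager[];
      [Description (
         "Based on liPerson, the middle name of the person.")]
   string MiddleName[];
      [MaxLen (32), Description (
         "Based on RFC1274, the Mobile Phone property specifies a "
         "mobile telephone number for the person, e.g. + 44 582 10101.")]
   string Mobile[];
      [Required, Description (
         "The name of the person's organization.")]
   string OrganizationName[];
      [Description (
         "Based on RFC1274, the OrganizationalStatus property specifies "
         "a category by which a person is often referred to within an "
         "organization.  Examples of usage in academia might include "
         "undergraduate student, researcher, lecturer, etc.")]
   string OrganizationalStatus[];
      [Description (
         "Based on RFC1274, this property may be used for electronic "
         "mail box addresses other than RFC822 and X.400.")]
   string OtherMailbox[];
      [Description (
         "The name of an organizational unit related to the person.")]
   string OU[];
      [MaxLen (32), Description (
         "Based on RFC1274, the Pager property specifies a pager "
         "telephone number for the person, e.g. + 44 582 10101.")]
   string Pager[];
      [Description (
         "Based on liPerson, the PersonalTitle property may be used to "
         "specify the person's personal title such as Mr., Ms., Dr., "
         "Prof. etc.")]
   string PersonalTitle[];
      [Octetstring, Description (
         "Based on RFC1274, the Photo property may be used to specify a "
         "photograph for the person encoded in G3 fax as explained in "
         "recommendation T.4, with an ASN.1 wrapper to make it "
         "compatible with an X.400 BodyPart as defined in X.420.")]
   string Photo[];
      [MaxLen (128), Description (
         "The Physical Delivery Office Name property specifies the name "
         "of the city, village, etc. where a physical delivery office "
         "is situated.")]
   string PhysicalDeliveryOfficeName[];
      [Description (
         "The Postal Address property values specify the address "
         "information required for the physical delivery of postal "
         "messages by the postal authority to the person.")]
   string PostalAddress[];
      [MaxLen (40), Description (
         "The Postal Code property specifies the postal code of the "
         "organization.  If this value is present it will be part of "
         "the object's postal address.")]
   string PostalCode[];
      [MaxLen (40), Description (
         "The Post Office Box property specifies the Post Office Box "
         "by which the person will receive physical postal delivery. "
         "If present, the property value is part of the object's postal "
         "address.")]
   string PostOfficeBox[];
      // Scalar, unlike most properties of this class.
      [Description (
         "The Preferred Delivery Method property specifies the "
         "preferred method to be used for contacting the person.")]
   string PreferredDeliveryMethod;
      // Scalar, unlike most properties of this class.
      [Description (
         "Based on inetOrgPerson, the person's preferred written or "
         "spoken language.")]
   string PreferredLanguage;
      [Description (
         "This property specifies a postal address suitable for receipt "
         "of telegrams or expedited documents, where it is necessary to "
         "have the recipient accept delivery.")]
   string RegisteredAddress[];
      [Description (
         "Based on RFC1274, the Room Number property specifies the room "
         "number for the person.")]
   string RoomNumber[];
      [Description (
         "Based on RFC1274, the Secretary property may be used to "
         "specify a secretary for the person.  In the case of an "
         "LDAP-derived object instance, the value may be a "
         "distinguishedName.")]
   string Secretary[];
      [Description (
         "In the case of an LDAP-derived instance, the See Also "
         "property specifies distinguishedName of other Directory "
         "objects which may be other aspects (in some sense) of the "
         "same real world object.")]
   string SeeAlso[];
      [Description (
         "The State or Province Name property specifies a state or "
         "province.")]
   string StateOrProvince[];
      [MaxLen (128), Description (
         "The Street Address property specifies a site for the local "
         "distribution and physical delivery in a postal address, i.e. "
         "the street name, place, avenue, and the number.")]
   string Street[];
      [Description (
         "The Surname property specifies the linguistic construct that "
         "normally is inherited by an individual from the individual's "
         "parent or assumed by marriage, and by which the individual is "
         "commonly known.")]
   string Surname[];
      [MaxLen (32), Description (
         "The Telephone Number property specifies a telephone number of "
         "the organization, e.g. + 44 582 10101.")]
   string TelephoneNumber[];
      [Description (
         "The Teletex Terminal Identifier property specifies the "
         "Teletex terminal identifier (and, optionally, parameters) for "
         "a teletex terminal associated with the organization.")]
   string TeletexTerminalIdentifier[];
      [Description (
         "The Telex Number property specifies the telex number, country "
         "code, and answerback code of a telex terminal for the "
         "organization.")]
   string TelexNumber[];
      [Octetstring, Description (
         "A small image of the person's organization logo")]
   string ThumbnailLogo[];
      [Octetstring, Description (
         "A small image of the person.")]
   string ThumbnailPhoto[];
      [Description (
         "The Title property may be used to specify the person's "
         "designated position or function of the object within an "
         "organization, e.g., Manager, Vice-President, etc.")]
   string Title[];

      // --- Identity and credential attributes ---
      [Description (
         "Based on RFC1274, the UserID property may be used to specify "
         "a computer system login name.")]
   string UserID[];
      [Description (
         "A unique identifier that may be assigned in an environment to "
         "differentiate between uses of a given named person instance.")]
   string UniqueIdentifier[];
      // Public-key certificate; not secret.
      [Octetstring, Description (
         "Based on inetOrgPerson and for directory compatibility, the "
         "User Certificate property may be used to specify a public key "
         "certificate for the person.")]
   string UserCertificate[];
      // NOTE(review): sensitive. The Description only says the value "may"
      // be encrypted; nothing here enforces a storage scheme, so a provider
      // that copies this from a directory exposes whatever the directory
      // holds. Providers should leave it unset unless a consumer needs it,
      // and read access should be restricted in the CIM server.
      [Octetstring, Description (
         "In the case of an LDAP-derived instance, the UserPassword "
         "property may contain an encrypted password used to access "
         "the person's resources in a directory.")]
   string UserPassword[];
      // NOTE(review): sensitive. A PKCS #12 PFX commonly bundles a private
      // key with its certificates, so these values should be handled as
      // key material, unlike UserCertificate above.
      [Octetstring, Description (
         "Based on inetOrgPerson and for directory compatibility, the "
         "UserPKCS12 property value may be used to provide a format "
         "for exchange of personal identity information.  The property "
         "values are PFX PDUs stored as Octetstrings.")]
   string UserPKCS12[];
      [Octetstring, Description (
         "Based on inetOrgPerson, the User S/MIME Certificate property "
         "may be used to specify the person's S/MIME (RFC1847) "
         "signed message with a zero-length body. It contains the "
         "entire certificate chain and the signed attribute that "
         "describes their algorithm capabilities.  If available, this "
         "property is preferred over the UserCertificate property for "
         "S/MIME applications.")]
   string UserSMIMECertificate[];
      [MaxLen (15), Description (
         "An X.121 address for the organization.")]
   string X121Address[];
      [Octetstring, Description (
         "An X.500 specified unique identifier that may be assigned in "
         "an environment to differentiate between uses of a given named "
         "person object instance.")]
   string X500UniqueIdentifier[];
   };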


// ==================================================================
// UsersAccess
//
// A system user (person, service, service access point or collection
// of these) that is permitted access to system resources.
// Keys: CreationClassName, Name, ElementID.
// ==================================================================
   [ Description (
        "The UsersAccess object class is used to specify a system user "
        "that permitted access to system resources.  The ManagedElement "
        "that has access to system resources (represented in the model in "
        "the ElementAsUser association) may be a person, a service, a "
        "service access point or any collection thereof. Whereas the "
        "Account class represents the user's relationship to a system "
        "from the perspective of the security services of the system, the "
        "UserAccess class represents the relationships to the systems "
        "independent of a particular system or service." ) ]
class CIM_UsersAccess : CIM_UserEntity
{
      [ Key, MaxLen (256),
        Description (
           "CreationClassName indicates the name of the class or the "
           "subclass used in the creation of an instance. When used "
           "with the other key properties of this class, this property "
           "allows all instances of this class and its subclasses to "
           "be uniquely identified." ) ]
   string CreationClassName;

      [ Key, MaxLen (256),
        Description (
           "The Name property defines the label by which the object is "
           "known." ) ]
   string Name;

      // Key with no MaxLen bound; the value is a model-path-like string
      // with its property-value pairs in US ASCII lexical order.
      [ Key,
        Description (
           "The ElementID property uniquely specifies the ManagedElement "
           "object instance that is the user represented by the "
           "UsersAccess object instance.  The ElementID is formatted "
           "similarly to a model path except that the property-value "
           "pairs are ordered in alphabetical order (US ASCII lexical "
           "order)." ) ]
   string ElementID;

      // No ValueMap is declared, so each Values entry takes its
      // zero-based position as the uint16 code ("N/A" = 0 ... "EEG" = 8).
      [ Description (
           "Biometric information used to identify a person.  The "
           "property value is left null or set to 'N/A' for non-human "
           "user or a user not using biometric information for "
           "authentication." ),
        Values { "N/A", "Other", "Facial", "Retina", "Mark", "Finger",
                 "Voice", "DNA-RNA", "EEG" } ]
   uint16 Biometric[];
};

// ==================================================================
//    Account
//
// Identity and privilege record kept by a SecurityService (the class
// text uses /etc/passwd entries as its example).  Weak to CIM_System:
// keys are SystemCreationClassName, SystemName, CreationClassName and
// Name.  UserCertificate and UserPassword carry credential material.
// ==================================================================
        [ Description (
             "CIM_Account is the information held by a SecurityService "
             "to track identity and privileges managed by that service.  "
             "Common examples of an Account are the entries in a UNIX "
             "/etc/passwd file.  Several kinds of security services use "
             "various information from those entries - the /bin/login "
             "program uses the account name ('root') and hashed password "
             "to authenticate users, and the file service, for instance, "
             "uses the UserID field ('0') and GroupID field ('0') to "
             "record ownership and determine access control privileges "
             "on files in the file system. This class is defined so as "
             "to incorporate commonly-used LDAP attributes to permit "
             "implementations to easily derive this information from "
             "LDAP-accessible directories." ) ]
class CIM_Account : CIM_LogicalElement
{
      [ Key, Propagated ("CIM_System.CreationClassName"),
        MaxLen (256),
        Description ("Scoping System") ]
   string SystemCreationClassName;

      [ Key, Propagated ("CIM_System.Name"),
        MaxLen (256),
        Description ("Scoping System") ]
   string SystemName;

      [ Key, MaxLen (256),
        Description (
           "CreationClassName indicates the name of the class or the "
           "subclass used in the creation of an instance. When used "
           "with the other key properties of this class, this property "
           "allows all instances of this class and its subclasses to "
           "be uniquely identified." ) ]
   string CreationClassName;

      // Overrides the inherited Name; the 1024-character limit leaves
      // room for an LDAP distinguishedName.
      [ Key, Override ("Name"), MaxLen (1024),
        Description (
           "The Name property defines the label by which the object is "
           "known.  The value of this property may be set to be the same "
           "as that of the UserID property or, in the case of an "
           "LDAP-derived instance, the Name property value may be set to "
           "the distinguishedName of the LDAP-accessed object instance." ) ]
   string Name;

      [ MaxLen (256),
        Description (
           "UserID is the value used by the SecurityService to "
           "represent identity.  For an authentication service, the "
           "UserID may be the name of the user, or for an authorization "
           "service the value which serves as a handle to a mapping of "
           "the identity." ) ]
   string UserID;

      [ Description (
           "In the case of an LDAP-derived instance, the ObjectClass "
           "property value(s) may be set to the objectClass attribute "
           "values." ) ]
   string ObjectClass[];

      [ MaxLen (1024),
        Description (
           "The Descriptions property values may contain human-readable "
           "descriptions of the object.  In the case of an LDAP-derived "
           "instance, the description attribute may have multiple values "
           "that, therefore, cannot be placed in the inherited "
           "Description property." ) ]
   string Descriptions[];

      [ Description (
           "Based on RFC1274, the host name of the system(s) for which "
           "the account applies.  The host name may be a fully-qualified "
           "DNS name or it may be an unqualified host name." ) ]
   string Host[];

      [ Description (
           "This property contains the name of a locality, such as a "
           "city, county or other geographic region." ) ]
   string LocalityName[];

      // The only non-key property in this class marked Required.
      [ Required,
        Description (
           "The name of the organization related to the account." ) ]
   string OrganizationName[];

      [ Description (
           "The name of an organizational unit related to the account." ) ]
   string OU[];

      [ Description (
           "In the case of an LDAP-derived instance, the See Also "
           "property specifies distinguishedName of other Directory "
           "objects which may be other aspects (in some sense) of the "
           "same real world object." ) ]
   string SeeAlso[];

      [ Octetstring,
        Description (
           "Based on inetOrgPerson and for directory compatibility, the "
           "User Certificate property may be used to specify a public key "
           "certificate for the person." ) ]
   string UserCertificate[];

      // Credential material.  The Description says "encrypted" while the
      // class text above speaks of a hashed password; the qualifiers
      // constrain neither algorithm nor encoding, so consumers cannot
      // tell from the schema how the value is protected.  Read access
      // should be limited by the provider/namespace authorization.
      [ Octetstring,
        Description (
           "In the case of an LDAP-derived instance, the UserPassword "
           "property may contain an encrypted password used to access "
           "the person's resources in a directory." ) ]
   string UserPassword[];
};


// ==================================================================
//    SecurityService
//
// Abstract base of the security service classes in this file.  It adds
// no properties, and its Description text is a placeholder.
// ==================================================================
        [ Abstract,
          Description (
             "CIM_SecurityService ..." ) ]
class CIM_SecurityService : CIM_Service
{
};

// ==================================================================
//    AccountManagementService
//
// Service that creates, manages and destroys Accounts for other
// security services.  Declares no properties of its own.
// ==================================================================
   [ Description (
        "CIM_AccountManagementService creates, manages, and if necessary "
        "destroys Accounts on behalf of other SecuritySerices." ) ]
class CIM_AccountManagementService : CIM_SecurityService
{
};

// ==================================================================
//    AuthenticationService
//
// Identity verification service.  The Description splits it into a
// credential-issuing subclass and a credential-verifying subclass;
// no properties are declared here.
// ==================================================================
   [ Description (
        "CIM_AuthenticationService verifies users' identities through "
        "some means.  These services are decomposed into a subclass that "
        "provides credentials to users and a subclass that provides for "
        "the verification of the validity of a credential and, perhaps, "
        "the appropriateness of its use for access to target resources. "
        "The persistent state information used from one such verification "
        "to another is maintained in an Account for that Users Access on "
        "that AuthenticationService." ) ]
class CIM_AuthenticationService : CIM_SecurityService
{
};

// ==================================================================
//    VerificationService
//
// Authentication service that checks a presented credential and,
// optionally, whether it is appropriate for a given target resource.
// ==================================================================
   [ Description (
        "CIM_VerificationService is the authentication service that "
        "verifies a credential for use and may also verify the "
        "appropriateness of a particular credential in conjunction with a "
        "particular target resource." ) ]
class CIM_VerificationService : CIM_AuthenticationService
{
};

// ==================================================================
//    CredentialManagementService
//
// Authentication service that issues credentials and manages their
// lifecycle.  Base of the CA, KDC, Notary and local credential
// management classes declared in this file.
// ==================================================================
   [ Description (
        "CIM_CredentialManagementService issues credentials and manages "
        "the credential lifecycle." ) ]
class CIM_CredentialManagementService : CIM_AuthenticationService
{
};

// ==================================================================
//    CredentialManagementSAP
//
// Access point through which a CredentialManagementService is invoked.
// ==================================================================
        [ Description (
             "CIM_CredentialManagementSAP represents the ability to "
             "utilize or invoke a CredentialManagementService." ) ]
class CIM_CredentialManagementSAP : CIM_ServiceAccessPoint
{
        // Free-form string: no MaxLen and no restriction on the URL
        // scheme is declared, so consumers should validate the value
        // before connecting to it.
        [ Description (
             "The URL for the access point." ) ]
    string URL;
};

// ==================================================================
//    CertificateAuthority
//
// Credential management service that issues and signs certificates.
// Carries the CA's policy identifier, distinguished name, revocation
// data (CRL, distribution points, refresh interval) and chain limit.
// ==================================================================
        [ Description (
             "A Certificate Authority (CA) is a credential "
             "management service that issues and cryptographically "
             "signs certificates thus acting as an trusted third-party "
             "intermediary in establishing trust relationships. The CA "
             "authenicates the holder of the private key related to the "
             "certificate's public key; the authenicated entity is "
             "represented by the UsersAccess class." ) ]
class CIM_CertificateAuthority : CIM_CredentialManagementService
{
        [ Description (
             "The CAPolicyStatement describes what care is taken by the "
             "CertificateAuthority when signing a new certificate.  "
             "The CAPolicyStatment may be a dot-delimited ASN.1 OID "
             "string which identifies to the formal policy statement." ) ]
    string CAPolicyStatement;

        // Revocation lists as octet strings, one array element per list.
        [ Octetstring,
          Description (
             "A CRL, or CertificateRevocationList, is a "
             "list of certificates which the CertificateAuthority has "
             "revoked and which are not yet expired.  Revocation is "
             "necessary when the private key associated with the public "
             "key of a certificate is lost or compromised, or when the "
             "person for whom the certificate is signed no longer is "
             "entitled to use the certificate." ) ]
    string CRL[];

        // URIs only; the schema does not restrict the scheme.
        [ Description (
             "Certificate Revocation Lists may be "
             "available from a number of distribution points.  "
             "CRLDistributionPoint array values provide URIs for those "
             "distribution points." ) ]
    string CRLDistributionPoint[];

        [ DN,
          Description (
             "Certificates refer to their issuing CA by "
             "its Distinguished Name (as defined in X.501)." ) ]
    string CADistinguishedName;

        // uint8 in hours, so at most 255 hours can be expressed; 0 is
        // reserved for "unknown" by the Description.
        [ Units ("Hours"),
          Description (
             "The frequency, expressed in hours, at which "
             "the CA will update its Certificate Revocation List.  Zero "
             "implies that the refresh frequency is unknown." ) ]
    uint8 CRLRefreshFrequency;

        // Path-length limit for chains under this CA; per the
        // Description it should shrink going down the trust hierarchy.
        [ Description (
             "The maximum number of certificates in a "
             "certificate chain permitted for credentials issued by "
             "this certificate authority or it's subordinate CAs.\n"
             "The MaxChainLength of a superior CA in the trust "
             "hierarchy should be greater than this value and the "
             "MaxChainLength of a subordinate CA in the trust hierarchy "
             "should be less than this value." ) ]
    uint8 MaxChainLength;
};


// ==================================================================
//    KerberosKeyDistributionCenter
//
// Credential management service modelling a Kerberos KDC.  The class
// Description is a placeholder; Name is overridden to hold the realm.
// ==================================================================
        [ Description (
             "CIM_KerberosKeyDistributionCenter ..." ) ]
class CIM_KerberosKeyDistributionCenter : CIM_CredentialManagementService
{
        [ Override ("Name"),
          Description ("The Realm served by this KDC.") ]
    string Name;

        // No ValueMap: "V4" = 0, "V5" = 1, "DCE" = 2, "MS" = 3.  The
        // array lets an inventory report every protocol variant a KDC
        // still accepts, including the older "V4".
        [ Description (
             "The version of Kerberos supported by this "
             "service." ),
          Values { "V4", "V5", "DCE", "MS" } ]
    uint16 Protocol[];
};


// ==================================================================
//    Notary
//
// Credential management service that matches a person's biometric
// characteristics against those recorded for a Users Access.  Records
// how the decision is sealed and the validity window of its charter.
// ==================================================================
        [ Description (
             "CIM_Notary is an AuthenticationService (credential "
             "management service) which compares the "
             "biometric characteristics of a person with the "
             "known characteristics of an Users Access, and determines "
             "whether the person is the UsersAccess.  An example is "
             "a bank teller who compares a picture ID with the person "
             "trying to cash a check, or a biometric login service that "
             "uses voice recognition to identify a user." ) ]
class CIM_Notary : CIM_CredentialManagementService
{
        // Same Values list as CIM_UsersAccess.Biometric, codes implied
        // by position ("N/A" = 0 ... "EEG" = 8).
        // NOTE(review): declared scalar although the Description speaks
        // of "types" in the plural - confirm whether an array was meant.
        [ Description (
             "The types of biometric information which "
             "this Notary can compare." ),
          Values { "N/A", "Other", "Facial", "Retina", "Mark",
                   "Finger", "Voice", "DNA-RNA", "EEG" } ]
    uint16 Comparitors;

        [ Description (
             "The SealProtocol is how the decision of the Notary is "
             "recorded for future use by parties who will rely on its "
             "decision.  For instance, a drivers licence frequently "
             "includes tamper-resistent coatings and markings to protect "
             "the recorded decision that a driver, having various "
             "biometric characteristics of height, weight, hair and eye "
             "color, using a particular name, has features represented in "
             "a photograph of their face." ) ]
    string SealProtocol;

        // Start of the period in which the Notary is authorized.
        [ Description (
             "CharterIssued documents when the Notary is first "
             "authorized, by whoever gave it responsibility, to perform "
             "its service." ) ]
    datetime CharterIssued;

        // End of that period; relying parties can compare it with the
        // time of a recorded decision.
        [ Description (
             "CharterExpired documents when the Notary is no longer "
             "authorized, by whoever gave it responsibility, to perform "
             "its service." ) ]
    datetime CharterExpired;
};


// ==================================================================
//    LocalCredentialManagementService
//
// Credential management confined to the local system; base of the
// shared-secret and public-key management services below.
// ==================================================================
        [ Description (
             "CIM_LocalCredentialManagementService is a credential "
             "management service that provides local system "
             "management of credentials used by the local system." ) ]
class CIM_LocalCredentialManagementService : CIM_CredentialManagementService
{
};

// ==================================================================
//    SharedSecretService
//
// Local service that authenticates a peer or a message stream by
// knowledge of a shared secret.
// ==================================================================
        [ Description (
             "CIM_SharedSecretService is a service which ascertains "
             "whether messages received are from the Principal with "
             "whom a secret is shared.  Examples include a login "
             "service that proves identity on the basis of knowledge of "
             "the shared secret, or a transport integrity service (like "
             "Kerberos provides) that includes a message authenticity "
             "code that proves each message in the messsage stream came "
             "from someone who knows the shared secret session key." ) ]
class CIM_SharedSecretService : CIM_LocalCredentialManagementService
{
        // Free-form name, not an enumeration.  Because "PLAINTEXT" is a
        // documented value, this property is what an audit would read to
        // find services that convey the secret without protection.
        [ MaxLen (256),
          Description (
             "The Algorithm used to convey the shared secret, such as "
             "HMAC-MD5,or PLAINTEXT." ) ]
    string Algorithm;

        // Free-form string with no MaxLen declared.
        [ Description (
             "The Protocol supported by the SharedSecretService." ) ]
    string Protocol;
};

// ==================================================================
//    PublicKeyManagementService
//
// Local management of the public keys used by this system.  The class
// declares no properties of its own.
// ==================================================================
        [ Description (
             "CIM_PublicKeyManagementService is a credential management "
             "service that provides local system management of public "
             "keys used by the local system." ) ]
class CIM_PublicKeyManagementService : CIM_LocalCredentialManagementService
{
};

// ==================================================================
//    Credential
//
// Abstract base for material that proves the identity of a
// CIM_UsersAccess to a CIM_SecurityService, at initial authentication
// or per message.  Subclasses supply all keys and properties.
// ==================================================================
        [ Abstract,
          Description (
             "Subclasses of CIM_Credential define materials, "
             "information, or other data which are used to prove the "
             "identity of a CIM_UsersAccess to a particular "
             "CIM_SecurityService.  Generally, there may be some shared "
             "information, or credential material which is used to "
             "identify and authenticate ones self in the process of "
             "gaining access to, or permission to use, an Account. "
             "Such credential material may be used to authenticate a "
             "users access identity  initially, as done by a "
             "CIM_AuthenticationService (see later), and additionally on "
             "an ongoing basis during the course of a connection or "
             "other  security association, as proof that each received "
             "message or communication came from the owning user access of "
             "that credential material." ) ]
class CIM_Credential : CIM_ManagedElement
{
};


// ==================================================================
//    PublicKeyCertificate
//
// CA-signed credential issued to a Subject.  Weak to the issuing
// CIM_CertificateAuthority: four propagated keys plus Subject.  Only
// the public key is modelled; the private key is not part of the class.
// ==================================================================
        [ Description (
             "A Public Key Certificate is a credential "
             "that is cryptographically signed by a trusted Certificate "
             "Authority (CA) and issued to an authenticated entity "
             "(e.g., human user, service,etc.) called the Subject in "
             "the certificate and represented by the UsersAccess class. "
             "The public key in the certificate is cryptographically "
             "related to a private key that is to be held and kept "
             "private by the authenticated Subject.  The certificate "
             "and its related private key can then be used for "
             "establishing trust relationships and securing "
             "communications with the Subject.  Refer to the ITU/CCITT "
             "X.509 standard as an example of such certificates." ) ]
class CIM_PublicKeyCertificate : CIM_Credential
{
         [ Key, Propagated ("CIM_CertificateAuthority.SystemCreationClassName"),
           MaxLen (256),
           Description ("Scoping System") ]
     string SystemCreationClassName;

         [ Key, Propagated ("CIM_CertificateAuthority.SystemName"),
           MaxLen (256),
           Description ("Scoping System") ]
     string SystemName;

         [ Key, Propagated ("CIM_CertificateAuthority.CreationClassName"),
           MaxLen (256),
           Description ("Scoping Service") ]
     string ServiceCreationClassName;

         [ Key, Propagated ("CIM_CertificateAuthority.Name"),
           MaxLen (256),
           Description ("Scoping Service") ]
     string ServiceName;

         // Key limited to 256 characters.
         [ Key, MaxLen (256),
           Description (
              "Certificate subject identifier" ) ]
     string Subject;

         [ MaxLen (256),
           Description (
              "Alternate subject identifier for the Certificate." ) ]
     string AltSubject;

         // DER bytes of the public key only; serial number, validity
         // dates and signature are not modelled in this class.
         [ Octetstring,
           Description ("The DER-encoded raw public key.") ]
     uint8 PublicKey[];
};

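// ==================================================================
//    UnsignedPublicKey
//
// Public key accepted on the basis of a direct trust relationship
// rather than a CA signature.  Weak to CIM_PublicKeyManagementService:
// four propagated keys plus PeerIdentity.
//
// The two ModelCorrespondence qualifiers below name this class.  They
// previously named CIM_PublicKeyManagementService, which declares no
// PeerIdentity or PeerIdentityType property in this file; both
// properties are defined here.
// ==================================================================
        [ Description (
             "A CIM_UnsignedPublicKey represents an unsigned public "
             "key credential.  The local UsersAccess (or subclass "
             "thereof) accepts the public key as authentic because of "
             "a direct trust relationship rather than via a third-party "
             "Certificate Authority." ) ]
class CIM_UnsignedPublicKey : CIM_Credential
{
         [ Key, Propagated ("CIM_PublicKeyManagementService.SystemCreationClassName"),
           MaxLen (256),
           Description ("Scoping System") ]
     string SystemCreationClassName;

         [ Key, Propagated ("CIM_PublicKeyManagementService.SystemName"),
           MaxLen (256),
           Description ("Scoping System") ]
     string SystemName;

         [ Key, Propagated ("CIM_PublicKeyManagementService.CreationClassName"),
           MaxLen (256),
           Description ("Scoping Service") ]
     string ServiceCreationClassName;

         [ Key, Propagated ("CIM_PublicKeyManagementService.Name"),
           MaxLen (256),
           Description ("Scoping Service") ]
     string ServiceName;

         // Identity the key is bound to.  Nothing in the schema vouches
         // for this binding (there is no signature), so its integrity
         // rests on whoever may create or modify instances.
         [ Key, MaxLen (256),
           Description (
              "The Identity of the Peer with whom a direct trust "
              "relationship exists.  The public key may be used for "
              "security functions with the Peer." ),
           ModelCorrespondence
              { "CIM_UnsignedPublicKey.PeerIdentityType" } ]
     string PeerIdentity;

         // Explicit ValueMap: "0" = Other, then the IKE identity types
         // "1".."11" in the order listed in Values.
         [ Description (
              "PeerIdentityType is used to describe the "
              "type of the PeerIdentity.  The currently defined values "
              "are used for IKE identities." ),
           ValueMap { "0", "1", "2", "3", "4", "5", "6", "7", "8",
                      "9", "10", "11" },
           Values { "Other", "IPV4_ADDR", "FQDN", "USER_FQDN",
                    "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET",
                    "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN",
                    "DER_ASN1_GN", "KEY_ID" },
           ModelCorrespondence
              { "CIM_UnsignedPublicKey.PeerIdentity" } ]
     uint16 PeerIdentityType;

         [ Octetstring,
           Description ("The DER-encoded raw public key.") ]
     uint8 PublicKey[];
};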

// ==================================================================
//    KerberosTicket
//
// Credential issued by a KDC to a CIM_UsersAccess after successful
// authentication.  Weak to CIM_KerberosKeyDistributionCenter: four
// propagated keys plus AccessesService and RemoteID.  The ticket bytes
// themselves are not a property of this class.
// ==================================================================
        [ Description (
             "A CIM_KerberosTicket represents a credential issued by a "
             "particular Kerberos Key Distribution Center (KDC) "
             "to a particular CIM_UsersAccess as the result of a "
             "successful authentication process.  There are two types of "
             "tickets that a KDC may issue to a Users Access - a "
             "TicketGranting ticket, which is used to protect and "
             "authenticate communications between the Users Access and the "
             "KDC, and a Session ticket, which the KDC issues to two "
             "Users Access to allow them to communicate with each other. "
              ) ]
class CIM_KerberosTicket : CIM_Credential
{
         [ Key, Propagated ("CIM_KerberosKeyDistributionCenter.SystemCreationClassName"),
           MaxLen (256),
           Description ("Scoping System") ]
     string SystemCreationClassName;

         [ Key, Propagated ("CIM_KerberosKeyDistributionCenter.SystemName"),
           MaxLen (256),
           Description ("Scoping System") ]
     string SystemName;

         [ Key, Propagated ("CIM_KerberosKeyDistributionCenter.CreationClassName"),
           MaxLen (256),
           Description ("Scoping Service") ]
     string ServiceCreationClassName;

         // Propagated KDC Name, i.e. the realm that issued the ticket.
         [ Key, Propagated ("CIM_KerberosKeyDistributionCenter.Name"),
           MaxLen (256),
           Description (
              "Scoping Service.  The Kerberos KDC Realm of "
              "CIM_KerberosTicket is used to record the security "
              "authority, or Realm, name so that tickets issued by "
              "different Realms can be separately managed and "
              "enumerated." ) ]
     string ServiceName;

         [ Key, MaxLen (256),
           Description (
              "The name of the service "
              "for which this ticket is used." ) ]
     string AccessesService;

         [ Key, MaxLen (256),
           Description (
              "RemoteID is the name by which the user is known at "
              "the KDC security service." ) ]
     string RemoteID;

     // Issued and Expires carry no qualifiers, not even a Description.
     // By their names they presumably bound the ticket's validity
     // period - confirm against the provider that populates them.
     datetime Issued;
     datetime Expires;

         // No ValueMap: "Session" = 0, "TicketGranting" = 1.
         [ Description (
              "The Type of CIM_KerberosTicket is used to indicate whether "
              "the ticket in question was issued by the Kerberos Key "
              "Distribution Center (KDC) to support ongoing communication "
              "between the Users Access and the KDC (\"TicketGranting\"), "
              "or was issued by the KDC to support ongoing communication "
              "between two Users Access entities (\"Session\")." ),
           Values { "Session", "TicketGranting" } ]
     uint16 TicketType;
};


// ==================================================================
//    SharedSecret
//
// The secret a Users Access shares with one SharedSecretService (a
// password or a session key).  Weak to CIM_SharedSecretService: four
// propagated keys plus RemoteID.
// ==================================================================
        [ Description (
             "CIM_SharedSecret is the secret shared between a Users Access "
             "and a particular SharedSecret security service.  Secrets "
             "may be in the form of a password used for initial "
             "authentication, or as with a session key, used as part of "
             "a message authentication code to verify that a message "
             "originated by the pricinpal with whom the secret is shared. "
             "It is important to note that SharedSecret is not just the "
             "password, but rather is the password used with a particular "
             "security service." ) ]
class CIM_SharedSecret : CIM_Credential
{
         [ Key, Propagated ("CIM_SharedSecretService.SystemCreationClassName"),
           MaxLen (256),
           Description ("Scoping System") ]
     string SystemCreationClassName;

         [ Key, Propagated ("CIM_SharedSecretService.SystemName"),
           MaxLen (256),
           Description ("Scoping System") ]
     string SystemName;

         [ Key, Propagated ("CIM_SharedSecretService.CreationClassName"),
           MaxLen (256),
           Description ("Scoping Service") ]
     string ServiceCreationClassName;

         [ Key, Propagated ("CIM_SharedSecretService.Name"),
           MaxLen (256),
           Description ("Scoping Service") ]
     string ServiceName;

         [ Key, MaxLen (256),
           Description (
              "RemoteID is the name by which the user is known at "
              "the remote secret key authentication service." ) ]
     string RemoteID;

         // Holds the secret itself as an ordinary readable string
         // property (no Octetstring, no MaxLen).  Whether the stored
         // value is the raw password or a transformed form is indicated
         // only by the sibling "algorithm" property.  Compare
         // CIM_NamedSharedIKESecret, which exposes a name for the secret
         // instead of the value.  Read access to instances should be
         // limited by the provider/namespace authorization.
         [ Description (
              "secret is the secret known by the Users Access." ) ]
     string secret;

         // Free-form; empty or absent presumably means the secret is
         // stored untransformed ("if any") - confirm with the provider.
         [ Description (
              "algorithm names the transformation algorithm, if any, used "
              "to protect passwords before use in the protocol.  For "
              "instance, Kerberos doesn't store passwords as the shared "
              "secret, but rather, a hash of the password." ) ]
     string algorithm;

         [ Description (
              "protocol names the protocol with which the SharedSecret is "
              "used." ) ]
     string protocol;
};

// ==================================================================
//    NamedSharedIKESecret
//
// Indirect reference to a secret shared between a local IKE identity
// and a peer identity.  Only the secret's name is exposed, never its
// value.  Weak to CIM_SharedSecretService: four propagated keys plus
// LocalIdentity, LocalIdentityType, PeerIdentity and PeerIdentityType.
// ==================================================================
        [ Description (
             "CIM_NamedSharedIKESecret indirectly represents a shared "
             "secret credential.  The local identity, IKEIdentity, "
             "and the remote peer identity share the secret that is "
             "named by the SharedSecretName.  The SharedSecretName is "
             "used SharedSecretService to reference the secret." ) ]
class CIM_NamedSharedIKESecret : CIM_Credential
{
         [ Key, Propagated ("CIM_SharedSecretService.SystemCreationClassName"),
           MaxLen (256),
           Description ("Scoping System") ]
     string SystemCreationClassName;

         [ Key, Propagated ("CIM_SharedSecretService.SystemName"),
           MaxLen (256),
           Description ("Scoping System") ]
     string SystemName;

         [ Key, Propagated ("CIM_SharedSecretService.CreationClassName"),
           MaxLen (256),
           Description ("Scoping Service") ]
     string ServiceCreationClassName;

         [ Key, Propagated ("CIM_SharedSecretService.Name"),
           MaxLen (256),
           Description ("Scoping Service") ]
     string ServiceName;

         [ Key, MaxLen (256),
           Description (
              "The local Identity with whom the direct trust "
              "relationship exists." ),
           ModelCorrespondence
              { "CIM_NamedSharedIKESecret.LocalIdentityType" } ]
     string LocalIdentity;

         // ValueMap starts at "1"; unlike CIM_UnsignedPublicKey's
         // PeerIdentityType there is no "0"/"Other" entry.
         [ Key,
           Description (
              "LocalIdentityType is used to describe "
              "the type of the LocalIdentity." ),
           ValueMap { "1", "2", "3", "4", "5", "6", "7", "8",
                      "9", "10", "11" },
           Values { "IPV4_ADDR", "FQDN", "USER_FQDN",
                    "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET",
                    "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN",
                    "DER_ASN1_GN", "KEY_ID" },
           ModelCorrespondence
              { "CIM_NamedSharedIKESecret.LocalIdentity" } ]
     uint16 LocalIdentityType;

         [ Key, MaxLen (256),
           Description (
              "The peer identity with whom the direct trust "
              "relationship exists." ),
           ModelCorrespondence
              { "CIM_NamedSharedIKESecret.PeerIdentityType" } ]
     string PeerIdentity;

         // Same value set as LocalIdentityType.
         [ Key,
           Description (
              "PeerIdentityType is used to describe "
              "the type of the PeerIdentity." ),
           ValueMap { "1", "2", "3", "4", "5", "6", "7", "8",
                      "9", "10", "11" },
           Values { "IPV4_ADDR", "FQDN", "USER_FQDN",
                    "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET",
                    "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN",
                    "DER_ASN1_GN", "KEY_ID" },
           ModelCorrespondence
              { "CIM_NamedSharedIKESecret.PeerIdentity" } ]
     uint16 PeerIdentityType;

         // A handle, not the secret: the Description states that the
         // service does not expose the actual value.
         [ Description (
              "SharedSecretName is an indirect reference "
              "to a shared secret.  The SecretService does not expose "
              "the actual secret but rather provides access to the "
              "secret via a name." ) ]
     string SharedSecretName;
};

// ==================================================================
//    AuthorizationService
//
// Security service that decides whether a user, through an associated
// Account, may access a resource.  Declares no properties.
// ==================================================================
   [ Description (
        "CIM_AuthorizationService determines whether a user, by "
        "association with an Account used by the AuthorizationService, is "
        "permitted access a resource or set of resources." ) ]
class CIM_AuthorizationService : CIM_SecurityService
{
};

// ==================================================================
//    AuthenticationRequirement
//
// Authentication requirements for a set of target resources, expressed
// mainly through associations.  Weak to CIM_System; keys are
// SystemCreationClassName, SystemName, CreationClassName and Name.
// ==================================================================
   [ Description (
        "CIM_AuthenticationRequirement provides, through its "
        "associations, the authentication requirements for access to "
        "system resources.  For a particular set of target resources, the "
        "AuthenticationService may require that credentials be issued by "
        "a specific CredentialManagementService.  The "
        "AuthenticationRequirement class is weak to the system (e.g., "
        "Computer System or Administrative Domain) for which the "
        "requirements apply." ) ]
class CIM_AuthenticationRequirement : CIM_LogicalElement
{
      [ Key, Propagated ("CIM_System.CreationClassName"),
        MaxLen (256),
        Description ("Hosting system creation class name") ]
   string SystemCreationClassName;

      [ Key, Propagated ("CIM_System.Name"),
        MaxLen (256),
        Description ("Hosting system name") ]
   string SystemName;

      [ Key, MaxLen (256),
        Description (
           "CreationClassName indicates the name of the class or the "
           "subclass used in the creation of an instance. When used "
           "with the other key properties of this class, this property "
           "allows all instances of this class and its subclasses to "
           "be uniquely identified." ) ]
   string CreationClassName;

      [ Key, Override ("Name"), MaxLen (256),
        Description (
           "The Name property defines the unique label, in the context of "
           "the hosting system, by which the AuthenticationRequirement "
           "is known." ) ]
   string Name;

      // Free-form label: the schema defines neither a value set nor an
      // ordering between levels, so comparisons between classifications
      // are up to the consumer.
      [ Description (
           "The SecurityClassification property specifies a named level "
           "of security associated with the AuthenticationRequirement, "
           "e.g., 'Confidential', 'Top Secret', etc." ) ]
   string SecurityClassification;
};


// ================================================================== 
//    AccessControlInformation
// ==================================================================
   // Access-control entry set (ACI), scoped to a hosting system through the
   // two Propagated keys.  AccessType, AccessQualifier and Permission are
   // tied together by ModelCorrespondence and are described as
   // "corresponding" entries, i.e. they are meant to be read index by index.
   // NOTE(review): none of the three arrays declares an ArrayType qualifier,
   // so the schema itself does not promise a stable element order; a consumer
   // that evaluates permissions should confirm the provider keeps the arrays
   // aligned and of equal length.
   // NOTE(review): nothing in this class states how 'Allow' and 'Deny'
   // combine when more than one entry matches, or how 'Unknown' is to be
   // evaluated; an enforcing consumer presumably should not treat 'Unknown'
   // as a grant -- confirm against the implementation.
   [Description (
       "CIM_AccessControlInformation provides, through its properties "
       "and its associations, the specification of the access rights "
       "granted to a set of subject users to a set of target resources. "
       "The AccessControlInformation class is weak to the system (e.g., "
       "Computer System or Administrative Domain) for which the access "
       "controls apply.")]
class CIM_AccessControlInformation : CIM_LogicalElement
{
      // Propagated key: class name of the hosting CIM_System.
      [Key, MaxLen (256), Propagated ("CIM_System.CreationClassName"),
       Description ("Hosting system creation class name")]
   string SystemCreationClassName;

      // Propagated key: Name of the hosting CIM_System.
      [Key, MaxLen (256), Propagated ("CIM_System.Name"),
       Description ("Hosting system name")]
   string SystemName;

      [Key, MaxLen (256), Description (
       "CreationClassName indicates the name of the class or the "
       "subclass used in the creation of an instance. When used "
       "with the other key properties of this class, this property "
       "allows all instances of this class and its subclasses to "
       "be uniquely identified.")]
   string CreationClassName;

      // Overrides the inherited Name and turns it into a key.
      [Key, MaxLen (256), Override ("Name"), Description (
       "The Name property defines the unique label, in the context of "
       "the hosting system, by which the AccessControlInformation "
       "is known.")]
   string Name;

      // Free-form string with no ValueMap; level names are unconstrained.
      [Description (
       "The SecurityClassification property specifies a named level "
       "of security associated with the AccessControlInformation, "
       "e.g., 'Confidential', 'Top Secret', etc.")]
   string SecurityClassification;

      // Free-form strings: either a generic access mode or a service entry
      // point name, per the Description.
      [Description (
       "The AccessType property is an array of string values that "
       "specifies the type of access for which the corresponding "
       "permission applies. For example, it can be used to specify a "
       "generic access such as 'Read-only', 'Read/Write', etc. for "
       "file or record access control or it can be used to specifiy "
       "an entry point name for service access control."),
       ModelCorrespondence {
           "CIM_AccessControlInformation.AccessQualifier",
           "CIM_AccessControlInformation.Permission" }]
   string AccessType[];

      [Description (
       "The AccessQualifier property is an array of string values "
       "may be used to further qualify the type of access for which "
       "the corresponding permission applies. For example, it may  be "
       "used to specify a set of parameters that are permitted or "
       "denied in conjunction with the corresponding AccessType entry "
       "point name."),
       ModelCorrespondence {
           "CIM_AccessControlInformation.AccessType",
           "CIM_AccessControlInformation.AccessQualifier" == "" ? "" : "CIM_AccessControlInformation.Permission" }]
   string AccessQualifier[];

      // String-valued enumeration; the Description allows subclasses to
      // extend the value set.
      [Description (
       "The Permission property is an array of string values "
       "indicating the permission that applies to the corrsponding "
       "AccessType and AccessQualifier array values.  The values "
       "may be extended in subclasses to provide more specific access "
       "controls."),
       ValueMap {"Unknown", "Allow", "Deny", "Manage"},
       ModelCorrespondence {
           "CIM_AccessControlInformation.AccessType",
           "CIM_AccessControlInformation.AccessQualifier" }]
   string Permission[];
};

// ==================================================================
// ===              Association class definitions                 ===
// ==================================================================

// Aggregations
                 
// ==================================================================
// MemberPrincipal    
// ==================================================================
   // Aggregation that places principals into a Collection, either directly
   // or indirectly; UserAccessBy records which of the four modes applies.
   // NOTE(review): the class Description calls the property "UsersAccessBy",
   // while the property declared below is UserAccessBy.
   // NOTE(review): the property Description lists three membership kinds,
   // but Values declares a fourth ('CredentialManagementService', value 4).
   // That kind is only explained in the class Description (membership by
   // issuing realm), which admits every user the named service vouches for,
   // so it is the widest of the four.
   [Association, Aggregation, Description (
       "CIM_MemberPrincipal is an aggregation used to establish "
       "membership of principals (i.e., users) in a Collection.  That "
       "membership can be established either directly or indirectly as "
       "indicated in the UsersAccessBy property.  For example, a user "
       "may be identified directly by their userid (i.e., Account object "
       "instance) or the user may be identified indirectly by realm from "
       "which a ticket was issued (i.e., CredentialManagementService "
       "object instance).  The latter case is useful, for example, for "
       "specifying that only users identified by an internal credential "
       "service are permitted to access very sensitive information.")]
class CIM_MemberPrincipal : CIM_MemberOfCollection
{
      // Inherited reference redeclared without further qualifiers.
      [Override ("Collection")]
   CIM_Collection REF Collection;

      // Inherited reference redeclared as CIM_ManagedElement.
      [Override ("Member")]
   CIM_ManagedElement REF Member;

      // ValueMap and Values pair up positionally: 1=UsersAccess, 2=Account,
      // 3=UsingElement, 4=CredentialManagementService.
      [Description (
       "A MemberPrincipal may be identifed in several ways that may "
       "be either direct or indirect membership in the collection. "
       " - A 'UsersAccess' membership directly identifies the user by "
       "   the UsersAccess object instance. "
       " - An 'Account' membership directly identifies the user by "
       "   the Account object class instance. "
       " - A 'UsingElement' membership indirectly identifies the user "
       "   by the ManagedElement object instance that has "
       "   ElementAsUser associations to UsersAccess object "
       "   instances.  Hence, all UsersAccess instances are "
       "   indirectly included in the collection. "),
       ValueMap {"1", "2", "3", "4"},
       Values {"UsersAccess", "Account", "UsingElement",
               "CredentialManagementService"}]
   uint16 UserAccessBy;
};


// ===================================================================
//    AccountOnSystem
// ===================================================================
   // Aggregation of Accounts under the System that scopes their names.
   // Min (1) / Max (1) on GroupComponent means every Account belongs to
   // exactly one System; Weak marks the Account as named within that System.
   [Association, Aggregation, Description (
       "A system (e.g., ApplicationSystem, ComputerSystem, AdminDomain) "
       "aggregates Accounts and scopes the uniqueness of the Account "
       "names (i.e., userids).")]
class CIM_AccountOnSystem : CIM_SystemComponent
{
      [Override ("GroupComponent"), Min (1), Max (1),
       Description ("The aggregating system also provides name scoping "
       "for the Account.")]
   CIM_System REF GroupComponent;

      [Override ("PartComponent"), Weak,
       Description ("The subordinate Account")]
   CIM_Account REF PartComponent;
};

// ==================================================================
// OrgStructure    
// ==================================================================
  // Parent/child link between two OrganizationalEntity instances.
  // Max (1) on Parent gives each child at most one organizational parent.
  // NOTE(review): the class is qualified Aggregation, yet neither reference
  // carries the Aggregate qualifier and there is no superclass to inherit it
  // from; confirm against the DMTF release this snapshot tracks.
  [Association, Aggregation, Description (
      "CIM_OrgStructure is an association used to establish parent-child "
      "relationships between OrganizationalEntity instances.  This is "
      "used to capture organizational relationships between object "
      "instances such as those that are imported from an LDAP-accessible "
      "directory.")]
class CIM_OrgStructure
{
      [Key, Max (1),
       Description ("The organizational parent in this association.")]
   CIM_OrganizationalEntity REF Parent;

      [Key,
       Description ("The organizational child in this association,    "
       "i.e., the sub-unit or other owned object instance.")]
   CIM_OrganizationalEntity REF Child;
};
      
// ==================================================================
// CollectionInOrganization
// ==================================================================
   // Ties a Collection to the OrganizationalEntity that owns it; Max (1) on
   // Parent allows at most one owning organization per collection.  The
   // Description asks that a collection not also be owned through
   // CollectionInSystem; that is stated in prose only, no qualifier here
   // expresses it.
   // NOTE(review): qualified Aggregation, but no reference carries Aggregate
   // and there is no superclass to inherit it from; confirm against the DMTF
   // release this snapshot tracks.
   [Association, Aggregation, Description (
       "CIM_CollectionInOrganization is an association used to establish "
       "a parent-child relationship between a collection and an 'owning' "
       "OrganizationalEntity.  A single collection should not have both "
       "a CollectionInOrganization and a CollectionInSystem association."
       )]
class CIM_CollectionInOrganization
{
      [Key, Max (1),
       Description ("The parent organization responsible for the "
       "collection.")]
   CIM_OrganizationalEntity REF Parent;

      [Key,
       Description ("The collection")]
   CIM_Collection REF Child;
};

// ==================================================================
// CollectionInSystem
// ==================================================================
   // Ties a Collection to the System that owns it; Max (1) on Parent allows
   // at most one owning system per collection.  The exclusivity with
   // CollectionInOrganization is stated in the Description only.
   // NOTE(review): qualified Aggregation, but no reference carries Aggregate
   // and there is no superclass to inherit it from; confirm against the DMTF
   // release this snapshot tracks.
   [Association, Aggregation, Description (
       "CIM_CollectionInSystem is an association used to establish a "
       "parent-child relationship between a collection and an 'owning' "
       "System such as an AdminDomain or ComputerSystem.  A single "
       "collection should not have both a CollectionInOrganization and a "
       "CollectionInSystem association.")]
class CIM_CollectionInSystem
{
      [Key, Max (1),
       Description ("The parent system responsible for the "
       "collection.")]
   CIM_System REF Parent;

      [Key,
       Description ("The collection")]
   CIM_Collection REF Child;
};

// Associations

// ==================================================================
// ElementAsUser    
// ==================================================================
   // Records which ManagedElement owns a UsersAccess instance.
   // Min (1) / Max (1) on Antecedent: every UsersAccess has exactly one
   // owner, so a UsersAccess can always be traced back to an owning element.
   [Association, Description (
       "CIM_ElementAsUser is an association used to establish the "
       "'ownership' of UsersAccess object instances.  That is, the "
       "ManagedElement may have UsersAccess to systems and, therefore, "
       "be 'users' on those systems.  UsersAccess instances must have an "
       "'owning' ManagedElement.  Typically, the ManagedElements will be "
       "limited to Collection, Person, Service and ServiceAccessPoint. "
       "Other non-human ManagedElements that might be thought of as "
       "having UsersAccess (e.g., a device or system) have services that "
       "have the UsersAccess.")]
class CIM_ElementAsUser : CIM_Dependency
{
      [Override ("Antecedent"), Min (1), Max (1),
       Description ("The ManagedElement that has UsersAccess")]
   CIM_ManagedElement REF Antecedent;

      [Override ("Dependent"),
       Description ("The 'owned' UsersAccess")]
   CIM_UsersAccess REF Dependent;
};


// ==================================================================
// MoreOrganizationInfo
// ==================================================================
   // Attaches one CIM_OtherOrganizationInformation instance to at most one
   // CIM_Organization (Max (1) on both ends; Min (0) makes the extension
   // optional).
   // NOTE(review): both reference Descriptions are blank placeholders.
   [Association, Description (
       "CIM_MoreOrganizationInfo is an association used to extend the "
       "information in a CIM_Organization class instance."
       )]
class CIM_MoreOrganizationInfo : CIM_Dependency
{
      [Override ("Antecedent"), Max (1),
       Description (" "
       " ")]
   CIM_Organization REF Antecedent;

      [Override ("Dependent"), Min (0), Max (1),
       Description (" ")]
   CIM_OtherOrganizationInformation REF Dependent;
};

// ==================================================================
// MoreOrgUnitInfo
// ==================================================================
   // Attaches one CIM_OtherOrgUnitInformation instance to at most one
   // CIM_OrgUnit (Max (1) on both ends; Min (0) makes the extension
   // optional).
   // NOTE(review): both reference Descriptions are blank placeholders.
   [Association, Description (
       "CIM_MoreOrgUnitInfo is an association used to extend the "
       "information in an CIM_OrgUnit class instance."
       )]
class CIM_MoreOrgUnitInfo : CIM_Dependency
{
      [Override ("Antecedent"), Max (1),
       Description (" "
       " ")]
   CIM_OrgUnit REF Antecedent;

      [Override ("Dependent"), Min (0), Max (1),
       Description (" ")]
   CIM_OtherOrgUnitInformation REF Dependent;
};

// ==================================================================
// MoreGroupInfo
// ==================================================================
   // Attaches one CIM_OtherGroupInformation instance to at most one
   // CIM_Group (Max (1) on both ends; Min (0) makes the extension optional).
   // NOTE(review): both reference Descriptions are blank placeholders.
   [Association, Description (
       "CIM_MoreGroupInfo is an association used to extend the "
       "information in a CIM_Group class instance."
       )]
class CIM_MoreGroupInfo : CIM_Dependency
{
      [Override ("Antecedent"), Max (1),
       Description (" "
       " ")]
   CIM_Group REF Antecedent;

      [Override ("Dependent"), Min (0), Max (1),
       Description (" ")]
   CIM_OtherGroupInformation REF Dependent;
};

// ==================================================================
// MoreRoleInfo
// ==================================================================
   // Attaches one CIM_OtherRoleInformation instance to at most one CIM_Role
   // (Max (1) on both ends; Min (0) makes the extension optional).
   // NOTE(review): both reference Descriptions are blank placeholders.
   [Association, Description (
       "CIM_MoreRoleInfo is an association used to extend the "
       "information in a CIM_Role class instance."
       )]
class CIM_MoreRoleInfo : CIM_Dependency
{
      [Override ("Antecedent"), Max (1),
       Description (" "
       " ")]
   CIM_Role REF Antecedent;

      [Override ("Dependent"), Min (0), Max (1),
       Description (" ")]
   CIM_OtherRoleInformation REF Dependent;
};

// ==================================================================
// MorePersonInfo
// ==================================================================
   // Attaches one CIM_OtherPersonInformation instance to at most one
   // CIM_Person (Max (1) on both ends; Min (0) makes the extension optional).
   // NOTE(review): both reference Descriptions are blank placeholders.
   [Association, Description (
       "CIM_MorePersonInfo is an association used to extend the "
       "information in a CIM_Person class instance."
       )]
class CIM_MorePersonInfo : CIM_Dependency
{
      [Override ("Antecedent"), Max (1),
       Description (" "
       " ")]
   CIM_Person REF Antecedent;

      [Override ("Dependent"), Min (0), Max (1),
       Description (" ")]
   CIM_OtherPersonInformation REF Dependent;
};

       
// ==================================================================
// SystemAdministrator    
// ==================================================================
  // Marks a UserEntity as an administrator of a CIM_System.  No cardinality
  // qualifiers are declared, so a system may have any number of
  // administrators and a UserEntity may administer any number of systems.
  // Instances of this association enumerate privileged principals.
  [Association, Description (
      "CIM_SystemAdministrator is an association used to identify "
      "the UserEntity as a system administrator of a CIM_System.")]
class CIM_SystemAdministrator : CIM_Dependency
{
      [Override ("Antecedent"), Description (
       "The administered system.")]
   CIM_System REF Antecedent;

      [Override ("Dependent"), Description (
       "The UserEntity that provides the admininstrative function "
       "for the associated system.")]
   CIM_UserEntity REF Dependent;
};

// ==================================================================
// SystemAdministratorGroup
// ==================================================================
   // Marks a Group as holding administrator responsibility for a CIM_System.
   // The privilege is conveyed to the group as a whole; who ends up holding
   // it depends on the group's membership, which is modeled elsewhere.
   [Association, Description (
       "CIM_SystemAdministratorGroup is an association used to identify "
       "a Group that has system administrator responsibilities for a "
       "CIM_System. ")]
class CIM_SystemAdministratorGroup : CIM_Dependency
{
      [Override ("Antecedent"),
       Description ("The administered system")]
   CIM_System REF Antecedent;

      [Override ("Dependent"),
       Description ("The Group of administrators")]
   CIM_Group REF Dependent;
};
  
// ==================================================================
// SystemAdministratorRole
// ==================================================================
   // Marks a Role as the system-administrator role for a CIM_System.
   // No cardinality qualifiers are declared on either reference.
   [Association, Description (
       "CIM_SystemAdministratorRole is an association used to identify "
       "a system administrator Role for a CIM_System.")]
class CIM_SystemAdministratorRole : CIM_Dependency
{
      [Override ("Antecedent"),
       Description ("The administered system")]
   CIM_System REF Antecedent;

      [Override ("Dependent"),
       Description ("The system administration role")]
   CIM_Role REF Dependent;
};

// ===================================================================
//    UsersAccount
// ===================================================================
        // Links a UsersAccess instance to each Account it can interact with.
        // No cardinality qualifiers are declared, so the relation is
        // many-to-many as far as the schema is concerned.
        [Association, Description (
         "This relationship associates UsersAccess with the Accounts "
         "with which they're able to interact.")]
class CIM_UsersAccount : CIM_Dependency
{
      [Override ("Antecedent"),
       Description ( "The user's Account")]
   CIM_Account REF Antecedent;

      [Override ("Dependent"),
       Description ( "The User as identified by their UsersAccess "
       "instance")]
   CIM_UsersAccess REF Dependent;
};


// ===================================================================
//    AccountMapsToAccount
// ===================================================================
   // Maps one Account onto another, e.g. the login name used for
   // authentication onto the identifier used for authorization.
   // The Description notes that several authentication Accounts may map to
   // the same authorization Account; when auditing, every Antecedent mapped
   // to a privileged Dependent holds that privilege, not only the one with
   // the familiar name.
   [Association, Description (
       "This relationship may be used to associate an Account used by an "
       "AuthenticationService to an Account used for Authorization.  For "
       "instance, this mapping occurs naturally in the UNIX /etc/passwd "
       "file, where the AuthenticationSerice Account ('root') is mapped "
       "to the AuthorizationService Account ('0').  The two are separate "
       "accounts, as evidenced by the ability to have another "
       "AuthenticationService Account which ALSO maps to the "
       "AuthorizationService Account ('0') without ambiguity.  This "
       "association may be used for other account mappings as well such "
       "as for coordinating single signon for multiple accounts for the "
       "same user.")]
class CIM_AccountMapsToAccount : CIM_Dependency
{
      [Override ("Antecedent"),
       Description ( "An Account")]
   CIM_Account REF Antecedent;

      [Override ("Dependent"),
       Description ( "A related Account")]
   CIM_Account REF Dependent;
};

// ===================================================================
//    SecurityServiceUsesAccount
// ===================================================================
        // Links a SecurityService to the Accounts it uses while operating.
        // Neither reference carries a Description or a cardinality
        // qualifier.
        [Association, Description (
         "This relationship associates SecurityService instances to "
         "the Accounts they use in the course of their work.")]
class CIM_SecurityServiceUsesAccount : CIM_Dependency
{
      // The Account being used.
      [Override ("Antecedent")]
   CIM_Account REF Antecedent;

      // The SecurityService that uses the Account.
      [Override ("Dependent")]
   CIM_SecurityService REF Dependent;
};


// ===================================================================
//    ManagesAccount
// ===================================================================
        // Links an AccountManagementService to each Account it is
        // responsible for.  Neither reference carries a Description or a
        // cardinality qualifier.
        [Association, Description (
         "This relationship associates the AccountManagement security "
         "service to the Accounts for which it is responsible.")]
class CIM_ManagesAccount : CIM_Dependency
{
      // The managing service.
      [Override ("Antecedent")]
   CIM_AccountManagementService REF Antecedent;

      // The managed Account.
      [Override ("Dependent")]
   CIM_Account REF Dependent;
};

// ===================================================================
//    ServiceUsesSecurityService
// ===================================================================
        // Links an arbitrary Service to the SecurityService it relies on.
        // Neither reference carries a Description or a cardinality
        // qualifier.
        [Association, Description (
         "This relationship associates a Services with the Security "
         "Service it uses.")]
class CIM_ServiceUsesSecurityService : CIM_ServiceServiceDependency
{
      // The SecurityService being used.
      [Override ("Antecedent")]
   CIM_SecurityService REF Antecedent;

      // The Service that depends on it.
      [Override ("Dependent")]
   CIM_Service REF Dependent;
};

// ===================================================================
//    SecurityServiceForSystem
// ===================================================================
   // Links a System to a SecurityService that serves it.
   // CIM_ManagesAccountOnSystem specializes this association.
   [Association, Description (
       "The CIM_SecurityServiceForSystem provides the association between "
       "a System and a SecurityService that provides services for that "
       "system.")]
class CIM_SecurityServiceForSystem : CIM_ProvidesServiceToElement
{
      [Override ("Antecedent"), Description (
       "The SecurityService that provides services for the system.")]
   CIM_SecurityService REF Antecedent;

      [Override ("Dependent"), Description (
       "The system that is dependent on the security service.")]
   CIM_System REF Dependent;
};


// ===================================================================
//    ManagesAccountOnSystem
// ===================================================================
   // Specialization of CIM_SecurityServiceForSystem whose Antecedent is
   // redeclared as an AccountManagementService.
   [Association, Description (
       "The CIM_ManagesAccountOnSystem provides the association between a "
       "System and the AccountManagementService that manages accounts for "
       "that system.")]
class CIM_ManagesAccountOnSystem : CIM_SecurityServiceForSystem
{
      [Override ("Antecedent"), Description (
       "An AccountManagementService that manages accounts for the "
       "system.")]
   CIM_AccountManagementService REF Antecedent;

      [Override ("Dependent"), Description (
       "The system that is dependent on the AccountManagementService."
       )]
   CIM_System REF Dependent;
};

// ==================================================================
//    TrustHierarchy
// ==================================================================
        // Superior/subordinate link between two CredentialManagementService
        // instances.  Max (1) on Antecedent gives each service at most one
        // superior, so a chain of these associations has a single path
        // upward from any service.
        [Association, Description (
         "CIM_TrustHierarchy is an association between two "
         "CredentialManagementService instances that establishes "
         "the trust hierarchy between them.")]
class CIM_TrustHierarchy : CIM_Dependency
{
      [Override ("Antecedent"), Max (1),
       Description ("The superior CredentialManagementService "
       "from which the dependent service gets its authority.")]
   CIM_CredentialManagementService REF Antecedent;

      [Override ("Dependent"), Description (
       "The subordinate CredentialManagementService.")]
   CIM_CredentialManagementService REF Dependent;
};

// ==================================================================
// UsersCredential
// ==================================================================
   // Links a Credential to the UsersAccess that may present it.
   // CIM_PublicPrivateKeyPair specializes this association.
   [Association, Description (
       "CIM_UsersCredential is an association used to establish the "
       "credentials that may be used for a UsersAccess to a system or "
       "set of systems. ")]
class CIM_UsersCredential : CIM_Dependency
{
      [Override ("Antecedent"),
       Description ("The issued credential that may be used.")]
   CIM_Credential REF Antecedent;

      [Override ("Dependent"),
       Description ("The UsersAccess that has use of a credential")]
   CIM_UsersAccess REF Dependent;
};

// ===================================================================
//    PublicPrivateKeyPair
// ===================================================================
        // Links a PublicKeyCertificate to the principal holding the matching
        // private key.  The private key is deliberately left out of the
        // model (see the Description); only facts about its use and backup
        // are recorded here.
        [Association, Description (
         "This relationship associates a PublicKeyCertificate with "
         "the Principal who has the PrivateKey used with the "
         "PublicKey.  The PrivateKey is not modeled, since it is not "
         "a data element that ever SHOULD be accessible via "
         "management applications, other than key recovery services, "
         "which are outside our scope.")]
class CIM_PublicPrivateKeyPair : CIM_UsersCredential
{
      [Override ("Antecedent")]
   CIM_PublicKeyCertificate REF Antecedent;

      [Override ("Dependent")]
   CIM_UsersAccess REF Dependent;

      // Values is given without a ValueMap, so the names map to the
      // zero-based index: 0 = SignOnly, 1 = ConfidentialityOrSignature.
      [Description ( "The Certificate may be used for signature only "
       "or for confidentiality as well as signature"),
       Values { "SignOnly", "ConfidentialityOrSignature"}]
   uint16 Use;

      // NOTE(review): no Description is declared for this property.
   boolean NonRepudiation;

      // NOTE(review): no Description is declared; the name and the
      // Repository property below suggest it records whether a backup
      // exists -- confirm.
   boolean BackedUp;

      // Identifies a backup location only; what is stored there and how it
      // is protected is not described by this schema.
      [Description ("The repository in which the certificate is "
       "backed up.")]
   string Repository;
};


// ===================================================================
//    CAHasPublicCertificate
// ===================================================================
   // Links a CertificateAuthority to a certificate it holds that was issued
   // by another CA.  Max (1) on Antecedent: at most one such certificate per
   // CA through this association.
   [Association, Description (
       "A CertificateAuthority may have certificates issued by other CAs. "
       "This association is essentially an optimization of the CA having "
       "a UsersAccess instance with an association to a certificate thus "
       "mapping more closely to LDAP-based certificate authority "
       "implementations.")]
class CIM_CAHasPublicCertificate : CIM_Dependency
{
      [Override ("Antecedent"), Max (1),
       Description ("The Certificate used by the CA")]
   CIM_PublicKeyCertificate REF Antecedent;

      [Override ("Dependent"),
       Description ("The CA that uses a Certificate")]
   CIM_CertificateAuthority REF Dependent;
};


// ===================================================================
//    ManagedCredential
// ===================================================================
        // Links a Credential to the one CredentialManagementService that
        // manages it (Min (1) / Max (1) on Antecedent).  Several
        // credential-type-specific associations in this file derive from it.
        [Association, Description (
         "This relationship associates a CredentialManagementService "
         "with the Credential it manages.")]
class CIM_ManagedCredential : CIM_Dependency
{
      [Override ("Antecedent"), Min (1), Max (1),
       Description ( "The credential management service")]
   CIM_CredentialManagementService REF Antecedent;

      [Override ("Dependent"),
       Description ( "The managed credential")]
   CIM_Credential REF Dependent;
};

// ===================================================================
//    CASignsPublicKeyCertificate
// ===================================================================
        // Links a certificate to the one CertificateAuthority that signed it
        // and carries per-signature data on the association itself.
        // NOTE(review): SerialNumber, Signature, Expires and
        // CRLDistributionPoint are declared without Description qualifiers,
        // so their encoding and semantics are not stated here.  They are
        // management-model copies; a consumer making a trust decision would
        // presumably validate the certificate itself rather than rely on
        // these fields -- confirm with the provider.
        [Association, Description (
         "This relationship associates a CertificateAuthority with "
         "the certificates it signs.")]
class CIM_CASignsPublicKeyCertificate : CIM_ManagedCredential
{
      [Override ("Antecedent"), Min (1), Max (1),
       Description ( "The CA which signed the certificate")]
   CIM_CertificateAuthority REF Antecedent;

      // Weak: the certificate is named in the scope of its issuing CA.
      [Override ("Dependent"), Weak,
       Description ( "The certificate issued by the CA")]
   CIM_PublicKeyCertificate REF Dependent;

   string SerialNumber;

      // Octetstring marks the uint8 array as a byte string.
      [Octetstring]
   uint8 Signature[];

   datetime Expires;

   string CRLDistributionPoint[];
};

// ==================================================================
//    LocallyManagedPublicKey
// ==================================================================
        // Links an UnsignedPublicKey to the one PublicKeyManagementService
        // that manages it; Weak scopes the key's name to that service.
        [Association, Description (
         "CIM_LocallyManagedPublicKey association provides the "
         "relationship between a PublicKeyManagementService and an "
         "UnsignedPublicKey.")]
class CIM_LocallyManagedPublicKey : CIM_ManagedCredential
{
      [Override ("Antecedent"), Min (1), Max (1),
       Description ("The PublicKeyManagementService that manages "
       "an unsigned public key.")]
   CIM_PublicKeyManagementService REF Antecedent;

      [Override ("Dependent"), Weak, Description (
       "An unsigned public key.")]
   CIM_UnsignedPublicKey REF Dependent;
};

// ===================================================================
//    SharedSecretIsShared
// ===================================================================
        // Links a SharedSecret to the one SharedSecretService that verifies
        // it; Weak scopes the secret's name to that service.
        [Association, Description (
         "This relationship associates a SharedSecretService with the "
         "SecretKey it verifies.")]
class CIM_SharedSecretIsShared : CIM_ManagedCredential
{
      [Override ("Antecedent"), Min (1), Max (1),
       Description ("The credential management service")]
   CIM_SharedSecretService REF Antecedent;

      [Override ("Dependent"), Weak,
       Description ( "The managed credential")]
   CIM_SharedSecret REF Dependent;
};

// ==================================================================
//    IKESecretIsNamed
// ==================================================================
        // Links a NamedSharedIKESecret to the one SharedSecretService that
        // manages it; Weak scopes the secret's name to that service.
        [Association, Description (
         "CIM_IKESecretIsNamed association provides the "
         "relationship between a SharedSecretService and a "
         "NamedSharedIKESecret.")]
class CIM_IKESecretIsNamed : CIM_ManagedCredential
{
      [Override ("Antecedent"), Min (1), Max (1),
       Description ("The SharedSecretService that manages a "
       "NamedSharedIKESecret.")]
   CIM_SharedSecretService REF Antecedent;

      [Override ("Dependent"), Weak, Description (
       "The managed NamedSharedIKESecret.")]
   CIM_NamedSharedIKESecret REF Dependent;
};

// ===================================================================
//    KDCIssuesKerberosTicket
// ===================================================================
   // Links a KerberosTicket to the one KDC that issued it (Min (1) /
   // Max (1) on Antecedent); Weak scopes the ticket's name to that KDC.
   [Association, Description (
       "The KDC issues and owns Kerberos tickets.  This association "
       "captures the relationship between the KDC and its issued tickets."
       )]
class CIM_KDCIssuesKerberosTicket : CIM_ManagedCredential
{
      [Override ("Antecedent"), Min (1), Max (1),
       Description ( "The issuing KDC")]
   CIM_KerberosKeyDistributionCenter REF Antecedent;

      [Override ("Dependent"), Weak,
       Description ( "The managed credential")]
   CIM_KerberosTicket REF Dependent;
};

// ===================================================================
//    NotaryVerifiesBiometric
// ===================================================================
        // Links a Notary service to the UsersAccess whose biometric
        // information it verifies.  The association carries no biometric
        // data itself; it declares references only.
        [Association, Description (
         "This relationship associates a Notary service with the "
         "Users Access whose biometric information is verified.")]
class CIM_NotaryVerifiesBiometric : CIM_Dependency
{
      [Override ("Antecedent"),
       Description ("The Notary service that verifies biometric "
       "information ")]
   CIM_Notary REF Antecedent;

      [Override ("Dependent"),
       Description ( "The UsersAccess that represents a person using "
       "biometric information for authentication.")]
   CIM_UsersAccess REF Dependent;
};


// ==================================================================
// HostedAuthenticationRequirement
// ==================================================================
   // Naming scope for AuthenticationRequirement: each requirement is hosted
   // by exactly one System (Min (1) / Max (1)) and is Weak to it.
   // Per the Description, hosting is about naming only; it does not say
   // which resources the requirement protects (see
   // CIM_AuthenticationTarget for that).
   [Association, Description (
       "CIM_HostedAuthenticationRequirement is an association used to "
       "provide the namespace scoping of AuthenticationRequirement.  The "
       "hosted requirements may or may not apply to resources on the "
       "hosting system.")]
class CIM_HostedAuthenticationRequirement : CIM_Dependency
{
      [Override ("Antecedent"), Min (1), Max (1),
       Description ("The hosting system")]
   CIM_System REF Antecedent;

      [Override ("Dependent"), Weak,
       Description ("The hosted AuthenticationRequirement")]
   CIM_AuthenticationRequirement REF Dependent;
};

// ==================================================================
// AuthenticateForUse 
// ==================================================================
   // Hands an AuthenticationRequirement to the AuthenticationService that
   // enforces it.  No cardinality qualifiers are declared.
   [Association, Description (
       "CIM_AuthenticateForUse is an association used to provide an "
       "AuthenticationService with the AuthenticationRequirement it "
       "needs to do its job.")]
class CIM_AuthenticateForUse : CIM_Dependency
{
      [Override ("Antecedent"),
       Description ("AuthenticationRequirement for use")]
   CIM_AuthenticationRequirement REF Antecedent;

      [Override ("Dependent"),
       Description ("AuthenticationService that uses the requirements"
       )]
   CIM_AuthenticationService REF Dependent;
};
 
// ==================================================================
// RequireCredentialsFrom 
// ==================================================================
   // Restricts an AuthenticationRequirement to credentials issued by the
   // associated CredentialManagementService(s).
   // NOTE(review): the text here does not say what applies when a
   // requirement has no RequireCredentialsFrom instance at all; confirm
   // whether the implementation reads that as "no issuer restriction".
   [Association, Description (
       "CIM_RequireCredentialsFrom is an association used to require "
       "that credentials are issued by particular Credential Management "
       "Services in order to authenticate a user.")]
class CIM_RequireCredentialsFrom : CIM_Dependency
{
      [Override ("Antecedent"),
       Description ("CredentialManagementService from which "
       "credentials are accepted for the associated "
       "AuthenticationRequirement.")]
   CIM_CredentialManagementService REF Antecedent;

      [Override ("Dependent"),
       Description ("AuthenticationRequirement that limit acceptable "
       "credentials. ")]
   CIM_AuthenticationRequirement REF Dependent;
};

// ==================================================================
// AuthenticationTarget 
// ==================================================================
   // Binds an AuthenticationRequirement to the resources it protects, so
   // that different resources can demand different authentication strength.
   // The Dependent is typed CIM_ManagedElement; a Collection used there
   // covers all of its members.
   [Association, Description (
       "CIM_AuthenticationTarget is an association used to apply "
       "authentication requirements for access to specific resources. "
       "For example, a shared secret may be sufficient for access to "
       "unclassified resources, but for confidential resources, a "
       "stronger authentication may be required.")]
class CIM_AuthenticationTarget : CIM_Dependency
{
      [Override ("Antecedent"),
       Description ("AuthenticationRequirement that apply to "
       "specific resources")]
   CIM_AuthenticationRequirement REF Antecedent;

      [Override ("Dependent"),
       Description ("Target resources that may be in a Collection or "
       "an individual ManagedElement.  These resources are protected "
       "by the AuthenticationRequirement.")]
   CIM_ManagedElement REF Dependent;
};
 
// ==================================================================
// HostedACI 
// ==================================================================
   // Naming scope for AccessControlInformation: each ACI is hosted by
   // exactly one System (Min (1) / Max (1)) and is Weak to it.
   // Per the Description, hosting is about naming only; the resources an
   // ACI governs are given by CIM_AuthorizationTarget, not by its host.
   [Association, Description (
       "CIM_HostedACI is an association used to provide the namespace "
       "scoping of AccessControlInformation.  The hosted ACI may or may "
       "not apply to resources on the hosting system.")]
class CIM_HostedACI : CIM_Dependency
{
      [Override ("Antecedent"), Min (1), Max (1),
       Description ("The hosting system")]
   CIM_System REF Antecedent;

      [Override ("Dependent"), Weak,
       Description ("The hosted AccessControlInformation")]
   CIM_AccessControlInformation REF Dependent;
};

// ==================================================================
// AuthorizedUse 
// ==================================================================
   // Hands an AccessControlInformation instance to the AuthorizationService
   // that evaluates it.  No cardinality qualifiers are declared.
   [Association, Description (
       "CIM_AuthorizedUse is an association used to provide an "
       "AuthorizationService with the AccessControlInformation it needs "
       "to do its job.")]
class CIM_AuthorizedUse : CIM_Dependency
{
      [Override ("Antecedent"),
       Description ("AccessControlInformation")]
   CIM_AccessControlInformation REF Antecedent;

      [Override ("Dependent"),
       Description ("AuthorizationService that uses an ACI.")]
   CIM_AuthorizationService REF Dependent;
};

// ==================================================================
// AuthorizationSubject 
// ==================================================================
   // Binds an AccessControlInformation instance to the subjects (users) it
   // applies to.  Subjects may be named directly or through a Collection,
   // and the Description allows further indirection via MemberPrincipal, so
   // the effective subject set can be wider than the directly associated
   // elements; resolve collection membership when reviewing who an ACI
   // covers.
   [Association, Description (
       "CIM_AuthorizationSubject is an association used to apply "
       "authorization decisions to specific subjects (i.e., users).  The "
       "subjects may be identified directly or they may be aggregated "
       "into a collection that may, in turn, use the MemberPrincipal "
       "association to provide further indirection in the specification "
       "of the subject set.")]
class CIM_AuthorizationSubject : CIM_Dependency
{
      [Override ("Antecedent"), Description (
       "AccessControlInformation that applies to a subject set.")]
   CIM_AccessControlInformation REF Antecedent;

      [Override ("Dependent"), Description (
       "The subject set may be specified as a collection or as a set "
       "of associations to ManagedElements that represent users.")]
   CIM_ManagedElement REF Dependent;
};
  
// ==================================================================
// AuthorizationTarget 
// ==================================================================
   // Binds an AccessControlInformation instance to the resources it governs.
   // Targets may be named one by one or through a Collection, in which case
   // the ACI covers every member of that collection.
   [Association, Description (
       "CIM_AuthorizationTarget is an association used to apply "
       "authorization decisions to specific target resources.  The "
       "target resources may be aggregated into a collection or may be "
       "represented as a set of associations to ManagedElements.")]
class CIM_AuthorizationTarget : CIM_Dependency
{
      [Override ("Antecedent"), Description (
       "AccessControlInformation that applies to the target set.")]
   CIM_AccessControlInformation REF Antecedent;

      [Override ("Dependent"), Description (
       "The target set of resources may be specified as a collection "
       "or as a set of associations to ManagedElements that represent "
       "target resources.")]
   CIM_ManagedElement REF Dependent;
};


// End of file




