1 tony 1.1 // ===================================================================
2 // Title: User-Security Accounts 2.8
3 // Filename: User28_Account.mof
4 // Version: 2.8
5 // Status: Final
6 // Date: Jan 26, 2004
7 // ===================================================================
8 // Copyright 2000-2004 Distributed Management Task Force, Inc. (DMTF).
9 // All rights reserved.
10 // DMTF is a not-for-profit association of industry members dedicated
11 // to promoting enterprise and systems management and interoperability.
12 // DMTF specifications and documents may be reproduced for uses
13 // consistent with this purpose by members and non-members,
14 // provided that correct attribution is given.
15 // As DMTF specifications may be revised from time to time,
16 // the particular version and release date should always be noted.
17 //
18 // Implementation of certain elements of this standard or proposed
19 // standard may be subject to third party patent rights, including
20 // provisional patent rights (herein "patent rights"). DMTF makes
21 // no representations to users of the standard as to the existence
22 tony 1.1 // of such rights, and is not responsible to recognize, disclose, or
23 // identify any or all such third party patent right, owners or
24 // claimants, nor for any incomplete or inaccurate identification or
25 // disclosure of such rights, owners or claimants. DMTF shall have no
26 // liability to any party, in any manner or circumstance, under any
27 // legal theory whatsoever, for failure to recognize, disclose, or
28 // identify any such third party patent rights, or for such party's
29 // reliance on the standard or incorporation thereof in its product,
30 // protocols or testing procedures. DMTF shall have no liability to
31 // any party implementing such standard, whether such implementation
32 // is foreseeable or not, nor to any patent owner or claimant, and shall
33 // have no liability or responsibility for costs or losses incurred if
34 // a standard is withdrawn or modified after publication, and shall be
35 // indemnified and held harmless by any party implementing the
36 // standard from any and all claims of infringement by a patent owner
37 // for such implementations.
38 //
39 // For information about patents held by third-parties which have
40 // notified the DMTF that, in their opinion, such patent may relate to
41 // or impact implementations of DMTF standards, visit
42 // http://www.dmtf.org/about/policies/disclosures.php.
43 tony 1.1 // ===================================================================
44 // Description: The User Model extends the management concepts that
45 // are related to users and security.
46 // This file defines the concepts and classes related to
47 // Accounts.
48 //
49 // The object classes below are listed in an order that
50 // avoids forward references. Required objects, defined
51 // by other working groups, are omitted.
52 // ===================================================================
53 // Change Log for v2.8 Final
54 // CR1218 - Accepted AccountIdentity and the deprecation of
55 // UsersAccount
56 // as Final
57 // CR1235 - Added Descriptions to the properties of ManagesAccount and
58 // SecurityServiceUsesAccount / Accepted Account's Description
59 // change as Final
60 //
61 // Change Log for v2.8 Preliminary
62 // CR1013 - Related the Account class with Identity, changed Account's
63 // Description, added AccountIdentity and deprecated
64 tony 1.1 // UsersAccount
65 //
66 // Change Log for v2.7 - None
67 // ===================================================================
68
69 #pragma Locale ("en_US")
70
71
72 // ==================================================================
73 // Account
74 // ==================================================================
// CIM_Account: the account record a SecurityService keeps for a scoping
// System. Instance identity is the four Key properties below: the System's
// CreationClassName and Name (both Propagated from CIM_System), plus this
// class's own CreationClassName and Name.
75 [Version ( "2.8.0" ), Description (
76 "CIM_Account is the information held by a SecurityService to "
77 "track identity and privileges managed by that service. Common "
78 "examples of an Account are the entries in a UNIX /etc/passwd "
79 "file. Several kinds of security services use various "
80 "information from those entries - the /bin/login program uses "
81 "the account name ('root') and hashed password to authenticate "
82 "users, and the file service, for instance, uses the UserID "
83 "field ('0') and GroupID field ('0') to record ownership and "
84 "determine access control privileges on files in the file "
85 tony 1.1 "system. This class is defined so as to incorporate "
86 "commonly-used LDAP attributes to permit implementations to "
87 "easily derive this information from LDAP-accessible "
88 "directories. \n"
89 "\n"
90 "The semantics of Account overlap with that of the class, "
91 "CIM_Identity. However, aspects of Account - such as its "
92 "specific tie to a System - are valuable and have been widely "
93 "implemented. For this reason, the Account and Identity classes "
94 "are associated using a subclass of LogicalIdentity "
95 "(AccountIdentity), instead of deprecating the Account class in "
96 "the CIM Schema. When an Account has been authenticated, the "
97 "corresponding Identity's TrustEstablished Boolean would be set "
98 "to TRUE. Then, the Identity class can be used as defined for "
99 "authorization purposes.")]
100 class CIM_Account : CIM_LogicalElement {
101
// Key 1 of 4: class name of the scoping System, propagated from CIM_System.
102 [Key, Propagated ( "CIM_System.CreationClassName" ),
103 Description (
104 "The scoping System's CCN."),
105 MaxLen ( 256 )]
106 tony 1.1 string SystemCreationClassName;
107
// Key 2 of 4: Name of the scoping System, propagated from CIM_System.
108 [Key, Propagated ( "CIM_System.Name" ), Description (
109 "The scoping System's Name."),
110 MaxLen ( 256 )]
111 string SystemName;
112
// Key 3 of 4: name of the concrete class used to create the instance.
113 [Key, Description (
114 "CreationClassName indicates the name of the class or the "
115 "subclass used in the creation of an instance. When used "
116 "with the other key properties of this class, this property "
117 "allows all instances of this class and its subclasses to be "
118 "uniquely identified."),
119 MaxLen ( 256 )]
120 string CreationClassName;
121
// Key 4 of 4: overrides the inherited Name and allows up to 1024 characters.
// Per the Description it may hold either the UserID value or an LDAP DN.
122 [Key, Override ( "Name" ), Description (
123 "The Name property defines the label by which the object is "
124 "known. The value of this property may be set to be the same "
125 "as that of the UserID property or, in the case of an "
126 "LDAP-derived instance, the Name property value may be set "
127 tony 1.1 "to the distinguishedName of the LDAP-accessed object "
128 "instance."),
129 MaxLen ( 1024 )]
130 string Name;
131
// UserID carries no Key qualifier: only Name takes part in instance
// identity, so this class does not by itself make UserID values unique.
132 [Description (
133 "UserID is the value used by the SecurityService to "
134 "represent identity. For an authentication service, the "
135 "UserID may be the name of the user, or for an authorization "
136 "service the value which serves as a handle to a mapping of "
137 "the identity."),
138 MaxLen ( 256 )]
139 string UserID;
140
// Multi-valued; mirrors the LDAP objectClass attribute for LDAP-derived data.
141 [Description (
142 "In the case of an LDAP-derived instance, the ObjectClass "
143 "property value(s) may be set to the objectClass attribute "
144 "values.")]
145 string ObjectClass[];
146
// Multi-valued counterpart of the inherited single-valued Description.
147 [Description (
148 tony 1.1 "The Descriptions property values may contain human-readable "
149 "descriptions of the object. In the case of an LDAP-derived "
150 "instance, the description attribute may have multiple "
151 "values that, therefore, cannot be placed in the inherited "
152 "Description property."),
153 MaxLen ( 1024 )]
154 string Descriptions[];
155
// Host names the account applies to; no MaxLen is declared on this property.
156 [Description (
157 "Based on RFC1274, the host name of the system(s) for which "
158 "the account applies. The host name may be a fully-qualified "
159 "DNS name or it may be an unqualified host name.")]
160 string Host[];
161
162 [Description (
163 "This property contains the name of a locality, such as a "
164 "city, county or other geographic region.")]
165 string LocalityName[];
166
// The only non-key property in this class marked Required.
167 [Required, Description (
168 "The name of the organization related to the account.")]
169 tony 1.1 string OrganizationName[];
170
171 [Description (
172 "The name of an organizational unit related to the account.")]
173 string OU[];
174
// Distinguished names of related directory objects (LDAP-derived instances).
175 [Description (
176 "In the case of an LDAP-derived instance, the SeeAlso "
177 "property specifies distinguished name of other Directory "
178 "objects which may be other aspects (in some sense) of the "
179 "same real world object.")]
180 string SeeAlso[];
181
// Public key certificate(s), carried as OctetString values.
182 [Description (
183 "Based on inetOrgPerson and for directory compatibility, the "
184 "UserCertificate property may be used to specify a public "
185 "key certificate for the person."),
186 OctetString]
187 string UserCertificate[];
188
// NOTE(review): credential material is modelled here as an ordinary
// OctetString property; no access-restricting qualifier is visible on it.
// This Description says "encrypted" while the class Description speaks of a
// "hashed password", so the schema does not fix the stored format and a
// provider could surface whatever the directory holds. Confirm that read
// access to this property is restricted in the implementation and that
// cleartext values are never returned.
189 [Description (
190 tony 1.1 "In the case of an LDAP-derived instance, the UserPassword "
191 "property may contain an encrypted password used to access "
192 "the person's resources in a directory."),
193 OctetString]
194 string UserPassword[];
195 };
196
197
198 // ==================================================================
199 // AccountIdentity
200 // ==================================================================
// CIM_AccountIdentity: ties an Account (SystemElement) to the Identity
// (SameElement) that it establishes; replaces the deprecated
// CIM_UsersAccount. The CIM_Account Description states that authenticating
// the Account sets the corresponding Identity's TrustEstablished, which is
// then used for authorization, so instances of this association decide which
// Identity receives that trust.
// NOTE(review): no Min/Max cardinality is declared on either reference here.
201 [Association, Version ( "2.8.0" ), Description (
202 "CIM_AccountIdentity relates a system Account with the Identity "
203 "that is established. Since Account also carries Identity "
204 "semantics, the LogicalIdentity association is defined as the "
205 "superclass of this association.")]
206 class CIM_AccountIdentity : CIM_LogicalIdentity {
207
// Narrows the inherited SystemElement reference to CIM_Account.
208 [Override ( "SystemElement" ), Description (
209 "The Account that establishes Identity.")]
210 CIM_Account REF SystemElement;
211 tony 1.1
// Narrows the inherited SameElement reference to CIM_Identity.
212 [Override ( "SameElement" ), Description (
213 "The Identity established by the Account.")]
214 CIM_Identity REF SameElement;
215 };
216
217
218 // ===================================================================
219 // AccountOnSystem
220 // ===================================================================
// CIM_AccountOnSystem: aggregation that places each Account under the System
// which scopes its name. This is the association through which CIM_Account's
// Propagated system keys are supplied (PartComponent is Weak).
221 [Association, Aggregation, Version ( "2.6.0" ), Description (
222 "A system (e.g., ApplicationSystem, ComputerSystem, "
223 "AdminDomain) aggregates Accounts and scopes the uniqueness of "
224 "the Account names (i.e., userids).")]
225 class CIM_AccountOnSystem : CIM_SystemComponent {
226
// Min(1)/Max(1): every Account is aggregated by exactly one System.
227 [Aggregate, Override ( "GroupComponent" ), Min ( 1 ), Max ( 1 ),
228 Description (
229 "The aggregating system also provides name scoping for the "
230 "Account.")]
231 CIM_System REF GroupComponent;
232 tony 1.1
// Weak: the Account is identified within the scope of the aggregating System.
233 [Override ( "PartComponent" ), Weak, Description (
234 "The subordinate Account.")]
235 CIM_Account REF PartComponent;
236 };
237
238
239 // ===================================================================
240 // UsersAccount
241 // ===================================================================
// CIM_UsersAccount: DEPRECATED in favour of CIM_AccountIdentity. It remains
// in the schema, but the class and both of its references carry a Deprecated
// qualifier naming their replacements.
// Note the type change on the replacement: Dependent here is CIM_UsersAccess,
// whereas CIM_AccountIdentity.SameElement is CIM_Identity.
242 [Association, Deprecated { "CIM_AccountIdentity" },
243 Version ( "2.8.0" ), Description (
244 "This relationship associates UsersAccess with the Accounts "
245 "with which they're able to interact. This association is "
246 "deprecated in lieu of AccountIdentity, which defines similar "
247 "semantics. This was done since the UsersAccess reference in "
248 "UsersAccount has been deprecated and replaced by the more "
249 "specific semantics of CIM_Identity.")]
250 class CIM_UsersAccount : CIM_Dependency {
251
// Replaced by CIM_AccountIdentity.SystemElement.
252 [Deprecated { "CIM_AccountIdentity.SystemElement" },
253 tony 1.1 Override ( "Antecedent" ), Description (
254 "The user's Account.")]
255 CIM_Account REF Antecedent;
256
// Replaced by CIM_AccountIdentity.SameElement.
257 [Deprecated { "CIM_AccountIdentity.SameElement" },
258 Override ( "Dependent" ), Description (
259 "The User as identified by their UsersAccess instance.")]
260 CIM_UsersAccess REF Dependent;
261 };
262
263
264 // ===================================================================
265 // AccountMapsToAccount
266 // ===================================================================
// CIM_AccountMapsToAccount: Account-to-Account mapping, for example from the
// Account used for authentication to the Account used for authorization.
// NOTE(review): the Description explicitly allows several authentication
// Accounts to map to the same authorization Account ('0' in its example), and
// no Min/Max cardinality is declared here. A review of privileged access
// should therefore enumerate every Account mapped to a privileged
// authorization Account instead of relying on account names alone.
// The reference Descriptions do not say which end is the authentication
// Account and which the authorization Account; confirm the direction that
// the implementation uses.
267 [Association, Version ( "2.6.0" ), Description (
268 "This relationship may be used to associate an Account used by "
269 "an AuthenticationService to an Account used for Authorization. "
270 "For instance, this mapping occurs naturally in the UNIX "
271 "/etc/passwd file, where the AuthenticationService Account "
272 "('root') is mapped to the AuthorizationService Account ('0'). "
273 "The two are separate accounts, as evidenced by the ability to "
274 tony 1.1 "have another AuthenticationService Account which ALSO maps to "
275 "the AuthorizationService Account ('0') without ambiguity. This "
276 "association may be used for other account mappings as well "
277 "such as for coordinating single signon for multiple accounts "
278 "for the same user.")]
279 class CIM_AccountMapsToAccount : CIM_Dependency {
280
// Both references are narrowed to CIM_Account.
281 [Override ( "Antecedent" ), Description (
282 "An Account.")]
283 CIM_Account REF Antecedent;
284
285 [Override ( "Dependent" ), Description (
286 "A related Account.")]
287 CIM_Account REF Dependent;
288 };
289
290
291 // ===================================================================
292 // SecurityServiceUsesAccount
293 // ===================================================================
// CIM_SecurityServiceUsesAccount: records which Accounts a SecurityService
// relies on. The Account is the Antecedent and the service is the Dependent.
294 [Association, Version ( "2.6.0" ), Description (
295 tony 1.1 "This relationship associates SecurityService instances to the "
296 "Accounts they use in the course of their work.")]
297 class CIM_SecurityServiceUsesAccount : CIM_Dependency {
298
// Narrows Antecedent to CIM_Account.
299 [Override ( "Antecedent" ), Description (
300 "Account used by the SecurityService.")]
301 CIM_Account REF Antecedent;
302
// Narrows Dependent to CIM_SecurityService.
303 [Override ( "Dependent" ), Description (
304 "The Service using the Account.")]
305 CIM_SecurityService REF Dependent;
306 };
307
308
309 // ==================================================================
310 // AccountManagementService
311 // ==================================================================
// CIM_AccountManagementService: the SecurityService subclass responsible for
// the Account lifecycle (create, manage, destroy). The class body is empty,
// so no properties or methods are added here and the lifecycle operations
// are not modelled in this file.
// NOTE(review): "SecuritySerices" in the Description below looks like a typo
// for "SecurityServices"; the qualifier string is left unchanged.
312 [Version ( "2.6.0" ), Description (
313 "CIM_AccountManagementService creates, manages, and if "
314 "necessary destroys Accounts on behalf of other "
315 "SecuritySerices.")]
316 tony 1.1 class CIM_AccountManagementService : CIM_SecurityService {
317 };
318
319
320 // ===================================================================
321 // ManagesAccount
322 // ===================================================================
// CIM_ManagesAccount: links an AccountManagementService (Antecedent) to each
// Account it is responsible for (Dependent). No Min/Max cardinality is
// declared here, so this class does not require an Account to have a
// managing service.
323 [Association, Version ( "2.6.0" ), Description (
324 "This relationship associates the AccountManagement security "
325 "service to the Accounts for which it is responsible.")]
326 class CIM_ManagesAccount : CIM_Dependency {
327
// Narrows Antecedent to CIM_AccountManagementService.
328 [Override ( "Antecedent" ), Description (
329 "The account management service.")]
330 CIM_AccountManagementService REF Antecedent;
331
// Narrows Dependent to CIM_Account.
332 [Override ( "Dependent" ), Description (
333 "An account managed by the service.")]
334 CIM_Account REF Dependent;
335 };
336
337 tony 1.1
338 // ===================================================================
339 // ManagesAccountOnSystem
340 // ===================================================================
// CIM_ManagesAccountOnSystem: identifies the AccountManagementService
// (Antecedent) that manages accounts for a System (Dependent). It specialises
// CIM_SecurityServiceForSystem by narrowing the Antecedent type.
341 [Association, Version ( "2.6.0" ), Description (
342 "The CIM_ManagesAccountOnSystem provides the association "
343 "between a System and the AccountManagementService that manages "
344 "accounts for that system.")]
345 class CIM_ManagesAccountOnSystem : CIM_SecurityServiceForSystem {
346
// Narrows Antecedent to CIM_AccountManagementService.
347 [Override ( "Antecedent" ), Description (
348 "An AccountManagementService that manages accounts for the "
349 "system.")]
350 CIM_AccountManagementService REF Antecedent;
351
// The System whose accounts are managed.
352 [Override ( "Dependent" ), Description (
353 "The system that is dependent on the "
354 "AccountManagementService.")]
355 CIM_System REF Dependent;
356 };
357
358 tony 1.1
359 // ===================================================================
360 // end of file
361 // ===================================================================