1 tony 1.1 // ===================================================================
2 // Title: User-Security Identity
3 // Filename: User28_Identity.mof
4 // Version: 2.8
5 // Release: Final
6 // Date: Jan 26, 2004
7 // ===================================================================
8 // Copyright 2003-2004 Distributed Management Task Force, Inc. (DMTF).
9 // All rights reserved.
10 // DMTF is a not-for-profit association of industry members dedicated
11 // to promoting enterprise and systems management and interoperability.
12 // DMTF specifications and documents may be reproduced for uses
13 // consistent with this purpose by members and non-members,
14 // provided that correct attribution is given.
15 // As DMTF specifications may be revised from time to time,
16 // the particular version and release date should always be noted.
17 //
18 // Implementation of certain elements of this standard or proposed
19 // standard may be subject to third party patent rights, including
20 // provisional patent rights (herein "patent rights"). DMTF makes
21 // no representations to users of the standard as to the existence
22 tony 1.1 // of such rights, and is not responsible to recognize, disclose, or
23 // identify any or all such third party patent right, owners or
24 // claimants, nor for any incomplete or inaccurate identification or
25 // disclosure of such rights, owners or claimants. DMTF shall have no
26 // liability to any party, in any manner or circumstance, under any
27 // legal theory whatsoever, for failure to recognize, disclose, or
28 // identify any such third party patent rights, or for such party's
29 // reliance on the standard or incorporation thereof in its product,
30 // protocols or testing procedures. DMTF shall have no liability to
31 // any party implementing such standard, whether such implementation
32 // is foreseeable or not, nor to any patent owner or claimant, and shall
33 // have no liability or responsibility for costs or losses incurred if
34 // a standard is withdrawn or modified after publication, and shall be
35 // indemnified and held harmless by any party implementing the
36 // standard from any and all claims of infringement by a patent owner
37 // for such implementations.
38 //
39 // For information about patents held by third-parties which have
40 // notified the DMTF that, in their opinion, such patent may relate to
41 // or impact implementations of DMTF standards, visit
42 // http://www.dmtf.org/about/policies/disclosures.php.
43 tony 1.1 // ===================================================================
44 // Description: The User Model extends the management concepts that
45 // are related to users and security.
46 // This file defines the concepts and classes related to
47 // Identities.
48 //
49 // The object classes below are listed in an order that
50 // avoids forward references. Required objects, defined
51 // by other working groups, are omitted.
52 // ===================================================================
53 // Change Log for v2.8 Final
54 // CR1218 - Clarified the Identity Description, added the
55 // IdentityContext
56 // association, removed the property IdentityContexts in lieu
57 // of the association, promoted Experimental classes to Final
58 // CR1221 - Identity class also promoted to Final
59 // CR1235 - Corrected copyright
60 //
61 // Change Log for v2.8 Preliminary
62 // CR1011 - Added Identity and Privilege; Deprecated UsersAccess and
63 // AccessControlInformation and their related classes
64 tony 1.1 // CR1026 - Extended Identity with an IPNetworkIdentity subclass
65 // ===================================================================
66
67 #pragma Locale ("en_US")
68
69
70 // ==================================================================
71 // Identity
72 // ==================================================================
73 [Version ( "2.8.0" ), Description (
74 "An instance of an Identity represents a ManagedElement that "
75 "acts as a security principal within the scope in which it is "
76 "defined and authenticated. (Note that the Identity's scope is "
77 "specified using the association, CIM_IdentityContext.) "
78 "ManagedElements with Identities can be OrganizationalEntities, "
79 "Services, Systems, etc. The ManagedElement 'behind' an "
80 "Identity is described using the AssignedIdentity association. "
81 "\n\n"
82 "Within a given security context, an Identity may be imparted a "
83 "level of trust, usually based on its credentials. A trust "
84 "level is defined using the CIM_SecuritySensitivity class, and "
85 tony 1.1 "associated with Identity using CIM_ElementSecuritySensitivity. "
86 "Whether an Identity is currently authenticated is evaluated by "
87 "checking the CurrentlyAuthenticated boolean property. This "
88 "property is set and cleared by the security infrastructure, "
89 "and should only be readable within the management "
90 "infrastructure. The conditions which must be met/authenticated "
91 "in order for an Identity's CurrentlyAuthenticated Boolean to "
92 "be TRUE are defined using a subclass of PolicyCondition - "
93 "AuthenticationCondition. The inheritance tree for "
94 "AuthenticationCondition is defined in the CIM Policy Model. \n"
95 "\n"
96 "Subclasses of Identity may include specific information "
97 "related to a given AuthenticationService or authority (such as "
98 "a security token or computer hardware port/communication "
99 "details) that more specifically determine the authenticity of "
100 "the Identity. An instance of Identity may be persisted even "
101 "though it is not CurrentlyAuthenticated, in order to maintain "
102 "static relationships to Roles, associations to accounting "
103 "information, and policy data defining authentication "
104 "requirements. Note however, when an Identity is not "
105 "authenticated (CurrentlyAuthenticated = FALSE), then "
106 tony 1.1 "Privileges or rights SHOULD NOT be authorized. The lifetime, "
107 "validity, and propagation of the Identity is dependent on a "
108 "security infrastructure's policies.")]
109 class CIM_Identity : CIM_ManagedElement {
110
111 [Key, Description (
112 "Within the scope of the instantiating Namespace, InstanceID "
113 "opaquely and uniquely identifies an instance of this class. "
114 "In order to ensure uniqueness within the NameSpace, the "
115 "value of InstanceID SHOULD be constructed using the "
116 "following 'preferred' algorithm: \n"
117 "<OrgID>:<LocalID> \n"
118 "Where <OrgID> and <LocalID> are separated by a colon ':', "
119 "and where <OrgID> MUST include a copyrighted, trademarked "
120 "or otherwise unique name that is owned by the business "
121 "entity creating/defining the InstanceID, or is a registered "
122 "ID that is assigned to the business entity by a recognized "
123 "global authority. (This is similar to the <Schema "
124 "Name>_<Class Name> structure of Schema class names.) In "
125 "addition, to ensure uniqueness <OrgID> MUST NOT contain a "
126 "colon (':'). When using this algorithm, the first colon to "
127 tony 1.1 "appear in InstanceID MUST appear between <OrgID> and "
128 "<LocalID>. \n"
129 "<LocalID> is chosen by the business entity and SHOULD not "
130 "be re-used to identify different underlying (real-world) "
131 "elements. If the above 'preferred' algorithm is not used, "
132 "the defining entity MUST assure that the resultant "
133 "InstanceID is not re-used across any InstanceIDs produced "
134 "by this or other providers for this instance's NameSpace. \n"
135 "For DMTF defined instances, the 'preferred' algorithm MUST "
136 "be used with the <OrgID> set to 'CIM'.")]
137 string InstanceID;
138
139 [Description (
140 "Boolean indicating whether this Identity has been "
141 "authenticated, and is currently known within the scope of "
142 "an AuthenticationService or authority. By default, "
143 "authenticity SHOULD NOT be assumed. This property is set "
144 "and cleared by the security infrastructure, and should only "
145 "be readable within the management infrastructure. Note that "
146 "its value, alone, may not be sufficient to determine "
147 "authentication/ authorization, in that properties of an "
148 tony 1.1 "Identity subclass (such as a security token or computer "
149 "hardware port/ communication details) may be required by "
150 "the security infrastructure.")]
151 boolean CurrentlyAuthenticated = FALSE;
152 };
153
154
155 // ===================================================================
156 // IdentityContext
157 // ===================================================================
158 [Association, Version ( "2.8.0" ), Description (
159 "This relationship defines the context (for example, a System "
160 "Service) of an Identity.")]
161 class CIM_IdentityContext {
162
163 [Key, Description (
164 "An Identity whose context is defined.")]
165 CIM_Identity REF ElementInContext;
166
167 [Key, Description (
168 "The ManagedElement that provides context or scope for the "
169 tony 1.1 "Identity.")]
170 CIM_ManagedElement REF ElementProvidingContext;
171 };
172
173
174 // ===================================================================
175 // AssignedIdentity
176 // ===================================================================
177 [Association, Version ( "2.8.0" ), Description (
178 "This relationship associates an Identity to a specific "
179 "ManagedElement, whose trust is represented.")]
180 class CIM_AssignedIdentity {
181
182 [Key, Description (
183 "An Identity of the referenced ManagedElement.")]
184 CIM_Identity REF IdentityInfo;
185
186 [Key, Max ( 1 ), Description (
187 "The ManagedElement assigned to a specific Identity.")]
188 CIM_ManagedElement REF ManagedElement;
189 };
190 tony 1.1
191
192 // ==================================================================
193 // IPNetworkIdentity
194 // ==================================================================
195 [Version ( "2.8.0" ), Description (
196 "IPNetworkIdentity is used to represent the various network "
197 "identities that may be used for an IPProtocolEndpoint. The "
198 "relationship between the NetworkIdentity and the "
199 "IPProtocolEndpoint is modeled by the AssignedIdentity "
200 "association, inherited from CIM_Identity. This association "
201 "could also be used to relate an address range or other "
202 "endpoint collection with the Identity."),
203 MappingStrings { "IPSP Policy Model.IETF|IKEIdentity" }]
204 class CIM_IPNetworkIdentity : CIM_Identity {
205
206 [Required, Description (
207 "The IdentityType specifies the type of IP network Identity. "
208 "The list of identities was generated from Section 4.6.2.1 "
209 "of RFC2407. Note that the enumeration is different than the "
210 "RFC list, since the value 'Other' is taken into account."),
211 tony 1.1 ValueMap { "1", "2", "3", "4", "5", "6", "7", "8", "9", "10",
212 "11", "12", "..", "0x8000.." },
213 Values { "Other", "IPV4 Address", "FQDN", "User FQDN",
214 "IPV4 Subnet Address", "IPV6 Address", "IPV6 Subnet Address",
215 "IPV4 Address Range", "IPV6 Address Range", "DER ASN1 DN",
216 "DER ASN1 GN", "KEY ID", "DMTF Reserved", "Vendor Reserved" },
217 MappingStrings { "IPSP Policy "
218 "Model.IETF|IKEIdentity.IdentityType",
219 "RFC2407.IETF|Section 4.6.2.1" },
220 ModelCorrespondence { "CIM_IPNetworkIdentity.IdentityValue" }]
221 uint16 IdentityType;
222
223 [Required, Description (
224 "IdentityValue contains a string encoding of the Identity. "
225 "For Identity instances that are address types, the "
226 "IdentityValue string value may be omitted and the "
227 "associated IPProtocolEndpoint, RangeOfIPAddresses or "
228 "similar class is used to define this information. The class "
229 "is associated using the AssignedIdentity relationship."),
230 MappingStrings { "IPSP Policy "
231 "Model.IETF|IKEIdentity.IdentityValue" },
232 tony 1.1 ModelCorrespondence { "CIM_IPNetworkIdentity.IdentityType" }]
233 string IdentityValue;
234 };
235
236
237 // ===================================================================
238 // end of file
239 // ===================================================================
|