1 a.dunfey 1.1 // ===================================================================
2 // Title: User_Identity
3 // $State: Exp $
4 // $Date: 2004/11/29 18:31:43 $
5 // $RCSfile: User_Identity.mof,v $
6 // $Revision: 1.3.2.3 $
7 // ===================================================================
8 //#pragma inLine ("Includes/copyright.inc")
9 // Copyright 1998-2005 Distributed Management Task Force, Inc. (DMTF).
10 // All rights reserved.
11 // DMTF is a not-for-profit association of industry members dedicated
12 // to promoting enterprise and systems management and interoperability.
13 // DMTF specifications and documents may be reproduced for uses
14 // consistent with this purpose by members and non-members,
15 // provided that correct attribution is given.
16 // As DMTF specifications may be revised from time to time,
17 // the particular version and release date should always be noted.
18 //
19 // Implementation of certain elements of this standard or proposed
20 // standard may be subject to third party patent rights, including
21 // provisional patent rights (herein "patent rights"). DMTF makes
22 a.dunfey 1.1 // no representations to users of the standard as to the existence
23 // of such rights, and is not responsible to recognize, disclose, or
24 // identify any or all such third party patent right, owners or
25 // claimants, nor for any incomplete or inaccurate identification or
26 // disclosure of such rights, owners or claimants. DMTF shall have no
27 // liability to any party, in any manner or circumstance, under any
28 // legal theory whatsoever, for failure to recognize, disclose, or
29 // identify any such third party patent rights, or for such party's
30 // reliance on the standard or incorporation thereof in its product,
31 // protocols or testing procedures. DMTF shall have no liability to
32 // any party implementing such standard, whether such implementation
33 // is foreseeable or not, nor to any patent owner or claimant, and shall
34 // have no liability or responsibility for costs or losses incurred if
35 // a standard is withdrawn or modified after publication, and shall be
36 // indemnified and held harmless by any party implementing the
37 // standard from any and all claims of infringement by a patent owner
38 // for such implementations.
39 //
40 // For information about patents held by third-parties which have
41 // notified the DMTF that, in their opinion, such patent may relate to
42 // or impact implementations of DMTF standards, visit
43 a.dunfey 1.1 // http://www.dmtf.org/about/policies/disclosures.php.
44 //#pragma inLine
45 // ===================================================================
46 // Description: The User Model extends the management concepts that
47 // are related to users and security.
48 // This file defines the concepts and classes related to
49 // Identities.
50 //
51 // The object classes below are listed in an order that
52 // avoids forward references. Required objects, defined
53 // by other working groups, are omitted.
54 // ===================================================================
55 // Change Log for v2.8 Final
56 // CR1218 - Clarified the Identity Description, added the
57 // IdentityContext
58 // association, removed the property IdentityContexts in lieu
59 // of the association, promoted Experimental classes to Final
60 // CR1221 - Identity class also promoted to Final
61 // CR1235 - Corrected copyright
62 //
63 // Change Log for v2.8 Preliminary
64 a.dunfey 1.1 // CR1011 - Added Identity and Privilege; Deprecated UsersAccess and
65 // AccessControlInformation and their related classes
66 // CR1026 - Extended Identity with an IPNetworkIdentity subclass
67 // ===================================================================
68
69 #pragma Locale ("en_US")
70
71
72 // ==================================================================
73 // Identity
74 // ==================================================================
75 [Version ( "2.8.0" ), Description (
76 "An instance of an Identity represents a ManagedElement that "
77 "acts as a security principal within the scope in which it is "
78 "defined and authenticated. (Note that the Identity's scope is "
79 "specified using the association, CIM_IdentityContext.) "
80 "ManagedElements with Identities can be OrganizationalEntities, "
81 "Services, Systems, etc. The ManagedElement 'behind' an "
82 "Identity is described using the AssignedIdentity association. "
83 "\n\n"
84 "Within a given security context, an Identity may be imparted a "
85 a.dunfey 1.1 "level of trust, usually based on its credentials. A trust "
86 "level is defined using the CIM_SecuritySensitivity class, and "
87 "associated with Identity using CIM_ElementSecuritySensitivity. "
88 "Whether an Identity is currently authenticated is evaluated by "
89 "checking the CurrentlyAuthenticated boolean property. This "
90 "property is set and cleared by the security infrastructure, "
91 "and should only be readable within the management "
92 "infrastructure. The conditions which must be met/authenticated "
93 "in order for an Identity's CurrentlyAuthenticated Boolean to "
94 "be TRUE are defined using a subclass of PolicyCondition - "
95 "AuthenticationCondition. The inheritance tree for "
96 "AuthenticationCondition is defined in the CIM Policy Model. \n"
97 "\n"
98 "Subclasses of Identity may include specific information "
99 "related to a given AuthenticationService or authority (such as "
100 "a security token or computer hardware port/communication "
101 "details) that more specifically determine the authenticity of "
102 "the Identity. An instance of Identity may be persisted even "
103 "though it is not CurrentlyAuthenticated, in order to maintain "
104 "static relationships to Roles, associations to accounting "
105 "information, and policy data defining authentication "
106 a.dunfey 1.1 "requirements. Note however, when an Identity is not "
107 "authenticated (CurrentlyAuthenticated = FALSE), then "
108 "Privileges or rights SHOULD NOT be authorized. The lifetime, "
109 "validity, and propagation of the Identity is dependent on a "
110 "security infrastructure's policies.")]
111 class CIM_Identity : CIM_ManagedElement {
112
113 [Key, Description (
114 "Within the scope of the instantiating Namespace, InstanceID "
115 "opaquely and uniquely identifies an instance of this class. "
116 "In order to ensure uniqueness within the NameSpace, the "
117 "value of InstanceID SHOULD be constructed using the "
118 "following 'preferred' algorithm: \n"
119 "<OrgID>:<LocalID> \n"
120 "Where <OrgID> and <LocalID> are separated by a colon ':', "
121 "and where <OrgID> MUST include a copyrighted, trademarked "
122 "or otherwise unique name that is owned by the business "
123 "entity creating/defining the InstanceID, or is a registered "
124 "ID that is assigned to the business entity by a recognized "
125 "global authority. (This is similar to the <Schema "
126 "Name>_<Class Name> structure of Schema class names.) In "
127 a.dunfey 1.1 "addition, to ensure uniqueness <OrgID> MUST NOT contain a "
128 "colon (':'). When using this algorithm, the first colon to "
129 "appear in InstanceID MUST appear between <OrgID> and "
130 "<LocalID>. \n"
131 "<LocalID> is chosen by the business entity and SHOULD not "
132 "be re-used to identify different underlying (real-world) "
133 "elements. If the above 'preferred' algorithm is not used, "
134 "the defining entity MUST assure that the resultant "
135 "InstanceID is not re-used across any InstanceIDs produced "
136 "by this or other providers for this instance's NameSpace. \n"
137 "For DMTF defined instances, the 'preferred' algorithm MUST "
138 "be used with the <OrgID> set to 'CIM'.")]
139 string InstanceID;
140
141 [Description (
142 "Boolean indicating whether this Identity has been "
143 "authenticated, and is currently known within the scope of "
144 "an AuthenticationService or authority. By default, "
145 "authenticity SHOULD NOT be assumed. This property is set "
146 "and cleared by the security infrastructure, and should only "
147 "be readable within the management infrastructure. Note that "
148 a.dunfey 1.1 "its value, alone, may not be sufficient to determine "
149 "authentication/ authorization, in that properties of an "
150 "Identity subclass (such as a security token or computer "
151 "hardware port/ communication details) may be required by "
152 "the security infrastructure.")]
153 boolean CurrentlyAuthenticated = FALSE;
154 };
155
156
157 // ===================================================================
158 // IdentityContext
159 // ===================================================================
160 [Association, Version ( "2.8.0" ), Description (
161 "This relationship defines the context (for example, a System "
162 "Service) of an Identity.")]
163 class CIM_IdentityContext {
164
165 [Key, Description (
166 "An Identity whose context is defined.")]
167 CIM_Identity REF ElementInContext;
168
169 a.dunfey 1.1 [Key, Description (
170 "The ManagedElement that provides context or scope for the "
171 "Identity.")]
172 CIM_ManagedElement REF ElementProvidingContext;
173 };
174
175
176 // ===================================================================
177 // AssignedIdentity
178 // ===================================================================
179 [Association, Version ( "2.8.0" ), Description (
180 "This relationship associates an Identity to a specific "
181 "ManagedElement, whose trust is represented.")]
182 class CIM_AssignedIdentity {
183
184 [Key, Description (
185 "An Identity of the referenced ManagedElement.")]
186 CIM_Identity REF IdentityInfo;
187
188 [Key, Max ( 1 ), Description (
189 "The ManagedElement assigned to a specific Identity.")]
190 a.dunfey 1.1 CIM_ManagedElement REF ManagedElement;
191 };
192
193
194 // ==================================================================
195 // IPNetworkIdentity
196 // ==================================================================
197 [Version ( "2.8.0" ), Description (
198 "IPNetworkIdentity is used to represent the various network "
199 "identities that may be used for an IPProtocolEndpoint. The "
200 "relationship between the NetworkIdentity and the "
201 "IPProtocolEndpoint is modeled by the AssignedIdentity "
202 "association, inherited from CIM_Identity. This association "
203 "could also be used to relate an address range or other "
204 "endpoint collection with the Identity."),
205 MappingStrings { "IPSP Policy Model.IETF|IKEIdentity" }]
206 class CIM_IPNetworkIdentity : CIM_Identity {
207
208 [Required, Description (
209 "The IdentityType specifies the type of IP network Identity. "
210 "The list of identities was generated from Section 4.6.2.1 "
211 a.dunfey 1.1 "of RFC2407. Note that the enumeration is different than the "
212 "RFC list, since the value 'Other' is taken into account."),
213 ValueMap { "1", "2", "3", "4", "5", "6", "7", "8", "9", "10",
214 "11", "12", "..", "0x8000.." },
215 Values { "Other", "IPV4 Address", "FQDN", "User FQDN",
216 "IPV4 Subnet Address", "IPV6 Address", "IPV6 Subnet Address",
217 "IPV4 Address Range", "IPV6 Address Range", "DER ASN1 DN",
218 "DER ASN1 GN", "KEY ID", "DMTF Reserved", "Vendor Reserved" },
219 MappingStrings { "IPSP Policy "
220 "Model.IETF|IKEIdentity.IdentityType",
221 "RFC2407.IETF|Section 4.6.2.1" },
222 ModelCorrespondence { "CIM_IPNetworkIdentity.IdentityValue" }]
223 uint16 IdentityType;
224
225 [Required, Description (
226 "IdentityValue contains a string encoding of the Identity. "
227 "For Identity instances that are address types, the "
228 "IdentityValue string value may be omitted and the "
229 "associated IPProtocolEndpoint, RangeOfIPAddresses or "
230 "similar class is used to define this information. The class "
231 "is associated using the AssignedIdentity relationship."),
232 a.dunfey 1.1 MappingStrings { "IPSP Policy "
233 "Model.IETF|IKEIdentity.IdentityValue" },
234 ModelCorrespondence { "CIM_IPNetworkIdentity.IdentityType" }]
235 string IdentityValue;
236 };
237
238
239 // ===================================================================
240 // end of file
241 // ===================================================================
|