1 a.dunfey 1.1 // ===================================================================
2 // Title: User_Privilege
3 // $State: Exp $
4 // $Date: 2004/11/29 18:31:43 $
5 // $RCSfile: User_Privilege.mof,v $
6 // $Revision: 1.5.2.3 $
7 // ===================================================================
8 //#pragma inLine ("Includes/copyright.inc")
9 // Copyright 1998-2005 Distributed Management Task Force, Inc. (DMTF).
10 // All rights reserved.
11 // DMTF is a not-for-profit association of industry members dedicated
12 // to promoting enterprise and systems management and interoperability.
13 // DMTF specifications and documents may be reproduced for uses
14 // consistent with this purpose by members and non-members,
15 // provided that correct attribution is given.
16 // As DMTF specifications may be revised from time to time,
17 // the particular version and release date should always be noted.
18 //
19 // Implementation of certain elements of this standard or proposed
20 // standard may be subject to third party patent rights, including
21 // provisional patent rights (herein "patent rights"). DMTF makes
22 a.dunfey 1.1 // no representations to users of the standard as to the existence
23 // of such rights, and is not responsible to recognize, disclose, or
24 // identify any or all such third party patent right, owners or
25 // claimants, nor for any incomplete or inaccurate identification or
26 // disclosure of such rights, owners or claimants. DMTF shall have no
27 // liability to any party, in any manner or circumstance, under any
28 // legal theory whatsoever, for failure to recognize, disclose, or
29 // identify any such third party patent rights, or for such party's
30 // reliance on the standard or incorporation thereof in its product,
31 // protocols or testing procedures. DMTF shall have no liability to
32 // any party implementing such standard, whether such implementation
33 // is foreseeable or not, nor to any patent owner or claimant, and shall
34 // have no liability or responsibility for costs or losses incurred if
35 // a standard is withdrawn or modified after publication, and shall be
36 // indemnified and held harmless by any party implementing the
37 // standard from any and all claims of infringement by a patent owner
38 // for such implementations.
39 //
40 // For information about patents held by third-parties which have
41 // notified the DMTF that, in their opinion, such patent may relate to
42 // or impact implementations of DMTF standards, visit
43 a.dunfey 1.1 // http://www.dmtf.org/about/policies/disclosures.php.
44 //#pragma inLine
45 // ===================================================================
46 // Description: The User Model extends the management concepts that
47 // are related to users and security.
48 // This file defines the concepts and classes related to
49 // Privileges
50 //
51 // The object classes below are listed in an order that
52 // avoids forward references. Required objects, defined
53 // by other working groups, are omitted.
54 // ===================================================================
55 // Change Log for v2.8 Final -
56 // CR1219 - Created subclass of Privilege, AuthorizedPrivilege,
57 // moved AuthorizedSubject/Target associations to Authorized
58 // Privilege, and promoted Privilege-related classes from
59 // Experimental to Final
60 // CR1221 - Also promoted Privilege-related classes to Final
61 // CR1229 - Added ArrayType ("Indexed") qualifier to
62 // Privilege.Activites
63 // CR1235 - Corrected copyright
64 a.dunfey 1.1 //
65 // Change Log for v2.8 Preliminary -
66 // CR1011 - Created this file.
67 // CR1082 - Fixed Value/ValueMap defintions for properties in Privilege
68 // ===================================================================
69
70 #pragma Locale ("en_US")
71
72
73 // ==================================================================
74 // Privilege
75 // ==================================================================
76 [Version ( "2.8.0" ), Description (
77 "Privilege is the base class for all types of activities which "
78 "are granted or denied by a Role or an Identity. Whether an "
79 "individual Privilege is granted or denied is defined using the "
80 "PrivilegeGranted boolean. Any Privileges not specifically "
81 "granted are assumed to be denied. An explicit deny (Privilege "
82 "Granted = FALSE) takes precedence over any granted Privileges. "
83 "\n\n"
84 "The association of subjects (Roles and Identities) to "
85 a.dunfey 1.1 "Privileges is accomplished using policy or explicitly via the "
86 "associations on a subclass. The entities that are protected "
87 "(targets) can be similarly defined. \n"
88 "\n"
89 "Note that Privileges may be inherited through hierarchical "
90 "Roles, or may overlap. For example, a Privilege denying any "
91 "instance Writes in a particular CIM Server Namespace would "
92 "overlap with a Privilege defining specific access rights at an "
93 "instance level within that Namespace. In this example, the "
94 "AuthorizedSubjects are either Identities or Roles, and the "
95 "AuthorizedTargets are a Namespace in the former case, and a "
96 "particular instance in the latter.")]
97 class CIM_Privilege : CIM_ManagedElement {
98
99 [Key, Description (
100 "Within the scope of the instantiating Namespace, InstanceID "
101 "opaquely and uniquely identifies an instance of this class. "
102 "In order to ensure uniqueness within the NameSpace, the "
103 "value of InstanceID SHOULD be constructed using the "
104 "following 'preferred' algorithm: \n"
105 "<OrgID>:<LocalID> \n"
106 a.dunfey 1.1 "Where <OrgID> and <LocalID> are separated by a colon ':', "
107 "and where <OrgID> MUST include a copyrighted, trademarked "
108 "or otherwise unique name that is owned by the business "
109 "entity creating/defining the InstanceID, or is a registered "
110 "ID that is assigned to the business entity by a recognized "
111 "global authority. (This is similar to the <Schema "
112 "Name>_<Class Name> structure of Schema class names.) In "
113 "addition, to ensure uniqueness <OrgID> MUST NOT contain a "
114 "colon (':'). When using this algorithm, the first colon to "
115 "appear in InstanceID MUST appear between <OrgID> and "
116 "<LocalID>. \n"
117 "<LocalID> is chosen by the business entity and SHOULD not "
118 "be re-used to identify different underlying (real-world) "
119 "elements. If the above 'preferred' algorithm is not used, "
120 "the defining entity MUST assure that the resultant "
121 "InstanceID is not re-used across any InstanceIDs produced "
122 "by this or other providers for this instance's NameSpace. "
123 "For DMTF defined instances, the 'preferred' algorithm MUST "
124 "be used with the <OrgID> set to 'CIM'.")]
125 string InstanceID;
126
127 a.dunfey 1.1 [Description (
128 "Boolean indicating whether the Privilege is granted (TRUE) "
129 "or denied (FALSE). The default is to grant permission.")]
130 boolean PrivilegeGranted = TRUE;
131
132 [Description (
133 "An enumeration indicating the activities that are granted "
134 "or denied. These activities apply to all entities specified "
135 "in the ActivityQualifiers array. The values in the "
136 "enumeration are straightforward except for one, "
137 "4=\"Detect\". This value indicates that the existence or "
138 "presence of an entity may be determined, but not "
139 "necessarily specific data (which requires the Read "
140 "privilege to be true). This activity is exemplified by "
141 "'hidden files'- if you list the contents of a directory, "
142 "you will not see hidden files. However, if you know a "
143 "specific file name, or know how to expose hidden files, "
144 "then they can be 'detected'. Another example is the ability "
145 "to define search privileges in directory implementations."),
146 ValueMap { "1", "2", "3", "4", "5", "6", "7", "..15999",
147 "16000.." },
148 a.dunfey 1.1 Values { "Other", "Create", "Delete", "Detect", "Read", "Write",
149 "Execute", "DMTF Reserved", "Vendor Reserved" },
150 ArrayType ( "Indexed" ),
151 ModelCorrespondence { "CIM_Privilege.ActivityQualifiers" }]
152 uint16 Activities[];
153
154 [Description (
155 "The ActivityQualifiers property is an array of string "
156 "values used to further qualify and specify the privileges "
157 "granted or denied. For example, it is used to specify a set "
158 "of files for which 'Read'/'Write' access is permitted or "
159 "denied. Or, it defines a class' methods that may be "
160 "'Executed'. Details on the semantics of the individual "
161 "entries in ActivityQualifiers are provided by corresponding "
162 "entries in the QualifierFormats array."),
163 ArrayType ( "Indexed" ),
164 ModelCorrespondence { "CIM_Privilege.Activities",
165 "CIM_Privilege.QualifierFormats" }]
166 string ActivityQualifiers[];
167
168 [Description (
169 a.dunfey 1.1 "Defines the semantics of corresponding entries in the "
170 "ActivityQualifiers array. An example of each of these "
171 "'formats' and their use follows: \n"
172 "- 2=Class Name. Example: If the authorization target is a "
173 "CIM Service or a Namespace, then the ActivityQualifiers "
174 "entries can define a list of classes that the authorized "
175 "subject is able to create or delete. \n"
176 "- 3=<Class.>Property. Example: If the authorization target "
177 "is a CIM Service, Namespace or Collection of instances, "
178 "then the ActivityQualifiers entries can define the class "
179 "properties that may or may not be accessed. In this case, "
180 "the class names are specified with the property names to "
181 "avoid ambiguity - since a CIM Service, Namespace or "
182 "Collection could manage multiple classes. On the other "
183 "hand, if the authorization target is an individual "
184 "instance, then there is no possible ambiguity and the class "
185 "name may be omitted. To specify ALL properties, the "
186 "wildcard string \"*\" should be used. \n"
187 "- 4=<Class.>Method. This example is very similar to the "
188 "Property one, above. And, as above, the string \"*\" may be "
189 "specified to select ALL methods. \n"
190 a.dunfey 1.1 "- 5=Object Reference. Example: If the authorization target "
191 "is a CIM Service or Namespace, then the ActivityQualifiers "
192 "entries can define a list of object references (as strings) "
193 "that the authorized subject can access. \n"
194 "- 6=Namespace. Example: If the authorization target is a "
195 "CIM Service, then the ActivityQualifiers entries can define "
196 "a list of Namespaces that the authorized subject is able to "
197 "access. \n"
198 "- 7=URL. Example: An authorization target may not be "
199 "defined, but a Privilege could be used to deny access to "
200 "specific URLs by individual Identities or for specific "
201 "Roles, such as the 'under 17' Role. \n"
202 "- 8=Directory/File Name. Example: If the authorization "
203 "target is a FileSystem, then the ActivityQualifiers entries "
204 "can define a list of directories and files whose access is "
205 "protected. \n"
206 "- 9=Command Line Instruction. Example: If the authorization "
207 "target is a ComputerSystem or Service, then the "
208 "ActivityQualifiers entries can define a list of command "
209 "line instructions that may or may not be 'Executed' by the "
210 "authorized subjects."),
211 a.dunfey 1.1 ValueMap { "2", "3", "4", "5", "6", "7", "8", "9", "..15999",
212 "16000.." },
213 Values { "Class Name", "<Class.>Property", "<Class.>Method",
214 "Object Reference", "Namespace", "URL",
215 "Directory/File Name", "Command Line Instruction",
216 "DMTF Reserved", "Vendor Reserved" }, ArrayType ( "Indexed" ),
217 ModelCorrespondence { "CIM_Privilege.ActivityQualifiers" }]
218 uint16 QualifierFormats[];
219 };
220
221
222 // ==================================================================
223 // AuthorizedPrivilege
224 // ==================================================================
225 [Version ( "2.8.0" ), Description (
226 "Privilege is the base class for all types of activities which "
227 "are granted or denied to a Role or an Identity. "
228 "AuthorizedPrivilege is a subclass defining static renderings "
229 "of authorization policy rules. The association of Roles and "
230 "Identities to AuthorizedPrivilege is accomplished using the "
231 "AuthorizedSubject relationship. The entities that are "
232 a.dunfey 1.1 "protected are defined using the AuthorizedTarget relationship. "
233 "\n\n"
234 "Note that this class and its AuthorizedSubject/Target "
235 "associations provide a short-hand, static mechanism to "
236 "represent authorization policies.")]
237 class CIM_AuthorizedPrivilege : CIM_Privilege {
238 };
239
240
241 // ==================================================================
242 // AuthorizedSubject
243 // ==================================================================
244 [Association, Version ( "2.8.0" ), Description (
245 "CIM_AuthorizedSubject is an association used to tie specific "
246 "AuthorizedPrivileges to specific subjects (i.e., Identities, "
247 "Roles or Collections of these). At this time, only Identities "
248 "and Roles (or Collections of Identities and Roles) should be "
249 "associated to AuthorizedPrivileges using this relationship. "
250 "Note that any Privileges not explicitly granted to a subject, "
251 "SHOULD be denied.")]
252 class CIM_AuthorizedSubject {
253 a.dunfey 1.1
254 [Key, Description (
255 "The AuthorizedPrivilege either granted or denied to an "
256 "Identity, Role or Collection. Whether the privilege is "
257 "granted or denied is defined by the inherited property, "
258 "CIM_Privilege.PrivilegeGranted.")]
259 CIM_AuthorizedPrivilege REF Privilege;
260
261 [Key, Description (
262 "The Subject for which AuthorizedPrivileges are granted or "
263 "denied. Whether the privilege is granted or denied is "
264 "defined by the property, CIM_Privilege.PrivilegeGranted.")]
265 CIM_ManagedElement REF PrivilegedElement;
266 };
267
268
269 // ==================================================================
270 // AuthorizedTarget
271 // ==================================================================
272 [Association, Version ( "2.8.0" ), Description (
273 "CIM_AuthorizedTarget is an association used to tie an "
274 a.dunfey 1.1 "Identity's or Role's AuthorizedPrivileges to specific target "
275 "resources.")]
276 class CIM_AuthorizedTarget {
277
278 [Key, Description (
279 "The AuthorizedPrivilege affecting the target resource.")]
280 CIM_AuthorizedPrivilege REF Privilege;
281
282 [Key, Description (
283 "The target set of resources to which the "
284 "AuthorizedPrivilege applies.")]
285 CIM_ManagedElement REF TargetElement;
286 };
287
288
289 // ===================================================================
290 // end of file
291 // ===================================================================
|