1 tony 1.1 // ===================================================================
2 // Title: User-Security Privilege
3 // Filename: User28_Privilege.mof
4 // Version: 2.8
5 // Release: Preliminary
6 // Date: 06/03/2003
7 // ===================================================================
8 // Copyright 1998-2003 Distributed Management Task Force, Inc. (DMTF).
9 // All rights reserved.
10 // DMTF is a not-for-profit association of industry members dedicated
11 // to promoting enterprise and systems management and interoperability.
12 // DMTF specifications and documents may be reproduced for uses
13 // consistent with this purpose by members and non-members,
14 // provided that correct attribution is given.
15 // As DMTF specifications may be revised from time to time,
16 // the particular version and release date should always be noted.
17 //
18 // Implementation of certain elements of this standard or proposed
19 // standard may be subject to third party patent rights, including
20 // provisional patent rights (herein "patent rights"). DMTF makes
21 // no representations to users of the standard as to the existence
22 tony 1.1 // of such rights, and is not responsible to recognize, disclose, or
23 // identify any or all such third party patent right, owners or
24 // claimants, nor for any incomplete or inaccurate identification or
25 // disclosure of such rights, owners or claimants. DMTF shall have no
26 // liability to any party, in any manner or circumstance, under any
27 // legal theory whatsoever, for failure to recognize, disclose, or
28 // identify any such third party patent rights, or for such party's
29 // reliance on the standard or incorporation thereof in its product,
30 // protocols or testing procedures. DMTF shall have no liability to
31 // any party implementing such standard, whether such implementation
32 // is foreseeable or not, nor to any patent owner or claimant, and shall
33 // have no liability or responsibility for costs or losses incurred if
34 // a standard is withdrawn or modified after publication, and shall be
35 // indemnified and held harmless by any party implementing the
36 // standard from any and all claims of infringement by a patent owner
37 // for such implementations.
38 //
39 // For information about patents held by third-parties which have
40 // notified the DMTF that, in their opinion, such patent may relate to
41 // or impact implementations of DMTF standards, visit
42 // http://www.dmtf.org/about/policies/disclosures.php.
43 tony 1.1 // ===================================================================
44 // Description: The User Model extends the management concepts that
45 // are related to users and security.
46 // This file defines the concepts and classes related to
47 // Privileges
48 //
49 // The object classes below are listed in an order that
50 // avoids forward references. Required objects, defined
51 // by other working groups, are omitted.
52 // ===================================================================
53 // Change Log for v2.8 Preliminary -
54 // CR1011 - Created this file.
55 // CR1082 - Fix Value/ValueMap defintions for properties in Privilege
56 // ===================================================================
57
58 #pragma Locale ("en_US")
59
60
61 // ==================================================================
62 // Privilege
63 // ==================================================================
64 tony 1.1 [Experimental, Version ("2.7.1000"), Description (
65 "Privilege is the base class for all types of activities which "
66 "are granted or denied by a Role or an Identity. Whether an "
67 "individual Privilege is granted or denied is defined using the "
68 "PrivilegeGranted boolean. Any Privileges not specifically "
69 "granted are assumed to be denied. An explicit deny (Privilege "
70 "Granted = FALSE) takes precedence over any granted "
71 "Privileges.\n"
72 "\n"
73 "The association of Roles and Identities to Privileges is "
74 "accomplished using the AuthorizedSubject relationship. The "
75 "entities that are protected are defined using the Authorized "
76 "Target relationship.\n"
77 "\n"
78 "Note that Privileges may be inherited through hierarchical "
79 "Roles, or may overlap. For example, a Privilege denying any "
80 "instance Writes in a particular CIM Server Namespace would "
81 "overlap with a Privilege defining specific access rights at an "
82 "instance level within that Namespace. In this example, the "
83 "AuthorizedSubjects are either Identities or Roles, and the "
84 "AuthorizedTargets are a Namespace in the former case, and a "
85 tony 1.1 "particular instance in the latter.") ]
86 class CIM_Privilege : CIM_ManagedElement {
87
88 [Key, Description (
89 "Within the scope of the instantiating Namespace, InstanceID "
90 "opaquely and uniquely identifies an instance of this "
91 "class. In order to ensure uniqueness within the NameSpace, "
92 "the value of InstanceID SHOULD be constructed using the "
93 "following 'preferred' algorithm:\n"
94 "<OrgID>:<LocalID>\n"
95 "Where <OrgID> and <LocalID> are separated by a colon ':', "
96 "and where <OrgID> MUST include a copyrighted, trademarked "
97 "or otherwise unique name that is owned by the business "
98 "entity creating/defining the InstanceID, or is a registered "
99 "ID that is assigned to the business entity by a recognized "
100 "global authority (This is similar to the <Schema "
101 "Name>_<Class Name> structure of Schema class names.) In "
102 "addition, to ensure uniqueness <OrgID> MUST NOT contain a "
103 "colon (':'). When using this algorithm, the first colon to "
104 "appear in InstanceID MUST appear between <OrgID> and "
105 "<LocalID>.\n"
106 tony 1.1 "<LocalID> is chosen by the business entity and SHOULD not "
107 "be re-used to identify different underlying (real-world) "
108 "elements. If the above 'preferred' algorithm is not used, "
109 "the defining entity MUST assure that the resultant "
110 "InstanceID is not re-used across any InstanceIDs produced "
111 "by this or other providers for this instance's NameSpace.\n"
112 "For DMTF defined instances, the 'preferred' algorithm MUST "
113 "be used with the <OrgID> set to 'CIM'.") ]
114 string InstanceID;
115
116 [Description (
117 "Boolean indicating whether the Privilege is granted (TRUE) "
118 "or denied (FALSE). The default is to grant permission.") ]
119 boolean PrivilegeGranted = TRUE;
120
121 [Description (
122 "An enumeration indicating the activities that are granted "
123 "or denied. These activities apply to all entities "
124 "specified in the ActivityQualifiers array. The values in "
125 "the enumeration are straightforward except for one, "
126 "4=\"Detect\". This value indicates that the existence or "
127 tony 1.1 "presence of an entity may be determined, but not "
128 "necessarily specific data (which requires the Read "
129 "privilege to be true). This activity is exemplified by "
130 "'hidden files'- if you list the contents of a directory, "
131 "you will not see hidden files. However, if you know a "
132 "specific file name, or know how to expose hidden files, "
133 "then they can be 'detected'. Another example is the "
134 "ability to define search privileges in directory "
135 "implementations."),
136 ValueMap {"1", "2", "3", "4", "5", "6", "7", "..15999",
137 "16000.."},
138 Values {"Other", "Create", "Delete", "Detect", "Read", "Write",
139 "Execute", "DMTF Reserved", "Vendor Reserved"},
140 ModelCorrespondence {"CIM_Privilege.ActivityQualifiers"} ]
141 uint16 Activities[];
142
143 [Description (
144 "The ActivityQualifiers property is an array of string "
145 "values used to further qualify and specify the privileges "
146 "granted or denied. For example, it is used to specify a "
147 "set of files for which 'Read'/'Write' access is permitted "
148 tony 1.1 "or denied. Or, it defines a class' methods that may be "
149 "'Executed'. Details on the semantics of the individual "
150 "entries in ActivityQualifiers are provided by corresponding "
151 "entries in the QualifierFormats array."),
152 ArrayType ("Indexed"),
153 ModelCorrespondence {"CIM_Privilege.Activities",
154 "CIM_Privilege.QualifierFormats"} ]
155 string ActivityQualifiers[];
156
157 [Description (
158 "Defines the semantics of corresponding entries in the "
159 "ActivityQualifiers array. An example of each of these "
160 "'formats' and their use follows:\n"
161 "- 2=Class Name. Example: If the AuthorizedTarget is a CIM "
162 "Service or a Namespace, then the ActivityQualifiers entries "
163 "can define a list of classes that the AuthorizedSubject is "
164 "able to create or delete.\n"
165 "- 3=<Class.>Property. Example: If the AuthorizedTarget is "
166 "a CIM Service, Namespace or Collection of instances, then "
167 "the ActivityQualifiers entries can define the class "
168 "properties that may or may not be accessed. In this case, "
169 tony 1.1 "the class names are specified with the property names to "
170 "avoid ambiguity - since a CIM Service, Namespace or "
171 "Collection could manage multiple classes. On the other "
172 "hand, if the AuthorizedTarget is an individual instance, "
173 "then there is no possible ambiguity and the class name may "
174 "be omitted. To specify ALL properties, the wildcard string "
175 "\"*\" should be used.\n"
176 "- 4=<Class.>Method. This example is very similar to the "
177 "Property one, above. And, as above, the string \"*\" may "
178 "be specified to select ALL methods.\n"
179 "- 5=Object Reference. Example: If the AuthorizedTarget is "
180 "a CIM Service or Namespace, then the ActivityQualifiers "
181 "entries can define a list of object references (as strings) "
182 "that the AuthorizedSubject can access.\n"
183 "- 6=Namespace. Example: If the AuthorizedTarget is a CIM "
184 "Service, then the ActivityQualifiers entries can define a "
185 "list of Namespaces that the AuthorizedSubject is able to "
186 "access.\n"
187 "- 7=URL. Example: An AuthorizedTarget may not be defined, "
188 "but a Privilege could be used to deny access to specific "
189 "URLs by individual Identities or for specific Roles, such "
190 tony 1.1 "as the 'under 17' Role. The latter are defined using the "
191 "AuthorizedSubject association.\n"
192 "- 8=Directory/File Name. Example: If the AuthorizedTarget "
193 "is a FileSystem, then the ActivityQualifiers entries can "
194 "define a list of directories and files whose access is "
195 "protected.\n"
196 "- 9=Command Line Instruction. Example: If the "
197 "AuthorizedTarget is a ComputerSystem or Service, then the "
198 "ActivityQualifiers entries can define a list of command "
199 "line instructions that may or may not be 'Executed' by the "
200 "AuthorizedSubjects."),
201 ValueMap {"2", "3", "4", "5", "6", "7", "8", "9", "..15999",
202 "16000.."},
203 Values {"Class Name", "<Class.>Property", "<Class.>Method",
204 "Object Reference", "Namespace", "URL",
205 "Directory/File Name", "Command Line Instruction",
206 "DMTF Reserved", "Vendor Reserved"},
207 ArrayType ("Indexed"),
208 ModelCorrespondence {"CIM_Privilege.ActivityQualifiers"} ]
209 uint16 QualifierFormats[];
210 };
211 tony 1.1
212
213 // ==================================================================
214 // AuthorizedSubject
215 // ==================================================================
216 [Association, Experimental, Version ("2.7.1000"), Description (
217 "CIM_AuthorizedSubject is an association used to tie specific "
218 "Privileges to specific subjects (i.e., Identities, Roles or "
219 "Collections of these). At this time, only Identities and "
220 "Roles (or Collections of Identities and Roles) should be "
221 "associated to Privileges using this relationship. Note that "
222 "any Privileges not explicitly granted to a subject, SHOULD be "
223 "denied.") ]
224 class CIM_AuthorizedSubject {
225
226 [Key, Description (
227 "The Privilege either granted or denied to an Identity, Role "
228 "or Collection. Whether the Privilege is granted or denied "
229 "is defined by the property, "
230 "CIM_Privilege.PrivilegeGranted.") ]
231 CIM_Privilege REF Privilege;
232 tony 1.1
233 [Key, Description (
234 "The Subject for which Privileges are granted or denied. "
235 "Whether the Privilege is granted or denied is defined by "
236 "the property, CIM_Privilege.PrivilegeGranted.") ]
237 CIM_ManagedElement REF PrivilegedElement;
238 };
239
240
241 // ==================================================================
242 // AuthorizedTarget
243 // ==================================================================
244 [Association, Experimental, Version ("2.7.1000"), Description (
245 "CIM_AuthorizedTarget is an association used to tie an Identity "
246 "or Roles Privileges to specific target resources.") ]
247 class CIM_AuthorizedTarget {
248
249 [Key, Description (
250 "The Privilege affecting the target resource.") ]
251 CIM_Privilege REF Privilege;
252
253 tony 1.1 [Key, Description (
254 "The target set of resources to which the Privilege "
255 "applies.") ]
256 CIM_ManagedElement REF TargetElement;
257 };
258
259
260 // ===================================================================
261 // end of file
262 // ===================================================================
|