Return to
User28_Privilege.mof
CVS log
Up to [Pegasus] / pegasus / Schemas / CIMPrelim28
|
Return to
User28_Privilege.mof
CVS log
|
Up to [Pegasus] / pegasus / Schemas / CIMPrelim28
|
|
File: [Pegasus] / pegasus / Schemas / CIMPrelim28 / Attic / User28_Privilege.mof
(download)
Revision: 1.2, Thu Feb 24 20:47:29 2005 UTC (19 years, 3 months ago) by a.dunfey Branch: MAIN CVS Tags: TASK-PEP362_RestfulService-merged_out_from_trunk, TASK-PEP348_SCMO-merged_out_from_trunk, TASK-PEP317_pullop-merged_out_from_trunk, TASK-PEP317_pullop-merged_in_to_trunk, TASK-PEP311_WSMan-root, TASK-PEP311_WSMan-branch, RELEASE_2_5_0-RC1, HPUX_TEST, HEAD Changes since 1.1: +0 -0 lines FILE REMOVED PEP#: 215 TITLE: Remove old schemas DESCRIPTION: Removing old, unneeded schema files from the repository: CIM 2.7 CIM 2.7.1 Preliminary CIM 2.8 Preliminary CIM 2.9 Preliminary |
// ===================================================================
// Title: User-Security Privilege
// Filename: User28_Privilege.mof
// Version: 2.8
// Release: Preliminary
// Date: 06/03/2003
// ===================================================================
// Copyright 1998-2003 Distributed Management Task Force, Inc. (DMTF).
// All rights reserved.
// DMTF is a not-for-profit association of industry members dedicated
// to promoting enterprise and systems management and interoperability.
// DMTF specifications and documents may be reproduced for uses
// consistent with this purpose by members and non-members,
// provided that correct attribution is given.
// As DMTF specifications may be revised from time to time,
// the particular version and release date should always be noted.
//
// Implementation of certain elements of this standard or proposed
// standard may be subject to third party patent rights, including
// provisional patent rights (herein "patent rights"). DMTF makes
// no representations to users of the standard as to the existence
// of such rights, and is not responsible to recognize, disclose, or
// identify any or all such third party patent right, owners or
// claimants, nor for any incomplete or inaccurate identification or
// disclosure of such rights, owners or claimants. DMTF shall have no
// liability to any party, in any manner or circumstance, under any
// legal theory whatsoever, for failure to recognize, disclose, or
// identify any such third party patent rights, or for such party's
// reliance on the standard or incorporation thereof in its product,
// protocols or testing procedures. DMTF shall have no liability to
// any party implementing such standard, whether such implementation
// is foreseeable or not, nor to any patent owner or claimant, and shall
// have no liability or responsibility for costs or losses incurred if
// a standard is withdrawn or modified after publication, and shall be
// indemnified and held harmless by any party implementing the
// standard from any and all claims of infringement by a patent owner
// for such implementations.
//
// For information about patents held by third-parties which have
// notified the DMTF that, in their opinion, such patent may relate to
// or impact implementations of DMTF standards, visit
// http://www.dmtf.org/about/policies/disclosures.php.
// ===================================================================
// Description: The User Model extends the management concepts that
// are related to users and security.
// This file defines the concepts and classes related to
// Privileges
//
// The object classes below are listed in an order that
// avoids forward references. Required objects, defined
// by other working groups, are omitted.
// ===================================================================
// Change Log for v2.8 Preliminary -
// CR1011 - Created this file.
// CR1082 - Fix Value/ValueMap defintions for properties in Privilege
// ===================================================================
#pragma Locale ("en_US")
// ==================================================================
// Privilege
// ==================================================================
[Experimental, Version ("2.7.1000"), Description (
"Privilege is the base class for all types of activities which "
"are granted or denied by a Role or an Identity. Whether an "
"individual Privilege is granted or denied is defined using the "
"PrivilegeGranted boolean. Any Privileges not specifically "
"granted are assumed to be denied. An explicit deny (Privilege "
"Granted = FALSE) takes precedence over any granted "
"Privileges.\n"
"\n"
"The association of Roles and Identities to Privileges is "
"accomplished using the AuthorizedSubject relationship. The "
"entities that are protected are defined using the Authorized "
"Target relationship.\n"
"\n"
"Note that Privileges may be inherited through hierarchical "
"Roles, or may overlap. For example, a Privilege denying any "
"instance Writes in a particular CIM Server Namespace would "
"overlap with a Privilege defining specific access rights at an "
"instance level within that Namespace. In this example, the "
"AuthorizedSubjects are either Identities or Roles, and the "
"AuthorizedTargets are a Namespace in the former case, and a "
"particular instance in the latter.") ]
class CIM_Privilege : CIM_ManagedElement {
[Key, Description (
"Within the scope of the instantiating Namespace, InstanceID "
"opaquely and uniquely identifies an instance of this "
"class. In order to ensure uniqueness within the NameSpace, "
"the value of InstanceID SHOULD be constructed using the "
"following 'preferred' algorithm:\n"
"<OrgID>:<LocalID>\n"
"Where <OrgID> and <LocalID> are separated by a colon ':', "
"and where <OrgID> MUST include a copyrighted, trademarked "
"or otherwise unique name that is owned by the business "
"entity creating/defining the InstanceID, or is a registered "
"ID that is assigned to the business entity by a recognized "
"global authority (This is similar to the <Schema "
"Name>_<Class Name> structure of Schema class names.) In "
"addition, to ensure uniqueness <OrgID> MUST NOT contain a "
"colon (':'). When using this algorithm, the first colon to "
"appear in InstanceID MUST appear between <OrgID> and "
"<LocalID>.\n"
"<LocalID> is chosen by the business entity and SHOULD not "
"be re-used to identify different underlying (real-world) "
"elements. If the above 'preferred' algorithm is not used, "
"the defining entity MUST assure that the resultant "
"InstanceID is not re-used across any InstanceIDs produced "
"by this or other providers for this instance's NameSpace.\n"
"For DMTF defined instances, the 'preferred' algorithm MUST "
"be used with the <OrgID> set to 'CIM'.") ]
string InstanceID;
[Description (
"Boolean indicating whether the Privilege is granted (TRUE) "
"or denied (FALSE). The default is to grant permission.") ]
boolean PrivilegeGranted = TRUE;
[Description (
"An enumeration indicating the activities that are granted "
"or denied. These activities apply to all entities "
"specified in the ActivityQualifiers array. The values in "
"the enumeration are straightforward except for one, "
"4=\"Detect\". This value indicates that the existence or "
"presence of an entity may be determined, but not "
"necessarily specific data (which requires the Read "
"privilege to be true). This activity is exemplified by "
"'hidden files'- if you list the contents of a directory, "
"you will not see hidden files. However, if you know a "
"specific file name, or know how to expose hidden files, "
"then they can be 'detected'. Another example is the "
"ability to define search privileges in directory "
"implementations."),
ValueMap {"1", "2", "3", "4", "5", "6", "7", "..15999",
"16000.."},
Values {"Other", "Create", "Delete", "Detect", "Read", "Write",
"Execute", "DMTF Reserved", "Vendor Reserved"},
ModelCorrespondence {"CIM_Privilege.ActivityQualifiers"} ]
uint16 Activities[];
[Description (
"The ActivityQualifiers property is an array of string "
"values used to further qualify and specify the privileges "
"granted or denied. For example, it is used to specify a "
"set of files for which 'Read'/'Write' access is permitted "
"or denied. Or, it defines a class' methods that may be "
"'Executed'. Details on the semantics of the individual "
"entries in ActivityQualifiers are provided by corresponding "
"entries in the QualifierFormats array."),
ArrayType ("Indexed"),
ModelCorrespondence {"CIM_Privilege.Activities",
"CIM_Privilege.QualifierFormats"} ]
string ActivityQualifiers[];
[Description (
"Defines the semantics of corresponding entries in the "
"ActivityQualifiers array. An example of each of these "
"'formats' and their use follows:\n"
"- 2=Class Name. Example: If the AuthorizedTarget is a CIM "
"Service or a Namespace, then the ActivityQualifiers entries "
"can define a list of classes that the AuthorizedSubject is "
"able to create or delete.\n"
"- 3=<Class.>Property. Example: If the AuthorizedTarget is "
"a CIM Service, Namespace or Collection of instances, then "
"the ActivityQualifiers entries can define the class "
"properties that may or may not be accessed. In this case, "
"the class names are specified with the property names to "
"avoid ambiguity - since a CIM Service, Namespace or "
"Collection could manage multiple classes. On the other "
"hand, if the AuthorizedTarget is an individual instance, "
"then there is no possible ambiguity and the class name may "
"be omitted. To specify ALL properties, the wildcard string "
"\"*\" should be used.\n"
"- 4=<Class.>Method. This example is very similar to the "
"Property one, above. And, as above, the string \"*\" may "
"be specified to select ALL methods.\n"
"- 5=Object Reference. Example: If the AuthorizedTarget is "
"a CIM Service or Namespace, then the ActivityQualifiers "
"entries can define a list of object references (as strings) "
"that the AuthorizedSubject can access.\n"
"- 6=Namespace. Example: If the AuthorizedTarget is a CIM "
"Service, then the ActivityQualifiers entries can define a "
"list of Namespaces that the AuthorizedSubject is able to "
"access.\n"
"- 7=URL. Example: An AuthorizedTarget may not be defined, "
"but a Privilege could be used to deny access to specific "
"URLs by individual Identities or for specific Roles, such "
"as the 'under 17' Role. The latter are defined using the "
"AuthorizedSubject association.\n"
"- 8=Directory/File Name. Example: If the AuthorizedTarget "
"is a FileSystem, then the ActivityQualifiers entries can "
"define a list of directories and files whose access is "
"protected.\n"
"- 9=Command Line Instruction. Example: If the "
"AuthorizedTarget is a ComputerSystem or Service, then the "
"ActivityQualifiers entries can define a list of command "
"line instructions that may or may not be 'Executed' by the "
"AuthorizedSubjects."),
ValueMap {"2", "3", "4", "5", "6", "7", "8", "9", "..15999",
"16000.."},
Values {"Class Name", "<Class.>Property", "<Class.>Method",
"Object Reference", "Namespace", "URL",
"Directory/File Name", "Command Line Instruction",
"DMTF Reserved", "Vendor Reserved"},
ArrayType ("Indexed"),
ModelCorrespondence {"CIM_Privilege.ActivityQualifiers"} ]
uint16 QualifierFormats[];
};
// ==================================================================
// AuthorizedSubject
// ==================================================================
[Association, Experimental, Version ("2.7.1000"), Description (
"CIM_AuthorizedSubject is an association used to tie specific "
"Privileges to specific subjects (i.e., Identities, Roles or "
"Collections of these). At this time, only Identities and "
"Roles (or Collections of Identities and Roles) should be "
"associated to Privileges using this relationship. Note that "
"any Privileges not explicitly granted to a subject, SHOULD be "
"denied.") ]
class CIM_AuthorizedSubject {
[Key, Description (
"The Privilege either granted or denied to an Identity, Role "
"or Collection. Whether the Privilege is granted or denied "
"is defined by the property, "
"CIM_Privilege.PrivilegeGranted.") ]
CIM_Privilege REF Privilege;
[Key, Description (
"The Subject for which Privileges are granted or denied. "
"Whether the Privilege is granted or denied is defined by "
"the property, CIM_Privilege.PrivilegeGranted.") ]
CIM_ManagedElement REF PrivilegedElement;
};
// ==================================================================
// AuthorizedTarget
// ==================================================================
[Association, Experimental, Version ("2.7.1000"), Description (
"CIM_AuthorizedTarget is an association used to tie an Identity "
"or Roles Privileges to specific target resources.") ]
class CIM_AuthorizedTarget {
[Key, Description (
"The Privilege affecting the target resource.") ]
CIM_Privilege REF Privilege;
[Key, Description (
"The target set of resources to which the Privilege "
"applies.") ]
CIM_ManagedElement REF TargetElement;
};
// ===================================================================
// end of file
// ===================================================================
| No CVS admin address has been configured |
Powered by ViewCVS 0.9.2 |