Return to
User_Privilege.mof
CVS log
Up to [Pegasus] / pegasus / Schemas / CIMPrelim291
|
Return to
User_Privilege.mof
CVS log
|
Up to [Pegasus] / pegasus / Schemas / CIMPrelim291
|
|
File: [Pegasus] / pegasus / Schemas / CIMPrelim291 / Attic / User_Privilege.mof
(download)
Revision: 1.2, Tue Jan 17 20:13:15 2006 UTC (18 years, 4 months ago) by kumpf Branch: MAIN CVS Tags: TASK-PEP362_RestfulService-merged_out_from_trunk, TASK-PEP348_SCMO-merged_out_from_trunk, TASK-PEP317_pullop-merged_out_from_trunk, TASK-PEP317_pullop-merged_in_to_trunk, TASK-PEP311_WSMan-root, TASK-PEP311_WSMan-branch, HPUX_TEST, HEAD Changes since 1.1: +4 -4 lines FILE REMOVED BUG#: 4664 TITLE: CIMPrelim291 schema is obsolete DESCRIPTION: Removing the obsolete schema. |
// ===================================================================
// Title: User-Security Privilege
// $State: dead $
// $Date: 2006/01/17 20:13:15 $
// $Source: /cvs/MSB/pegasus/Schemas/CIMPrelim291/Attic/User_Privilege.mof,v $
// $Revision: 1.2 $
// ===================================================================
//#pragma inLine ("Includes/copyright.inc")
// Copyright 1998-2005 Distributed Management Task Force, Inc. (DMTF).
// All rights reserved.
// DMTF is a not-for-profit association of industry members dedicated
// to promoting enterprise and systems management and interoperability.
// DMTF specifications and documents may be reproduced for uses
// consistent with this purpose by members and non-members,
// provided that correct attribution is given.
// As DMTF specifications may be revised from time to time,
// the particular version and release date should always be noted.
//
// Implementation of certain elements of this standard or proposed
// standard may be subject to third party patent rights, including
// provisional patent rights (herein "patent rights"). DMTF makes
// no representations to users of the standard as to the existence
// of such rights, and is not responsible to recognize, disclose, or
// identify any or all such third party patent right, owners or
// claimants, nor for any incomplete or inaccurate identification or
// disclosure of such rights, owners or claimants. DMTF shall have no
// liability to any party, in any manner or circumstance, under any
// legal theory whatsoever, for failure to recognize, disclose, or
// identify any such third party patent rights, or for such party's
// reliance on the standard or incorporation thereof in its product,
// protocols or testing procedures. DMTF shall have no liability to
// any party implementing such standard, whether such implementation
// is foreseeable or not, nor to any patent owner or claimant, and shall
// have no liability or responsibility for costs or losses incurred if
// a standard is withdrawn or modified after publication, and shall be
// indemnified and held harmless by any party implementing the
// standard from any and all claims of infringement by a patent owner
// for such implementations.
//
// For information about patents held by third-parties which have
// notified the DMTF that, in their opinion, such patent may relate to
// or impact implementations of DMTF standards, visit
// http://www.dmtf.org/about/policies/disclosures.php.
//#pragma inLine
// ===================================================================
// Description: The User Model extends the management concepts that
// are related to users and security.
// This file defines the concepts and classes related to
// Privileges
//
// The object classes below are listed in an order that
// avoids forward references. Required objects, defined
// by other working groups, are omitted.
// ===================================================================
// Change Log for v2.9 Final -
// CR1547 - Fix enumeration conflict in Privilege.ActivityQualifiers
// .001: Fix range for dmtf reserved and propagate additional
// values to PrivilegeManagementService
// Change Log for v2.9 Preliminary -
// CR1342 - Added Privilege.RepresentsAuthorizationRights
// Added SCSI Commands to Privilege.QualifierFormats
// CR1442 - Addition of Packets to Privilege.QualifierFormats
//
// Change Log for v2.8 Final -
// CR1219 - Created subclass of Privilege, AuthorizedPrivilege,
// moved AuthorizedSubject/Target associations to Authorized
// Privilege, and promoted Privilege-related classes from
// Experimental to Final
// CR1221 - Also promoted Privilege-related classes to Final
// CR1229 - Added ArrayType ("Indexed") qualifier to
// Privilege.Activites
// CR1235 - Corrected copyright
//
// Change Log for v2.8 Preliminary -
// CR1011 - Created this file.
// CR1082 - Fixed Value/ValueMap defintions for properties in Privilege
// ===================================================================
#pragma Locale ("en_US")
// ==================================================================
// Privilege
// ==================================================================
[Version ( "2.8.1000" ), Description (
"Privilege is the base class for all types of activities which "
"are granted or denied by a Role or an Identity. Whether an "
"individual Privilege is granted or denied is defined using the "
"PrivilegeGranted boolean. Any Privileges not specifically "
"granted are assumed to be denied. An explicit deny (Privilege "
"Granted = FALSE) takes precedence over any granted Privileges. "
"\n\n"
"The association of subjects (Roles and Identities) to "
"Privileges is accomplished using policy or explicitly via the "
"associations on a subclass. The entities that are protected "
"(targets) can be similarly defined. \n"
"\n"
"Note that Privileges may be inherited through hierarchical "
"Roles, or may overlap. For example, a Privilege denying any "
"instance Writes in a particular CIM Server Namespace would "
"overlap with a Privilege defining specific access rights at an "
"instance level within that Namespace. In this example, the "
"AuthorizedSubjects are either Identities or Roles, and the "
"AuthorizedTargets are a Namespace in the former case, and a "
"particular instance in the latter.")]
class CIM_Privilege : CIM_ManagedElement {
[Key, Description (
"Within the scope of the instantiating Namespace, InstanceID "
"opaquely and uniquely identifies an instance of this class. "
"In order to ensure uniqueness within the NameSpace, the "
"value of InstanceID SHOULD be constructed using the "
"following 'preferred' algorithm: \n"
"<OrgID>:<LocalID> \n"
"Where <OrgID> and <LocalID> are separated by a colon ':', "
"and where <OrgID> MUST include a copyrighted, trademarked "
"or otherwise unique name that is owned by the business "
"entity creating/defining the InstanceID, or is a registered "
"ID that is assigned to the business entity by a recognized "
"global authority. (This is similar to the <Schema "
"Name>_<Class Name> structure of Schema class names.) In "
"addition, to ensure uniqueness <OrgID> MUST NOT contain a "
"colon (':'). When using this algorithm, the first colon to "
"appear in InstanceID MUST appear between <OrgID> and "
"<LocalID>. \n"
"<LocalID> is chosen by the business entity and SHOULD not "
"be re-used to identify different underlying (real-world) "
"elements. If the above 'preferred' algorithm is not used, "
"the defining entity MUST assure that the resultant "
"InstanceID is not re-used across any InstanceIDs produced "
"by this or other providers for this instance's NameSpace. "
"For DMTF defined instances, the 'preferred' algorithm MUST "
"be used with the <OrgID> set to 'CIM'.")]
string InstanceID;
[Description (
"Boolean indicating whether the Privilege is granted (TRUE) "
"or denied (FALSE). The default is to grant permission.")]
boolean PrivilegeGranted = TRUE;
[Description (
"An enumeration indicating the activities that are granted "
"or denied. These activities apply to all entities specified "
"in the ActivityQualifiers array. The values in the "
"enumeration are straightforward except for one, "
"4=\"Detect\". This value indicates that the existence or "
"presence of an entity may be determined, but not "
"necessarily specific data (which requires the Read "
"privilege to be true). This activity is exemplified by "
"'hidden files'- if you list the contents of a directory, "
"you will not see hidden files. However, if you know a "
"specific file name, or know how to expose hidden files, "
"then they can be 'detected'. Another example is the ability "
"to define search privileges in directory implementations."),
ValueMap { "1", "2", "3", "4", "5", "6", "7", "..", "16000.." },
Values { "Other", "Create", "Delete", "Detect", "Read", "Write",
"Execute", "DMTF Reserved", "Vendor Reserved" },
ArrayType ( "Indexed" ),
ModelCorrespondence { "CIM_Privilege.ActivityQualifiers" }]
uint16 Activities[];
[Description (
"The ActivityQualifiers property is an array of string "
"values used to further qualify and specify the privileges "
"granted or denied. For example, it is used to specify a set "
"of files for which 'Read'/'Write' access is permitted or "
"denied. Or, it defines a class' methods that may be "
"'Executed'. Details on the semantics of the individual "
"entries in ActivityQualifiers are provided by corresponding "
"entries in the QualifierFormats array."),
ArrayType ( "Indexed" ),
ModelCorrespondence { "CIM_Privilege.Activities",
"CIM_Privilege.QualifierFormats" }]
string ActivityQualifiers[];
[Description (
"Defines the semantics of corresponding entries in the "
"ActivityQualifiers array. An example of each of these "
"'formats' and their use follows: \n"
"- 2=Class Name. Example: If the authorization target is a "
"CIM Service or a Namespace, then the ActivityQualifiers "
"entries can define a list of classes that the authorized "
"subject is able to create or delete. \n"
"- 3=<Class.>Property. Example: If the authorization target "
"is a CIM Service, Namespace or Collection of instances, "
"then the ActivityQualifiers entries can define the class "
"properties that may or may not be accessed. In this case, "
"the class names are specified with the property names to "
"avoid ambiguity - since a CIM Service, Namespace or "
"Collection could manage multiple classes. On the other "
"hand, if the authorization target is an individual "
"instance, then there is no possible ambiguity and the class "
"name may be omitted. To specify ALL properties, the "
"wildcard string \"*\" should be used. \n"
"- 4=<Class.>Method. This example is very similar to the "
"Property one, above. And, as above, the string \"*\" may be "
"specified to select ALL methods. \n"
"- 5=Object Reference. Example: If the authorization target "
"is a CIM Service or Namespace, then the ActivityQualifiers "
"entries can define a list of object references (as strings) "
"that the authorized subject can access. \n"
"- 6=Namespace. Example: If the authorization target is a "
"CIM Service, then the ActivityQualifiers entries can define "
"a list of Namespaces that the authorized subject is able to "
"access. \n"
"- 7=URL. Example: An authorization target may not be "
"defined, but a Privilege could be used to deny access to "
"specific URLs by individual Identities or for specific "
"Roles, such as the 'under 17' Role. \n"
"- 8=Directory/File Name. Example: If the authorization "
"target is a FileSystem, then the ActivityQualifiers entries "
"can define a list of directories and files whose access is "
"protected. \n"
"- 9=Command Line Instruction. Example: If the authorization "
"target is a ComputerSystem or Service, then the "
"ActivityQualifiers entries can define a list of command "
"line instructions that may or may not be 'Executed' by the "
"authorized subjects. \n"
"- 10=SCSI Command, using a format of 'CDB=xx[,Page=pp]'. "
"For example, the ability to select the VPD page of the "
"Inquiry command is encoded as 'CDB=12,Page=83' in the "
"corresponding ActivityQualifiers entry. A '*' may be used "
"to indicate all CDBs or Page numbers. \n"
"- 11=Packets. Example: The transmission of packets is "
"permitted or denied by the Privilege for the target (a "
"ComputerSystem, ProtocolEndpoint, Pipe, or other "
"ManagedSystemElement)."),
ValueMap { "2", "3", "4", "5", "6", "7", "8", "9", "10", "11",
"..", "16000.." },
Values { "Class Name", "<Class.>Property", "<Class.>Method",
"Object Reference", "Namespace", "URL",
"Directory/File Name", "Command Line Instruction",
"SCSI Command", "Packets", "DMTF Reserved",
"Vendor Reserved" }, ArrayType ( "Indexed" ),
ModelCorrespondence { "CIM_Privilege.ActivityQualifiers" }]
uint16 QualifierFormats[];
[Experimental, Description (
"The RepresentsAuthorizationRights flag indicates whether "
"the rights defined by this instance should be interpreted "
"as rights of Subjects to access Targets or as rights of "
"Subjects to change those rights on/for Targets.")]
boolean RepresentsAuthorizationRights = False;
};
// ==================================================================
// AuthorizedPrivilege
// ==================================================================
[Version ( "2.8.0" ), Description (
"Privilege is the base class for all types of activities which "
"are granted or denied to a Role or an Identity. "
"AuthorizedPrivilege is a subclass defining static renderings "
"of authorization policy rules. The association of Roles and "
"Identities to AuthorizedPrivilege is accomplished using the "
"AuthorizedSubject relationship. The entities that are "
"protected are defined using the AuthorizedTarget relationship. "
"\n\n"
"Note that this class and its AuthorizedSubject/Target "
"associations provide a short-hand, static mechanism to "
"represent authorization policies.")]
class CIM_AuthorizedPrivilege : CIM_Privilege {
};
// ==================================================================
// AuthorizedSubject
// ==================================================================
[Association, Version ( "2.8.0" ), Description (
"CIM_AuthorizedSubject is an association used to tie specific "
"AuthorizedPrivileges to specific subjects (i.e., Identities, "
"Roles or Collections of these). At this time, only Identities "
"and Roles (or Collections of Identities and Roles) should be "
"associated to AuthorizedPrivileges using this relationship. "
"Note that any Privileges not explicitly granted to a subject, "
"SHOULD be denied.")]
class CIM_AuthorizedSubject {
[Key, Description (
"The AuthorizedPrivilege either granted or denied to an "
"Identity, Role or Collection. Whether the privilege is "
"granted or denied is defined by the inherited property, "
"CIM_Privilege.PrivilegeGranted.")]
CIM_AuthorizedPrivilege REF Privilege;
[Key, Description (
"The Subject for which AuthorizedPrivileges are granted or "
"denied. Whether the privilege is granted or denied is "
"defined by the property, CIM_Privilege.PrivilegeGranted.")]
CIM_ManagedElement REF PrivilegedElement;
};
// ==================================================================
// AuthorizedTarget
// ==================================================================
[Association, Version ( "2.8.0" ), Description (
"CIM_AuthorizedTarget is an association used to tie an "
"Identity's or Role's AuthorizedPrivileges to specific target "
"resources.")]
class CIM_AuthorizedTarget {
[Key, Description (
"The AuthorizedPrivilege affecting the target resource.")]
CIM_AuthorizedPrivilege REF Privilege;
[Key, Description (
"The target set of resources to which the "
"AuthorizedPrivilege applies.")]
CIM_ManagedElement REF TargetElement;
};
// ===================================================================
// end of file
// ===================================================================
| No CVS admin address has been configured |
Powered by ViewCVS 0.9.2 |