175 lines
9.3 KiB
Plaintext
175 lines
9.3 KiB
Plaintext
// Copyright (c) 2008 DMTF. All rights reserved.
|
|
[Version ( "2.20.0" ),
|
|
UMLPackagePath ( "CIM::User::Privilege" ),
|
|
Description (
|
|
"Privilege is the base class for all types of activities which "
|
|
"are granted or denied by a Role or an Identity. Whether an "
|
|
"individual Privilege is granted or denied is defined using the "
|
|
"PrivilegeGranted boolean. Any Privileges not specifically "
|
|
"granted are assumed to be denied. An explicit deny (Privilege "
|
|
"Granted = FALSE) takes precedence over any granted Privileges. \n"
|
|
"\n"
|
|
"The association of subjects (Roles and Identities) to "
|
|
"Privileges is accomplished using policy or explicitly via the "
|
|
"associations on a subclass. The entities that are protected "
|
|
"(targets) can be similarly defined. \n"
|
|
"\n"
|
|
"Note that Privileges may be inherited through hierarchical "
|
|
"Roles, or may overlap. For example, a Privilege denying any "
|
|
"instance Writes in a particular CIM Server Namespace would "
|
|
"overlap with a Privilege defining specific access rights at an "
|
|
"instance level within that Namespace. In this example, the "
|
|
"AuthorizedSubjects are either Identities or Roles, and the "
|
|
"AuthorizedTargets are a Namespace in the former case, and a "
|
|
"particular instance in the latter." )]
|
|
class CIM_Privilege : CIM_ManagedElement {
|
|
|
|
[Key, Override ( "InstanceID" ),
|
|
Description (
|
|
"Within the scope of the instantiating Namespace, "
|
|
"InstanceID opaquely and uniquely identifies an instance "
|
|
"of this class. In order to ensure uniqueness within the "
|
|
"NameSpace, the value of InstanceID SHOULD be constructed "
|
|
"using the following \'preferred\' algorithm: \n"
|
|
"<OrgID>:<LocalID> \n"
|
|
"Where <OrgID> and <LocalID> are separated by a colon "
|
|
"\':\', and where <OrgID> MUST include a copyrighted, "
|
|
"trademarked or otherwise unique name that is owned by "
|
|
"the business entity creating/defining the InstanceID, or "
|
|
"is a registered ID that is assigned to the business "
|
|
"entity by a recognized global authority. (This is "
|
|
"similar to the <Schema Name>_<Class Name> structure of "
|
|
"Schema class names.) In addition, to ensure uniqueness "
|
|
"<OrgID> MUST NOT contain a colon (\':\'). When using "
|
|
"this algorithm, the first colon to appear in InstanceID "
|
|
"MUST appear between <OrgID> and <LocalID>. \n"
|
|
"<LocalID> is chosen by the business entity and SHOULD "
|
|
"not be re-used to identify different underlying "
|
|
"(real-world) elements. If the above \'preferred\' "
|
|
"algorithm is not used, the defining entity MUST assure "
|
|
"that the resultant InstanceID is not re-used across any "
|
|
"InstanceIDs produced by this or other providers for this "
|
|
"instance\'s NameSpace. For DMTF defined instances, the "
|
|
"\'preferred\' algorithm MUST be used with the <OrgID> "
|
|
"set to \'CIM\'." )]
|
|
string InstanceID;
|
|
|
|
[Description (
|
|
"Boolean indicating whether the Privilege is granted "
|
|
"(TRUE) or denied (FALSE). The default is to grant "
|
|
"permission." )]
|
|
boolean PrivilegeGranted = true;
|
|
|
|
[Description (
|
|
"An enumeration indicating the activities that are "
|
|
"granted or denied. These activities apply to all "
|
|
"entities specified in the ActivityQualifiers array. The "
|
|
"values in the enumeration are straightforward except for "
|
|
"one, 4=\"Detect\". This value indicates that the "
|
|
"existence or presence of an entity may be determined, "
|
|
"but not necessarily specific data (which requires the "
|
|
"Read privilege to be true). This activity is exemplified "
|
|
"by \'hidden files\'- if you list the contents of a "
|
|
"directory, you will not see hidden files. However, if "
|
|
"you know a specific file name, or know how to expose "
|
|
"hidden files, then they can be \'detected\'. Another "
|
|
"example is the ability to define search privileges in "
|
|
"directory implementations." ),
|
|
ValueMap { "1", "2", "3", "4", "5", "6", "7", "..", "16000.." },
|
|
Values { "Other", "Create", "Delete", "Detect", "Read",
|
|
"Write", "Execute", "DMTF Reserved", "Vendor Reserved" },
|
|
ArrayType ( "Indexed" ),
|
|
ModelCorrespondence { "CIM_Privilege.ActivityQualifiers" }]
|
|
uint16 Activities[];
|
|
|
|
[Description (
|
|
"The ActivityQualifiers property is an array of string "
|
|
"values used to further qualify and specify the "
|
|
"privileges granted or denied. For example, it is used to "
|
|
"specify a set of files for which \'Read\'/\'Write\' "
|
|
"access is permitted or denied. Or, it defines a class\' "
|
|
"methods that may be \'Executed\'. Details on the "
|
|
"semantics of the individual entries in "
|
|
"ActivityQualifiers are provided by corresponding entries "
|
|
"in the QualifierFormats array." ),
|
|
ArrayType ( "Indexed" ),
|
|
ModelCorrespondence { "CIM_Privilege.Activities",
|
|
"CIM_Privilege.QualifierFormats" }]
|
|
string ActivityQualifiers[];
|
|
|
|
[Description (
|
|
"Defines the semantics of corresponding entries in the "
|
|
"ActivityQualifiers array. An example of each of these "
|
|
"\'formats\' and their use follows: \n"
|
|
"- 2=Class Name. Example: If the authorization target is "
|
|
"a CIM Service or a Namespace, then the "
|
|
"ActivityQualifiers entries can define a list of classes "
|
|
"that the authorized subject is able to create or delete. \n"
|
|
"- 3=<Class.>Property. Example: If the authorization "
|
|
"target is a CIM Service, Namespace or Collection of "
|
|
"instances, then the ActivityQualifiers entries can "
|
|
"define the class properties that may or may not be "
|
|
"accessed. In this case, the class names are specified "
|
|
"with the property names to avoid ambiguity - since a CIM "
|
|
"Service, Namespace or Collection could manage multiple "
|
|
"classes. On the other hand, if the authorization target "
|
|
"is an individual instance, then there is no possible "
|
|
"ambiguity and the class name may be omitted. To specify "
|
|
"ALL properties, the wildcard string \"*\" should be "
|
|
"used. \n"
|
|
"- 4=<Class.>Method. This example is very similar to the "
|
|
"Property one, above. And, as above, the string \"*\" may "
|
|
"be specified to select ALL methods. \n"
|
|
"- 5=Object Reference. Example: If the authorization "
|
|
"target is a CIM Service or Namespace, then the "
|
|
"ActivityQualifiers entries can define a list of object "
|
|
"references (as strings) that the authorized subject can "
|
|
"access. \n"
|
|
"- 6=Namespace. Example: If the authorization target is a "
|
|
"CIM Service, then the ActivityQualifiers entries can "
|
|
"define a list of Namespaces that the authorized subject "
|
|
"is able to access. \n"
|
|
"- 7=URL. Example: An authorization target may not be "
|
|
"defined, but a Privilege could be used to deny access to "
|
|
"specific URLs by individual Identities or for specific "
|
|
"Roles, such as the \'under 17\' Role. \n"
|
|
"- 8=Directory/File Name. Example: If the authorization "
|
|
"target is a FileSystem, then the ActivityQualifiers "
|
|
"entries can define a list of directories and files whose "
|
|
"access is protected. \n"
|
|
"- 9=Command Line Instruction. Example: If the "
|
|
"authorization target is a ComputerSystem or Service, "
|
|
"then the ActivityQualifiers entries can define a list of "
|
|
"command line instructions that may or may not be "
|
|
"\'Executed\' by the authorized subjects. \n"
|
|
"- 10=SCSI Command, using a format of \'CDB=xx[,Page=pp]\'. "
|
|
"For example, the ability to select the VPD page of the "
|
|
"Inquiry command is encoded as \'CDB=12,Page=83\' in the "
|
|
"corresponding ActivityQualifiers entry. A \'*\' may be "
|
|
"used to indicate all CDBs or Page numbers. \n"
|
|
"- 11=Packets. Example: The transmission of packets is "
|
|
"permitted or denied by the Privilege for the target (a "
|
|
"ComputerSystem, ProtocolEndpoint, Pipe, or other "
|
|
"ManagedSystemElement)." ),
|
|
ValueMap { "2", "3", "4", "5", "6", "7", "8", "9", "10",
|
|
"11", "..", "16000.." },
|
|
Values { "Class Name", "<Class.>Property", "<Class.>Method",
|
|
"Object Reference", "Namespace", "URL",
|
|
"Directory/File Name", "Command Line Instruction",
|
|
"SCSI Command", "Packets", "DMTF Reserved",
|
|
"Vendor Reserved" },
|
|
ArrayType ( "Indexed" ),
|
|
ModelCorrespondence { "CIM_Privilege.ActivityQualifiers" }]
|
|
uint16 QualifierFormats[];
|
|
|
|
[Description (
|
|
"The RepresentsAuthorizationRights flag indicates whether "
|
|
"the rights defined by this instance should be "
|
|
"interpreted as rights of Subjects to access Targets or "
|
|
"as rights of Subjects to change those rights on/for "
|
|
"Targets." )]
|
|
boolean RepresentsAuthorizationRights = false;
|
|
|
|
|
|
};
|