Class CIM_Account
Used in features: Simple Identity
Compatible with the following Intel AMT Releases: 3.2, 4.0, 5.0, 5.1,
6.0, 6.1, 6.2, 7.0, 8.0, 8.1, 9.0, 9.5, 10.0, 11.0
CIM_ManagedElement
CIM_ManagedSystemElement
CIM_LogicalElement
CIM_EnabledLogicalElement
CIM_Account
class CIM_Account
- extends CIM_EnabledLogicalElement
General Information:
CIM_Account is the information held by a
SecurityService to track identity and privileges managed by that service. Common
examples of an Account are the entries in a UNIX /etc/passwd file. Several kinds
of security services use various information from those entries - the /bin/login
program uses the account name ('root') and hashed password to authenticate
users, and the file service, for instance, uses the UserID field ('0') and
GroupID field ('0') to record ownership and determine access control privileges
on files in the file system. This class is defined so as to incorporate
commonly-used LDAP attributes to permit implementations to easily derive this
information from LDAP-accessible directories.
The semantics of Account
overlap with that of the class, CIM_Identity. However, aspects of Account - such
as its specific tie to a System - are valuable and have been widely implemented.
For this reason, the Account and Identity classes are associated using a
subclass of LogicalIdentity (AccountIdentity), instead of deprecating the
Account class in the CIM Schema. When an Account has been authenticated, the
corresponding Identity's TrustEstablished Boolean would be set to TRUE. Then,
the Identity class can be used as defined for authorization
purposes.
Product Specific Usage:
For every digest (non-Kerberos) user in the system there is an instance of
this class. This instance enables management of the user account.
There are matching instances of CIM_Identity, CIM_Role and CIM_Privilege (a
1:1:1:1 structure). CIM_Identity and CIM_Account are associated by
CIM_AssignedIdentity, CIM_Identity and CIM_Role by both
CIM_MemberOfCollection and CIM_ConcreteDependency, and CIM_Role and
CIM_Privilege by CIM_MemberOfCollection.
Qualifiers:
-------------
Version=2.27.0
UMLPackagePath=CIM::User::Account
Supported Fields Summary
uint16 | RequestedState | RequestedState is an integer enumeration that indicates the last requested or desired state for the element, irrespective of the mechanism through which it was requested . . .
uint16 | EnabledState | EnabledState is an integer enumeration that indicates the enabled and disabled states of an element . . .
string | ElementName | A user-friendly name for the object . . .
string | SystemCreationClassName | The scoping System's CCN.
string | SystemName | The scoping System's Name.
string | CreationClassName | CreationClassName indicates the name of the class or the subclass used in the creation of an instance . . .
string | Name | The Name property defines the label by which the object is known . . .
string | UserID | UserID is the value used by the SecurityService to represent identity . . .
string[] | OrganizationName | The name of the organization related to the account.
string[2] | UserPassword | In the case of an LDAP-derived instance, the UserPassword property may contain an encrypted password used to access the person's resources in a directory.
uint16 | UserPasswordEncryptionAlgorithm | The encryption algorithm (if any) used by the client to produce the value in the UserPassword property when creating or modifying an instance of CIM_Account . . .
Methods Summary
uint32 | RequestStateChange(RequestedState, REF Job, TimeoutPeriod) | Requests that the state of the element be changed to the value specified in the RequestedState parameter . . .
 | Put(Instance) | Changes properties of the selected instance
 | Get(Instance) | Gets the representation of the instance
 | Delete() | Deletes an instance
 | Pull(EnumerationContext, MaxElements) | Pulls instances of this class, following an Enumerate operation
 | Enumerate() | Enumerates the instances of this class
 | Release(EnumerationContext) | Releases an enumeration context
RequestedState
public uint16 RequestedState
- General Information:
RequestedState is an integer enumeration
that indicates the last requested or desired state for the element,
irrespective of the mechanism through which it was requested. The actual state
of the element is represented by EnabledState. This property is provided to
compare the last requested and current enabled or disabled states. Note that
when EnabledState is set to 5 ("Not Applicable"), then this property has no
meaning. Refer to the EnabledState property description for explanations of
the values in the RequestedState enumeration.
"Unknown" (0) indicates the last requested state for the element is unknown.
Note that the value "No Change" (5) has been deprecated in lieu of indicating
the last requested state is "Unknown" (0). If the last requested or desired
state is unknown, RequestedState should have the value "Unknown" (0), but may
have the value "No Change" (5). Offline (6) indicates that the element has
been requested to transition to the Enabled but Offline EnabledState.
It should be noted that there are two new values in RequestedState that build
on the statuses of EnabledState. These are "Reboot" (10) and "Reset" (11).
Reboot refers to doing a "Shut Down" and then moving to an "Enabled" state.
Reset indicates that the element is first "Disabled" and then "Enabled". The
distinction between requesting "Shut Down" and "Disabled" should also be
noted. Shut Down requests an orderly transition to the Disabled state, and
might involve removing power, to completely erase any existing state. The
Disabled state requests an immediate disabling of the element, such that it
will not execute or accept any commands or processing requests.
This property is set as the result of a method invocation (such as Start or
StopService on CIM_Service), or can be overridden and defined as WRITEable in
a subclass. The method approach is considered superior to a WRITEable
property, because it allows an explicit invocation of the operation and the
return of a result code.
If knowledge of the last RequestedState is not supported for the
EnabledLogicalElement, the property shall be NULL or have the value 12 "Not
Applicable".
Product Specific Usage:
Value of this field is identical to the value of "EnabledState".
Qualifiers:
-------------
ValueMap={0, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, .., 32768..65535}
Values={Unknown, Enabled, Disabled, Shut Down, No Change, Offline, Test, Deferred, Quiesce, Reboot, Reset, Not Applicable, DMTF Reserved, Vendor Reserved}
ModelCorrespondence={CIM_EnabledLogicalElement.EnabledState}
EnabledState
public uint16 EnabledState
- General Information:
EnabledState is an integer enumeration that
indicates the enabled and disabled states of an element. It can also indicate
the transitions between these requested states. For example, shutting down
(value=4) and starting (value=10) are transient states between enabled and
disabled. The following text briefly summarizes the various enabled and
disabled states:
Enabled (2) indicates that the element is or could be executing commands,
will process any queued commands, and queues new requests.
Disabled (3) indicates that the element will not execute commands and will
drop any new requests.
Shutting Down (4) indicates that the element is in the process of going to a
Disabled state.
Not Applicable (5) indicates the element does not support being enabled or
disabled.
Enabled but Offline (6) indicates that the element might be completing
commands, and will drop any new requests.
Test (7) indicates that the element is in a test state.
Deferred (8) indicates that the element might be completing commands, but
will queue any new requests.
Quiesce (9) indicates that the element is enabled but in a restricted mode.
Starting (10) indicates that the element is in the process of going to an
Enabled state. New requests are queued.
Product Specific Usage:
Only "Enabled" (2) or "Disabled" (3) values are actually returned.
Qualifiers:
-------------
ValueMap={0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11..32767, 32768..65535}
Values={Unknown, Other, Enabled, Disabled, Shutting Down, Not Applicable, Enabled but Offline, In Test, Deferred, Quiesce, Starting, DMTF Reserved, Vendor Reserved}
ModelCorrespondence={CIM_EnabledLogicalElement.OtherEnabledState}
ElementName
public string ElementName
- General Information:
A user-friendly name for the object. This
property allows each instance to define a user-friendly name in addition to
its key properties, identity data, and description information.
Note that
the Name property of ManagedSystemElement is also defined as a user-friendly
name. But, it is often subclassed to be a Key. It is not reasonable that the
same property can convey both identity and a user-friendly name, without
inconsistencies. Where Name exists and is not a Key (such as for instances of
LogicalDevice), the same information can be present in both the Name and
ElementName properties. Note that if there is an associated instance of
CIM_EnabledLogicalElementCapabilities, restrictions on this property may
exist as defined in the ElementNameMask and MaxElementNameLen properties
defined in that class.
Qualifiers:
-------------
MaxLen=32
SystemCreationClassName
public string SystemCreationClassName
- General Information:
The scoping System's CCN.
Product Specific Usage:
In Intel AMT Release 6.0 and later releases value is "CIM_ComputerSystem"
Qualifiers:
-------------
Key
MaxLen=20
Propagated=CIM_System.CreationClassName
SystemName
public string SystemName
- General Information:
The scoping System's
Name.
Product Specific Usage:
In Intel AMT Release 6.0 and later releases value is "ManagedSystem"
Qualifiers:
-------------
Key
MaxLen=16
Propagated=CIM_System.Name
CreationClassName
public string CreationClassName
- General Information:
CreationClassName indicates the name of the
class or the subclass used in the creation of an instance. When used with the
other key properties of this class, this property allows all instances of this
class and its subclasses to be uniquely identified.
Product Specific Usage:
In Intel AMT Release 6.0 and later releases value is "CIM_Account"
Qualifiers:
-------------
Key
MaxLen=12
Name
public string Name
- General Information:
The Name property defines the label by
which the object is known. The value of this property may be set to be the
same as that of the UserID property or, in the case of an LDAP-derived
instance, the Name property value may be set to the distinguishedName of the
LDAP-accessed object instance.
Product Specific Usage:
In Intel AMT Release 6.0 and later releases value is the username of the
account (identical to "UserID" field)
Qualifiers:
-------------
Key
Override=Name
MaxLen=16
UserID
public string UserID
- General Information:
UserID is the value used by the
SecurityService to represent identity. For an authentication service, the
UserID may be the name of the user, or for an authorization service the value
which serves as a handle to a mapping of the identity.
Product Specific Usage:
In Intel AMT Release 6.0 and later releases value is the username of the
account (identical to "Name" field).
In instance creation, the value is determined by the "UserID" input (and the
"Name" is ignored), and in the Put method, the value is determined by the
"Name" input (and the "UserID" is ignored).
Qualifiers:
-------------
MaxLen=16
OrganizationName
public string[] OrganizationName
- General Information:
The name of the organization related to the
account.
Product Specific Usage:
Additional Notes:
1) 'Array Max Length' qualifier in Intel AMT Release 3.2 and earlier releases
is '2'.
Qualifiers:
-------------
Required
MaxLen=32
UserPassword
public string[2] UserPassword
- General Information:
In the case of an LDAP-derived instance,
the UserPassword property may contain an encrypted password used to access the
person's resources in a directory.
Product Specific Usage:
Write-Only attribute. An empty string will be retrieved in a Get request.
The value is the hexadecimal representation of the MD5 hash of these
parameters concatenated together (Username + ":" + DigestRealm + ":" +
Password).
The DigestRealm is a field in AMT_GeneralSettings.
Qualifiers:
-------------
OctetString
MaxLen=256
UserPasswordEncryptionAlgorithm
public uint16 UserPasswordEncryptionAlgorithm
- General Information:
The encryption algorithm (if any) used by
the client to produce the value in the UserPassword property when creating or
modifying an instance of CIM_Account. The original password is encrypted using
the algorithm specified in this property, and UserPassword contains the
resulting encrypted value. In response to an operation request that would
return the value of the UserPassword property to a client, an implementation
shall instead return an array of length zero.
The value of
UserPasswordEncryptionAlgorithm in an instance of CIM_Account shall be 0
("None") unless the SupportedUserPasswordEncryptionAlgorithms[] property in
the CIM_AccountManagementCapabilities instance associated with the
CIM_AccountManagementService instance associated with the CIM_Account instance
contains a non-null entry other than 0 ("None").
This property does not
prevent the use of encryption at the transport, network, or data-link layer to
protect communications between a management client and the server, nor is it
meant to encourage communications without such encryption.
The supported
values for this property are:
- 0 ("None"): Indicates that the contents of
UserPassword are not encrypted.
- 1 ("Other"): Indicates that the contents
of UserPassword are encrypted using an algorithm not specifically identified
in the value map for this property, and that this algorithm is described in
OtherUserPasswordEncryptionAlgorithm.
- 2 ("HTTP Digest MD5(A1)"): The MD5
hash algorithm, applied to the string A1 defined in RFC2617 as the
concatenation username-value ":" realm-value ":" passwd, where username-value
is provided by the client as the value of the UserID property. passwd is the
underlying user password. realm-value is the HTTP digest realm value, and is
provided by the server. The semantics of the HTTP digest realm are specified
in RFC 2617. The server may surface the realm-value in the
UserPasswordEncryptionSalt property of
CIM_AccountManagementCapabilities.
Product Specific Usage:
Write-Only attribute.
Only acceptable value is "HTTP Digest MD5(A1)" (2).
Qualifiers:
-------------
ValueMap={0, 1, 2, ..}
Values={None, Other, HTTP Digest MD5(A1), DMTF Reserved}
ModelCorrespondence={CIM_Account.UserPassword,
CIM_Account.OtherUserPasswordEncryptionAlgorithm,
CIM_AccountManagementCapabilities.SupportedUserPasswordEncryptionAlgorithms,
CIM_AccountManagementCapabilities.UserPasswordEncryptionSalt}
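Added example, not code from the Intel AMT SDK: computing the UserPassword value described in the UserPassword and UserPasswordEncryptionAlgorithm sections above, and collecting the account properties with this page's MaxLen limits applied. The function names, the sample realm string, the UTF-8 encoding and the plain-dict representation are assumptions; how the value is serialized on the wire is not covered here.

```python
import hashlib

# Values this page states for Intel AMT Release 6.0 and later.
FIXED_KEYS = {
    "SystemCreationClassName": "CIM_ComputerSystem",
    "SystemName": "ManagedSystem",
    "CreationClassName": "CIM_Account",
}
HTTP_DIGEST_MD5_A1 = 2   # only accepted UserPasswordEncryptionAlgorithm value
MAXLEN_USER = 16         # MaxLen qualifier on UserID and Name
MAXLEN_ORG = 32          # MaxLen qualifier on OrganizationName
# Constructed realm; the real value is the DigestRealm field of AMT_GeneralSettings.
SAMPLE_REALM = "Digest:CONSTRUCTED-REALM-0001"


def _md5_hex(text):
    # Assumption: inputs are encoded as UTF-8 before hashing.
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def user_password_value(user_id, digest_realm, password):
    """Hex MD5 of Username ":" DigestRealm ":" Password (A1 in RFC 2617)."""
    return _md5_hex(f"{user_id}:{digest_realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request-digest (qop=auth) derived from the stored A1 hash."""
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def account_properties(user_id, digest_realm, password, organizations):
    """Hypothetical helper: property set for a new digest account, as a dict."""
    # Assumption: MaxLen is counted in characters.
    if not 0 < len(user_id) <= MAXLEN_USER:
        raise ValueError("UserID must be 1..16 characters")
    if not organizations:
        raise ValueError("OrganizationName carries the Required qualifier")
    if any(len(org) > MAXLEN_ORG for org in organizations):
        raise ValueError("OrganizationName entries are limited to 32 characters")
    props = dict(FIXED_KEYS)
    props.update(
        Name=user_id,    # the page says Name is identical to UserID
        UserID=user_id,
        OrganizationName=list(organizations),
        # The hash covers user name and realm, so it is only valid for
        # that exact pair.
        UserPassword=user_password_value(user_id, digest_realm, password),
        UserPasswordEncryptionAlgorithm=HTTP_DIGEST_MD5_A1,
    )
    return props


if __name__ == "__main__":
    acct = account_properties("operator1", SAMPLE_REALM,
                              "constructed-sample-password", ["Example Org"])
    for key, value in acct.items():
        print(f"{key} = {value}")
```

digest_response lets the A1 construction be checked against the worked example published in RFC 2617. Because the Digest response is computed from this hash rather than from the clear-text password, the UserPassword value deserves the same handling as the password itself.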
RequestStateChange
public uint32 RequestStateChange([IN]uint16 RequestedState, [OUT]REF CIM_ConcreteJob Job, [IN]datetime TimeoutPeriod)
- Permission Information:
Permitted realms: ADMIN_SECURITY_ADMINISTRATION_REALM
General Information:
Requests that the state of the element be changed to the value specified in
the RequestedState parameter. When the requested state change takes place,
the EnabledState and RequestedState of the element will be the same. Invoking
the RequestStateChange method multiple times could result in earlier requests
being overwritten or lost.
A return code of 0 shall indicate the state change was successfully
initiated.
A return code of 3 shall indicate that the state transition cannot complete
within the interval specified by the TimeoutPeriod parameter.
A return code of 4096 (0x1000) shall indicate the state change was
successfully initiated, a ConcreteJob has been created, and its reference
returned in the output parameter Job. Any other return code indicates an
error condition.
Product Specific Usage:
Additional Notes:
1) The method returns an INTERNAL_ERROR fault in case of Audit Fail, due to
the DASH compliance requirement (DSP1034).
2) Only "Enabled" (2) or "Disabled" (3) values are applicable in parameter
"RequestedState".
3) "TimeoutPeriod" value must be either NULL or contain an all-zero period.
4) The system administrator account can't be disabled.
Qualifiers:
-------------
ValueMap={0, 1, 2, 3, 4, 5, 6, .., 4096, 4097, 4098, 4099, 4100..32767, 32768..65535}
Values={Completed with No Error, Not Supported, Unknown or Unspecified Error, Cannot complete within Timeout Period, Failed, Invalid Parameter, In Use, DMTF Reserved, Method Parameters Checked - Job Started, Invalid State Transition, Use of Timeout Parameter Not Supported, Busy, Method Reserved, Vendor Specific}
ModelCorrespondence={CIM_EnabledLogicalElement.RequestedState}
Parameters:
--------------
- RequestedState
- General Information:
The state requested for the element. This
information will be placed into the RequestedState property of the instance
if the return code of the RequestStateChange method is 0 ('Completed with No
Error'), or 4096 (0x1000) ('Job Started'). Refer to the description of the
EnabledState and RequestedState properties for the detailed explanations of
the RequestedState
values.
Qualifiers:
-------------
IN
ValueMap={2, 3, 4, 6, 7, 8, 9, 10, 11, .., 32768..65535}
Values={Enabled, Disabled, Shut Down, Offline, Test, Defer, Quiesce, Reboot, Reset, DMTF Reserved, Vendor Reserved}
ModelCorrespondence={CIM_EnabledLogicalElement.RequestedState}
- Job
- General Information:
May contain a reference to the
ConcreteJob created to track the state transition initiated by the method
invocation.
Qualifiers:
-------------
IN=false
OUT
- TimeoutPeriod
- General Information:
A timeout period that specifies the
maximum amount of time that the client expects the transition to the new
state to take. The interval format must be used to specify the
TimeoutPeriod. A value of 0 or a null parameter indicates that the client
has no time requirements for the transition.
If this property does not
contain 0 or null and the implementation does not support this parameter, a
return code of 'Use Of Timeout Parameter Not Supported' shall be
returned.
Qualifiers:
-------------
IN
Put
public Put([IN]CIM_Account Instance)
- Permission Information:
Permitted realms: ADMIN_SECURITY_ADMINISTRATION_REALM,
ADMIN_SECURITY_USER_ACCESS_CONTROL_REALM
General Information:
Changes properties of the selected instance
Product Specific Usage:
The following properties must be included in any representation of
CIM_Account:
SystemCreationClassName
SystemName
CreationClassName
Name
OrganizationName
Additional Notes:
1) Only system with ADMIN_SECURITY_ADMINISTRATION_REALM or the user of an
account can set the account instance. Otherwise, the access is denied.
2) For "OrganizationName" field, if value is NULL, it will not change the
"OrganizationName" value of the account.
Get
public Get([OUT]CIM_Account Instance)
- Permission Information:
This method is accessible from any realm
General Information:
Gets the representation of the instance
Product Specific Usage:
Only system with ADMIN_SECURITY_ADMINISTRATION_REALM or the user of an
account can see the account instance. Otherwise, the access is denied.
Delete
public Delete()
- Permission Information:
Permitted realms: ADMIN_SECURITY_ADMINISTRATION_REALM,
ADMIN_SECURITY_AUDIT_LOG_REALM
General Information:
Deletes an instance
Product Specific Usage:
Additional Notes:
1) 'Delete' in Intel AMT Release 4.0 is permitted only to
'ADMIN_SECURITY_ADMINISTRATION_REALM'.
2) In Intel AMT Release 5.1 and later releases any user with
'ADMIN_SECURITY_AUDIT_LOG_REALM' can delete itself only.
Pull
public Pull([IN]String EnumerationContext, [IN]String MaxElements)
- Permission Information:
All users are permitted to use the method; only instances for which the user
has permissions will be returned
General Information:
Pulls instances of this class, following an Enumerate operation
Enumerate
public Enumerate()
- Permission Information:
All users permitted to use method
General Information:
Enumerates the instances of this class
Release
public Release([IN]String EnumerationContext)
- Permission Information:
All users permitted to use method
General Information:
Releases an enumeration context