SUMMARY: NESTED | FIELD | | METHOD
DETAIL: FIELD | METHOD

Class CIM_Privilege

Used in features: Role Based
Compatible with the following Intel AMT Releases: 3.2, 4.0, 5.0, 5.1, 6.0, 6.1, 6.2, 7.0, 8.0, 8.1, 9.0, 9.5, 10.0, 11.0 
CIM_ManagedElement
   extended by CIM_Privilege
Known Subclasses:
CIM_AuthorizedPrivilege 
class CIM_Privilege
 extends CIM_ManagedElement


General Information:
Privilege is the base class for all types of 
activities which are granted or denied by a Role or an Identity. Whether an 
individual Privilege is granted or denied is defined using the PrivilegeGranted 
boolean. Any Privileges not specifically granted are assumed to be denied. An 
explicit deny (Privilege Granted = FALSE) takes precedence over any granted 
Privileges. 

The association of subjects (Roles and Identities) to 
Privileges is accomplished using policy or explicitly via the associations on a 
subclass. The entities that are protected (targets) can be similarly defined. 


Note that Privileges may be inherited through hierarchical Roles, or may 
overlap. For example, a Privilege denying any instance Writes in a particular 
CIM Server Namespace would overlap with a Privilege defining specific access 
rights at an instance level within that Namespace. In this example, the 
AuthorizedSubjects are either Identities or Roles, and the AuthorizedTargets are 
a Namespace in the former case, and a particular instance in the 
latter.

Product Specific Usage:
For every user in the system 
there is an instance of this class. It represents the permission realms the user 
has in the system. 
For digest (non-kerberos) user, there are matching 
instances of CIM_Account, CIM_Role and CIM_Privilege (a 1:1:1:1 structure). 

CIM_Identity and CIM_Account are associated by CIM_AssignedIdentity, 
CIM_Identity and CIM_Role by both CIM_MemberOfCollection and 
CIM_ConcreteDependency, and CIM_Role and CIM_Privilege by 
CIM_MemberOfCollection. 

Kerberos users have an instance of 
CIM_RemoteIdentity (which inherits from CIM_Identity) instead of the 
CIM_Identity and the 
CIM_Account.

Qualifiers:
-------------
Version=2.20.0
UMLPackagePath=CIM::User::Privilege









  
  

    Supported Fields 
      Summary

  

     string 
      
    ElementName 
A 
      user-friendly name for the object . . .

  

     string 
      
    Description 
The 
      Description property provides a textual description of the object.

  

     string 
      
    Caption 
The Caption 
      property is a short textual description (one- line string) of the 
      object.

  

     string 
      
    InstanceID Key  
Within the scope of the instantiating Namespace, 
      InstanceID opaquely and uniquely identifies an instance of this class . . 
      .

  

     boolean 
      
    PrivilegeGranted 
      
Boolean indicating whether the Privilege is granted (TRUE) or 
      denied (FALSE) . . .

  

     uint16[25] 
      
    Activities 
An 
      enumeration indicating the activities that are granted or denied . . 
    .

  

     string[25] 
      
    ActivityQualifiers 
      
The ActivityQualifiers property is an array of string values 
      used to further qualify and specify the privileges granted or denied . . 
      .

  

     uint16[25] 
      
    QualifierFormats 
      
Defines the semantics of corresponding entries in the 
      ActivityQualifiers array . . .

  

     boolean 
      
    RepresentsAuthorizationRights 
      
The RepresentsAuthorizationRights flag indicates whether the 
      rights defined by this instance should be interpreted as rights of 
      Subjects to access Targets or as rights of Subjects to change those rights 
      on/for Targets.




  
  

    Methods Summary

  

     
    Put(Instance) 
Changes 
      properties of the selected instance

  

     
    Get(Instance) 
Gets the 
      representation of the instance

  

     
    Pull(EnumerationContext, 
      MaxElements) 
Pulls instances of this class, following an 
      Enumerate operation

  

     
    Enumerate() 
      
Enumerates the instances of this class

  

     
    Release(EnumerationContext) 
      
Releases an enumeration context




  
  

    Field 
Detail


ElementName 
public string ElementName



  
General Information:
A user-friendly name for the object. This 
  property allows each instance to define a user-friendly name in addition to 
  its key properties, identity data, and description information. 
Note that 
  the Name property of ManagedSystemElement is also defined as a user-friendly 
  name. But, it is often subclassed to be a Key. It is not reasonable that the 
  same property can convey both identity and a user-friendly name, without 
  inconsistencies. Where Name exists and is not a Key (such as for instances of 
  LogicalDevice), the same information can be present in both the Name and 
  ElementName properties. Note that if there is an associated instance of 
  CIM_EnabledLogicalElementCapabilities, restrictions on this properties may 
  exist as defined in ElementNameMask and MaxElementNameLen properties defined 
  in that class.

Product Specific Usage:
Additional Notes: 
  
1) 'ElementName' property is supported in Intel AMT Release 4.0 and later 
  releases.

Qualifiers:
-------------
MaxLen=256


  

  





Description 
public string Description



  
General Information:
The Description property provides a textual 
  description of the object.

Product Specific Usage:
Additional 
  Notes: 
1) 'Description' property is supported in Intel AMT Release 4.0 and 
  later 
  releases.

Qualifiers:
-------------
MaxLen=256


  

  





Caption 
public string Caption



  
General Information:
The Caption property is a short textual 
  description (one- line string) of the object.

Product Specific 
  Usage:
Additional Notes: 
1) 'Caption' property is supported in 
  Intel AMT Release 4.0 and later 
  releases.

Qualifiers:
-------------
MaxLen=64


  

  





InstanceID Key 
public string InstanceID



  
General Information:
Within the scope of the instantiating 
  Namespace, InstanceID opaquely and uniquely identifies an instance of this 
  class. In order to ensure uniqueness within the NameSpace, the value of 
  InstanceID SHOULD be constructed using the following 'preferred' algorithm: 
  
<OrgID>:<LocalID> 
Where <OrgID> and <LocalID> 
  are separated by a colon ':', and where <OrgID> MUST include a 
  copyrighted, trademarked or otherwise unique name that is owned by the 
  business entity creating/defining the InstanceID, or is a registered ID that 
  is assigned to the business entity by a recognized global authority. (This is 
  similar to the <Schema Name>_<Class Name> structure of Schema 
  class names.) In addition, to ensure uniqueness <OrgID> MUST NOT contain 
  a colon (':'). When using this algorithm, the first colon to appear in 
  InstanceID MUST appear between <OrgID> and <LocalID>. 
  
<LocalID> is chosen by the business entity and SHOULD not be re-used 
  to identify different underlying (real-world) elements. If the above 
  'preferred' algorithm is not used, the defining entity MUST assure that the 
  resultant InstanceID is not re-used across any InstanceIDs produced by this or 
  other providers for this instance's NameSpace. For DMTF defined instances, the 
  'preferred' algorithm MUST be used with the <OrgID> set to 
  'CIM'.

Product Specific Usage:
Additional Notes: 
1) 'Max 
  Length' qualifier in Intel AMT Release 3.2 is '80'. 
2) 'InstanceID' field 
  format is 'Intel(r) AMT:<userID> Privilege', depending on the user. 
  
An exception is the 'admin' built-in user, where the 'InstanceID' of the 
  corresponding CIM_Privilege instance will be 'Intel AMT:Admin Privilege' (with 
  capital 
  'A').

Qualifiers:
-------------
Key
Override=InstanceID
MaxLen=256


  

  





PrivilegeGranted 
public boolean PrivilegeGranted



  
General Information:
Boolean indicating whether the Privilege is 
  granted (TRUE) or denied (FALSE). The default is to grant permission.

  

  





Activities 
public uint16[25] Activities



  
General Information:
An enumeration indicating the activities 
  that are granted or denied. These activities apply to all entities specified 
  in the ActivityQualifiers array. The values in the enumeration are 
  straightforward except for one, 4="Detect". This value indicates that the 
  existence or presence of an entity may be determined, but not necessarily 
  specific data (which requires the Read privilege to be true). This activity is 
  exemplified by 'hidden files'- if you list the contents of a directory, you 
  will not see hidden files. However, if you know a specific file name, or know 
  how to expose hidden files, then they can be 'detected'. Another example is 
  the ability to define search privileges in directory 
  implementations.

Product Specific Usage:
Additional Notes: 
  
1) 'Max Length' qualifier in Intel AMT Release 3.2 is '19'. 
2) 'Max 
  Length' qualifier in Intel AMT Release 6.0 and later releases is 25. 
3) In 
  Intel AMT Release 6.0 and later releases only value is "Execute" 
  (7).

Qualifiers:
-------------
ValueMap={1, 2, 3, 4, 5, 6, 
  7, .., 16000..}
Values={Other, Create, Delete, Detect, Read, Write, 
  Execute, DMTF Reserved, Vendor 
  Reserved}
ArrayType=Indexed
ModelCorrespondence={CIM_Privilege.ActivityQualifiers}


  

  





ActivityQualifiers 
public string[25] ActivityQualifiers



  
General Information:
The ActivityQualifiers property is an array 
  of string values used to further qualify and specify the privileges granted or 
  denied. For example, it is used to specify a set of files for which 
  'Read'/'Write' access is permitted or denied. Or, it defines a class' methods 
  that may be 'Executed'. Details on the semantics of the individual entries in 
  ActivityQualifiers are provided by corresponding entries in the 
  QualifierFormats array.

Product Specific Usage:
Additional 
  Notes: 
1) 'Max Length' qualifier in Intel AMT Release 3.2 is '10'. 
2) 
  'Array Max Length' qualifier in Intel AMT Release 3.2 is '19'. 
3) 'Array 
  Max Length' qualifier in Intel AMT Release 6.0 and later releases is 25 
4) 
  Each entry contains a string that represents a matching realm that the user of 
  this privileged has: 
"RCS" - ADMIN_SECURITY_RCS_ADMIN_REALM 
"REDIR" - 
  ADMIN_SECURITY_SOLIDER_REALM 
"ADMIN" - ADMIN_SECURITY_ADMINISTRATION_REALM 
  
"HAI" - ADMIN_SECURITY_HARDWARE_ASSET_REALM 
"RC" - 
  ADMIN_SECURITY_REMOTE_CONTROL_REALM 
"STOR" - ADMIN_SECURITY_STORAGE_REALM 
  
"EVTMGR" - ADMIN_SECURITY_EVENT_MANAGER_REALM 
"STORA" - 
  ADMIN_SECURITY_STORAGE_ADMIN_REALM 
"AGPL" - 
  ADMIN_SECURITY_AGENT_PRECENSE_LOCAL_REALM 
"AGPR" - 
  ADMIN_SECURITY_AGENT_PRECENSE_REMOTE_REALM 
"CB" - 
  ADMIN_SECURITY_CIRCUIT_BREAKER_REALM 
"NETT" - 
  ADMIN_SECURITY_NETWORK_TIME_REALM 
"INFO" - 
  ADMIN_SECURITY_GENERAL_INFO_REALM 
"FWUPD" - ADMIN_SECURITY_FW_UPDATE_REALM 
  
"EIT" - ADMIN_SECURITY_EIT_PROVISIONING_REALM 
"LOCAPP" - 
  ADMIN_SECURITY_LOCAL_APPS_REALM 
"EAC" - ADMIN_SECURITY_EAC_REALM 
  
"EACADM" - ADMIN_SECURITY_EAC_ADMIN_REALM 
"EVTLOG" - 
  ADMIN_SECURITY_EVENT_LOG_READER_REALM 
"AUDIT" - 
  ADMIN_SECURITY_AUDIT_LOG_REALM 
"UAC" - 
  ADMIN_SECURITY_USER_ACCESS_CONTROL_REALM 
"SEC_LCL" - 
  ADMIN_SECURITY_LOCAL_SYSTEM_REALM 
  
"RESERVED"

Qualifiers:
-------------
ArrayType=Indexed
ModelCorrespondence={CIM_Privilege.Activities, 
  CIM_Privilege.QualifierFormats}
MaxLen=15


  

  





QualifierFormats 
public uint16[25] QualifierFormats



  
General Information:
Defines the semantics of corresponding 
  entries in the ActivityQualifiers array. An example of each of these 'formats' 
  and their use follows: 
- 2=Class Name. Example: If the authorization 
  target is a CIM Service or a Namespace, then the ActivityQualifiers entries 
  can define a list of classes that the authorized subject is able to create or 
  delete. 
- 3=<Class.>Property. Example: If the authorization target 
  is a CIM Service, Namespace or Collection of instances, then the 
  ActivityQualifiers entries can define the class properties that may or may not 
  be accessed. In this case, the class names are specified with the property 
  names to avoid ambiguity - since a CIM Service, Namespace or Collection could 
  manage multiple classes. On the other hand, if the authorization target is an 
  individual instance, then there is no possible ambiguity and the class name 
  may be omitted. To specify ALL properties, the wildcard string "*" should be 
  used. 
- 4=<Class.>Method. This example is very similar to the 
  Property one, above. And, as above, the string "*" may be specified to select 
  ALL methods. 
- 5=Object Reference. Example: If the authorization target is 
  a CIM Service or Namespace, then the ActivityQualifiers entries can define a 
  list of object references (as strings) that the authorized subject can access. 
  
- 6=Namespace. Example: If the authorization target is a CIM Service, then 
  the ActivityQualifiers entries can define a list of Namespaces that the 
  authorized subject is able to access. 
- 7=URL. Example: An authorization 
  target may not be defined, but a Privilege could be used to deny access to 
  specific URLs by individual Identities or for specific Roles, such as the 
  'under 17' Role. 
- 8=Directory/File Name. Example: If the authorization 
  target is a FileSystem, then the ActivityQualifiers entries can define a list 
  of directories and files whose access is protected. 
- 9=Command Line 
  Instruction. Example: If the authorization target is a ComputerSystem or 
  Service, then the ActivityQualifiers entries can define a list of command line 
  instructions that may or may not be 'Executed' by the authorized subjects. 
  
- 10=SCSI Command, using a format of 'CDB=xx[,Page=pp]'. For example, the 
  ability to select the VPD page of the Inquiry command is encoded as 
  'CDB=12,Page=83' in the corresponding ActivityQualifiers entry. A '*' may be 
  used to indicate all CDBs or Page numbers. 
- 11=Packets. Example: The 
  transmission of packets is permitted or denied by the Privilege for the target 
  (a ComputerSystem, ProtocolEndpoint, Pipe, or other 
  ManagedSystemElement).

Product Specific Usage:
Additional 
  Notes: 
1) 'Array Max Length' qualifier in Intel AMT Release 3.2 is '19'. 
  
2) 'Array Max Length' qualifier in Intel AMT Release 6.0 and later 
  releases is 25 
3) In Intel AMT Release 6.0 and later releases only value 
  is "Vendor Reserved" 
  (16000)

Qualifiers:
-------------
ValueMap={2, 3, 4, 5, 6, 
  7, 8, 9, 10, 11, .., 16000..}
Values={Class Name, <Class.>Property, 
  <Class.>Method, Object Reference, Namespace, URL, Directory/File Name, 
  Command Line Instruction, SCSI Command, Packets, DMTF Reserved, Vendor 
  Reserved}
ArrayType=Indexed
ModelCorrespondence={CIM_Privilege.ActivityQualifiers}


  

  





RepresentsAuthorizationRights 
public boolean RepresentsAuthorizationRights



  
General Information:
The RepresentsAuthorizationRights flag 
  indicates whether the rights defined by this instance should be interpreted as 
  rights of Subjects to access Targets or as rights of Subjects to change those 
  rights on/for Targets.

Product Specific Usage:
In Intel AMT 
  Release 6.0 and later releases value is 'false'

  

  






  
  

    Method 
Detail


Put
public  Put([IN]CIM_Privilege Instance)



  
Permission Information:
Permitted realms: 
  ADMIN_SECURITY_ADMINISTRATION_REALM, 
  ADMIN_SECURITY_USER_ACCESS_CONTROL_REALM

General 
  Information:
Changes properties of the selected 
  instance

Product Specific Usage:
The following properties 
  must be included in any representation of CIM_Privilege: 

InstanceID 
  

In Intel AMT Release 6.0 and later releases it's permitted to 
  ADMIN_SECURITY_ADMINISTRATION_REALM and 
  ADMIN_SECURITY_USER_ACCESS_CONTROL_REALM. 
  
ADMIN_SECURITY_USER_ACCESS_CONTROL_REALM can't change the actual 
  permissions.





Get
public  Get([OUT]CIM_Privilege Instance)



  
Permission Information:
This method is accessible from any 
  realm

General Information:
Gets the representation of the 
  instance

Product Specific Usage:
Additional Notes: 
1) 
  'Get' in Intel AMT Release 3.2 until release 5.1 is permitted only to 
  'ADMIN_SECURITY_ADMINISTRATION_REALM' and 
  'ADMIN_SECURITY_USER_ACCESS_CONTROL_REALM' 
2) In Intel AMT Release 6.0 and 
  later releases it's permitted to all realms





Pull
public  Pull([IN]String EnumerationContext, [IN]String MaxElements)



  
Permission Information:
All users permitted to use method, only 
  instances to whom the user has permissions will be returned

General 
  Information:
Pulls instances of this class, following an Enumerate 
  operation





Enumerate
public  Enumerate()



  
Permission Information:
All users permitted to use 
  method

General Information:
Enumerates the instances of this 
  class





Release
public  Release([IN]String EnumerationContext)



  
Permission Information:
All users permitted to use 
  method

General Information:
Releases an enumeration 
  context






  
  

    SUMMARY: NESTED | FIELD | METHOD
  

  

    DETAIL: FIELD | METHOD



  
  

    
      
Copyright © 2006-2022, Intel 
      Corporation. All rights 
reserved.