Class CIM_Privilege
Used in features: Role Based
Compatible with the following Intel AMT Releases: 3.2, 4.0, 5.0, 5.1,
6.0, 6.1, 6.2, 7.0, 8.0, 8.1, 9.0, 9.5, 10.0, 11.0
CIM_ManagedElement
CIM_Privilege
- Known Subclasses:
- CIM_AuthorizedPrivilege
class CIM_Privilege
- extends CIM_ManagedElement
General Information:
Privilege is the base class for all types of
activities which are granted or denied by a Role or an Identity. Whether an
individual Privilege is granted or denied is defined using the PrivilegeGranted
boolean. Any Privileges not specifically granted are assumed to be denied. An
explicit deny (Privilege Granted = FALSE) takes precedence over any granted
Privileges.
The association of subjects (Roles and Identities) to
Privileges is accomplished using policy or explicitly via the associations on a
subclass. The entities that are protected (targets) can be similarly defined.
Note that Privileges may be inherited through hierarchical Roles, or may
overlap. For example, a Privilege denying any instance Writes in a particular
CIM Server Namespace would overlap with a Privilege defining specific access
rights at an instance level within that Namespace. In this example, the
AuthorizedSubjects are either Identities or Roles, and the AuthorizedTargets are
a Namespace in the former case, and a particular instance in the
latter.
Product Specific Usage:
For every user in the system
there is an instance of this class. It represents the permission realms the user
has in the system.
For digest (non-kerberos) user, there are matching
instances of CIM_Account, CIM_Role and CIM_Privilege (a 1:1:1:1 structure).
CIM_Identity and CIM_Account are associated by CIM_AssignedIdentity,
CIM_Identity and CIM_Role by both CIM_MemberOfCollection and
CIM_ConcreteDependency, and CIM_Role and CIM_Privilege by
CIM_MemberOfCollection.
Kerberos users have an instance of
CIM_RemoteIdentity (which inherits from CIM_Identity) instead of the
CIM_Identity and the
CIM_Account.
Qualifiers:
-------------
Version=2.20.0
UMLPackagePath=CIM::User::Privilege
Supported Fields
Summary |
string
|
ElementName A
user-friendly name for the object . . .
|
string
|
Description The
Description property provides a textual description of the object.
|
string
|
Caption The Caption
property is a short textual description (one- line string) of the
object.
|
string
|
InstanceID Within the scope of the instantiating Namespace,
InstanceID opaquely and uniquely identifies an instance of this class . .
.
|
boolean
|
PrivilegeGranted
Boolean indicating whether the Privilege is granted (TRUE) or
denied (FALSE) . . .
|
uint16[25]
|
Activities An
enumeration indicating the activities that are granted or denied . .
.
|
string[25]
|
ActivityQualifiers
The ActivityQualifiers property is an array of string values
used to further qualify and specify the privileges granted or denied . .
.
|
uint16[25]
|
QualifierFormats
Defines the semantics of corresponding entries in the
ActivityQualifiers array . . .
|
boolean
|
RepresentsAuthorizationRights
The RepresentsAuthorizationRights flag indicates whether the
rights defined by this instance should be interpreted as rights of
Subjects to access Targets or as rights of Subjects to change those rights
on/for Targets.
|
Methods Summary |
|
Put(Instance) Changes
properties of the selected instance
|
|
Get(Instance) Gets the
representation of the instance
|
|
Pull(EnumerationContext,
MaxElements) Pulls instances of this class, following an
Enumerate operation
|
|
Enumerate()
Enumerates the instances of this class
|
|
Release(EnumerationContext)
Releases an enumeration context
|
ElementName
public string ElementName
- General Information:
A user-friendly name for the object. This
property allows each instance to define a user-friendly name in addition to
its key properties, identity data, and description information.
Note that
the Name property of ManagedSystemElement is also defined as a user-friendly
name. But, it is often subclassed to be a Key. It is not reasonable that the
same property can convey both identity and a user-friendly name, without
inconsistencies. Where Name exists and is not a Key (such as for instances of
LogicalDevice), the same information can be present in both the Name and
ElementName properties. Note that if there is an associated instance of
CIM_EnabledLogicalElementCapabilities, restrictions on this properties may
exist as defined in ElementNameMask and MaxElementNameLen properties defined
in that class.
Product Specific Usage:
Additional Notes:
1) 'ElementName' property is supported in Intel AMT Release 4.0 and later
releases.
Qualifiers:
-------------
MaxLen=256
Description
public string Description
- General Information:
The Description property provides a textual
description of the object.
Product Specific Usage:
Additional
Notes:
1) 'Description' property is supported in Intel AMT Release 4.0 and
later
releases.
Qualifiers:
-------------
MaxLen=256
Caption
public string Caption
- General Information:
The Caption property is a short textual
description (one- line string) of the object.
Product Specific
Usage:
Additional Notes:
1) 'Caption' property is supported in
Intel AMT Release 4.0 and later
releases.
Qualifiers:
-------------
MaxLen=64
InstanceID
public string InstanceID
- General Information:
Within the scope of the instantiating
Namespace, InstanceID opaquely and uniquely identifies an instance of this
class. In order to ensure uniqueness within the NameSpace, the value of
InstanceID SHOULD be constructed using the following 'preferred' algorithm:
<OrgID>:<LocalID>
Where <OrgID> and <LocalID>
are separated by a colon ':', and where <OrgID> MUST include a
copyrighted, trademarked or otherwise unique name that is owned by the
business entity creating/defining the InstanceID, or is a registered ID that
is assigned to the business entity by a recognized global authority. (This is
similar to the <Schema Name>_<Class Name> structure of Schema
class names.) In addition, to ensure uniqueness <OrgID> MUST NOT contain
a colon (':'). When using this algorithm, the first colon to appear in
InstanceID MUST appear between <OrgID> and <LocalID>.
<LocalID> is chosen by the business entity and SHOULD not be re-used
to identify different underlying (real-world) elements. If the above
'preferred' algorithm is not used, the defining entity MUST assure that the
resultant InstanceID is not re-used across any InstanceIDs produced by this or
other providers for this instance's NameSpace. For DMTF defined instances, the
'preferred' algorithm MUST be used with the <OrgID> set to
'CIM'.
Product Specific Usage:
Additional Notes:
1) 'Max
Length' qualifier in Intel AMT Release 3.2 is '80'.
2) 'InstanceID' field
format is 'Intel(r) AMT:<userID> Privilege', depending on the user.
An exception is the 'admin' built-in user, where the 'InstanceID' of the
corresponding CIM_Privilege instance will be 'Intel AMT:Admin Privilege' (with
capital
'A').
Qualifiers:
-------------
Key
Override=InstanceID
MaxLen=256
PrivilegeGranted
public boolean PrivilegeGranted
- General Information:
Boolean indicating whether the Privilege is
granted (TRUE) or denied (FALSE). The default is to grant permission.
Activities
public uint16[25] Activities
- General Information:
An enumeration indicating the activities
that are granted or denied. These activities apply to all entities specified
in the ActivityQualifiers array. The values in the enumeration are
straightforward except for one, 4="Detect". This value indicates that the
existence or presence of an entity may be determined, but not necessarily
specific data (which requires the Read privilege to be true). This activity is
exemplified by 'hidden files'- if you list the contents of a directory, you
will not see hidden files. However, if you know a specific file name, or know
how to expose hidden files, then they can be 'detected'. Another example is
the ability to define search privileges in directory
implementations.
Product Specific Usage:
Additional Notes:
1) 'Max Length' qualifier in Intel AMT Release 3.2 is '19'.
2) 'Max
Length' qualifier in Intel AMT Release 6.0 and later releases is 25.
3) In
Intel AMT Release 6.0 and later releases only value is "Execute"
(7).
Qualifiers:
-------------
ValueMap={1, 2, 3, 4, 5, 6,
7, .., 16000..}
Values={Other, Create, Delete, Detect, Read, Write,
Execute, DMTF Reserved, Vendor
Reserved}
ArrayType=Indexed
ModelCorrespondence={CIM_Privilege.ActivityQualifiers}
ActivityQualifiers
public string[25] ActivityQualifiers
- General Information:
The ActivityQualifiers property is an array
of string values used to further qualify and specify the privileges granted or
denied. For example, it is used to specify a set of files for which
'Read'/'Write' access is permitted or denied. Or, it defines a class' methods
that may be 'Executed'. Details on the semantics of the individual entries in
ActivityQualifiers are provided by corresponding entries in the
QualifierFormats array.
Product Specific Usage:
Additional
Notes:
1) 'Max Length' qualifier in Intel AMT Release 3.2 is '10'.
2)
'Array Max Length' qualifier in Intel AMT Release 3.2 is '19'.
3) 'Array
Max Length' qualifier in Intel AMT Release 6.0 and later releases is 25
4)
Each entry contains a string that represents a matching realm that the user of
this privileged has:
"RCS" - ADMIN_SECURITY_RCS_ADMIN_REALM
"REDIR" -
ADMIN_SECURITY_SOLIDER_REALM
"ADMIN" - ADMIN_SECURITY_ADMINISTRATION_REALM
"HAI" - ADMIN_SECURITY_HARDWARE_ASSET_REALM
"RC" -
ADMIN_SECURITY_REMOTE_CONTROL_REALM
"STOR" - ADMIN_SECURITY_STORAGE_REALM
"EVTMGR" - ADMIN_SECURITY_EVENT_MANAGER_REALM
"STORA" -
ADMIN_SECURITY_STORAGE_ADMIN_REALM
"AGPL" -
ADMIN_SECURITY_AGENT_PRECENSE_LOCAL_REALM
"AGPR" -
ADMIN_SECURITY_AGENT_PRECENSE_REMOTE_REALM
"CB" -
ADMIN_SECURITY_CIRCUIT_BREAKER_REALM
"NETT" -
ADMIN_SECURITY_NETWORK_TIME_REALM
"INFO" -
ADMIN_SECURITY_GENERAL_INFO_REALM
"FWUPD" - ADMIN_SECURITY_FW_UPDATE_REALM
"EIT" - ADMIN_SECURITY_EIT_PROVISIONING_REALM
"LOCAPP" -
ADMIN_SECURITY_LOCAL_APPS_REALM
"EAC" - ADMIN_SECURITY_EAC_REALM
"EACADM" - ADMIN_SECURITY_EAC_ADMIN_REALM
"EVTLOG" -
ADMIN_SECURITY_EVENT_LOG_READER_REALM
"AUDIT" -
ADMIN_SECURITY_AUDIT_LOG_REALM
"UAC" -
ADMIN_SECURITY_USER_ACCESS_CONTROL_REALM
"SEC_LCL" -
ADMIN_SECURITY_LOCAL_SYSTEM_REALM
"RESERVED"
Qualifiers:
-------------
ArrayType=Indexed
ModelCorrespondence={CIM_Privilege.Activities,
CIM_Privilege.QualifierFormats}
MaxLen=15
QualifierFormats
public uint16[25] QualifierFormats
- General Information:
Defines the semantics of corresponding
entries in the ActivityQualifiers array. An example of each of these 'formats'
and their use follows:
- 2=Class Name. Example: If the authorization
target is a CIM Service or a Namespace, then the ActivityQualifiers entries
can define a list of classes that the authorized subject is able to create or
delete.
- 3=<Class.>Property. Example: If the authorization target
is a CIM Service, Namespace or Collection of instances, then the
ActivityQualifiers entries can define the class properties that may or may not
be accessed. In this case, the class names are specified with the property
names to avoid ambiguity - since a CIM Service, Namespace or Collection could
manage multiple classes. On the other hand, if the authorization target is an
individual instance, then there is no possible ambiguity and the class name
may be omitted. To specify ALL properties, the wildcard string "*" should be
used.
- 4=<Class.>Method. This example is very similar to the
Property one, above. And, as above, the string "*" may be specified to select
ALL methods.
- 5=Object Reference. Example: If the authorization target is
a CIM Service or Namespace, then the ActivityQualifiers entries can define a
list of object references (as strings) that the authorized subject can access.
- 6=Namespace. Example: If the authorization target is a CIM Service, then
the ActivityQualifiers entries can define a list of Namespaces that the
authorized subject is able to access.
- 7=URL. Example: An authorization
target may not be defined, but a Privilege could be used to deny access to
specific URLs by individual Identities or for specific Roles, such as the
'under 17' Role.
- 8=Directory/File Name. Example: If the authorization
target is a FileSystem, then the ActivityQualifiers entries can define a list
of directories and files whose access is protected.
- 9=Command Line
Instruction. Example: If the authorization target is a ComputerSystem or
Service, then the ActivityQualifiers entries can define a list of command line
instructions that may or may not be 'Executed' by the authorized subjects.
- 10=SCSI Command, using a format of 'CDB=xx[,Page=pp]'. For example, the
ability to select the VPD page of the Inquiry command is encoded as
'CDB=12,Page=83' in the corresponding ActivityQualifiers entry. A '*' may be
used to indicate all CDBs or Page numbers.
- 11=Packets. Example: The
transmission of packets is permitted or denied by the Privilege for the target
(a ComputerSystem, ProtocolEndpoint, Pipe, or other
ManagedSystemElement).
Product Specific Usage:
Additional
Notes:
1) 'Array Max Length' qualifier in Intel AMT Release 3.2 is '19'.
2) 'Array Max Length' qualifier in Intel AMT Release 6.0 and later
releases is 25
3) In Intel AMT Release 6.0 and later releases only value
is "Vendor Reserved"
(16000)
Qualifiers:
-------------
ValueMap={2, 3, 4, 5, 6,
7, 8, 9, 10, 11, .., 16000..}
Values={Class Name, <Class.>Property,
<Class.>Method, Object Reference, Namespace, URL, Directory/File Name,
Command Line Instruction, SCSI Command, Packets, DMTF Reserved, Vendor
Reserved}
ArrayType=Indexed
ModelCorrespondence={CIM_Privilege.ActivityQualifiers}
RepresentsAuthorizationRights
public boolean RepresentsAuthorizationRights
- General Information:
The RepresentsAuthorizationRights flag
indicates whether the rights defined by this instance should be interpreted as
rights of Subjects to access Targets or as rights of Subjects to change those
rights on/for Targets.
Product Specific Usage:
In Intel AMT
Release 6.0 and later releases value is 'false'
Put
public Put([IN]CIM_Privilege Instance)
- Permission Information:
Permitted realms:
ADMIN_SECURITY_ADMINISTRATION_REALM,
ADMIN_SECURITY_USER_ACCESS_CONTROL_REALM
General
Information:
Changes properties of the selected
instance
Product Specific Usage:
The following properties
must be included in any representation of CIM_Privilege:
InstanceID
In Intel AMT Release 6.0 and later releases it's permitted to
ADMIN_SECURITY_ADMINISTRATION_REALM and
ADMIN_SECURITY_USER_ACCESS_CONTROL_REALM.
ADMIN_SECURITY_USER_ACCESS_CONTROL_REALM can't change the actual
permissions.
Get
public Get([OUT]CIM_Privilege Instance)
- Permission Information:
This method is accessible from any
realm
General Information:
Gets the representation of the
instance
Product Specific Usage:
Additional Notes:
1)
'Get' in Intel AMT Release 3.2 until release 5.1 is permitted only to
'ADMIN_SECURITY_ADMINISTRATION_REALM' and
'ADMIN_SECURITY_USER_ACCESS_CONTROL_REALM'
2) In Intel AMT Release 6.0 and
later releases it's permitted to all realms
Pull
public Pull([IN]String EnumerationContext, [IN]String MaxElements)
- Permission Information:
All users permitted to use method, only
instances to whom the user has permissions will be returned
General
Information:
Pulls instances of this class, following an Enumerate
operation
Enumerate
public Enumerate()
- Permission Information:
All users permitted to use
method
General Information:
Enumerates the instances of this
class
Release
public Release([IN]String EnumerationContext)
- Permission Information:
All users permitted to use
method
General Information:
Releases an enumeration
context