CIM Elements (RBA/SIM)

The following table describes the CIM elements used to implement the Role–Based Authorization/Simple Identity Management means for managing Intel AMT users.

Classes

| Element Name | Description | Instance Creation** | Cardinality |
|---|---|---|---|
| CIM_Account | The information used to track identity and privileges associated with an account. | Static (Predefined users); Implicit (New users) | Release 6.0: 4..14 (4 Pre-defined + 10 that can be created); Release 6.1: 5..15 (5 Pre-defined + 10 that can be created); Release 7.0: 3..14 (3 Pre-defined + 11 that can be created) |
| CIM_AccountManagementCapabilities | Describes the capabilities supported for managing accounts associated with an instance of CIM_AccountManagementService | Static | 1 |
| CIM_AccountManagementService | Creates, manages, and destroys accounts on behalf of other security services | Static | 1 |
| CIM_EnabledLogicalElementCapabilities | Created by invoking CIM_AccountManagementService.CreateAccount | Static (Predefined users); Implicit (New users) | Release 6.0: 4..15 (4 Pre-defined + 10 that can be created + 1 for KVM usage (not part of Role-Based Authorization)); Release 6.1: 5..16 (5 Pre-defined + 10 that can be created + 1 for KVM usage); Release 7.0: 3..15 (3 Pre-defined + 11 that can be created + 1 for KVM usage); Release 8.0: 3..17 (3 Pre-defined + 11 that can be created + 1 for KVM usage + 1 for LAN Endpoint usage + 1 for Ethernet Port Wired usage) |
| CIM_Identity | Represents a ManagedElement that acts as a security principal within the scope in which it is defined and authenticated. Created by invoking CIM_AccountManagementService.CreateAccount | Static (Predefined users); Implicit (New users) | Release 6.0: 4..14 (4 Pre-defined + 10 that can be created); Release 6.1: 5..15 (5 Pre-defined + 10 that can be created); Release 7.0: 3..14 (3 Pre-defined + 11 that can be created) |
| CIM_RegisteredProfile | Represents the feature profiles supported by Intel AMT | Static | 1 for each supported profile type |
| CIM_Privilege | The base class for all types of activities which are granted or denied by a Role or an Identity. Created by invoking CIM_AccountManagementService.CreateAccount or CIM_RemoteIdentity.Create | Static (Predefined users); Implicit (New users) | Release 6.0: 4..14 (4 Pre-defined + 10 that can be created); Release 6.1: 5..15 (5 Pre-defined + 10 that can be created); Release 7.0: 3..14 (3 Pre-defined + 11 that can be created) |
| CIM_RoleBasedManagementCapabilities | Extends the capabilities of CIM_RoleBasedAuthorizationService and describes the format in which the privilege is represented | Static | 1 |
| CIM_Role | Represents a position or set of responsibilities within an organization. Created by invoking CIM_AccountManagementService.CreateAccount or CIM_RemoteIdentity.Create | Static (Predefined users); Implicit (New users) | Release 6.0: 4..14 (4 Pre-defined + 10 that can be created); Release 6.1: 5..15 (5 Pre-defined + 10 that can be created); Release 7.0: 3..14 (3 Pre-defined + 11 that can be created) |
| CIM_RoleBasedAuthorizationService | Represents the authorization service that manages and configures roles on a managed system. | Static | 1 |
| CIM_RemoteIdentity | Used to define ACL entries that use Kerberos authentication. Created by invoking CIM_RemoteIdentity.Create | User | 0..32 |

Associations

| Element Name | Description | Instance Creation** | Cardinality |
|---|---|---|---|
| CIM_AccountOnSystem | Associates between the ManagedSystem instance of CIM_ComputerSystem and CIM_Account | Static (Predefined users); Implicit (New users) | Release 6.0: 4..14 (4 Pre-defined + 10 that can be created); Release 6.1: 5..15 (5 Pre-defined + 10 that can be created); Release 7.0: 3..14 (3 Pre-defined + 11 that can be created) |
| CIM_AssignedIdentity | Associates between CIM_Identity and CIM_Account | Static (Predefined users); Implicit (New users) | Release 6.0: 4..14 (4 Pre-defined + 10 that can be created); Release 6.1: 5..15 (5 Pre-defined + 10 that can be created); Release 7.0: 3..14 (3 Pre-defined + 11 that can be created) |
| CIM_ElementCapabilities | Associates between CIM_Account and CIM_EnabledLogicalElementCapabilities | Static (Predefined users); Implicit (New users) | Release 6.0: 2..16 (2 for SIM and RBA services + 4 Pre-defined + 10 that can be created); Release 6.1: 7..17 (2 for SIM and RBA Services + 5 Pre-defined + 10 that can be created); Release 7.0: 5..16 (2 for SIM & RBA Services + 3 Pre-defined + 11 that can be created) |
| CIM_MemberOfCollection | Associates between CIM_Role and CIM_Privilege | Static (Predefined users); Implicit (New users) | Release 6.0: 8..28 (2 for each - 4 Pre-defined + 10 that can be created); Release 6.1: 10..30 (2 for each - 5 Pre-defined + 10 that can be created); Release 7.0: 6..28 (2 for each - 3 Pre-defined + 11 that can be created) |
| CIM_OwningCollectionElement | Associates between the ManagedSystem instance of CIM_ComputerSystem and CIM_Role | Static (Predefined users); Implicit (New users) | Release 6.0: 4..14 (4 Pre-defined + 10 that can be created); Release 6.1: 5..15 (5 Pre-defined + 10 that can be created); Release 7.0: 3..14 (3 Pre-defined + 11 that can be created) |
| CIM_ServiceAffectsElement | Digest: Associates between CIM_RoleBasedAuthorizationService and CIM_Role and between CIM_AccountManagementService and CIM_Identity. Kerberos: Associates between CIM_AccountManagementService and CIM_RemoteIdentity | Static (Predefined users); Implicit (New users) | Release 6.0: 8..60 (2 for each digest user, 4 Pre-defined + 10 that can be created, 1 for 0..32 Kerberos users); Release 6.1: 10..62 (2 for each digest user, 5 Pre-defined + 10 that can be created, 1 for 0..32 Kerberos users); Release 7.0: 6..60 (2 for each digest user, 3 Pre-defined + 11 that can be created, 1 for 0..32 Kerberos users) |
| CIM_ConcreteDependency | Digest: Associates between CIM_Role and CIM_Identity. Kerberos: Associates between CIM_Role and CIM_RemoteIdentity | Static (Predefined users); Implicit (New users) | Release 6.0: 4..14 (4 Pre-defined + 10 that can be created); Release 6.1: 5..15 (5 Pre-defined + 10 that can be created); Release 7.0: 3..14 (3 Pre-defined + 11 that can be created) |
| CIM_RoleLimitedToTarget | Associates between the ManagedSystem instance of CIM_ComputerSystem and CIM_Role | Static (Predefined users); Implicit (New users) | Release 6.0: 4..14 (4 Pre-defined + 10 that can be created); Release 6.1: 5..15 (5 Pre-defined + 10 that can be created); Release 7.0: 3..14 (3 Pre-defined + 11 that can be created) |

* Multiple instances

** Instance Creation:

     Implicit: Instances created implicitly by Intel AMT in response to a user CIM operation

     Static: Instances created by Intel AMT on initialization

     User: The class supports create/delete

 

The following diagrams illustrate the CIM elements used in the Role–Based Authorization/Simple Identity Management feature.

Digest Diagram:

Kerberos Diagram:

Copyright © 2006-2013, Intel Corporation. All rights reserved.