Creating a Digest User

To create a Digest user (username and password-based) ACL entry, invoke CIM_AccountManagementService.CreateAccount. The method takes the user description as an instance of CIM_Account. Intel AMT identifies the new user by CIM_Account.UserID and ignores CIM_Account.Name; nevertheless, set both CIM_Account.UserID and CIM_Account.Name to the username.

This request creates five objects (CIM_Identity, CIM_Account, CIM_Role, CIM_Privilege, and CIM_EnabledLogicalElementCapabilities), as shown in the following diagram:

A separate set of these objects exists for each user; there are no many-to-one relationships, although the DASH profiles permit such an implementation.

At this point the user has access to all of the realms listed as defaults in the table Realm Names and Realm Shortcuts.

To change the privileges of a selected user, change the permitted realms by using the CIM_Privilege Get and Put methods: retrieve the user's CIM_Privilege with Get, trim ActivityQualifiers to the realms the user actually needs (least privilege), and write the instance back with Put.
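The two steps above, as an added Python example that is not Intel SDK code: it builds the CIM_Account instance that CreateAccount takes, and performs the Get/narrow/Put cycle on CIM_Privilege using the field values from the table on this page. Assumed, not taken from the page: the DMTF WS-CIM resource namespaces for CIM_Account and CIM_Privilege, the placeholder realm names (the real ones come from the Realm Names and Realm Shortcuts table), and that Intel AMT expects one QualifierFormats entry per ActivityQualifiers entry. Sending the payloads over WS-Management (HTTP Digest to the AMT port) is left to whatever client you use, so the example runs offline.

```python
# Added example, not Intel AMT SDK code. Builds and parses the WS-Management XML
# payloads for creating a Digest user and narrowing its realms; transport is
# out of scope, so everything here runs offline.
import xml.etree.ElementTree as ET

# DMTF WS-CIM resource namespaces for the classes named on this page (assumed).
CIM = "http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/"
NS_ACCOUNT = CIM + "CIM_Account"
NS_PRIV = CIM + "CIM_Privilege"
ET.register_namespace("h", NS_ACCOUNT)
ET.register_namespace("g", NS_PRIV)

VENDOR_RESERVED = "16000"  # QualifierFormats value from the table on this page
EXECUTE = "7"              # Activities value from the table on this page


def account_template(username: str) -> str:
    """CIM_Account instance to pass to CreateAccount. Intel AMT identifies the
    user by UserID and ignores Name, but both are set as the page instructs."""
    acct = ET.Element("{%s}CIM_Account" % NS_ACCOUNT)
    ET.SubElement(acct, "{%s}UserID" % NS_ACCOUNT).text = username
    ET.SubElement(acct, "{%s}Name" % NS_ACCOUNT).text = username
    return ET.tostring(acct, encoding="unicode")


def parse_privilege(body: str) -> dict:
    """Pull the fields out of a CIM_Privilege instance as returned by Get
    (either the bare instance element or an envelope containing it)."""
    root = ET.fromstring(body)
    tag = "{%s}CIM_Privilege" % NS_PRIV
    inst = root if root.tag == tag else root.find(".//" + tag)
    if inst is None:
        raise ValueError("no CIM_Privilege instance in response")
    field = lambda name: [e.text for e in inst.findall("{%s}%s" % (NS_PRIV, name))]
    return {
        "InstanceID": inst.findtext("{%s}InstanceID" % NS_PRIV),
        "ActivityQualifiers": field("ActivityQualifiers"),
        "QualifierFormats": field("QualifierFormats"),
        "Activities": field("Activities"),
    }


def restrict_realms(priv: dict, allowed: list) -> dict:
    """Return a copy of the privilege limited to the `allowed` realm strings.
    Only narrowing is done here: granting a realm the user does not already
    hold is a separate, deliberate decision. Assumption: one QualifierFormats
    entry (16000) accompanies each ActivityQualifiers entry, in lockstep."""
    unknown = [r for r in allowed if r not in priv["ActivityQualifiers"]]
    if unknown:
        raise ValueError("not currently granted: %s" % ", ".join(unknown))
    if not allowed:
        raise ValueError("a user must keep at least one realm")
    new = dict(priv)
    new["ActivityQualifiers"] = list(allowed)
    new["QualifierFormats"] = [VENDOR_RESERVED] * len(allowed)
    new["Activities"] = [EXECUTE]
    return new


def privilege_to_xml(priv: dict) -> str:
    """Serialize the (modified) instance as the body of the Put request."""
    el = ET.Element("{%s}CIM_Privilege" % NS_PRIV)
    ET.SubElement(el, "{%s}InstanceID" % NS_PRIV).text = priv["InstanceID"]
    for name in ("ActivityQualifiers", "QualifierFormats", "Activities"):
        for value in priv[name]:
            ET.SubElement(el, "{%s}%s" % (NS_PRIV, name)).text = value
    return ET.tostring(el, encoding="unicode")


# Constructed sample of what Get returns for a freshly created user. The realm
# strings are placeholders; real ones come from the Realm Names and Realm
# Shortcuts table in the SDK.
SAMPLE_GET = """<g:CIM_Privilege xmlns:g="%s">
  <g:InstanceID>Intel(r) AMT: alice Privilege</g:InstanceID>
  <g:ActivityQualifiers>ExampleRealmA</g:ActivityQualifiers>
  <g:ActivityQualifiers>ExampleRealmB</g:ActivityQualifiers>
  <g:ActivityQualifiers>ExampleRealmC</g:ActivityQualifiers>
  <g:QualifierFormats>16000</g:QualifierFormats>
  <g:QualifierFormats>16000</g:QualifierFormats>
  <g:QualifierFormats>16000</g:QualifierFormats>
  <g:Activities>7</g:Activities>
</g:CIM_Privilege>""" % NS_PRIV


if __name__ == "__main__":
    print(account_template("alice"))
    current = parse_privilege(SAMPLE_GET)
    print(privilege_to_xml(restrict_realms(current, ["ExampleRealmB"])))
```

Because every realm string carries its own QualifierFormats entry, rebuild both arrays together rather than deleting entries from one of them; a Put with mismatched array lengths is the easiest way to leave the ACL entry in a state you did not intend.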

To summarize some of the properties of these objects:

Object           Field               Value for Regular User                          Value for 'admin' User
---------------  ------------------  ----------------------------------------------  ------------------------------
CIM_Identity     InstanceID          "Intel(r) AMT: <username>"
                 ElementName         "Intel(r) AMT Security Principal"
CIM_Account      Name, UserID        <username>
CIM_Role         Name                "Intel(r) AMT: <username>"                      "Administrator"
                 ElementName         "Intel(r) AMT: <username>"                      "Administrator"
                 CommonName          (Digest) "Intel(r) AMT: <username>" or          "Intel(r) AMT: Administrator"
                                     (Kerberos) "<accountName> Role"; starting in
                                     Release 6.1 the Kerberos value is
                                     "Intel(r) AMT:RemoteID <user name>"
CIM_Privilege    InstanceID          "Intel(r) AMT: <username> Privilege"            "Intel(r) AMT:Admin Privilege"
                 ActivityQualifiers  one or more Realm strings                       one or more Realm strings
                 QualifierFormats    16000 (Vendor Reserved)                         16000 (Vendor Reserved)
                 Activities          7 (Execute)                                     7 (Execute)

The following object is associated with CIM_Account via CIM_ElementCapabilities:

CIM_EnabledLogicalElementCapabilities:
    InstanceID is "Intel(r) AMT: <username>Account Capabilities" or "Intel(r) AMT: Admin Account Capabilities"
    ElementName is "Account Management Capabilities" or "Administrator Account Management Capabilities"

This object indicates whether an account can be disabled (an admin account cannot be disabled).

Copyright © 2006-2022, Intel Corporation. All rights reserved.