To create a Digest user (username- and password-based) ACL entry, invoke CIM_AccountManagementService.CreateAccount. This method takes the user description as an instance of CIM_Account. The CIM_Account.UserID field identifies the new user; Intel AMT ignores CIM_Account.Name. Nevertheless, both CIM_Account.UserID and CIM_Account.Name should be set to the username.
This request creates five objects, as shown in the following diagram:
These objects exist for each user – there are no many-to-one relationships, although the DASH profiles support such an implementation.
At this point the user has access to all of the realms listed as defaults in the table Realm Names and Realm Shortcuts.
To change the privileges of a selected user, change the permitted realms by using the CIM_Privilege Get and Put methods.
To summarize some of the properties of these objects:
Object | Field | Value for Regular User | Value for 'admin' User
--- | --- | --- | ---
CIM_Identity | InstanceID | "Intel(r) AMT: <username>" |
CIM_Identity | ElementName | "Intel(r) AMT Security Principal" |
CIM_Account | Name, UserID | <username> |
CIM_Role | Name | "Intel(r) AMT: <username>" | "Administrator"
CIM_Role | ElementName | "Intel(r) AMT: <username>" | "Administrator"
CIM_Role | CommonName | (Digest) "Intel(r) AMT: <username>"; starting in Release 6.1, the Kerberos value changed to | "Intel(r) AMT: Administrator"
CIM_Privilege | InstanceID | "Intel(r) AMT: <username> Privilege" | "Intel(r) AMT: Admin Privilege"
CIM_Privilege | ActivityQualifiers | one or more Realm strings | one or more Realm strings
CIM_Privilege | QualifierFormats | 16000 (Vendor Reserved) | 16000 (Vendor Reserved)
CIM_Privilege | Activities | 7 (Execute) | 7 (Execute)
The following object is associated with CIM_Account via CIM_ElementCapabilities:

CIM_EnabledLogicalElementCapabilities:
- InstanceID is "Intel(r) AMT: <username> Account Capabilities" or "Intel(r) AMT: Admin Account Capabilities"
- ElementName is "Account Management Capabilities" or "Administrator Account Management Capabilities"

This object can identify whether an account can be disabled (an admin account cannot be disabled).
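The following helpers, added here as an illustration and not taken from the Intel AMT SDK, show the data handling behind the three operations above: building the CIM_Account template for CreateAccount with UserID and Name both set to the username, narrowing a user's CIM_Privilege.ActivityQualifiers to the realms it actually needs before the Put, and reading the linked CIM_EnabledLogicalElementCapabilities to learn whether the account can be disabled. Only XML bodies are built and parsed; the WS-Management envelope, the System reference parameter of CreateAccount and the HTTP/Digest transport are left to the client library. The namespace URIs follow the DMTF WS-CIM mapping, the property names UserPassword and RequestedStatesSupported (value 3 = Disabled) follow the DMTF CIM schema, and the password policy and realm names are assumptions, so verify them against the SDK and the Realm Names table before use.

```python
import re
import xml.etree.ElementTree as ET

# DMTF WS-CIM namespace URIs under which AMT exposes its CIM_ classes (assumed).
CIM = "http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/"
ACCOUNT_NS = CIM + "CIM_Account"
PRIVILEGE_NS = CIM + "CIM_Privilege"
CAPS_NS = CIM + "CIM_EnabledLogicalElementCapabilities"

QUALIFIER_FORMAT_VENDOR_RESERVED = "16000"  # from the table above
ACTIVITY_EXECUTE = "7"                      # from the table above
REQUESTED_STATE_DISABLED = "3"              # DMTF CIM value for "Disabled"


def password_is_strong(password: str) -> bool:
    """Assumed policy: 8 to 32 chars with upper, lower, digit and a symbol."""
    return (8 <= len(password) <= 32
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def account_template(username: str, password: str) -> ET.Element:
    """Build the CIM_Account instance handed to CreateAccount.
    AMT keys on UserID and ignores Name, but both are set to the username."""
    if not username or re.search(r"\s", username):
        raise ValueError("username must be non-empty with no whitespace")
    if not password_is_strong(password):
        raise ValueError("password does not meet the assumed strength policy")
    acct = ET.Element(f"{{{ACCOUNT_NS}}}CIM_Account")
    ET.SubElement(acct, f"{{{ACCOUNT_NS}}}Name").text = username
    ET.SubElement(acct, f"{{{ACCOUNT_NS}}}UserID").text = username
    ET.SubElement(acct, f"{{{ACCOUNT_NS}}}UserPassword").text = password  # assumed property
    return acct


def parse_privilege(xml_text: str) -> dict:
    """Parse the CIM_Privilege instance returned by Get into a plain dict."""
    root = ET.fromstring(xml_text)
    ns = {"p": PRIVILEGE_NS}
    return {
        "InstanceID": root.findtext("p:InstanceID", namespaces=ns),
        "ActivityQualifiers": [e.text for e in root.findall("p:ActivityQualifiers", ns)],
        "QualifierFormats": [e.text for e in root.findall("p:QualifierFormats", ns)],
        "Activities": [e.text for e in root.findall("p:Activities", ns)],
    }


def restrict_privilege(priv: dict, allowed_realms: set) -> dict:
    """Keep only the realm strings in allowed_realms (least privilege).
    QualifierFormats/Activities are trimmed alongside only when they are
    per-realm lists of the same length; a single shared value is kept."""
    keep = [i for i, r in enumerate(priv["ActivityQualifiers"]) if r in allowed_realms]
    if not keep:
        raise ValueError("refusing to Put a privilege with no realms at all")
    out = dict(priv)
    out["ActivityQualifiers"] = [priv["ActivityQualifiers"][i] for i in keep]
    for key in ("QualifierFormats", "Activities"):
        if len(priv[key]) == len(priv["ActivityQualifiers"]):
            out[key] = [priv[key][i] for i in keep]
    return out


def privilege_put_body(priv: dict) -> str:
    """Serialize the (edited) privilege dict back into the body for Put."""
    root = ET.Element(f"{{{PRIVILEGE_NS}}}CIM_Privilege")
    ET.SubElement(root, f"{{{PRIVILEGE_NS}}}InstanceID").text = priv["InstanceID"]
    for key in ("ActivityQualifiers", "QualifierFormats", "Activities"):
        for value in priv[key]:
            ET.SubElement(root, f"{{{PRIVILEGE_NS}}}{key}").text = value
    return ET.tostring(root, encoding="unicode")


def account_can_be_disabled(caps_xml: str) -> bool:
    """True if the linked capabilities object lists Disabled (3) among the
    RequestedStatesSupported values; an admin account does not."""
    root = ET.fromstring(caps_xml)
    states = [e.text for e in root.findall("c:RequestedStatesSupported", {"c": CAPS_NS})]
    return REQUESTED_STATE_DISABLED in states


# Constructed sample responses (not captured from a device). The realm names
# are placeholders standing in for entries of the Realm Names table.
SAMPLE_PRIVILEGE = f"""<p:CIM_Privilege xmlns:p="{PRIVILEGE_NS}">
  <p:InstanceID>Intel(r) AMT: operator1 Privilege</p:InstanceID>
  <p:ActivityQualifiers>EXAMPLE_REALM_A</p:ActivityQualifiers>
  <p:ActivityQualifiers>EXAMPLE_REALM_B</p:ActivityQualifiers>
  <p:ActivityQualifiers>EXAMPLE_REALM_C</p:ActivityQualifiers>
  <p:QualifierFormats>{QUALIFIER_FORMAT_VENDOR_RESERVED}</p:QualifierFormats>
  <p:Activities>{ACTIVITY_EXECUTE}</p:Activities>
</p:CIM_Privilege>"""

SAMPLE_USER_CAPS = f"""<c:CIM_EnabledLogicalElementCapabilities xmlns:c="{CAPS_NS}">
  <c:InstanceID>Intel(r) AMT: operator1 Account Capabilities</c:InstanceID>
  <c:RequestedStatesSupported>2</c:RequestedStatesSupported>
  <c:RequestedStatesSupported>3</c:RequestedStatesSupported>
</c:CIM_EnabledLogicalElementCapabilities>"""
```

A typical flow is `parse_privilege` on the Get response, `restrict_privilege` with the realm set the role needs, then `privilege_put_body` as the Put payload; the refusal to emit an empty realm list is deliberate, since a user with no realms is a broken account rather than a locked-down one.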
Copyright © 2006-2022, Intel Corporation. All rights reserved.