Differences in Implied User Permissions

Creating a user using AMT_AuthorizationService can result in a user who has permissions that are not the same as those held by a user created using the DASH Role-Based Authorization Profile. This happens because a user created with AMT_AuthorizationService has an AccessPermission associated with it. This permission states whether the user can access the network interface, the local interface or both.

Users created with role-based authorization do not have explicit interface access permissions, so Intel AMT infers access permissions based on the requested realms. For example,

     A new user is created with CIM_AccountManagementService.CreateAccount and receives access to all of the realms listed in the “Default Realm Access on Creation” column in the Realm Names and Realm Shortcuts table. The user is given both network and local access. Therefore, those realms with a Permission Type of Neutral (meaning, the realm is accessible both locally and from the network) to which the new user has access (Storage Realm, for example) will be accessible both locally and from the network.

     Now use CIM_Privilege.Put to assign the user permission for the ADMIN realm. In Release 6.0 and earlier releases, if the user is assigned only the ADMIN realm, the user will now have access to all network and neutral realms, but only with network access. Instead, also assign this ADMIN user a second realm, one with local (e.g., LOCAPP) or neutral (e.g., INFO) permissions. The user will now have access to all realms, both locally and from the network (except for the Audit realm).
In Release 6.1 and later releases assigning a user permission for the ADMIN realm gives that user both local and network access to to all realms, since all realms have local access.

Copyright © 2006-2022, Intel Corporation. All rights reserved.