
Discovery

The following steps describe how to locate the base objects required as a starting point for using the functionality associated with the Simple Identity Management and Role-Based Authorization DASH profiles.

Checking whether Simple Identity Management and Role-Based Authorization profiles are supported

Invoke Enumerate() and Pull() on CIM_RegisteredProfile and check whether an instance representing the profile exists: RegisteredName "Simple Identity Management" (DSP1034) or "Role Based Authorization" (DSP1039). See the Get ME Capabilities use case for retrieving the registered profiles (both DASH and Intel proprietary).

Finding the central class of each profile

For Simple Identity Management – The central class is CIM_AccountManagementService and the discovery flow can be found in the profile document DSP1034, Chapter 9.1.

For Role-Based Authorization – The central class is CIM_RoleBasedAuthorizationService and the discovery flow can be found in the profile document DSP1039, Chapter 9.1.

 Note:

For Intel AMT, the Base Desktop and Mobile profile instance is identified by its InstanceID, "Intel(r) ME:Base Desktop and Mobile" (its RegisteredName is "Base Desktop and Mobile").

Intel AMT does not support finding the central class of Simple Identity Management or Role-Based Authorization by traversing CIM_ElementConformsToProfile from that profile's own CIM_RegisteredProfile instance. Instead, start from the autonomous Base Desktop and Mobile profile and traverse CIM_HostedService from its scoping instance:

1.  Perform Enumerate on CIM_RegisteredProfile.

2.  Find the instance with one of the following property values:

a.   InstanceID = "Intel(r) ME:Base Desktop and Mobile" (preferred), or

b.   RegisteredName = "Base Desktop and Mobile".

3.  Traverse CIM_ElementConformsToProfile from the instance found in the previous step to reach the central/scoping class of "Base Desktop and Mobile", CIM_ComputerSystem:
AssociatedInstances

a.   ObjectPath of CIM_RegisteredProfile.InstanceID = "Intel(r) ME:Base Desktop and Mobile"

b.   AssociationClassName = "CIM_ElementConformsToProfile"

c.    Role = "ConformantStandard"

d.   ResultClassName = "CIM_ComputerSystem"

e.   ResultRole = "ManagedElement"

4.  Starting with the central instance of the autonomous profile, traverse CIM_HostedService to the central class of the component profile "Role Based Authorization":
AssociatedInstances

a.   ObjectPath of CIM_ComputerSystem.CreationClassName = "CIM_ComputerSystem", Name = "ManagedSystem"

b.   AssociationClassName = "CIM_HostedService"

c.    Role = "Antecedent"

d.   ResultClassName = "CIM_RoleBasedAuthorizationService"

e.   ResultRole = "Dependent"

The same traversal with ResultClassName = "CIM_AccountManagementService" returns the central class of "Simple Identity Management".

Finding the capabilities of the component

1.  For Simple Identity Management – From the central class CIM_AccountManagementService find the CIM_AccountManagementCapabilities by traversing CIM_ElementCapabilities.

2.  For Role-Based Authorization – From the central class CIM_RoleBasedAuthorizationService find the CIM_RoleBasedManagementCapabilities by traversing CIM_ElementCapabilities.

Finding a Digest user (CIM_Account)

From CIM_ComputerSystem find the CIM_Account by traversing CIM_AccountOnSystem.

Finding a Kerberos user (CIM_RemoteIdentity)

1.  From CIM_ComputerSystem find the CIM_Role by traversing CIM_RoleLimitedToTarget or CIM_OwningCollectionElement.

2.  From the relevant instance of CIM_Role find the CIM_RemoteIdentity by traversing CIM_MemberOfCollection or CIM_ConcreteDependency.

Finding user (Digest or Kerberos) permissions (privileges)

1.  From CIM_ComputerSystem find the CIM_Role by traversing CIM_RoleLimitedToTarget or CIM_OwningCollectionElement.

2.  From the relevant instance of CIM_Role find the CIM_Privilege by traversing CIM_MemberOfCollection.

Alternatively,

For Digest:

1.  From the CIM_Account instance returned when the user was created, find the CIM_Identity by traversing CIM_AssignedIdentity.

2.  From the relevant instance of CIM_Identity find the CIM_Role by traversing CIM_MemberOfCollection or CIM_ConcreteDependency.

3.  From the relevant instance of CIM_Role find the CIM_Privilege by traversing CIM_MemberOfCollection.

For Kerberos:

1.  From the CIM_RemoteIdentity instance returned when the user was created, find the CIM_Role by traversing CIM_MemberOfCollection or CIM_ConcreteDependency.

2.  From the relevant instance of CIM_Role find the CIM_Privilege by traversing CIM_MemberOfCollection.
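As an added, offline-runnable example (not Intel SDK code), the following Python builds the WS-Management messages behind the discovery flow above (Enumerate on CIM_RegisteredProfile, the preferred-InstanceID match, and the CIM_ElementConformsToProfile and CIM_HostedService hops of steps 3 and 4) and reuses the same AssociatedInstances helper for the Digest user-to-privilege chain under "Alternatively". The endpoint URL, the `send` callable, the sample selector values and both sample responses are assumptions or constructed data; the role names for the Digest chain, which this page does not list, are taken from the CIM schema definitions of CIM_AssignedIdentity and CIM_MemberOfCollection. Real requests go to the AMT /wsman endpoint with HTTP Digest (or TLS plus Digest) authentication, which is omitted here.

```python
import uuid
import xml.etree.ElementTree as ET
SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSA = "http://schemas.xmlsoap.org/ws/2004/08/addressing"
WSEN = "http://schemas.xmlsoap.org/ws/2004/09/enumeration"
WSMAN = "http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd"
CIMB = "http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd"
ASSOC_DIALECT = "http://schemas.dmtf.org/wbem/wsman/1/cimbinding/associationFilter"
CIM = "http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/"
ANON = WSA + "/role/anonymous"
BASE_PROFILE_ID = "Intel(r) ME:Base Desktop and Mobile"
AMT = "http://192.0.2.10:16992/wsman"  # assumed endpoint; real calls need Digest auth (and TLS)

def enumerate_request(to, resource_uri):
    """Enumerate envelope with the WS-Addressing/WS-Man headers; returns (envelope, Enumerate element)."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    hdr = ET.SubElement(env, f"{{{SOAP}}}Header")
    ET.SubElement(hdr, f"{{{WSA}}}To").text = to
    ET.SubElement(hdr, f"{{{WSMAN}}}ResourceURI").text = resource_uri
    ET.SubElement(hdr, f"{{{WSA}}}Action").text = WSEN + "/Enumerate"
    ET.SubElement(hdr, f"{{{WSA}}}MessageID").text = "uuid:" + str(uuid.uuid4())
    ET.SubElement(ET.SubElement(hdr, f"{{{WSA}}}ReplyTo"), f"{{{WSA}}}Address").text = ANON
    enum = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), f"{{{WSEN}}}Enumerate")
    return env, enum

def associated_instances_request(to, epr, assoc_class, role, result_class, result_role):
    """DSP0227 AssociatedInstances filter starting at epr = (class_name, {selector: value})."""
    env, enum = enumerate_request(to, "http://schemas.dmtf.org/wbem/wscim/1/*")
    ET.SubElement(enum, f"{{{WSMAN}}}EnumerationMode").text = "EnumerateEPR"  # results usable as next hop
    flt = ET.SubElement(enum, f"{{{WSMAN}}}Filter", Dialect=ASSOC_DIALECT)
    ai = ET.SubElement(flt, f"{{{CIMB}}}AssociatedInstances")
    obj = ET.SubElement(ai, f"{{{CIMB}}}Object")
    ET.SubElement(obj, f"{{{WSA}}}Address").text = ANON
    ref = ET.SubElement(obj, f"{{{WSA}}}ReferenceParameters")
    ET.SubElement(ref, f"{{{WSMAN}}}ResourceURI").text = CIM + epr[0]
    sels = ET.SubElement(ref, f"{{{WSMAN}}}SelectorSet")
    for name, value in epr[1].items():
        ET.SubElement(sels, f"{{{WSMAN}}}Selector", Name=name).text = value
    for tag, val in (("AssociationClassName", assoc_class), ("Role", role),
                     ("ResultClassName", result_class), ("ResultRole", result_role)):
        ET.SubElement(ai, f"{{{CIMB}}}{tag}").text = val
    return env

def pull_items(response_xml):
    """Instances in a PullResponse as (class, {property: value})."""
    items = ET.fromstring(response_xml).find(f".//{{{WSEN}}}Items")
    return [(i.tag.split("}")[-1], {c.tag.split("}")[-1]: (c.text or "").strip() for c in i})
            for i in (items if items is not None else [])]

def parse_eprs(response_xml):
    """EPRs in an EnumerateEPR response as (class, {selector: value})."""
    out = []
    for epr in ET.fromstring(response_xml).iter(f"{{{WSA}}}EndpointReference"):
        cls = (epr.findtext(f".//{{{WSMAN}}}ResourceURI") or "").rsplit("/", 1)[-1]
        out.append((cls, {s.get("Name"): s.text or "" for s in epr.iter(f"{{{WSMAN}}}Selector")}))
    return out

def profile_supported(items, registered_name):
    """Support check: some CIM_RegisteredProfile carries the DMTF RegisteredName."""
    return any(c == "CIM_RegisteredProfile" and p.get("RegisteredName") == registered_name for c, p in items)

def find_base_profile(items):
    """Discovery step 2: InstanceID match preferred, RegisteredName as fallback."""
    profiles = [p for c, p in items if c == "CIM_RegisteredProfile"]
    return (next((p for p in profiles if p.get("InstanceID") == BASE_PROFILE_ID), None)
            or next((p for p in profiles if p.get("RegisteredName") == "Base Desktop and Mobile"), None))

# Hops as (association, role, result class, result role): steps 3-4, then the Digest privilege chain.
DISCOVERY_HOPS = [
    ("CIM_ElementConformsToProfile", "ConformantStandard", "CIM_ComputerSystem", "ManagedElement"),
    ("CIM_HostedService", "Antecedent", "CIM_RoleBasedAuthorizationService", "Dependent")]
DIGEST_PRIVILEGE_HOPS = [  # role names from the CIM schema; this page does not list them
    ("CIM_AssignedIdentity", "ManagedElement", "CIM_Identity", "IdentityInfo"),
    ("CIM_MemberOfCollection", "Member", "CIM_Role", "Collection"),
    ("CIM_MemberOfCollection", "Collection", "CIM_Privilege", "Member")]

def walk(to, start_epr, hops, send):
    """Follow every EPR through each hop; send(request_bytes) -> response XML is the assumed transport."""
    frontier = [start_epr]
    for hop in hops:
        frontier = [e for epr in frontier
                    for e in parse_eprs(send(ET.tostring(associated_instances_request(to, epr, *hop))))]
        if not frontier:  # a missing association is a discovery failure, not an empty result
            raise LookupError(f"no {hop[2]} reachable via {hop[0]}")
    return frontier

SAMPLE_PROFILES = f"""<s:Envelope xmlns:s="{SOAP}" xmlns:n="{WSEN}"><s:Body><n:PullResponse><n:Items>
<g:CIM_RegisteredProfile xmlns:g="{CIM}CIM_RegisteredProfile"><g:InstanceID>{BASE_PROFILE_ID}</g:InstanceID>
<g:RegisteredName>Base Desktop and Mobile</g:RegisteredName></g:CIM_RegisteredProfile>
<g:CIM_RegisteredProfile xmlns:g="{CIM}CIM_RegisteredProfile"><g:InstanceID>DMTF:RBA</g:InstanceID><g:RegisteredName>Role Based Authorization</g:RegisteredName></g:CIM_RegisteredProfile>
</n:Items></n:PullResponse></s:Body></s:Envelope>"""  # constructed sample, not captured from a device

def fake_send(request_bytes):
    """Constructed firmware stand-in: answer with one EPR of the requested ResultClassName."""
    want = ET.fromstring(request_bytes).find(f".//{{{CIMB}}}ResultClassName").text
    return (f'<s:Envelope xmlns:s="{SOAP}" xmlns:n="{WSEN}" xmlns:a="{WSA}" xmlns:w="{WSMAN}"><s:Body>'
            f'<n:PullResponse><n:Items><a:EndpointReference><a:Address>{ANON}</a:Address><a:ReferenceParameters>'
            f'<w:ResourceURI>{CIM}{want}</w:ResourceURI><w:SelectorSet><w:Selector Name="Name">{want}-1</w:Selector>'
            '</w:SelectorSet></a:ReferenceParameters></a:EndpointReference></n:Items></n:PullResponse></s:Body></s:Envelope>')
```

Typical use: `items = pull_items(<PullResponse>)` after `enumerate_request(AMT, CIM + "CIM_RegisteredProfile")`, then `find_base_profile(items)` to pick the Base Desktop and Mobile instance, then `walk(AMT, ("CIM_RegisteredProfile", {"InstanceID": BASE_PROFILE_ID}), DISCOVERY_HOPS, send)` to reach CIM_RoleBasedAuthorizationService. Requesting EPRs (EnumerationMode = EnumerateEPR) at each hop means the returned SelectorSet can be fed straight into the next AssociatedInstances Object, so the caller never has to know each class's key properties; `walk` fans out over every returned EPR, which matters for the privilege chain where one identity may belong to several roles.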

Instance Diagram

Classes Used in This Flow

SDK Sample

Not applicable


See Also:

   Role Based Authorization and Simple Identity Management

Copyright © 2006-2022, Intel Corporation. All rights reserved.