Intel AMT Users and Permissions/Realms

Intel AMT functionality is partitioned into services, each exposed through one or more interfaces: some services are accessible only from the network interface, some only via the local interface, and others from either. Access to a service is governed by its realm. Users who have access to a realm may invoke the methods, and change or retrieve the properties, that belong to the corresponding service. The Class and Method to Realm Mapping table shows which WS-Management CIM class methods a user with access to a given realm can execute. Note that the fields a method returns or updates may vary with the realms assigned to the user; see the permissions associated with each field in the WS-Management Class Reference.

The Intel AMT Access Control List (ACL) determines who may use which capabilities of the device. An ACL entry consists of a user ID, the list of realms that user may access, and an access permission stating whether the user may reach Intel AMT remotely (over the network), locally, or both.

 Note:

Starting with Release 6.1, all realms that were accessible only remotely are now accessible locally.

An ACL entry is either enabled or disabled. A newly created entry is enabled by default, and API commands exist to disable or re-enable it. A disabled entry is not permitted to perform any activity. A user with Admin permissions can enable or disable other users.

There are two kinds of ACL entries: Kerberos and non-Kerberos (Digest). The difference is how the principal is identified: a Kerberos entry carries an Active Directory SID that identifies a user or a group of users, whereas a non-Kerberos (Digest) entry carries a username and password that identify a single user.

A user can be created and granted access to one or more realms. Users are created in two different ways:

     The AddUserAclEntryEx and UpdateUserAclEntryEx methods in the AMT_AuthorizationService class are used to create users and assign them realm permissions. See the Use Cases for a description. Note that a user created using AMT_AuthorizationService must be specified as having remote or local interface access or both. The realms accessible to the user must be consistent with that designation. For example, a user given network access only cannot have access to the Agent Presence–Local realm.

     Users can be created and managed using the framework of the DASH Simple Identity Management Profile and the Role-Based Authorization Profile. ACL entries are created with the CIM_AccountManagementService.CreateAccount method (Digest authentication) or the CIM_RemoteIdentity.Create method (Kerberos authentication). In both cases, the realms to which a user has access are changed through the CIM_Privilege ActivityQualifiers property. See Role Based Authorization and Simple Identity Management.
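
The following Python model, added here as an illustration and not part of the Intel AMT SDK, encodes the ACL rules described above: an entry has a user ID, a realm list, a remote/local/both access permission and an enabled flag; the realms granted must be consistent with the access permission (a network-only user cannot hold Agent Presence Local); a disabled entry is refused everything; and only a user with Admin permissions may enable or disable others. The realm names other than "Agent Presence Local", the per-realm interface table, the choice of "Administration" as the realm that confers Admin permissions, and the sample user IDs (including the SID) are assumptions made for the example.

```python
"""Constructed model of the Intel AMT ACL rules described on this page.
Added example, not Intel SDK code. Realm names other than "Agent Presence
Local", the per-realm interface table, the admin realm and the sample user
IDs are assumptions made for illustration."""
from dataclasses import dataclass
from enum import Flag


class Access(Flag):
    """Interface(s) an ACL entry, or a realm, is reachable from."""
    LOCAL = 1
    REMOTE = 2
    BOTH = 3


# Illustrative realm table (assumption). The page states that Agent Presence
# Local is local-only and that from Release 6.1 every remotely reachable
# realm is also reachable locally, hence BOTH for the rest.
REALM_ACCESS: dict[str, Access] = {
    "Administration": Access.BOTH,
    "Redirection": Access.BOTH,
    "Agent Presence Remote": Access.BOTH,
    "Agent Presence Local": Access.LOCAL,
}
ADMIN_REALM = "Administration"   # realm assumed to carry "Admin permissions"


class AclError(ValueError):
    """Raised when an ACL entry violates the page's consistency rules."""


@dataclass
class AclEntry:
    user_id: str          # Digest username or Kerberos SID
    realms: set[str]
    access: Access        # remote (network), local, or both
    kerberos: bool = False
    enabled: bool = True  # an entry is enabled when created


def validate_entry(entry: AclEntry) -> None:
    """Consistency rule from AMT_AuthorizationService: every granted realm must
    be reachable from at least one interface the entry may use, so a
    REMOTE-only user cannot hold the local-only Agent Presence Local realm."""
    if not entry.realms:
        raise AclError(f"{entry.user_id!r}: entry grants no realms")
    for realm in entry.realms:
        reachable = REALM_ACCESS.get(realm)
        if reachable is None:
            raise AclError(f"{entry.user_id!r}: unknown realm {realm!r}")
        if not (entry.access & reachable):
            raise AclError(f"{entry.user_id!r}: realm {realm!r} is not "
                           f"reachable via {entry.access.name} access")


def entry_is_valid(entry: AclEntry) -> bool:
    """Boolean wrapper around validate_entry()."""
    try:
        validate_entry(entry)
    except AclError:
        return False
    return True


def authorize(acl: dict[str, AclEntry], user_id: str, interface: Access,
              method_realms: set[str]) -> bool:
    """Would a method unlocked by any realm in `method_realms` succeed for
    `user_id` over `interface` (LOCAL or REMOTE)? Unknown or disabled entries,
    an access permission that excludes the interface, and realms not reachable
    over that interface all deny."""
    entry = acl.get(user_id)
    if entry is None or not entry.enabled:
        return False
    if not (interface & entry.access):
        return False
    return any(realm in entry.realms and bool(interface & REALM_ACCESS[realm])
               for realm in method_realms)


def set_enabled(acl: dict[str, AclEntry], actor_id: str, interface: Access,
                target_id: str, enabled: bool) -> None:
    """Enable or disable another entry; only an enabled actor holding the
    admin realm over the interface it is using may do so."""
    if not authorize(acl, actor_id, interface, {ADMIN_REALM}):
        raise AclError(f"{actor_id!r} lacks admin permission")
    acl[target_id].enabled = enabled


def build_sample_acl() -> dict[str, AclEntry]:
    """Three constructed entries: a Digest admin, a Kerberos local-only agent
    identified by a made-up SID, and a remote-only helpdesk operator."""
    entries = [
        AclEntry("admin", {"Administration", "Redirection"}, Access.BOTH),
        AclEntry("S-1-5-21-1000-2000-3000-1105", {"Agent Presence Local"},
                 Access.LOCAL, kerberos=True),
        AclEntry("helpdesk", {"Redirection"}, Access.REMOTE),
    ]
    for entry in entries:
        validate_entry(entry)
    return {entry.user_id: entry for entry in entries}


if __name__ == "__main__":
    acl = build_sample_acl()
    print(authorize(acl, "helpdesk", Access.REMOTE, {"Redirection"}))   # True
    print(authorize(acl, "helpdesk", Access.LOCAL, {"Redirection"}))    # False
    # A network-only user cannot be granted the local-only realm.
    print(entry_is_valid(AclEntry("nightshift", {"Agent Presence Local"},
                                  Access.REMOTE)))                      # False
    set_enabled(acl, "admin", Access.REMOTE, "helpdesk", False)
    print(authorize(acl, "helpdesk", Access.REMOTE, {"Redirection"}))   # False
```

The same model generalizes to any realm table: a pre-6.1 deployment would simply mark some realms REMOTE-only, and validate_entry() would then also reject a local-only user holding one of them.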

The Functionality to Realm Mapping table lists the Intel AMT functional areas and the realm permission required to access each. The table uses the names from the realms enumeration of the AMT_AuthorizationService methods AddUserAclEntryEx and UpdateUserAclEntryEx. It also lists whether each realm is accessible remotely, locally, or both.

The Realm Names and Realm Shortcuts table lists each realm name alongside the name used for that realm in the class documentation. The method descriptions in the class documentation identify which realm permissions a user must hold to invoke the method successfully; a number of methods can be invoked from more than one realm. Note that methods that retrieve one or more objects return only the objects that the user's realm permissions allow it to see. The table also lists the realm shortcut used when invoking CIM_Privilege to add realms to or remove realms from a user's access, and the realms a user has access to by default when created with CIM_AccountManagementService.CreateAccount or CIM_RemoteIdentity.Create.

Copyright © 2006-2022, Intel Corporation. All rights reserved.