
Update User (Digest/Kerberos) Privileges

The following steps describe how to update the privileges (permissions) of a Digest or Kerberos user. The DASH RBA profile DSP1034, chapter 9.11, describes the general flow; the steps below add information on the Intel AMT implementation of the profile.

1.  Follow the flow described in the DASH RBA profile DSP1034 chapter 9.11, and check if the given user supports modification of its realms. If so, continue.

2.  Start with the CIM_Account or CIM_RemoteIdentity instance associated with the user (see here for Digest and here for Kerberos).

3.  Invoke CIM_Privilege.Put on the selected instance with the following parameters:

a.   InstanceID = “Intel(r) AMT:<user-name> Privilege”. The field must have a non-empty value, but Intel AMT ignores the setting.

b.   ActivityQualifiers = an array of strings which represent the realms (INFO, UAC, HAI…). See Realm Names and Realm Shortcuts.

c.   Activities = for each realm, add “7” to the corresponding array entry.

d.   QualifierFormat = for each realm, add “16000” to the corresponding array entry.

Additional Information

The AUDIT and ADMIN realms have special behavior:

   AUDIT – This realm can be given to only one user (Digest or Kerberos). If there already is a user with AUDIT privileges that is not the “admin” user, attempting to assign this privilege to another user will result in a fault. Once a user has AUDIT privileges, the user should also be assigned INFO and UAC. This enables the AUDIT user to perform the necessary tasks, one of which is removing the AUDIT privilege. When the AUDIT user does this, the privilege automatically returns to the “admin” user.

It is possible to create a Digest user, disable it, and give it the AUDIT realm. The pre-defined “admin” user retains AUDIT privileges until the audit user is enabled; at that point the “admin” user immediately loses AUDIT privileges.

   ADMIN – When this realm is given to a Digest or Kerberos user, the user will get one of the following:

If the set of realms (besides the “ADMIN” realm) contains only “remote” realms (realms which are accessible only remotely, via network access), the user will get all the “remote” realms and all the “neutral” realms (realms which are accessible both remotely and locally, e.g. INFO), but they will work only from remote.

If the set of realms (besides the “ADMIN” realm) contains a “local” realm (a realm which is accessible only from the local interface, e.g. LOCAPP) or a “neutral” realm, the user will get all realms (“local”, “remote” and “neutral”), which will work both from local and from remote.

The AUDIT realm will not be included in either of the above cases.
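The following is an added example, not code from the Intel AMT SDK: it assembles the CIM_Privilege properties from steps 3a–3d for a given list of realms, applies the single-AUDIT-holder rule from the Additional Information section before anything is sent, and serialises the result as the CIM_Privilege element of a WS-Management Put. The `build_privilege` and `to_put_body` names and the `current_audit_holder` parameter are this example's own; the namespace URI is the standard DMTF one for CIM_Privilege.

```python
from xml.etree import ElementTree as ET

CIM_PRIVILEGE_NS = "http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_Privilege"


def build_privilege(user_name, realms, current_audit_holder=None):
    """Return the CIM_Privilege properties (step 3) for user_name as a dict.

    realms: realm names such as "INFO", "UAC", "HAI" (see Realm Names).
    current_audit_holder: name of the user that currently holds AUDIT, if any
    (a caller-supplied assumption used to catch the fault Intel AMT raises when
    AUDIT is assigned while a non-"admin" user already holds it).
    """
    realms = list(dict.fromkeys(r.upper() for r in realms))  # dedupe, keep order
    if not realms:
        raise ValueError("at least one realm is required")
    if "AUDIT" in realms:
        if current_audit_holder not in (None, "admin", user_name):
            raise PermissionError(
                f"AUDIT is already held by {current_audit_holder!r}; Intel AMT would fault")
        # An AUDIT user should also hold INFO and UAC so it can do its work,
        # including removing AUDIT from itself.
        for needed in ("INFO", "UAC"):
            if needed not in realms:
                realms.append(needed)
    return {
        "InstanceID": f"Intel(r) AMT:{user_name} Privilege",  # non-empty; value ignored
        "ActivityQualifiers": realms,                          # step 3b
        "Activities": ["7"] * len(realms),                     # step 3c: one "7" per realm
        "QualifierFormat": ["16000"] * len(realms),            # step 3d: one "16000" per realm
    }


def to_put_body(props):
    """Serialise the property dict as the CIM_Privilege element carried in a WS-Man Put."""
    ET.register_namespace("p", CIM_PRIVILEGE_NS)
    root = ET.Element(f"{{{CIM_PRIVILEGE_NS}}}CIM_Privilege")
    for name, value in props.items():
        # Array-valued properties become one repeated element per entry.
        for item in (value if isinstance(value, list) else [value]):
            ET.SubElement(root, f"{{{CIM_PRIVILEGE_NS}}}{name}").text = item
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(to_put_body(build_privilege("operator", ["INFO", "UAC", "HAI"])))
```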

Instance Diagram

Digest Diagram:

Kerberos Diagram:

Classes Used in This Flow

SDK Sample

Not applicable

 

Copyright © 2006-2022, Intel Corporation. All rights reserved.