summaryrefslogtreecommitdiffstats
path: root/Schemas/CIM236/DMTF/User/CIM_AssociatedPrivilege.mof
diff options
context:
space:
mode:
Diffstat (limited to 'Schemas/CIM236/DMTF/User/CIM_AssociatedPrivilege.mof')
-rw-r--r--Schemas/CIM236/DMTF/User/CIM_AssociatedPrivilege.mof255
1 files changed, 255 insertions, 0 deletions
diff --git a/Schemas/CIM236/DMTF/User/CIM_AssociatedPrivilege.mof b/Schemas/CIM236/DMTF/User/CIM_AssociatedPrivilege.mof
new file mode 100644
index 0000000..db755f6
--- /dev/null
+++ b/Schemas/CIM236/DMTF/User/CIM_AssociatedPrivilege.mof
@@ -0,0 +1,255 @@
+// Copyright (c) 2008 DMTF. All rights reserved.
+ [Association, Version ( "2.22.0" ),
+ UMLPackagePath ( "CIM::User::Privilege" ),
+ Description (
+ "CIM_AssociatedPrivilege is an association that models the "
+ "privileges that a Subject element has to access or authorize "
+ "other elements to access a Target element." )]
+class CIM_AssociatedPrivilege {
+
+ [Key, Description (
+ "The Subject for which privileges are granted or denied." )]
+ CIM_ManagedElement REF Subject;
+
+ [Key, Description (
+ "The target element to which the privileges apply." )]
+ CIM_ManagedElement REF Target;
+
+ [Key, Description (
+ "UseKey is used to distinguish instances in case multiple "
+ "instances of this association exist between the same "
+ "Subject and Target. This may arise, for example, if "
+ "separate instances are created for each management "
+ "domain, or if the Subject has access and authorization "
+ "rights to the Target.\n"
+ "Within the scope of the instantiating Namespace, UseKey "
+ "opaquely and uniquely identifies an instance of this "
+ "class. In order to ensure uniqueness within the "
+ "NameSpace, the value of UseKey should be constructed "
+ "using the following \'preferred\' algorithm: \n"
+ "<OrgID>:<LocalID> \n"
+ "Where <OrgID> and <LocalID> are separated by a colon "
+ "\':\', and where <OrgID> shall include a copyrighted, "
+ "trademarked or otherwise unique name that is owned by "
+ "the business entity creating/defining the UseKey, or is "
+ "a registered ID that is assigned to the business entity "
+ "by a recognized global authority. (This is similar to "
+ "the <Schema Name>_<Class Name> structure of Schema class "
+ "names.) In addition, to ensure uniqueness <OrgID> shall "
+ "not contain a colon (\':\'). When using this algorithm, "
+ "the first colon to appear in UseKey shall appear between "
+ "<OrgID> and <LocalID>. \n"
+ "<LocalID> is chosen by the business entity and should "
+ "not be re-used to identify different underlying "
+ "(real-world) elements. If the above \'preferred\' "
+ "algorithm is not used, the defining entity shall assure "
+ "that the resultant UseKey is not re-used across any "
+ "UseKeys produced by this or other providers for this "
+ "instance\'s NameSpace. \n"
+ "For DMTF defined instances, the \'preferred\' algorithm "
+ "shall be used with the <OrgID> set to \'CIM\'." )]
+ string UseKey;
+
+ [Description (
+ "Boolean indicating whether the Privilege is granted "
+ "(TRUE) or denied (FALSE). The default is to grant "
+ "permission." )]
+ boolean PrivilegeGranted = true;
+
+ [Description (
+ "An enumeration indicating the activities that are "
+ "granted or denied. These activities apply to all "
+ "entities specified in the ActivityQualifiers array.\n"
+ "\"Other\" (1): indicates an activity that is not "
+ "specified in this enumeration.\n"
+ "\"Create\" (2), \"Delete\" (3), \"Detect\" (4), \"Read\" "
+ "(5), \"Write\" (6), \"Execute\" (7): each of these "
+ "values indicates that the Subject is permitted to use an "
+ "operation supported by the Target. They are all "
+ "straightforward except for one, 4=\"Detect\". This value "
+ "indicates that the existence or presence of an entity "
+ "may be determined, but not necessarily specific data "
+ "(which requires the Read privilege to be true). This "
+ "activity is exemplified by \'hidden files\'- if you list "
+ "the contents of a directory, you will not see hidden "
+ "files. However, if you know a specific file name, or "
+ "know how to expose hidden files, then they can be "
+ "\'detected\'. Another example is the ability to define "
+ "search privileges in directory implementations.\n"
+ "\"Deny Create\" (8), \"Deny Delete\" (9), \"Deny Detect\" "
+ "(10), \"Deny Read\" (11), \"Deny Write\" (12), \"Deny "
+ "Execute\" (13): each of these values indicates that the "
+ "Subject is expressly denied permission to use an "
+ "operation supported by the Target.\n"
+ "Authorize to Grant/Deny Authorization (14): this value "
+ "indicates that the Subject is permitted to add any of "
+ "the following values to - or remove any of the following "
+ "values from - the Activities array property in any other "
+ "instance of CIM_AssociatedPrivilege that references the "
+ "same Target: \"Authorize to Create\" (15), \"Authorize "
+ "to Delete\" (16), \"Authorize to Detect\" (17), "
+ "\"Authorize to Read\" (18), \"Authorize to Write\" (19), "
+ "\"Authorize to Execute\" (20), \"Authorize to Deny "
+ "Create\" (21), \"Authorize to Deny Delete\" (22), "
+ "\"Authorize to Deny Detect\" (23), \"Authorize to Deny "
+ "Read\" (24), \"Authorize to Deny Write\" (25), and "
+ "\"Authorize to Deny Execute\" (26).\n"
+ "\"Authorize to Create\" (15), \"Authorize to Delete\" "
+ "(16), \"Authorize to Detect\" (17), \"Authorize to Read\" "
+ "(18), \"Authorize to Write\" (19), \"Authorize to "
+ "Execute\" (20), \"Authorize to Deny Create\" (21), "
+ "\"Authorize to Deny Delete\" (22), \"Authorize to Deny "
+ "Detect\" (23), \"Authorize to Deny Read\" (24), "
+ "\"Authorize to Deny Write\" (25), and \"Authorize to "
+ "Deny Execute\" (26): each of these values indicates that "
+ "the Subject is permitted to add value named in the "
+ "string to - or remove the value from - the Activities "
+ "array property in any other instance of "
+ "CIM_AssociatedPrivilege that references the same Target. "
+ "For example, \"Authorize to Read\" indicates that the "
+ "Subject is permitted to add or remove the value \"Read\", "
+ "and \"Authorize to Deny Read\" indicates that the "
+ "Subject is permitted to add or remove the value \"Deny "
+ "Read\"." ),
+ ValueMap { "1", "2", "3", "4", "5", "6", "7", "8", "9", "10",
+ "11", "12", "13", "14", "15", "16", "17", "18", "19",
+ "20", "21", "22", "23", "24", "25", "26", "..", "16000.." },
+ Values { "Other", "Create", "Delete", "Detect", "Read",
+ "Write", "Execute", "Deny Create", "Deny Delete",
+ "Deny Detect", "Deny Read", "Deny Write", "Deny Execute",
+ "Authorize to Grant/Deny Authorization",
+ "Authorize to Create", "Authorize to Delete",
+ "Authorize to Detect", "Authorize to Read",
+ "Authorize to Write", "Authorize to Execute",
+ "Authorize to Deny Create", "Authorize to Deny Delete",
+ "Authorize to Deny Detect", "Authorize to Deny Read",
+ "Authorize to Deny Write", "Authorize to Deny Execute",
+ "DMTF Reserved", "Vendor Reserved" },
+ ArrayType ( "Indexed" ),
+ ModelCorrespondence {
+ "CIM_AssociatedPrivilege.ActivityQualifiers" }]
+ uint16 Activities[];
+
+ [Description (
+ "The ActivityQualifiers property is an array of string "
+ "values used to further qualify and specify the "
+ "privileges granted or denied. For example, it is used to "
+ "specify a set of files for which \'Read\'/\'Write\' "
+ "access is permitted or denied. Or, it defines a class\' "
+ "methods that may be \'Executed\'. Details on the "
+ "semantics of the individual entries in "
+ "ActivityQualifiers are provided by corresponding entries "
+ "in the QualifierFormats array." ),
+ ArrayType ( "Indexed" ),
+ ModelCorrespondence { "CIM_AssociatedPrivilege.Activities",
+ "CIM_AssociatedPrivilege.QualifierFormats" }]
+ string ActivityQualifiers[];
+
+ [Description (
+ "Defines the semantics of corresponding entries in the "
+ "ActivityQualifiers array. An example of each of these "
+ "\'formats\' and their use follows: \n"
+ "- 2=Class Name. Example: If the authorization target is "
+ "a CIM Service or a Namespace, then the "
+ "ActivityQualifiers entries can define a list of classes "
+ "that the authorized subject is able to create or delete. \n"
+ "- 3=<Class.>Property. Example: If the authorization "
+ "target is a CIM Service, Namespace or Collection of "
+ "instances, then the ActivityQualifiers entries can "
+ "define the class properties that may or may not be "
+ "accessed. In this case, the class names are specified "
+ "with the property names to avoid ambiguity - since a CIM "
+ "Service, Namespace or Collection could manage multiple "
+ "classes. On the other hand, if the authorization target "
+ "is an individual instance, then there is no possible "
+ "ambiguity and the class name may be omitted. To specify "
+ "ALL properties, the wildcard string \"*\" should be "
+ "used. \n"
+ "- 4=<Class.>Method. This example is very similar to the "
+ "Property one, above. And, as above, the string \"*\" may "
+ "be specified to select ALL methods. \n"
+ "- 5=Object Reference. Example: If the authorization "
+ "target is a CIM Service or Namespace, then the "
+ "ActivityQualifiers entries can define a list of object "
+ "references (as strings) that the authorized subject can "
+ "access. \n"
+ "- 6=Namespace. Example: If the authorization target is a "
+ "CIM Service, then the ActivityQualifiers entries can "
+ "define a list of Namespaces that the authorized subject "
+ "is able to access. \n"
+ "- 7=URL. Example: An authorization target may not be "
+ "defined, but a Privilege could be used to deny access to "
+ "specific URLs by individual Identities or for specific "
+ "Roles, such as the \'under 17\' Role. \n"
+ "- 8=Directory/File Name. Example: If the authorization "
+ "target is a FileSystem, then the ActivityQualifiers "
+ "entries can define a list of directories and files whose "
+ "access is protected. \n"
+ "- 9=Command Line Instruction. Example: If the "
+ "authorization target is a ComputerSystem or Service, "
+ "then the ActivityQualifiers entries can define a list of "
+ "command line instructions that may or may not be "
+ "\'Executed\' by the authorized subjects. \n"
+ "- 10=SCSI Command, using a format of \'CDB=xx[,Page=pp]\'. "
+ "For example, the ability to select the VPD page of the "
+ "Inquiry command is encoded as \'CDB=12,Page=83\' in the "
+ "corresponding ActivityQualifiers entry. A \'*\' may be "
+ "used to indicate all CDBs or Page numbers. \n"
+ "- 11=Packets. Example: The transmission of packets is "
+ "permitted or denied by the Privilege for the target (a "
+ "ComputerSystem, ProtocolEndpoint, Pipe, or other ManagedSystemElement).\n"
+ "- 12=Specification-defined. The semantics are defined in "
+ "a a specification produced by the DMTF or other "
+ "organization. The value of the corresponding "
+ "ActivityQualifiers entry names the specification and the "
+ "organization that produced it, and includes a label that "
+ "unambiguously references the semantic definition within "
+ "the specification. The value of of the corresponding "
+ "ActivityQualifiers entry should be constructed using the "
+ "following \"preferred\" algorithm: \n"
+ "<OrgID>:<SpecID>:<Label>, where <OrgID>, <SpecID>, and "
+ "<Label> are separated by a colon (:), and where <OrgID> "
+ "shall include a copyrighted, trademarked, or otherwise "
+ "unique name that is owned by the business entity that is "
+ "creating or defining the InstanceID or that is a "
+ "registered ID assigned to the business entity by a "
+ "recognized global authority. (This requirement is "
+ "similar to the <Schema Name>_<Class Name> structure of "
+ "Schema class names.) In addition, to ensure uniqueness "
+ "both <OrgID> and <SpecID> shall not contain a colon "
+ "(\':\'). When using this algorithm, the first colon to "
+ "appear in the corresponding ActivityQualifiers entry "
+ "shall appear between <OrgID> and <SpecID> and the second "
+ "colon to appear in the corresponding ActivityQualifiers "
+ "entry shall appear between <SpecID> and <Label>. \n"
+ "<Label> is chosen by the business entity and should not "
+ "be reused to identify different underlying semantics. If "
+ "the above \"preferred\" algorithm is not used, the "
+ "defining entity must assure that the resulting value is "
+ "not reused to refer to a different specification or "
+ "different semantics within defined within the same specification.\n"
+ "For DMTF-defined instances, the \"preferred\" algorithm "
+ "shall be used with the <OrgID> set to \"DMTF\", and the "
+ "<SpecID> set to \"DSPx\", where x is the number of a DSP "
+ "published by the DMTF." ),
+ ValueMap { "2", "3", "4", "5", "6", "7", "8", "9", "10",
+ "11", "12", "..", "16000.." },
+ Values { "Class Name", "<Class.>Property", "<Class.>Method",
+ "Object Reference", "Namespace", "URL",
+ "Directory/File Name", "Command Line Instruction",
+ "SCSI Command", "Packets", "Specification-defined",
+ "DMTF Reserved", "Vendor Reserved" },
+ ArrayType ( "Indexed" ),
+ ModelCorrespondence {
+ "CIM_AssociatedPrivilege.ActivityQualifiers" }]
+ uint16 QualifierFormats[];
+
+ [Description (
+ "The RepresentsAuthorizationRights flag indicates whether "
+ "the rights defined by this instance shall be interpreted "
+ "as rights of Subjects to access Targets or as rights of "
+ "Subjects to change those rights on/for Targets." )]
+ boolean RepresentsAuthorizationRights = false;
+
+
+};