// Copyright (c) 2005 DMTF. All rights reserved.
// Add UmlPackagePath
// qualifier values to CIM Schema.
// ==================================================================
// CIM_Privilege
// ==================================================================
[Version ( "2.8.0" ), UMLPackagePath ( "CIM::User::Privilege" ),
Description (
"Privilege is the base class for all types of activities which "
"are granted or denied by a Role or an Identity. Whether an "
"individual Privilege is granted or denied is defined using the "
"PrivilegeGranted boolean. Any Privileges not specifically "
"granted are assumed to be denied. An explicit deny (Privilege "
"Granted = FALSE) takes precedence over any granted Privileges. "
"\n\n"
"The association of subjects (Roles and Identities) to "
"Privileges is accomplished using policy or explicitly via the "
"associations on a subclass. The entities that are protected "
"(targets) can be similarly defined. \n"
"\n"
"Note that Privileges may be inherited through hierarchical "
"Roles, or may overlap. For example, a Privilege denying any "
"instance Writes in a particular CIM Server Namespace would "
"overlap with a Privilege defining specific access rights at an "
"instance level within that Namespace. In this example, the "
"AuthorizedSubjects are either Identities or Roles, and the "
"AuthorizedTargets are a Namespace in the former case, and a "
"particular instance in the latter.")]
class CIM_Privilege : CIM_ManagedElement {
[Key, Description (
"Within the scope of the instantiating Namespace, InstanceID "
"opaquely and uniquely identifies an instance of this class. "
"In order to ensure uniqueness within the NameSpace, the "
"value of InstanceID SHOULD be constructed using the "
"following 'preferred' algorithm: \n"
": \n"
"Where and are separated by a colon ':', "
"and where MUST include a copyrighted, trademarked "
"or otherwise unique name that is owned by the business "
"entity creating/defining the InstanceID, or is a registered "
"ID that is assigned to the business entity by a recognized "
"global authority. (This is similar to the _ structure of Schema class names.) In "
"addition, to ensure uniqueness MUST NOT contain a "
"colon (':'). When using this algorithm, the first colon to "
"appear in InstanceID MUST appear between and "
". \n"
" is chosen by the business entity and SHOULD not "
"be re-used to identify different underlying (real-world) "
"elements. If the above 'preferred' algorithm is not used, "
"the defining entity MUST assure that the resultant "
"InstanceID is not re-used across any InstanceIDs produced "
"by this or other providers for this instance's NameSpace. "
"For DMTF defined instances, the 'preferred' algorithm MUST "
"be used with the set to 'CIM'.")]
string InstanceID;
[Description (
"Boolean indicating whether the Privilege is granted (TRUE) "
"or denied (FALSE). The default is to grant permission.")]
boolean PrivilegeGranted = TRUE;
[Description (
"An enumeration indicating the activities that are granted "
"or denied. These activities apply to all entities specified "
"in the ActivityQualifiers array. The values in the "
"enumeration are straightforward except for one, "
"4=\"Detect\". This value indicates that the existence or "
"presence of an entity may be determined, but not "
"necessarily specific data (which requires the Read "
"privilege to be true). This activity is exemplified by "
"'hidden files'- if you list the contents of a directory, "
"you will not see hidden files. However, if you know a "
"specific file name, or know how to expose hidden files, "
"then they can be 'detected'. Another example is the ability "
"to define search privileges in directory implementations."),
ValueMap { "1", "2", "3", "4", "5", "6", "7", "..15999",
"16000.." },
Values { "Other", "Create", "Delete", "Detect", "Read", "Write",
"Execute", "DMTF Reserved", "Vendor Reserved" },
ArrayType ( "Indexed" ),
ModelCorrespondence { "CIM_Privilege.ActivityQualifiers" }]
uint16 Activities[];
[Description (
"The ActivityQualifiers property is an array of string "
"values used to further qualify and specify the privileges "
"granted or denied. For example, it is used to specify a set "
"of files for which 'Read'/'Write' access is permitted or "
"denied. Or, it defines a class' methods that may be "
"'Executed'. Details on the semantics of the individual "
"entries in ActivityQualifiers are provided by corresponding "
"entries in the QualifierFormats array."),
ArrayType ( "Indexed" ),
ModelCorrespondence { "CIM_Privilege.Activities",
"CIM_Privilege.QualifierFormats" }]
string ActivityQualifiers[];
[Description (
"Defines the semantics of corresponding entries in the "
"ActivityQualifiers array. An example of each of these "
"'formats' and their use follows: \n"
"- 2=Class Name. Example: If the authorization target is a "
"CIM Service or a Namespace, then the ActivityQualifiers "
"entries can define a list of classes that the authorized "
"subject is able to create or delete. \n"
"- 3=Property. Example: If the authorization target "
"is a CIM Service, Namespace or Collection of instances, "
"then the ActivityQualifiers entries can define the class "
"properties that may or may not be accessed. In this case, "
"the class names are specified with the property names to "
"avoid ambiguity - since a CIM Service, Namespace or "
"Collection could manage multiple classes. On the other "
"hand, if the authorization target is an individual "
"instance, then there is no possible ambiguity and the class "
"name may be omitted. To specify ALL properties, the "
"wildcard string \"*\" should be used. \n"
"- 4=Method. This example is very similar to the "
"Property one, above. And, as above, the string \"*\" may be "
"specified to select ALL methods. \n"
"- 5=Object Reference. Example: If the authorization target "
"is a CIM Service or Namespace, then the ActivityQualifiers "
"entries can define a list of object references (as strings) "
"that the authorized subject can access. \n"
"- 6=Namespace. Example: If the authorization target is a "
"CIM Service, then the ActivityQualifiers entries can define "
"a list of Namespaces that the authorized subject is able to "
"access. \n"
"- 7=URL. Example: An authorization target may not be "
"defined, but a Privilege could be used to deny access to "
"specific URLs by individual Identities or for specific "
"Roles, such as the 'under 17' Role. \n"
"- 8=Directory/File Name. Example: If the authorization "
"target is a FileSystem, then the ActivityQualifiers entries "
"can define a list of directories and files whose access is "
"protected. \n"
"- 9=Command Line Instruction. Example: If the authorization "
"target is a ComputerSystem or Service, then the "
"ActivityQualifiers entries can define a list of command "
"line instructions that may or may not be 'Executed' by the "
"authorized subjects."),
ValueMap { "2", "3", "4", "5", "6", "7", "8", "9", "..15999",
"16000.." },
Values { "Class Name", "Property", "Method",
"Object Reference", "Namespace", "URL",
"Directory/File Name", "Command Line Instruction",
"DMTF Reserved", "Vendor Reserved" }, ArrayType ( "Indexed" ),
ModelCorrespondence { "CIM_Privilege.ActivityQualifiers" }]
uint16 QualifierFormats[];
};