File: //usr/share/mof/cimv2.33.0/User/CIM_PrivilegeManagementService.mof
// Copyright (c) 2008 DMTF. All rights reserved.
// CIM_PrivilegeManagementService (subclass of CIM_AuthorizationService):
// schema declaration of the service that creates, deletes and associates
// AuthorizedPrivilege instances. It declares four methods - ChangeAccess,
// ShowAccess, AssignAccess (Experimental) and RemoveAccess - each returning a
// uint32 status that is decoded through that method's own ValueMap/Values pair.
// NOTE(review): the ValueMap tables are not interchangeable between methods
// (for example 16002 is "Unsupported Target" for ChangeAccess but
// "Authorization Error" for RemoveAccess), so a client has to decode each
// return value with the table of the method it actually called.
// NOTE(review): nothing in this declaration says who may invoke these methods;
// the only caller-facing controls visible here are the "Authorization Error"
// return code and the requirement that results be filtered to what the
// requestor is authorized to view. Access control on the methods themselves
// has to come from the provider / CIM server - confirm per deployment.
[Version ( "2.20.0" ),
UMLPackagePath ( "CIM::User::PrivilegeManagementService" ),
Description (
"The PrivilegeManagementService is responsible for creating, "
"deleting, and associating AuthorizedPrivilege instances. "
"References to \'subject\' and \'target\' define the entities "
"that are associated with an AuthorizedPrivilege instance via "
"the relationships, AuthorizedSubject and AuthorizedTarget, "
"respectively. When created, an AuthorizedPrivilege instance is "
"related to this (PrivilegeManagement)Service via the "
"association, ConcreteDependency." )]
class CIM_PrivilegeManagementService : CIM_AuthorizationService {
// ChangeAccess: update the rights of Subject on Target. Subject and Target are
// marked Required; PropagationPolicies and Privileges are not. Privileges is
// both input (rights to grant or deny) and output (cumulative rights after
// the call, filtered to what the requestor may view).
[Description (
"ChangeAccess updates the specified Subject\'s rights to "
"the Target according to the parameters of this call. The "
"method may be called to update the propagation of "
"Privileges, and/or to define new Privileges for a "
"Subject/Target pair. Because the Subject/Target pair is "
"required in any usage scenario, these parameters are "
"defined as Required. \n"
"\n"
"If an instance of Privilege is created, it is associated "
"to this Service via ConcreteDependency. Further, if the "
"Privilege is an AuthorizedPrivilege, it is linked to the "
"specified Subject and Target via the AuthorizedSubject "
"and AuthorizedTarget associations, respectively." ),
// Return codes: the ".." entry pairs with "DMTF Reserved"; 16000-16004 are the
// method-specific errors, with 16003 being "Authorization Error".
ValueMap { "0", "1", "2", "3", "4", "5", "..", "16000",
"16001", "16002", "16003", "16004", "16005..31999",
"32000..65535" },
Values { "Success", "Not Supported", "Unknown", "Timeout",
"Failed", "Invalid Parameter", "DMTF Reserved",
"Unsupported Subject", "Unsupported Privilege",
"Unsupported Target", "Authorization Error",
"NULL not supported", "Method Reserved", "Vendor Specific" }]
uint32 ChangeAccess(
// Subject (Required, IN): element whose rights are changed. A Collection is
// treated as a single element; its members are affected only when a
// propagation rule is specified. The text calls that rule
// "PolicyPropagationRule" while the parameter type further down is
// CIM_PrivilegePropagationRule - NOTE(review): presumably the same thing, confirm.
[Required, IN, Description (
"The Subject parameter is required and references "
"an instance of ManagedElement. The result of this "
"operation is that the Subject SHALL be authorized "
"to access or define the authorization rights for "
"the Target, via one or more instances of the "
"Privilege class - where the Privileges represent "
"the cumulative rights of this Subject. The "
"distinction between the Privileges specified in "
"this method call and the \'cumulative rights\' is "
"that the implementation returns all rights that "
"the Subject has in regards to the Target (that the "
"requestor is authorized to review), versus the "
"specific subset that may be specified in this "
"method call. The exception to the above is when "
"there are no remaining rights between the Subject "
"and Target. In that case, the Privilege instance "
"MAY be deleted. \n"
"\n"
"Note that even if the Subject element is a "
"Collection, the operation is only applied to the "
"Collection itself and NOT its members via "
"MemberOfCollection unless an appropriate "
"PolicyPropagationRule is specified. In either "
"case, the output parameters for this method "
"pertain only to the specified Subject/Collection "
"and Target, and do not provide details on the "
"individual members of the Collection. If this "
"information is needed, use the ShowAccess method. \n"
"\n"
"As noted in the method Description, if the "
"resultant Privileges are AuthorizedPrivileges, "
"then AuthorizedSubject associations SHALL be "
"created." )]
CIM_ManagedElement REF Subject,
// Target (Required, IN): element the rights apply to. Same Collection rule as
// for Subject: the Collection itself, not its members, unless a propagation
// rule is specified.
[Required, IN, Description (
"The Target parameter is required and references an "
"instance of ManagedElement. The result of this "
"operation is that the Subject SHALL be authorized "
"to access or define the authorization rights for "
"the Target, via one or more instances of the "
"Privilege class - where the Privileges represent "
"the cumulative rights of this Subject. The "
"distinction between the Privileges specified in "
"this method call and the \'cumulative rights\' is "
"that the implementation returns all rights that "
"the Subject has in regards to this Target (that "
"the requestor is authorized to review), versus the "
"specific subset that may be specified in this "
"method call. The exception to the above is when "
"there are no remaining rights between the Subject "
"and Target. In that case, the Privilege instance "
"MAY be deleted. \n"
"\n"
"Note that even if the Target element is a "
"Collection, the operation is only applied to the "
"Collection itself and NOT its members via "
"MemberOfCollection unless an appropriate "
"PolicyPropagationRule is specified. In either "
"case, the output parameters for this method "
"pertain only to the specified Subject and "
"Target/Collection, and do not provide details on "
"the individual members of the Collection. If this "
"information is needed, use the ShowAccess method. \n"
"\n"
"As noted in the method Description, if the "
"resultant Privileges are AuthorizedPrivileges, "
"then AuthorizedTarget associations SHALL be "
"created." )]
CIM_ManagedElement REF Target,
// PropagationPolicies (IN, not Required): rules for propagating the rights to
// instances associated with Subject and/or Target. Per the description,
// omitting it limits the change to the named Subject/Target pair.
// NOTE(review): the description calls the parameter "PropagationPolicy"
// (singular) while it is declared as the array PropagationPolicies[].
[IN, Description (
"If supplied, PropagationPolicy defines the policy "
"rules that govern how the specified access rights "
"are propagated to instances associated with the "
"named Subject and/or Target. If a policy rule is "
"not supplied, the rights defined in the Privilege "
"are only granted or denied between the named "
"Subject and Target." )]
CIM_PrivilegePropagationRule REF PropagationPolicies[],
// Privileges (IN, OUT): CIM_Privilege instances passed by value, declared as
// string[] with the EmbeddedObject qualifier. On input, an entry with
// PrivilegeGranted set to False denies the enclosed rights.
// NOTE(review): the input strings are caller-supplied encoded instances;
// presumably the provider decodes them, so they should be validated as
// untrusted input before any right is changed - confirm in the provider.
// NOTE(review): an empty array on return means "no rights the requestor is
// authorized to view", which is not the same statement as "no rights exist".
[IN, OUT, Description (
"A set of zero or more instances of CIM_Privilege "
"(or a subclass of Privilege) that are passed \'by "
"value\' as embedded objects. An embedded object is "
"used since the Privilege may only define a subset "
"of the total rights that should be assigned or "
"revoked. On input, Privilege.PrivilegeGranted MAY "
"be set to False to indicate that the enclosed "
"rights are denied. On return, the embedded "
"Privilege objects represent the cumulative rights "
"granted between the specified Subject and Target "
"(filtered to return the information that the "
"requestor is authorized to view). If the "
"Privileges array is empty, then there exist NO "
"rights that the requestor is authorized to view "
"between the Subject/Target pair." ),
EmbeddedObject]
string Privileges[]);
// ShowAccess: report the rights between a Subject and/or a Target. Results
// come back in three arrays (OutSubjects, OutTargets, Privileges) that are
// read together by index.
// NOTE(review): neither Subject nor Target carries the Required qualifier even
// though the description says at least one MUST be specified, so rejecting a
// call with both NULL is left to the provider; the description does not say
// which return code applies.
// NOTE(review): the output discloses who holds which rights on which element.
// The description requires it to be filtered by the requestor's own rights;
// that filtering is the provider's responsibility and is worth testing.
[Description (
"ShowAccess reports the Privileges (i.e., rights) granted "
"to a particular Subject and/or Target pair. Either a "
"Subject, a Target or both MUST be specified. In the case "
"where only one is specified, the method will return all "
"rights to all Targets for the specified Subject, or all "
"rights for all subjects which apply to the specified "
"Target. \n"
"\n"
"ShowAccess returns the cumulative rights granted between "
"the OutSubjects and OutTargets at the same array index "
"(filtered to return the information that the requestor "
"is authorized to view). If a specific array entry is "
"NULL, then there exist NO rights that the requestor is "
"authorized to view between the Subject/Target pair. \n"
"\n"
"Note that the Privileges returned by this method MAY NOT "
"correspond to what is actually instantiated in the "
"model, and MAY be optimized for ease of reporting. "
"Hence, the data is passed \'by value\', as embedded "
"objects. Also, note that multiple Privileges MAY be "
"defined for a given Subject/Target pair. \n"
"\n"
"Other mechanisms MAY also be used to retrieve this "
"information. CIM Operations\' EnumerateInstances MAY be "
"used to return all Privileges currently instantiated "
"within a namespace. Also, if the AuthorizedPrivilege "
"subclass is instantiated, the CIM Operation Associators "
"MAY be used to navigate from the Privilege to "
"AuthorizedSubjects and AuthorizedTargets. These CIM "
"Operations will not generally provide the functionality "
"or optimizations available with ShowAccess." ),
// Return codes: same numbering as ChangeAccess except that 16001 is not listed
// (this method has no "Unsupported Privilege" result).
ValueMap { "0", "1", "2", "3", "4", "5", "..", "16000",
"16002", "16003", "16004", "16005..31999", "32000..65535" },
Values { "Success", "Not Supported", "Unknown", "Timeout",
"Failed", "Invalid Parameter", "DMTF Reserved",
"Unsupported Subject", "Unsupported Target",
"Authorization Error", "NULL not supported",
"Method Reserved", "Vendor Specific" }]
uint32 ShowAccess(
// Subject (IN): if omitted, Target must be given and all Subjects with rights
// on it are reported. Unlike ChangeAccess, a Collection is expanded here: each
// member (via MemberOfCollection) is reported individually in OutSubjects.
[IN, Description (
"The Subject parameter references an instance of "
"ManagedElement. The result of this operation is "
"that the cumulative rights of the Subject to "
"access or define authorization rights for the "
"Target will be reported. If no Subject is "
"specified, then a Target MUST be supplied and ALL "
"Subjects that have rights to access or define "
"authorizations for the Target will be reported. "
"(It should be noted that the information reported "
"MUST be filtered by the rights of the requestor to "
"view that data.) If the Subject element is a "
"Collection, then the operation will specifically "
"report the Privileges for all elements associated "
"to the Collection via MemberOfCollection. These "
"elements will be reported individually in the "
"returned OutSubjects array." ),
ModelCorrespondence {
"CIM_PrivilegeManagementService.ShowAccess.Target" }]
CIM_ManagedElement REF Subject,
// Target (IN): if omitted, Subject must be given and all Targets the Subject
// has rights on are reported. A Collection is expanded to its members, which
// are reported individually in OutTargets.
[IN, Description (
"The Target parameter references an instance of "
"ManagedElement. The result of this operation is "
"that the cumulative rights of the Subject to "
"access or define authorization rights for the "
"Target will be reported. If no Target is "
"specified, then a Subject MUST be supplied and ALL "
"Targets for which that the Subject has rights to "
"access or define authorization will be reported. "
"(It should be noted that the information reported "
"MUST be filtered by the rights of the requestor to "
"view that data.) If the Target element is a "
"Collection, then the operation will be applied to "
"all elements associated to the Collection via "
"MemberOfCollection. These elements will be "
"reported individually in the returned OutTargets "
"array." ),
ModelCorrespondence {
"CIM_PrivilegeManagementService.ShowAccess.Subject" }]
CIM_ManagedElement REF Target,
// OutSubjects (output only; IN is explicitly false): Subject references,
// indexed in step with OutTargets and Privileges.
[IN ( false ), OUT, Description (
"The array of Subject REFs corresponding to the "
"individual Privileges and OutTargets arrays. The "
"resulting OutSubjects, Privileges and OutTargets "
"arrays define the cumulative rights granted "
"between the Subject/Target at the corresponding "
"index (filtered to return the information that the "
"requestor is authorized to view)." ),
ArrayType ( "Indexed" ),
ModelCorrespondence {
"CIM_PrivilegeManagementService.ShowAccess.Subject",
"CIM_PrivilegeManagementService.ShowAccess.Privileges",
"CIM_PrivilegeManagementService.ShowAccess.OutTargets" }]
CIM_ManagedElement REF OutSubjects[],
// OutTargets (output only): Target references, indexed in step with
// OutSubjects and Privileges.
[IN ( false ), OUT, Description (
"The array of Target REFs corresponding to the "
"individual Privileges and OutSubjects arrays. The "
"resulting OutSubjects, Privileges and OutTargets "
"arrays define the cumulative rights granted "
"between the Subject/Target at the corresponding "
"index (filtered to return the information that the "
"requestor is authorized to view)." ),
ArrayType ( "Indexed" ),
ModelCorrespondence {
"CIM_PrivilegeManagementService.ShowAccess.Target",
"CIM_PrivilegeManagementService.ShowAccess.Privileges",
"CIM_PrivilegeManagementService.ShowAccess.OutSubjects" }]
CIM_ManagedElement REF OutTargets[],
// Privileges (output only): embedded Privilege objects carried as strings, one
// per OutSubjects/OutTargets index. A NULL entry means there are no rights the
// requestor is authorized to view for that pair - a caller cannot conclude
// from it that no rights exist.
[IN ( false ), OUT, Description (
"The returned Privilege objects represent the "
"cumulative rights granted between the OutSubjects "
"and OutTargets at the same array index (filtered "
"to return the information that the requestor is "
"authorized to view). If a specific array entry is "
"NULL, then there exist NO rights that the "
"requestor is authorized to view between the "
"Subject/Target pair." ),
EmbeddedObject, ArrayType ( "Indexed" ),
ModelCorrespondence {
"CIM_PrivilegeManagementService.ShowAccess.OutTargets",
"CIM_PrivilegeManagementService.ShowAccess.OutSubjects" }]
string Privileges[]);
// AssignAccess (Experimental): grant or deny rights between one Subject and
// one Target. The rights are given either through the Privilege template
// reference or through the PrivilegeGranted / Activities / ActivityQualifiers
// / QualifierFormats parameters, which MUST be NULL when a template is passed.
// NOTE(review): the description refers to "the Subjects or the Targets
// parameter ... has more than one entry", but this signature declares single
// references named Subject and Target, so the sharing check as worded cannot
// be applied to these parameters - confirm against the intended signature.
[Experimental, Description (
"When this method is called, a provider updates the "
"specified Subject\'s rights to the Target according to "
"the parameters of this call. The rights are modeled via "
"an AuthorizedPrivilege instance. If an "
"AuthorizedPrivilege instance is created as a result of "
"this call, it MUST be linked to the Subject and Target "
"via the AuthorizedSubject and AuthorizedTarget "
"associations, respectively. When created, the "
"AuthorizedPrivilege instance is associated to this "
"PrivilegeManagementService via ConcreteDependency. If "
"the execution of this call results in no rights between "
"the Subject and Target, then they MUST NOT be linked to "
"a particular AuthorizedPrivilege instance via "
"AuthorizedSubject and AuthorizedTarget respectively. \n"
"\n"
"Note that regardless of whether specified via parameter, "
"or template, the Activities, ActivityQualifiers and "
"QualifierFormats, are mutually indexed. Also note that "
"Subject and Target references MUST be supplied. \n"
"\n"
"The successful completion of the method SHALL create any "
"necessary AuthorizedSubject, AuthorizedTarget, "
"AuthorizedPrivilege, HostedDependency, and "
"ConcreteDependency instances. \n"
"Note if an associated "
"PrivilegeManagementCapabilities.SharedPrivilegeSupported "
"is FALSE, then an \'Unsupported Shared Privilege\' error "
"will be returned if either the Subjects or the Targets "
"parameter of the AssignAccess method has more than one "
"entry." ),
// NOTE(review): "16005" ("UnSupported Sharing Privileges") is also the first
// value of the "16005..31999" Method Reserved range, so the two entries
// overlap; the range presumably should start at 16006. Left as is because this
// appears to be the published schema text - raise upstream rather than patch
// locally.
// NOTE(review): the description spells this result 'Unsupported Shared
// Privilege' while the Values entry reads "UnSupported Sharing Privileges";
// value 2 is "Unspecified Error" here but "Unknown" in ChangeAccess/ShowAccess.
ValueMap { "0", "1", "2", "3", "4", "5", "6..15999", "16000",
"16001", "16002", "16003", "16004", "16005",
"16005..31999", "32000..65535" },
Values { "Success", "Not Supported", "Unspecified Error",
"Timeout", "Failed", "Invalid Parameter", "DMTF Reserved",
"Unsupported Subject", "Unsupported Privilege",
"Unsupported Target", "Authorization Error",
"NULL not supported", "UnSupported Sharing Privileges",
"Method Reserved", "Vendor Specific" }]
uint32 AssignAccess(
// Subject (Required, IN): element whose rights are granted or denied.
[Required, IN, Description (
"The Subject parameter is a reference to a "
"ManagedElement instance. This parameter MUST be "
"supplied." )]
CIM_ManagedElement REF Subject,
// PrivilegeGranted (IN): whether the rights named in this call are granted or
// denied; MUST be NULL when a Privilege template is passed.
// NOTE(review): the boolean therefore has three input states (true, false,
// NULL); a provider should not let NULL silently behave as either grant or
// deny - confirm handling.
[IN, Description (
"MUST be NULL unless Privilege is NULL on input. "
"The PrivilegeGranted flag indicates whether the "
"rights defined by the parameters in this call "
"should be granted or denied to the named "
"Subject/Target pair." ),
ModelCorrespondence {
"CIM_AuthorizedPrivilege.PrivilegeGranted",
"CIM_PrivilegeManagementService.AssignAccess.Privilege" }]
boolean PrivilegeGranted,
// Activities (IN): activities to grant or deny; values 1-7 are named (Other,
// Create, Delete, Detect, Read, Write, Execute). Indexed in step with
// ActivityQualifiers and QualifierFormats per the method description.
[IN, Description (
"MUST be NULL unless the Privilege is NULL on "
"input. This parameter specifies the activities to "
"be granted or denied." ),
ValueMap { "1", "2", "3", "4", "5", "6", "7", "..",
"16000..65535" },
Values { "Other", "Create", "Delete", "Detect", "Read",
"Write", "Execute", "DMTF Reserved",
"Vendor Reserved" },
ArrayType ( "Indexed" ),
ModelCorrespondence {
"CIM_AuthorizedPrivilege.Activities",
"CIM_PrivilegeManagementService.AssignAccess.Privilege" }]
uint16 Activities[],
// ActivityQualifiers (IN): qualifier strings for the Activities at the same
// index, interpreted according to QualifierFormats.
// NOTE(review): the ModelCorrespondence entry below is spelled
// "ActivityQualifers" (missing an 'i'), which does not match this parameter's
// name - presumably a typo in the schema text.
// NOTE(review): these strings name what a right applies to (the formats
// include file names, URLs and command lines); presumably the provider matches
// on them, so it should validate each entry against its declared format -
// confirm in the provider.
[IN, Description (
"MUST be NULL unless Privilege is NULL on input. "
"This parameter defines the activity qualifiers for "
"the Activities to be granted or denied." ),
ArrayType ( "Indexed" ),
ModelCorrespondence {
"CIM_AuthorizedPrivilege.ActivityQualifers",
"CIM_PrivilegeManagementService.AssignAccess.Privilege" }]
string ActivityQualifiers[],
// QualifierFormats (IN): format of the ActivityQualifiers entry at the same
// index; values 2-11 are named.
// NOTE(review): the three indexed arrays are separate parameters, so nothing
// here forces them to have equal length; a length check presumably belongs in
// the provider - confirm.
[IN, Description (
"MUST be NULL unless Privilege is NULL on input. "
"This parameter defines the qualifier formats for "
"the corresponding ActivityQualifiers." ),
ValueMap { "2", "3", "4", "5", "6", "7", "8", "9",
"10", "11", "..", "16000..65535" },
Values { "Class Name", "<Class.>Property",
"<Class.>Method", "Object Reference", "Namespace",
"URL", "Directory/File Name",
"Command Line Instruction", "SCSI Command",
"Packets", "DMTF Reserved", "Vendor Reserved" },
ArrayType ( "Indexed" ),
ModelCorrespondence {
"CIM_AuthorizedPrivilege.QualifierFormats",
"CIM_PrivilegeManagementService.AssignAccess.Privilege" }]
uint16 QualifierFormats[],
// Target (Required, IN): element the rights apply to.
[Required, IN, Description (
"The Target parameter is a reference to an instance "
"of ManagedElement. This parameter MUST be "
"supplied." )]
CIM_ManagedElement REF Target,
// Privilege (IN, OUT): on input NULL or a reference to an AuthorizedPrivilege
// used as a template; on output the AuthorizedPrivilege that represents the
// resulting rights for the pair. Changes are incremental: only the named
// rights are added or removed, unnamed rights are left alone.
// NOTE(review): the description text has an unclosed "(Note that ...", spells
// the class "PriviligeManagementService", and calls this parameter a
// "property".
// NOTE(review): templates SHOULD have no AuthorizedSubject/AuthorizedTarget
// associations, but the wording is SHOULD, not MUST; what the provider does
// when an instance that is already associated is passed as a template is not
// stated here - confirm.
[IN, OUT, Description (
"On input, this reference MUST be either NULL or "
"refer to an instance of AuthorizedPrivilege that "
"is used as a template. The rights granted by "
"corresponding entries in the Activities, "
"ActivityQualifiers and QualifierFormats array "
"properties are applied incrementally and do not "
"affect unnamed rights. If the property, "
"PrivilegeGranted, is false, then the named rights "
"are removed. If PrivilegeGranted is True, then the "
"named rights are added. (Note that the "
"RemoveAccess method SHOULD be used to completely "
"remove all privileges between a subject and a "
"target. On output, this property references an "
"AuthorizedPrivilege instance that represents the "
"resulting rights between the named Subject and the "
"named Target. AuthorizedPrivilege instances used "
"as a templates in this property SHOULD have a "
"HostedDependency association to the "
"PriviligeManagementService and SHOULD NOT have any "
"AuthorizedTarget or AuthorizedSubject associations "
"to it." )]
CIM_AuthorizedPrivilege REF Privilege);
// RemoveAccess: revoke one AuthorizedPrivilege, or all privileges for a
// Subject, a Target, or a Subject/Target pair.
// NOTE(review): none of the three parameters is marked Required, and per the
// description the fewer are supplied the wider the revocation (a Subject alone
// covers all privileges for that subject). The all-NULL case is not described;
// a "Null parameter not supported" code exists but the text does not tie it to
// a specific case - confirm provider behaviour.
[Description (
"This method revokes a specific AuthorizedPrivilege or "
"all privileges for a particular target, subject, or "
"subject/target pair. If an AuthorizedPrivilege instance "
"is left with no AuthorizedTarget associations, it SHOULD "
"be deleted. The successful completion of the method "
"SHALL remove the directly or indirectly requested "
"AuthorizedSubject, AuthorizedTarget and "
"AuthorizedPrivilege instances." ),
// NOTE(review): this table differs from the other three methods. There is no
// "Unsupported Subject" entry, so 16000-16003 are shifted (16002 is
// "Authorization Error" here and "Unsupported Target" elsewhere), and Vendor
// Specific starts at 32768 rather than 32000. A client that reuses another
// method's table would misreport an authorization failure.
ValueMap { "0", "1", "2", "3", "4", "5", "6..15999", "16000",
"16001", "16002", "16003", "16004..32767", "32768..65535" },
Values { "Success", "Not Supported", "Unspecified Error",
"Timeout", "Failed", "Invalid Parameter", "DMTF Reserved",
"Unsupported Privilege", "Unsupported Target",
"Authorization Error", "Null parameter not supported",
"Method Reserved", "Vendor Specific" }]
uint32 RemoveAccess(
// Subject (IN): element (associated via AuthorizedSubject) whose privileges
// are revoked.
[IN, Description (
"The Subject parameter is a reference to a "
"ManagedElement instance (associated via "
"AuthorizedSubject) for which privileges are to be "
"revoked." )]
CIM_ManagedElement REF Subject,
// Privilege (IN): the specific AuthorizedPrivilege to revoke.
[IN, Description (
"A reference to the AuthorizedPrivilege to be revoked."
)]
CIM_AuthorizedPrivilege REF Privilege,
// Target (IN): element (associated via AuthorizedTarget) that stops being
// covered by the AuthorizedPrivilege.
[IN, Description (
"The Target parameter is a reference to a "
"ManagedElement (associated via AuthorizedTarget) "
"which will no longer be protected via the "
"AuthorizedPrivilege." )]
CIM_ManagedElement REF Target);
};