Class CIM_PrivilegeManagementService


CIM_ManagedElement
\_CIM_ManagedSystemElement
  \_CIM_LogicalElement
    \_CIM_EnabledLogicalElement
      \_CIM_Service
        \_CIM_SecurityService
          \_CIM_AuthorizationService


Description

The PrivilegeManagementService is responsible for creating, deleting, and associating AuthorizedPrivilege instances. References to'subject'and'target'define the entities that are associated with an AuthorizedPrivilege instance via the relationships, AuthorizedSubject and AuthorizedTarget, respectively. When created, an AuthorizedPrivilege instance is related to this (PrivilegeManagement)Service via the association, ConcreteDependency.

Subclasses

IBMTSDS_PrivilegeManagementService

Referenced By


Properties

IdTypeRangeDescription
Key
CreationClassName string
Max Length256
CreationClassName indicates the name of the class or the subclass that is used in the creation of an instance. When used with the other key properties of this class, this property allows all instances of this class and its subclasses to be uniquely identified.
Name string
Max Length256
The Name property uniquely identifies the Service and provides an indication of the functionality that is managed. This functionality is described in more detail in the Description property of the object.
SystemCreationClassName string
Max Length256
The CreationClassName of the scoping System.
SystemName string
Max Length256
The Name of the scoping System.
Read Only
Read Write
 
Inherited from class CIM_ManagedElement
Caption, Description, ElementName
 
Inherited from class CIM_ManagedSystemElement
HealthState, InstallDate, Name, OperationalStatus, Status, StatusDescriptions
 
Inherited from class CIM_EnabledLogicalElement
EnabledState, OtherEnabledState, RequestedState, TimeOfLastStateChange, EnabledDefault
 
Inherited from class CIM_Service
Started, StartMode, PrimaryOwnerContact, PrimaryOwnerName
 

Method Summary

NameDescription
AssignAccessWhen this method is called, a provider updates the specified Subject's rights to the Target according to the parameters of this call.
ChangeAccessChangeAccess updates the specified Subject's rights to the Target according to the parameters of this call.
RemoveAccessThis method revokes a specific AuthorizedPrivilege or all privileges for a particular target, subject, or subject/target pair.
ShowAccessShowAccess reports the Privileges (i.
 
Inherited from class CIM_EnabledLogicalElement
RequestStateChange
 
Inherited from class CIM_Service
StartService, StopService
 

Method Detail


AssignAccess

Description

When this method is called, a provider updates the specified Subject's rights to the Target according to the parameters of this call. The rights are modeled via an AuthorizedPrivilege instance. If an AuthorizedPrivilege instance is created as a result of this call, it MUST be linked to the Subject and Target via the AuthorizedSubject and AuthorizedTarget associations, respectively. When created, the AuthorizedPrivilege instance is associated to this PrivilegeManagementService via ConcreteDependency. If the execution of this call results in no rights between the Subject and Target, then they MUST NOT be linked to a particular AuthorizedPrivilege instance via AuthorizedSubject and AuthorizedTarget respectively.Note that regardless of whether specified via parameter, or template, the Activities, ActivityQualifiers and QualifierFormats, are mutually indexed. Also note that Subject and Target references MUST be supplied.The successful completion of the method SHALL create any necessary AuthorizedSubject, AuthorizedTarget, AuthorizedPrivilege, HostedDependency, and ConcreteDependency instances.Note if an associated PrivilegeManagementCapabilities.SharedPrivilegeSupported is FALSE, then an'Unsupported Shared Privilege'error will be returned if either the Subjects or the Targets parameter of the AssignAccess method has more than one entry.

Parameters

IdTypeRangeDescription
In
Subject CIM_ManagedElement
The Subject parameter is a reference to a ManagedElement instance. This parameter MUST be supplied.
PrivilegeGranted boolean
MUST be NULL unless Privilege is NULL on input. The PrivilegeGranted flag indicates whether the rights defined by the parameters in this call should be granted or denied to the named Subject/Target pair.
Activities uint16
MUST be NULL unless the Privilege is NULL on input. This parameter specifies the activities to be granted or denied.
ActivityQualifiers string
MUST be NULL unless Privilege is NULL on input. This parameter defines the activity qualifiers for the Activities to be granted or denied.
QualifierFormats uint16
MUST be NULL unless Privilege is NULL on input. This parameter defines the qualifier formats for the corresponding ActivityQualifiers.
Target CIM_ManagedElement
The Target parameter is a reference to an instance of ManagedElement. This parameter MUST be supplied.
Privilege CIM_AuthorizedPrivilege
On input, this reference MUST be either NULL or refer to an instance of AuthorizedPrivilege that is used as a template. The rights granted by corresponding entries in the Activities, ActivityQualifiers and QualifierFormats array properties are applied incrementally and do not affect unnamed rights. If the property, PrivilegeGranted, is false, then the named rights are removed. If PrivilegeGranted is True, then the named rights are added. (Note that the RemoveAccess method SHOULD be used to completely remove all privileges between a subject and a target. On output, this property references an AuthorizedPrivilege instance that represents the resulting rights between the named Subject and the named Target. AuthorizedPrivilege instances used as a templates in this property SHOULD have a HostedDependency association to the PriviligeManagementService and SHOULD NOT have any AuthorizedTarget or AuthorizedSubject associations to it.
out
Privilege CIM_AuthorizedPrivilege
On input, this reference MUST be either NULL or refer to an instance of AuthorizedPrivilege that is used as a template. The rights granted by corresponding entries in the Activities, ActivityQualifiers and QualifierFormats array properties are applied incrementally and do not affect unnamed rights. If the property, PrivilegeGranted, is false, then the named rights are removed. If PrivilegeGranted is True, then the named rights are added. (Note that the RemoveAccess method SHOULD be used to completely remove all privileges between a subject and a target. On output, this property references an AuthorizedPrivilege instance that represents the resulting rights between the named Subject and the named Target. AuthorizedPrivilege instances used as a templates in this property SHOULD have a HostedDependency association to the PriviligeManagementService and SHOULD NOT have any AuthorizedTarget or AuthorizedSubject associations to it.
Return Codes
none

ChangeAccess

Description

ChangeAccess updates the specified Subject's rights to the Target according to the parameters of this call. The method may be called to update the propagation of Privileges, and/or to define new Privileges for a Subject/Target pair. Because the Subject/Target pair is required in any usage scenario, these parameters are defined as Required.If an instance of Privilege is created, it is associated to this Service via ConcreteDependency. Further, if the Privilege is an AuthorizedPrivilege, it is linked to the specified Subject and Target via the AuthorizedSubject and AuthorizedTarget associations, respectively.

Parameters

IdTypeRangeDescription
In
Subject CIM_ManagedElement
The Subject parameter is required and references an instance of ManagedElement. The result of this operation is that the Subject SHALL be authorized to access or define the authorization rights for the Target, via one or more instances of the Privilege class - where the Privileges represent the cumulative rights of this Subject. The distinction between the Privileges specified in this method call and the'cumulative rights'is that the implementation returns all rights that the Subject has in regards to the Target (that the requestor is authorized to review), versus the specific subset that may be specified in this method call. The exception to the above is when there are no remaining rights between the Subject and Target. In that case, the Privilege instance MAY be deleted.Note that even if the Subject element is a Collection, the operation is only applied to the Collection itself and NOT its members via MemberOfCollection unless an appropriate PolicyPropagationRule is specified. In either case, the output parameters for this method pertain only to the specified Subject/Collection and Target, and do not provide details on the individual members of the Collection. If this information is needed, use the ShowAccess method.As noted in the method Description, if the resultant Privileges are AuthorizedPrivileges, then AuthorizedSubject associations SHALL be created.
Target CIM_ManagedElement
The Target parameter is required and references an instance of ManagedElement. The result of this operation is that the Subject SHALL be authorized to access or define the authorization rights for the Target, via one or more instances of the Privilege class - where the Privileges represent the cumulative rights of this Subject. The distinction between the Privileges specified in this method call and the'cumulative rights'is that the implementation returns all rights that the Subject has in regards to this Target (that the requestor is authorized to review), versus the specific subset that may be specified in this method call. The exception to the above is when there are no remaining rights between the Subject and Target. In that case, the Privilege instance MAY be deleted.Note that even if the Target element is a Collection, the operation is only applied to the Collection itself and NOT its members via MemberOfCollection unless an appropriate PolicyPropagationRule is specified. In either case, the output parameters for this method pertain only to the specified Subject and Target/Collection, and do not provide details on the individual members of the Collection. If this information is needed, use the ShowAccess method.As noted in the method Description, if the resultant Privileges are AuthorizedPrivileges, then AuthorizedTarget associations SHALL be created.
PropagationPolicies CIM_PrivilegePropagationRule
If supplied, PropagationPolicy defines the policy rules that govern how the specified access rights are propagated to instances associated with the named Subject and/or Target. If a policy rule is not supplied, the rights defined in the Privilege are only granted or denied between the named Subject and Target.
Privileges string
A set of zero or more instances of CIM_Privilege (or a subclass of Privilege) that are passed'by value'as embedded objects. An embedded object is used since the Privilege may only define a subset of the total rights that should be assigned or revoked. On input, Privilege.PrivilegeGranted MAY be set to False to indicate that the enclosed rights are denied. On return, the embedded Privilege objects represent the cumulative rights granted between the specified Subject and Target (filtered to return the information that the requestor is authorized to view). If the Privileges array is empty, then there exist NO rights that the requestor is authorized to view between the Subject/Target pair.
out
Privileges string
A set of zero or more instances of CIM_Privilege (or a subclass of Privilege) that are passed'by value'as embedded objects. An embedded object is used since the Privilege may only define a subset of the total rights that should be assigned or revoked. On input, Privilege.PrivilegeGranted MAY be set to False to indicate that the enclosed rights are denied. On return, the embedded Privilege objects represent the cumulative rights granted between the specified Subject and Target (filtered to return the information that the requestor is authorized to view). If the Privileges array is empty, then there exist NO rights that the requestor is authorized to view between the Subject/Target pair.
Return Codes
none

RemoveAccess

Description

This method revokes a specific AuthorizedPrivilege or all privileges for a particular target, subject, or subject/target pair. If an AuthorizedPrivilege instance is left with no AuthorizedTarget associations, it SHOULD be deleted. The successful completion of the method SHALL remove the directly or indirectly requested AuthorizedSubject, AuthorizedTarget and AuthorizedPrivilege instances.

Parameters

IdTypeRangeDescription
In
Subject CIM_ManagedElement
The Subject parameter is a reference to a ManagedElement instance (associated via AuthorizedSubject) for which privileges are to be revoked.
Privilege CIM_AuthorizedPrivilege
A reference to the AuthorizedPrivilege to be revoked.
Target CIM_ManagedElement
The Target parameter is a reference to a ManagedElement (associated via AuthorizedTarget) which will no longer be protected via the AuthorizedPrivilege.
out
none
Return Codes
none

ShowAccess

Description

ShowAccess reports the Privileges (i.e., rights) granted to a particular Subject and/or Target pair. Either a Subject, a Target or both MUST be specified. In the case where only one is specified, the method will return all rights to all Targets for the specified Subject, or all rights for all subjects which apply to the specified Target.ShowAccess returns the cumulative rights granted betweenthe OutSubjects and OutTargets at the same array index (filtered to return the information that the requestor is authorized to view). If a specific array entry is NULL, then there exist NO rights that the requestor is authorized to view between the Subject/Target pair.Note that the Privileges returned by this method MAY NOT correspond to what is actually instantiated in the model, and MAY be optimized for ease of reporting. Hence, the data is passed'by value', as embedded objects. Also, note that multiple Privileges MAY be defined for a given Subject/Target pair.Other mechanisms MAY also be used to retrieve this information. CIM Operations'EnumerateInstances MAY be used to return all Privileges currently instantiated within a namespace. Also, if the AuthorizedPrivilege subclass is instantiated, the CIM Operation Associators MAY be used to navigate from the Privilege to AuthorizedSubjects and AuthorizedTargets. These CIM Operations will not generally provide the functionality or optimizations available with ShowAccess.

Parameters

IdTypeRangeDescription
In
Subject CIM_ManagedElement
The Subject parameter references an instance of ManagedElement. The result of this operation is that thecumulative rights of the Subject to access or define authorization rights for the Target will be reported. If no Subject is specified, then a Target MUST be supplied and ALL Subjects that have rights to access or define authorizations for the Target will be reported. (It should be noted that the information reported MUST be filtered by the rights of the requestor to view that data.) If the Subject element is a Collection, then the operation will specifically report the Privileges for all elements associated to the Collection via MemberOfCollection. These elements will be reported individually in the returned OutSubjects array.
Target CIM_ManagedElement
The Target parameter references an instance of ManagedElement. The result of this operation is that the cumulative rights of the Subject to access or define authorization rights for the Target will be reported. If no Target is specified, then a Subject MUST be supplied and ALL Targets for which that the Subject has rights to access or define authorization will be reported. (It should be noted that the information reported MUST be filtered by the rights of the requestor to view that data.) If the Target element is a Collection, then the operation will be applied to all elements associated to the Collection via MemberOfCollection. These elements will be reported individually in the returned OutTargets array.
out
OutSubjects CIM_ManagedElement
The array of Subject REFs corresponding to the individual Privileges and OutTargets arrays. The resulting OutSubjects, Privileges and OutTargets arrays define the cumulative rights granted between the Subject/Target at the corresponding index (filtered to return the information that the requestor is authorized to view).
OutTargets CIM_ManagedElement
The array of Target REFs corresponding to the individual Privileges and OutSubjects arrays. The resulting OutSubjects, Privileges and OutTargets arrays define the cumulative rights granted between the Subject/Target at the corresponding index (filtered to return the information that the requestor is authorized to view).
Privileges string
The returned Privilege objects represent the cumulative rights granted between the OutSubjects and OutTargets at the same array index (filtered to return the information that the requestor is authorized to view). If a specific array entry is NULL, then there exist NO rights that the requestor is authorized to view between the Subject/Target pair.
Return Codes
none