CIM Schema - User Model

The CIM User/Security Common Model has two focuses. It defines classes to manage:

  • General contact and white pages information for organizations, organizational units and people

  • "Users" of services, and the related security information to authenticate and authorize those "users"

The contact and white pages information is contained in the class hierarchy under CIM_OrganizationalEntity. These classes capture organizational data (such as addresses and phone numbers) and relationships (using the OrgStructure association).

A "user" may be a person, a non-human entity such as a service running as part of an application system, or a collection of either. The User and Security Model factors the user into several classes: managed elements that have a user relationship to a system or set of systems (conveyed using the CIM_ElementAsUser association), and two classes that represent the user's access to system resources, CIM_UsersAccess and CIM_Account.

CIM_UsersAccess is the nexus of a user's system access information, such as credentials and system accounts, independent of the element that holds the access. A managed element such as a Person instance may therefore have several user accesses: for example, one carrying an administrative set of authorities in an administrative domain, and another used for routine business processes (such as reading mail). Keeping these as separate CIM_UsersAccess instances lets administrative and everyday access be granted, audited and revoked independently of each other. CIM_UsersAccess instances thus provide the user's view of their relationship to the systems they interact with. The CIM_ElementAsUser association conveys the "ownership" relationship between the managed element that has access and its CIM_UsersAccess instances.

CIM_Account, on the other hand, is the nexus of a system's information about a user. The CIM_UsersAccount association provides the relationship back to the user, for traversals to information such as a person's name or the credentials that may be used to access the account. A system instance (e.g., CIM_ComputerSystem, CIM_AdminDomain, CIM_ApplicationSystem) provides namespace scoping through its weak aggregation of accounts: instances of CIM_Account are defined within the scope of their aggregating system, so an account name is unique only within that system. The management of these account instances, however, need not be performed by a service on that system. CIM_AccountManagementService instances may have CIM_ManagesAccountOnSystem relationships to any system and, therefore, CIM_ManagesAccount relationships to the accounts on it. For example, this occurs when the accounts belong to an administrative domain and the account management services are hosted on a subset of the computers in that domain.
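The two traversals described above, the user's view through CIM_UsersAccess and the system's view through CIM_Account, as an added example in Python. This is not code from the DMTF tutorial or from the CIM schema; it is an in-memory sketch of the instance graph. The key property names used (ElementID, Name, SystemName) follow the CIM schema as I recall it and are an assumption, as is all of the sample data.

```python
"""Added example (not DMTF's or WBEM Solutions' code): a minimal in-memory
model of the User Model instance graph, and the two traversals it is built
for: the user's view (Person -> CIM_UsersAccess -> CIM_Account) and the
system's view (CIM_Account -> CIM_UsersAccess -> Person). Key property names
are an assumption, not a copy of the MOF."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Person:
    """A CIM_ManagedElement (here a person) that owns user accesses."""
    name: str


@dataclass(frozen=True)
class UsersAccess:
    """CIM_UsersAccess: the user's view of one access relationship."""
    element_id: str   # ElementID key (assumed): identity of the owning element
    name: str         # Name key, e.g. "admin" or "routine"


@dataclass(frozen=True)
class Account:
    """CIM_Account, weak to its scoping system: the key includes SystemName,
    so two accounts named "admin" on different systems are distinct."""
    system_name: str
    name: str


@dataclass(frozen=True)
class AccountManagementService:
    """CIM_AccountManagementService hosted on some computer."""
    name: str
    hosted_on: str


@dataclass
class UserModel:
    """Association instances, stored as (Antecedent, Dependent) pairs."""
    element_as_user: set = field(default_factory=set)            # CIM_ElementAsUser
    users_account: set = field(default_factory=set)              # CIM_UsersAccount
    manages_account_on_system: set = field(default_factory=set)  # CIM_ManagesAccountOnSystem

    def accesses_of(self, person, access_name=None):
        """ElementAsUser traversal, optionally restricted to one named access."""
        return {ua for p, ua in self.element_as_user
                if p == person and (access_name is None or ua.name == access_name)}

    def accounts_for(self, person, access_name=None):
        """User's view: ElementAsUser, then UsersAccount."""
        accesses = self.accesses_of(person, access_name)
        return {acct for ua, acct in self.users_account if ua in accesses}

    def owners_of(self, account):
        """System's view: walk UsersAccount, then ElementAsUser, backwards."""
        accesses = {ua for ua, acct in self.users_account if acct == account}
        return {p for p, ua in self.element_as_user if ua in accesses}

    def managers_of(self, account):
        """CIM_ManagesAccount follows from ManagesAccountOnSystem on the
        account's scoping system; the service need not run on that system."""
        return {svc for svc, system_name in self.manages_account_on_system
                if system_name == account.system_name}


def build_sample():
    """Constructed sample data (not from the page): one person with separate
    administrative and routine accesses, accounts scoped to an admin domain
    and to a mail server, and one management service hosted on dc01."""
    alice, bob = Person("Alice Example"), Person("Bob Example")
    alice_admin = UsersAccess(element_id="alice", name="admin")
    alice_routine = UsersAccess(element_id="alice", name="routine")
    bob_routine = UsersAccess(element_id="bob", name="routine")
    domain_admin = Account(system_name="corp.example", name="admin")
    mail_admin = Account(system_name="mail01", name="admin")
    alice_mailbox = Account(system_name="mail01", name="alice")
    bob_mailbox = Account(system_name="mail01", name="bob")
    idm = AccountManagementService(name="corp-idm", hosted_on="dc01")

    model = UserModel()
    model.element_as_user |= {(alice, alice_admin), (alice, alice_routine),
                              (bob, bob_routine)}
    model.users_account |= {(alice_admin, domain_admin), (alice_admin, mail_admin),
                            (alice_routine, alice_mailbox), (bob_routine, bob_mailbox)}
    model.manages_account_on_system |= {(idm, "corp.example"), (idm, "mail01")}
    return model, alice, bob, idm


if __name__ == "__main__":
    model, alice, bob, idm = build_sample()
    # Which accounts does Alice reach only through her administrative access?
    admin_only = model.accounts_for(alice, "admin") - model.accounts_for(alice, "routine")
    print(sorted((a.system_name, a.name) for a in admin_only))
    print(model.owners_of(Account("mail01", "admin")))
```

The point of the two "admin" accounts is the weak aggregation: because the account key carries the system name, a reviewer listing "who owns admin" must ask per system, and the answer can differ. The set difference in the demo is the sort of query an access review wants: everything a person can reach only through their privileged access.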

Although not complete in this release of the Model, several classes are defined to support the operational implementation of security policies. (This is distinct from the specification of a device-independent security policy, or the resulting device-specific configuration of those policies.) The CIM_AuthenticationRequirement class permits the specification of the credentials required for authentication before access to specific target resources. CIM_AccessControlInformation, on the other hand, permits the specification of authorization policies that match users (subjects) and resources (targets) with a set of permissions (access type, access qualifier, and permission).
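How the two policy classes above combine when a request is evaluated, as an added Python example. This is not DMTF code and does not reproduce the CIM property definitions: CIM_AuthenticationRequirement and CIM_AccessControlInformation are reduced to plain records, the Permission property is left out, and the decision rule (authenticate before authorize, a "denied" entry overrides "allowed", no matching entry means deny) is this example's choice rather than anything the tutorial states. The sample policy is constructed.

```python
"""Added example (not DMTF's or WBEM Solutions' code): evaluating one access
request against simplified CIM_AuthenticationRequirement and
CIM_AccessControlInformation records. Property names, subject handling and
the decision rule are this example's assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthenticationRequirement:
    """Simplified CIM_AuthenticationRequirement: any listed credential
    type satisfies the requirement for the target."""
    target: str
    credential_types: frozenset


@dataclass(frozen=True)
class AccessControlInformation:
    """Simplified CIM_AccessControlInformation entry (Permission omitted)."""
    subject: str           # a user or a collection of users (e.g. a group)
    target: str            # the resource
    access_type: str       # e.g. "read", "write"
    access_qualifier: str  # "allowed" or "denied"


def authenticated(requirements, target, presented_type):
    """True if every requirement on the target accepts the presented
    credential type. A target with no requirement fails closed, because
    nothing in the model says which credentials would justify access."""
    applicable = [r for r in requirements if r.target == target]
    if not applicable:
        return False
    return all(presented_type in r.credential_types for r in applicable)


def authorized(acis, subjects, target, access_type):
    """Match entries against every identity the requester holds (the user
    and the collections it belongs to). One 'denied' overrides any 'allowed';
    no matching entry means no access."""
    matches = [a for a in acis
               if a.subject in subjects and a.target == target
               and a.access_type == access_type]
    if any(a.access_qualifier == "denied" for a in matches):
        return False
    return any(a.access_qualifier == "allowed" for a in matches)


def decide(requirements, acis, subjects, target, access_type, presented_type):
    """Authenticate first, then authorize; return a reason string so the
    caller can log why a request was refused."""
    if not authenticated(requirements, target, presented_type):
        return "deny: authentication"
    if not authorized(acis, subjects, target, access_type):
        return "deny: authorization"
    return "allow"


# Constructed sample policy (not from the page).
REQUIREMENTS = [
    AuthenticationRequirement("payroll-db", frozenset({"x509", "otp"})),
]
ACIS = [
    AccessControlInformation("finance", "payroll-db", "read", "allowed"),
    AccessControlInformation("alice", "payroll-db", "write", "allowed"),
    AccessControlInformation("contractors", "payroll-db", "write", "denied"),
]

if __name__ == "__main__":
    for subjects, access, cred in [
        ({"alice", "finance"}, "read", "x509"),
        ({"alice", "finance"}, "read", "password"),
        ({"alice", "contractors"}, "write", "otp"),
    ]:
        print(sorted(subjects), access, cred, "->",
              decide(REQUIREMENTS, ACIS, subjects, "payroll-db", access, cred))
```

The third case is the one worth checking in any real evaluator: alice is explicitly allowed to write, but her membership in the contractors collection carries a deny, and the deny wins. The fail-closed choice for a target with no authentication requirement is deliberate; an evaluator that treated "no requirement recorded" as "no authentication needed" would turn a gap in the model into an access grant.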

The concepts and relationships of Credentials, Users Access and Access Control Information are shown in the figure below.

Copyright © 2002-2006 Distributed Management Task Force, Inc. and WBEM Solutions, Inc.
All rights reserved.