Role Based Authorization Profile

Document Number: DCIM1052
Document Type: Specification
Document Status: Published
Document Language: E
Date: 2012-03-08
Version: 1.0.
THIS PROFILE IS FOR INFORMATIONAL PURPOSES ONLY, AND MAY CONTAIN TYPOGRAPHICAL ERRORS AND TECHNICAL INACCURACIES. THE CONTENT IS PROVIDED AS IS, WITHOUT EXPRESS OR IMPLIED WARRANTIES OF ANY KIND.
CONTENTS
1 Scope
2 Normative References
3 Terms and Definitions
Figures
Figure 1 – Class Diagram
Figure 3 – Role Based Authorization Profile Implementation

Tables
Table 1 – Related Profiles
1
The Dell Role Based Authorization Profile describes the properties and interfaces for executing system management tasks related to authorization. The profile standardizes and aggregates the description of the platform’s basic properties into a system view representation and provides a static methodology for clients to query the system views without substantial traversal of the model.

2
Refer to the following documents for more information.
o DCIM_IPMIServiceServiceDependency.mof
o DCIM_CLPServiceServiceDependency.mof
o DCIM_CSRoleLimitedToTarget.mof
o DCIM_SPHostedRBAPService.mof
o DCIM_LocalRBAIdentityMemberOfCollection.mof
o DCIM_ElementConformsToProfile.mof
o DCIM_RegisteredProfile.mof
o DCIM_LCElementConformsToProfile.mof
o DCIM_LCRegisteredProfile.mof

3
For the purposes of this document, the following terms and definitions apply.

3.
3.10
shall not – Indicates requirements to be followed strictly in order to conform to the document and from which no deviation is permitted.

3.11
should – Indicates that among several possibilities, one is recommended as particularly suitable, without mentioning or excluding others, or that a certain course of action is preferred but not necessarily required.

3.
5
Profile Name: Role Based Authorization
Version: 1.0.0
Organization: Dell
CIM Schema Version: 2.26 Experimental
Dell Schema Version: 1.0.
6
The Dell Role Based Authorization Profile describes the platform’s basic properties.
Figure 1 details the class diagram of the Dell Role Based Authorization Profile.
Figure 2 and Figure 3 detail a typical Dell Role Based Authorization Profile implementation for a platform.

[Figure 2 – Role Based Authorization Profile. Diagram elements: SPComputerSystem, RBAHostedService, CLPRoleBasedAuthorizationService, LocalRoleBasedAuthorizationService, IPMIRoleBasedAuthorizationService, LCElementConformsToProfile, ElementConformsToProfile, RegisteredProfile, LCRegisteredProfile; Implementation Namespace and Interop Namespace.]
[Diagram elements: system1 : ComputerSystem, IPMIRBAElementCapabilities, IPMIRoleBasedManagementCapabilities, SPComputerSystem, LocalRBAElementCapabilities, SPHostedService, LocalRoleBasedManagementCapabilities, IPMIRoleBasedAuthorizationService, LocalRolePrivilege, RoleLimitedToTarget, LocalRoleBasedAuthorizationService, lRBAServiceAffectsElementRole, LocalPrivilegeMemberOfCollection, LocalUserIdentity, role1 : Role, LocalRoleConcreteDependency, LocalRBAServiceAffectsElementRole, LocalRBAIdentityMemberOfCollection, LANIdentity ...]
7 Implementation Description
This section describes the requirements and guidelines for implementing Dell Role Based Authorization Profile.

Table 2 – Class Requirements: Role Based Authorization Profile

| Element Name | Requirement | Description |
|---|---|---|
| DCIM_LocalRolePrivilege | Mandatory | The class shall be implemented in the Implementation Namespace: root/dcim. See section 7.1. |
| DCIM_CLPPrivilege | Mandatory | The class shall be implemented in the Implementation Namespace: root/dcim. |
| Element Name | Requirement | Description |
|---|---|---|
| DCIM_CLPRBAElementCapabilities | Mandatory | The class shall be implemented in the Implementation Namespace: root/dcim. See section 7.9 and 7.12 |
| DCIM_LocalPrivilegeMemberOfCollection | Mandatory | The class shall be implemented in the Implementation Namespace: root/dcim. See section 7.1 and 7.3 |
| DCIM_LocalRBAIdentityMemberOfCollection | Mandatory | The class shall be implemented in the Implementation Namespace: root/dcim. See section 7. |
| Element Name | Requirement | Description |
|---|---|---|
| DCIM_SPHostedRBAPService | | The class shall be implemented in the Implementation Namespace: root/dcim. See section 7.7, 7.8 and 7.9 |
| DCIM_ElementConformsToProfile | Mandatory | The class shall be implemented in both the Interop: root/interop and Implementation Namespace: root/dcim. See section 7.7, 7.8, 7.9 and 0 |
| DCIM_RegisteredProfile | Mandatory | The class shall be implemented in the Interop Namespace. See section 7. |
(Execute), and the QualifierFormats array elements may only be set to 9 (Command Line Instruction).

7.1.3
The following table lists the implemented properties for DCIM_LocalRolePrivilege instance representing a local account role. The “Requirements” column shall denote whether the property is implemented (for requirement definitions, see section 3). The “Additional Requirements” column shall denote either possible values for the property, or requirements on the value formulation.
7.2.1 Resource URIs for WinRM®
The class Resource URI shall be “http://schemas.dell.com/wbem/wscim/1/cim-schema/2/DCIM_CLPPrivilege?__cimnamespace=root/dcim”

The key property shall be InstanceID.

The instance Resource URI for DCIM_CLPPrivilege instance shall be: “http://schemas.dell.com/wbem/wscim/1/cim-schema/2/DCIM_CLPPrivilege?__cimnamespace=root/dcim+InstanceID=”

7.2.
• set
• load
• dump
• create
• delete

QualifierFormats[] | uint16 | Mandatory | The property shall be an array of the value 9 (Command Line Instruction) for each entry in ActivityQualifiers. This array shall have the same number of elements as the ActivityQualifiers property array.

7.3
This section describes the implementation for the DCIM_Role class.
This class shall be instantiated in the Implementation Namespace: root/dcim.
7.3.3
The following table lists the implemented properties for DCIM_Role instance representing a local account role. The “Requirements” column shall denote whether the property is implemented (for requirement definitions, see section 3). The “Additional Requirements” column shall denote either possible values for the property, or requirements on the value formulation.
7.4.3
The following table lists the implemented properties for DCIM_IPMIRole instance representing a local account role. The “Requirements” column shall denote whether the property is implemented (for requirement definitions, see section 3). The “Additional Requirements” column shall denote either possible values for the property, or requirements on the value formulation.
7.5
This section describes the implementation for the DCIM_IPMISOLRole class.
This class shall be instantiated in the Implementation Namespace: root/dcim.

The DCIM_IPMISOLRBAIdentityMemberOfCollection association shall reference the DCIM_IPMISOLRole instance and associate it with the DCIM_SerialIdentity instances.

The DCIM_RBAOwningCollectionElement association shall reference the DCIM_IPMISOLRole instance and associate it with the DCIM_SPComputerSystem instance.
7.6
This section describes the implementation for the DCIM_CLPRole class.
This class shall be instantiated in the Implementation Namespace: root/dcim.

The DCIM_CLPPrivilegeMemberOfCollection association shall reference CIM_CLPRole instance and associate it with DCIM_CLPPrivilege instance.

The DCIM_CLPRBAIdentityMemberOfCollection association shall reference DCIM_CLPRole instance and associate it with DCIM_CLPIdentity instances.
| Property Name | Type | Requirements | Additional Requirements |
|---|---|---|---|
| RoleCharacteristics[] | uint16 | Mandatory | The array property value shall be [2]. |
| CommonName | string | Mandatory | The property value shall be one of the following: DCIM:CLPRole:Administrator, DCIM:CLPRole:Operator, DCIM:CLPRole:ReadOnly |
| ElementName | string | Mandatory | The property value shall be one of the following: SM CLP Administrator, SM CLP Operator, SM CLP Read Only |

7.
7.7.2 Operations
The following table lists the operations implemented on DCIM_LocalRoleBasedAuthorizationService.

Table 15 – DCIM_LocalRoleBasedAuthorizationService - Operations

| Operation Name | Requirements | Required Input |
|---|---|---|
| Get | Mandatory | Instance URI |
| Enumerate | Mandatory | Class URI |

7.7.3
The following table lists the implemented properties for DCIM_LocalRoleBasedAuthorizationService instance representing.
The DCIM_ElementConformsToProfile association shall reference the DCIM_IPMIRoleBasedAuthorizationService instance and associate it with the DCIM_RegisteredProfile instance.

7.8.1
The class Resource URI shall be “http://schemas.dell.com/wbem/wscim/1/cim-schema/2/DCIM_IPMIRoleBasedAuthorizationService?__cimnamespace=root/dcim”

The key property shall be the SystemCreationClassName, SystemName, CreationClassName, and Name.
The DCIM_CLPRBAElementCapabilities association shall reference DCIM_CLPRoleBasedAuthorizationService instance and associate it with DCIM_CLPRBAElementCapabilities instance.

The DCIM_CLPRBAServiceAffectsElementRole association shall reference DCIM_CLPRoleBasedAuthorizationService instance and associate it with DCIM_CLPRole instances.
SystemCreationClassName | string | Mandatory | The property value shall be “DCIM_SPComputerSystem”
SystemName | string | Mandatory | The property value shall be “systemmc”
CreationClassName | string | Mandatory | The property value shall be "DCIM_CLPRoleBasedAuthorizationService"
Name | string | Mandatory | The property value shall be "DCIM CLP Role Based Authorization Service".
ElementName | string | Mandatory | The property value shall be "DCIM CLP Role Based Authorization Service".
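The fixed values this profile requires of DCIM_CLPPrivilege (QualifierFormats), DCIM_CLPRole (RoleCharacteristics, CommonName, ElementName) and DCIM_CLPRoleBasedAuthorizationService instances can be checked mechanically when reviewing a controller's authorization model. The following Python code is an added example, not part of the Dell profile: it takes already-enumerated instances as plain dicts, and the "_class" key and the sample data are assumptions made for illustration.

```python
# Added example, not Dell code. The "_class" key and SAMPLE are constructed.
ROLE_COMMON_NAMES = {"DCIM:CLPRole:Administrator", "DCIM:CLPRole:Operator",
                     "DCIM:CLPRole:ReadOnly"}
ROLE_ELEMENT_NAMES = {"SM CLP Administrator", "SM CLP Operator", "SM CLP Read Only"}
SERVICE_NAME = "DCIM CLP Role Based Authorization Service"
SERVICE_FIXED = {"SystemCreationClassName": "DCIM_SPComputerSystem",
                 "SystemName": "systemmc",
                 "CreationClassName": "DCIM_CLPRoleBasedAuthorizationService",
                 "Name": SERVICE_NAME, "ElementName": SERVICE_NAME}

def _ints(values):
    # WS-Man clients often return numbers as strings; normalise first.
    return [int(v) for v in (values or [])]

def check_privilege(inst):
    quals, fmts = inst.get("ActivityQualifiers") or [], _ints(inst.get("QualifierFormats"))
    out = []
    if len(fmts) != len(quals):
        out.append(f"QualifierFormats has {len(fmts)} entries, ActivityQualifiers has {len(quals)}")
    if any(f != 9 for f in fmts):
        out.append("QualifierFormats contains a value other than 9")
    return out

def check_role(inst):
    out = []
    if _ints(inst.get("RoleCharacteristics")) != [2]:
        out.append("RoleCharacteristics is not [2]")
    for prop, allowed in (("CommonName", ROLE_COMMON_NAMES), ("ElementName", ROLE_ELEMENT_NAMES)):
        if inst.get(prop) not in allowed:
            out.append(f"unexpected {prop} {inst.get(prop)!r}")
    return out

def check_service(inst):
    return [f"{k} is {inst.get(k)!r}, expected {v!r}"
            for k, v in SERVICE_FIXED.items() if inst.get(k) != v]

CHECKS = {"DCIM_CLPPrivilege": check_privilege, "DCIM_CLPRole": check_role,
          "DCIM_CLPRoleBasedAuthorizationService": check_service}

def audit(instances):
    """Map list index -> findings, for non-conforming instances only."""
    found = {i: CHECKS.get(x.get("_class"), lambda _: [])(x) for i, x in enumerate(instances)}
    return {i: f for i, f in found.items() if f}

SAMPLE = [  # constructed: a role with an unlisted CommonName, a privilege with mismatched arrays
    {"_class": "DCIM_CLPRole", "RoleCharacteristics": ["2"],
     "CommonName": "DCIM:CLPRole:Root", "ElementName": "SM CLP Administrator"},
    {"_class": "DCIM_CLPPrivilege", "ActivityQualifiers": ["set", "load", "dump"],
     "QualifierFormats": [9, 9]},
]
```

Calling audit(SAMPLE) reports both constructed instances; instances of classes the checker does not know are ignored rather than flagged.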
7.10 DCIM_LocalRoleBasedManagementCapabilities - Local User Account
This section describes the implementation for the DCIM_LocalRoleBasedManagementCapabilities class.
This class shall be instantiated in the Implementation Namespace: root/dcim.

The DCIM_LocalRBAElementCapabilities class shall reference the DCIM_LocalRoleBasedManagementCapabilities class and associate it with the DCIM_LocalRoleBasedAuthorizationService class.

7.10.
Alerts”, “Execute Diagnostic Methods”]

| Property Name | Type | Requirement | Additional Requirements |
|---|---|---|---|
| QualifierFormatsSupported[] | uint16 | Mandatory | This array property value shall be 9. |
| ActivitiesSupported[] | uint16 | Mandatory | This array property value shall be 7. |

7.11 DCIM_IPMIRoleBasedManagementCapabilities – IPMI Role Management
This section describes the implementation for the DCIM_IPMIRoleBasedManagementCapabilities class.
7.12 DCIM_CLPRoleBasedManagementCapabilities - CLP Role Management
This section describes the implementation for the DCIM_CLPRoleBasedManagementCapabilities class.
This class shall be instantiated in the Implementation Namespace: root/dcim.

The DCIM_CLPRBAElementCapabilities class shall reference the DCIM_CLPRBAElementCapabilities class and associate it with the DCIM_CLPRoleBasedAuthorizationService class.

7.12.
7.13 DCIM_RegisteredProfile - DMTF Role Based Authorization Profile Profile
This section describes the implementation for the DCIM_RegisteredProfile class.
This class shall be instantiated in the Interop Namespace.

The DCIM_ElementConformsToProfile association(s) shall reference the DCIM_RegisteredProfile instance.

7.13.1 Resource URIs
The class Resource URI shall be "http://schemas.dmtf.
7.14 DCIM_LCRegisteredProfile
This section describes the implementation for the DCIM_LCRegisteredProfile class.
This class shall be instantiated in the Interop Namespace.

The DCIM_ElementConformsToProfile association(s) shall reference the DCIM_LCRegisteredProfile instance.

7.14.1 Resource URIs for WinRM®
The class Resource URI shall be "http://schemas.dmtf.
| Property Name | Type | Requirement | Additional Requirements |
|---|---|---|---|
| ProfileRequireLicense[] | string | Mandatory | This property array shall describe the required licenses for this profile. If no license is required for the profile, the property shall have value NULL. |
| | | | This property array shall contain the status for the corresponding license in the same element index of the ProfileRequireLicense array property. |
8 Methods
This section details the requirements for supporting extrinsic methods for the CIM elements defined by this profile.

8.1 DCIM_IPMIRoleBasedAuthorizationService.AssignRoles()
The invocation of “Assign Roles” shall follow the following steps:
1. Enumerate DCIM_LANIdentity or DCIM_SerialIdentity
2. Enumerate DCIM_IPMIRole for LAN Identities or DCIM_IPMISOLRole for Serial Identities
3. Call AssignRoles with references to an instance of each class.
8.2 DCIM_CLPRoleBasedAuthorizationService.AssignRoles()
User invocation of “Assign Roles” shall follow the following steps:
1. Enumerate DCIM_CLPIdentity
2. Enumerate DCIM_CLPRole
3. Call AssignRoles with references to an instance of each class.

Table 34 – DCIM_CLPRoleBasedAuthorizationService.AssignRoles() Method: Return Code Values

| Value | Description |
|---|---|
| 0 | Request was successfully executed. |
| 2 | Error occurred. |

Table 35 – DCIM_CLPRoleBasedAuthorizationService.
9 Use Cases
See Lifecycle Controller (LC) Integration Best Practices Guide.

10 CIM Elements
No additional details specified.

11 Privilege and License Requirement
The following table describes the privilege and license requirements for the listed operations. For a detailed explanation of the privileges and licenses, refer to the Dell WSMAN Licenses and Privileges specification.
Table 37 – Privilege and License Requirements

Columns: Class and Method | Operation | User Privilege Required | License Required

Class and Method:
DCIM_LocalRolePrivilege
DCIM_LocalRolePrivilege
DCIM_CLPPrivilege
DCIM_Role
DCIM_IPMIRole
DCIM_IPMISOLRole
DCIM_CLPRole
DCIM_LocalRoleBasedAuthorizationService
DCIM_IPMIRoleBasedAuthorizationService
DCIM_IPMIRoleBasedAuthorizationService.AssignRoles()
DCIM_CLPRoleBasedAuthorizationService

Operation | User Privilege Required | License Required:
ENUMERATE, GET | Login | None.
SET | Login, Configure Users | None.
ENUMERATE, GET | Login | None.
Columns: Class and Method | Operation | User Privilege Required | License Required

Class and Method:
DCIM_CLPRBAServiceAffectsElementRole
DCIM_LocalServiceServiceDependency
DCIM_IPMIServiceServiceDependency
DCIM_CLPServiceServiceDependency
DCIM_CSRoleLimitedToTarget
DCIM_SPHostedRBAPService
DCIM_LocalRBAIdentityMemberOfCollection
DCIM_ElementConformsToProfile
DCIM_RegisteredProfile
DCIM_LCElementConformsToProfile
DCIM_LCRegisteredProfile

Operation | User Privilege Required | License Required:
ENUMERATE, GET | Login | None.
ENUMERATE, GET | Login | None.
ENUMERATE, GET | Login | None.