// Copyright (c) 2005-2006 DMTF. All rights reserved.
// Add new properties to
// CIM_Account
// Change parent class of
// CIM_Account to CIM_EnabledLogicalElement.
// Add UmlPackagePath
// qualifier values to CIM Schema.
// ==================================================================
// CIM_Account
// ==================================================================
[Version ( "2.18.0" ), UMLPackagePath ( "CIM::User::Account" ),
Description (
"CIM_Account is the information held by a SecurityService to "
"track identity and privileges managed by that service. Common "
"examples of an Account are the entries in a UNIX /etc/passwd "
"file. Several kinds of security services use various "
"information from those entries - the /bin/login program uses "
"the account name ('root') and hashed password to authenticate "
"users, and the file service, for instance, uses the UserID "
"field ('0') and GroupID field ('0') to record ownership and "
"determine access control privileges on files in the file "
"system. This class is defined so as to incorporate "
"commonly-used LDAP attributes to permit implementations to "
"easily derive this information from LDAP-accessible "
"directories. \n"
"\n"
"The semantics of Account overlap with that of the class, "
"CIM_Identity. However, aspects of Account - such as its "
"specific tie to a System - are valuable and have been widely "
"implemented. For this reason, the Account and Identity classes "
"are associated using a subclass of LogicalIdentity "
"(AccountIdentity), instead of deprecating the Account class in "
"the CIM Schema. When an Account has been authenticated, the "
"corresponding Identity's TrustEstablished Boolean would be set "
"to TRUE. Then, the Identity class can be used as defined for "
"authorization purposes.")]
class CIM_Account : CIM_EnabledLogicalElement {
[Key, Propagated ( "CIM_System.CreationClassName" ),
Description (
"The scoping System's CCN."),
MaxLen ( 256 )]
string SystemCreationClassName;
[Key, Propagated ( "CIM_System.Name" ), Description (
"The scoping System's Name."),
MaxLen ( 256 )]
string SystemName;
[Key, Description (
"CreationClassName indicates the name of the class or the "
"subclass used in the creation of an instance. When used "
"with the other key properties of this class, this property "
"allows all instances of this class and its subclasses to be "
"uniquely identified."),
MaxLen ( 256 )]
string CreationClassName;
[Key, Override ( "Name" ), Description (
"The Name property defines the label by which the object is "
"known. The value of this property may be set to be the same "
"as that of the UserID property or, in the case of an "
"LDAP-derived instance, the Name property value may be set "
"to the distinguishedName of the LDAP-accessed object "
"instance."),
MaxLen ( 1024 )]
string Name;
[Description (
"UserID is the value used by the SecurityService to "
"represent identity. For an authentication service, the "
"UserID may be the name of the user, or for an authorization "
"service the value which serves as a handle to a mapping of "
"the identity."),
MaxLen ( 256 )]
string UserID;
[Description (
"In the case of an LDAP-derived instance, the ObjectClass "
"property value(s) may be set to the objectClass attribute "
"values.")]
string ObjectClass[];
[Description (
"The Descriptions property values may contain human-readable "
"descriptions of the object. In the case of an LDAP-derived "
"instance, the description attribute may have multiple "
"values that, therefore, cannot be placed in the inherited "
"Description property."),
MaxLen ( 1024 )]
string Descriptions[];
[Description (
"Based on RFC1274, the host name of the system(s) for which "
"the account applies. The host name may be a fully-qualified "
"DNS name or it may be an unqualified host name.")]
string Host[];
[Description (
"This property contains the name of a locality, such as a "
"city, county or other geographic region.")]
string LocalityName[];
[Required, Description (
"The name of the organization related to the account.")]
string OrganizationName[];
[Description (
"The name of an organizational unit related to the account.")]
string OU[];
[Description (
"In the case of an LDAP-derived instance, the SeeAlso "
"property specifies distinguished name of other Directory "
"objects which may be other aspects (in some sense) of the "
"same real world object.")]
string SeeAlso[];
[Description (
"Based on inetOrgPerson and for directory compatibility, the "
"UserCertificate property may be used to specify a public "
"key certificate for the person."),
OctetString]
string UserCertificate[];
[Description (
"In the case of an LDAP-derived instance, the UserPassword "
"property may contain an encrypted password used to access "
"the person's resources in a directory."),
OctetString]
string UserPassword[];
[Experimental, Description (
"PasswordHistoryDepth indicates the number of previous "
"passwords that shall be maintained for the Account. The "
"Account shall preclude the selection of a password if it "
"occurs in the password history. A value of zero shall "
"indicate that a password history is not maintained.")]
uint16 PasswordHistoryDepth;
[Experimental, Description (
"PasswordExpiration indicates the maximum password age "
"enforced for the Account. The value may be expressed as an "
"absolute date-time as an interval, or may be NULL. \n"
"An absolute date-time shall indicate the date and time when "
"the password will expire. \n"
"An interval value shall indicate the time remaining until "
"the password expires. \n"
"A value of NULL shall indicate the password never expires.")]
datetime PasswordExpiration;
[Experimental, Description (
"ComplexPasswordRulesEnforced indicates the rules for "
"constructing a complex password enforced by the Account. \n"
"Minimum Length a minimum length is enforced for passwords "
"for the account. \n"
"Preclude User ID inclusion precluding the password from "
"including the user ID is supported. \n"
"Maximum Repeating Characters a limit will be enforced on "
"the number of times a character can occur consecutively. \n"
"Lower Case Alpha at least one lower case alpha character is "
"required. \n"
"Upper Case Alpha at least one upper case alpha character is "
"required. \n"
"Numeric Character at least one numeric character is "
"required. \n"
"Special Character at least one special character is "
"required."),
ValueMap { "2", "3", "4", "5", "6", "7", "8", "..",
"0x8000..0xFFFF" },
Values { "Minimum Length", "Preclude User ID Inclusion",
"Maximum Repeating Characters", "Lower Case Alpha",
"Upper Case Alpha", "Numeric Character", "Special Character",
"DMTF Reserved", "Vendor Reserved" }]
uint16 ComplexPasswordRulesEnforced[];
[Experimental, Description (
"InactivityTimeout specifies the interval after which if an "
"account has been inactive, it shall be Disabled. The value "
"may be expressed in interval format, as an absolute "
"date-time, or be NULL. \n"
"An absolute date-time shall indicate when the password will "
"be disabled due to inactivity. \n"
"An interval value shall indicate the time remaining before "
"the password is disabled due to inactivity. \n"
"A value of NULL shall indicate that the Account will not be "
"disabled due to inactivity.")]
datetime InactivityTimeout;
[Experimental, Description (
"MaximumSuccessiveLoginFailures indicates the number of "
"successive failed login attempts that shall result in the "
"Account being disabled. A value of zero shall indicate that "
"the Account will not be disabled due to successive failed "
"login attempts.")]
uint16 MaximumSuccessiveLoginFailures;
[Experimental, Description (
"LastLogin shall be an absolute date-time that specifies the "
"last successful authentication that occurred for this "
"Account. A value of 99990101000000.000000+000 shall "
"indicate the Account has never been used. A value of NULL "
"shall indicate the last successful login is unknown.")]
datetime LastLogin;
[Experimental, Description (
"The encryption algorithm (if any) used by the client to "
"produce the value in the UserPassword property when "
"creating or modifying an instance of CIM_Account. "
"The original password is encrypted using the algorithm "
"specified in this property, and UserPassword contains "
"the resulting encrypted value. In response to an operation "
"request that would return the value of the UserPassword "
"property to a client, an implementation shall instead "
"return an array of length zero.\n"
"The value of UserPasswordEncryptionAlgorithm in an instance "
"of CIM_Account shall be 0 (\"None\") unless the "
"SupportedUserPasswordEncryptionAlgorithms[] property in the "
"CIM_AccountManagementCapabilities instance associated with "
"the CIM_AccountManagementService instance associated with "
"the CIM_Account instance contains a non-null entry other "
"than 0 (\"None\").\n"
"This property does not prevent the use of encryption at "
"the transport, network, or data-link layer to protect "
"communications between a management client and the server, "
"nor is it meant to encourage communications without such "
"encryption.\n"
"The supported values for this property are:\n"
"- 0 (\"None\"): Indicates that the contents of UserPassword "
"are not encrypted.\n"
"- 1 (\"Other\"): Indicates that the contents of UserPassword "
"are encrypted using an algorithm not specifically identified "
"in the value map for this property, and that this algorithm is "
"described in OtherUserPasswordEncryptionAlgorithm.\n"
"- 2 (\"HTTP Digest MD5(A1)\"): The MD5 hash algorithm, applied "
"to the string A1 defined in RFC2617 as the concatenation\n"
" username-value \":\" realm-value \":\" passwd, where\n"
" username-value is provided by the client as the value of the "
"UserID property.\n"
" passwd is the underlying user password.\n"
" realm-value is the HTTP digest realm value, and is provided "
"by the server. The semantics of the HTTP digest realm are "
"specified in RFC 2617. The server may surface the realm-value "
"in the UserPasswordEncryptionSalt property of "
"CIM_AccountManagementCapabilities." ),
ValueMap { "0", "1", "2", ".." },
Values { "None", "Other", "HTTP Digest MD5(A1)", "DMTF Reserved" },
ModelCorrespondence {
"CIM_Account.UserPassword",
"CIM_Account.OtherUserPasswordEncryptionAlgorithm",
"CIM_AccountManagementCapabilities.SupportedUserPasswordEncryptionAlgorithms",
"CIM_AccountManagementCapabilities.UserPasswordEncryptionSalt" }]
uint16 UserPasswordEncryptionAlgorithm;
[Experimental, Description (
"If the UserPasswordEncryptionAlgorithm property is set to 2 "
"(\"Other\") this property contains a free form string that "
"provides more information about the encryption algorithm. "
"If UserPasswordEncryptionAlgorithm is not set to 2 (\"Other\") "
"this property has no meaning."),
ModelCorrespondence {
"CIM_Account.UserPasswordEncryptionAlgorithm" }]
string OtherUserPasswordEncryptionAlgorithm;
};