JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Solaris WBEM Developer's Guide     Oracle Solaris 11 Express 11/10
Oracle Technology Network
Library
PDF
Print View
Feedback
search filter icon
search icon

Document Information

Preface

1.  Overview of Solaris Web-Based Enterprise Management

2.  Using the CIM Object Manager

3.  Using the Sample Programs

4.  Writing a Client Program

5.  Writing WBEM Queries

6.  Writing a Provider Program

7.  Creating JavaBeans Components Using the MOF Compiler

8.  Administering Security

WBEM Security Mechanisms

Client Authentication

Role Assumption

Secure Messaging

Authorization

Auditing

Logging

Using Sun WBEM User Manager to Set Access Control

What You Can and Cannot Do With Sun WBEM User Manager

Using Sun WBEM User Manager

How to Start Sun WBEM User Manager

How to Grant Default Access Rights to a User

How to Change Access Rights for a User

How to Remove Access Rights for a User

How to Set Access Rights for a Namespace

How to Remove Access Rights for a Namespace

Using the Solaris WBEM SDK APIs to Set Access Control

Solaris_UserAcl Class

How to Set Access Control for a User

Solaris_NamespaceAcl Class

How to Set Access Control for a Namespace

Troubleshooting Problems With WBEM Security

If a Client (User) Cannot Be Authenticated by the CIMOM on the WBEM Server

If Other CIM Security Exception Errors Appear

If an Authorization Check Fails

9.  Troubleshooting

A.  Solaris Schema

Index

Using the Solaris WBEM SDK APIs to Set Access Control

You can use the WBEM SDK's application programming interfaces (SDK APIs) to set access control on a namespace or on a per-user basis. These security classes are stored in the root\security namespace:

You can set access control for individual users to the CIM objects within a namespace by creating an instance of the Solaris_UserACL class. Then use the APIs to change the access rights for that instance. Similarly, you can set access control for namespaces by first creating an instance of the Solaris_NameSpaceACL class. Then using APIs, such as the createInstance method, to set the access rights for that instance.

An effective way to combine the use of these two classes is to use the Solaris_NameSpaceACL class first to restrict access to all users to the objects in a namespace. Then, you can use the Solaris_UserACL class to grant selected users access to the namespace.

Solaris_UserAcl Class

The Solaris_UserAcl class inherits the string property capability with a default value r (read only) from theSolaris_Acl class.

You can set the capability property to any one of these values for access privileges.

Access Right
Description
r
Read
rw
Read and Write
w
Write
none
No access

The Solaris_UserAcl class defines the following two key properties. Only one instance of the namespace and user-name ACL pair can exist in a namespace.

Property
Data Type
Purpose
nspace
string
Identifies the namespace to which this ACL applies
username
string
Identifies the user to which this ACL applies

How to Set Access Control for a User

  1. Create an instance of the Solaris_UserAcl class.

    For example:

    ... 
/* Create a namespace object initialized with root\security
(name of namespace) on the local host. */

CIMNameSpace cns = new CIMNameSpace("", "root\security");

// Connect to the root\security namespace as root. 
cc = new CIMClient(cns, user, user_passwd);

// Get the Solaris_UserAcl class 
cimclass = cc.getClass(new CIMObjectPath("Solaris_UserAcl");

// Create a new instance of the Solaris_UserAcl
class ci = cimclass.newInstance();
...
  2. Set the capability property to the desired access rights.

    For example:

    ...
/* Change the access rights (capability) to read/write for user Guest
on objects in the root\molly namespace.*/
ci.setProperty("capability", new CIMValue(new String("rw")); 
ci.setProperty("nspace", new CIMValue(new String("root\molly")); 
ci.setProperty("username", new CIMValue(new String("guest"));
...
  3. Update the instance.

    For example:

    ...
// Pass the updated instance to the CIM Object Manager 
cc.createInstance(new CIMObjectPath(), ci);
...

Solaris_NamespaceAcl Class

The Solaris_NamespaceAcl inherits the string property capability with a default value -r (read-only for all users) from the Solaris_Acl class. The Solaris_NamespaceAcl class defines this key property.

Property
Data Type
Purpose
nspace
string
Identifies the namespace to which this access control list applies. Only one instance of the namespace ACL can exist in a namespace.

How to Set Access Control for a Namespace

  1. Create an instance of the Solaris_namespaceAcl class.

    For example:

    ...
/* Create a namespace object initialized with root\security
(name of namespace) on the local host. */ 
CIMNameSpace cns = new CIMNameSpace("", "root\security");

// Connect to the root\security namespace as root.
cc = new CIMClient(cns, user, user_passwd);

// Get the Solaris_namespaceAcl class 
cimclass = cc.getClass(new CIMObjectPath("Solaris_namespaceAcl");

// Create a new instance of the Solaris_namespaceAcl 
class ci = cimclass.newInstance();
...
  2. Set the capability property to the desired access rights.

    For example:

    ...
/* Change the access rights (capability) to read/write 
to the root\molly namespace. */
ci.setProperty("capability", new CIMValue(new String("rw")); 
ci.setProperty("nspace", new CIMValue(new String("root\molly"));
...
  3. Update the instance.

    For example:

    // Pass the updated instance to the CIM Object Manager 
cc.createInstance(new CIMObjectPath(), ci);
Copyright © 1999, 2010, Oracle and/or its affiliates. All rights reserved. Legal Notices
Previous Next