You can use the WBEM SDK's application programming interfaces (SDK APIs) to set access control on a name space or on a per-user basis. These security classes are stored in the root\security name space:
Solaris_Acl – Base class for Solaris OS access control lists (ACLs). This class defines the string property capability and sets its default value to r (read only).
Solaris_UserAcl – Represents the access control that a user has to the CIM objects within the specified name space.
Solaris_NamespaceAcl – Represents the access control on a name space.
You can set access control for individual users to the CIM objects within a name space by creating an instance of the Solaris_UserAcl class. Then use the APIs to change the access rights for that instance. Similarly, you can set access control for name spaces by first creating an instance of the Solaris_NamespaceAcl class. Then use APIs, such as the createInstance method, to set the access rights for that instance.
You can combine the use of these two classes. First, use the Solaris_NamespaceAcl class to restrict access to all users for the objects in a name space. Then, use the Solaris_UserAcl class to grant selected users access to the name space.
The Solaris_UserAcl class inherits the string property capability with a default value r (read only) from the Solaris_Acl class.
You can set the capability property to any one of these values for access privileges.
|
The Solaris_UserAcl class defines the following two key properties. Only one instance of the name space and user-name ACL pair can exist in a name space.
|
For example:
    ...
    /* Create a name space object initialized with root\security
       (name of name space) on the local host. */
    CIMNameSpace cns = new CIMNameSpace("", "root\\security");

    // Connect to the root\security name space as root.
    cc = new CIMClient(cns, user, user_passwd);

    // Get the Solaris_UserAcl class
    cimclass = cc.getClass(new CIMObjectPath("Solaris_UserAcl"));

    // Create a new instance of the Solaris_UserAcl class
    ci = cimclass.newInstance();
    ...
For example:
    ...
    /* Change the access rights (capability) to read/write for user Guest
       on objects in the root\molly name space. */
    ci.setProperty("capability", new CIMValue(new String("rw")));
    ci.setProperty("nspace", new CIMValue(new String("root\\molly")));
    ci.setProperty("username", new CIMValue(new String("guest")));
    ...
For example:
    ...
    // Pass the updated instance to the CIM Object Manager
    cc.createInstance(new CIMObjectPath(), ci);
    ...
The Solaris_NamespaceAcl inherits the string property capability with a default value r (read-only for all users) from the Solaris_Acl class. The Solaris_NamespaceAcl class defines this key property.
|
For example:
    ...
    /* Create a name space object initialized with root\security
       (name of name space) on the local host. */
    CIMNameSpace cns = new CIMNameSpace("", "root\\security");

    // Connect to the root\security name space as root.
    cc = new CIMClient(cns, user, user_passwd);

    // Get the Solaris_NamespaceAcl class
    cimclass = cc.getClass(new CIMObjectPath("Solaris_NamespaceAcl"));

    // Create a new instance of the Solaris_NamespaceAcl class
    ci = cimclass.newInstance();
    ...
For example:
    ...
    /* Change the access rights (capability) to read/write
       to the root\molly name space. */
    ci.setProperty("capability", new CIMValue(new String("rw")));
    ci.setProperty("nspace", new CIMValue(new String("root\\molly")));
    ...
For example:
    // Pass the updated instance to the CIM Object Manager
    cc.createInstance(new CIMObjectPath(), ci);
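The combined use of the two classes (a Solaris_NamespaceAcl entry for everyone, Solaris_UserAcl entries for selected users) can be reviewed offline before any instance is passed to createInstance. The following is an added example, not code from the WBEM SDK, and it makes no CIMOM calls. It assumes that a user entry takes precedence over the name space entry; the helper names and both sample policies are constructed.

```python
DEFAULT_CAP = "r"          # Solaris_Acl default stated on the page
KNOWN_CAPS = {"r", "rw"}   # only the values visible on this page; extend from the SDK's table

def acl(cls, nspace, username=None, capability=DEFAULT_CAP):
    # Property names follow the page's setProperty calls.
    return {"cls": cls, "nspace": nspace, "username": username, "capability": capability}

# Constructed sample policy: name space stays read only, guest gets read/write.
POLICY = [
    acl("Solaris_NamespaceAcl", r"root\molly"),
    acl("Solaris_UserAcl", r"root\molly", "guest", "rw"),
]
# Constructed bad policy: a repeated key pair and an unrecognized capability string.
BAD_POLICY = POLICY + [
    acl("Solaris_UserAcl", r"root\molly", "guest", "r"),
    acl("Solaris_UserAcl", r"root\molly", "audit", "rx"),
]

def check_policy(entries):
    """Return problems that should block the policy from being applied."""
    problems, seen = [], set()
    for e in entries:
        # Only one instance per name space (and user name, for user ACLs) can exist.
        key = (e["cls"], e["nspace"], e["username"])
        if key in seen:
            problems.append(f"duplicate instance for {key}")
        seen.add(key)
        if e["capability"] not in KNOWN_CAPS:
            problems.append(f"unrecognized capability {e['capability']!r} for {key}")
        if e["cls"] == "Solaris_UserAcl" and not e["username"]:
            problems.append(f"user ACL without username in {e['nspace']}")
    return problems

def effective(entries, nspace, user):
    """Capability for user in nspace; user entry wins (assumption). None if no entry applies."""
    caps = {(e["cls"], e["username"]): e["capability"]
            for e in entries if e["nspace"] == nspace}
    return caps.get(("Solaris_UserAcl", user), caps.get(("Solaris_NamespaceAcl", None)))

def writers(entries):
    """Sorted (nspace, who) pairs with write access; who is '*' for a name space-wide grant."""
    return sorted((e["nspace"], e["username"] or "*")
                  for e in entries if "w" in e["capability"])

if __name__ == "__main__":
    print(check_policy(BAD_POLICY))
    print(effective(POLICY, r"root\molly", "guest"), effective(POLICY, r"root\molly", "other"))
    print(writers(POLICY))
```

A `None` result from `effective` means that no entry in the policy covers that name space; how the CIM Object Manager treats that case is not modeled here.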