You can set access control on a per-user basis or namespace basis. The following access control classes are stored in the root\security namespace:
Solaris_Acl – Base class for Solaris access control lists (ACLs). This class defines the string property capability and sets its default value to r (read only).
Solaris_UserAcl – Represents a user's access control to the CIM objects within the specified namespace.
Solaris_NamespaceAcl – Represents the access control on a namespace.
You can set access control for individual users to CIM objects within a namespace. Create an instance of the Solaris_UserAcl class and then change the access rights for that instance. Similarly, you can set access control for a namespace by creating an instance of the Solaris_NamespaceAcl class and then using the createInstance method to set the access rights for that instance.
Combine these two classes by first using the Solaris_NamespaceAcl class to restrict access for all users to the objects in a namespace. Then use the Solaris_UserAcl class to grant selected users access to the namespace.
The Solaris_UserAcl class extends the Solaris_Acl base class, from which it inherits the string property capability with a default value of r (read only). You can set the capability property to any one of the values for access privileges shown in the following table.
| Access Right | Description |
|---|---|
| r | Read |
| rw | Read and Write |
| w | Write |
| none | No access |
The Solaris_UserAcl class defines the key properties that are shown in the following table. Only one instance of the namespace and user name ACL pair can exist in a namespace.
| Property | Data Type | Purpose |
|---|---|---|
| nspace | string | Identifies the namespace to which the ACL applies |
| username | string | Identifies the user to which the ACL applies |
Create an instance of the Solaris_UserAcl class.
```java
...
/* Create a namespace object initialized with root\security
   (name of namespace) on the local host. */
CIMNameSpace cns = new CIMNameSpace("", "root\\security");

// Connect to the root\security namespace as root.
cc = new CIMClient(cns, user, user_passwd);

// Get the Solaris_UserAcl class.
cimclass = cc.getClass(new CIMObjectPath("Solaris_UserAcl"));

// Create a new instance of the Solaris_UserAcl class.
ci = cimclass.newInstance();
...
```
Set the capability property to the desired access rights.
```java
...
/* Change the access rights (capability) to read/write for user Guest
   on objects in the root\molly namespace. */
ci.setProperty("capability", new CIMValue(new String("rw")));
ci.setProperty("nspace", new CIMValue(new String("root\\molly")));
ci.setProperty("username", new CIMValue(new String("guest")));
...
```
```java
...
// Pass the updated instance to the CIM Object Manager.
cc.createInstance(new CIMObjectPath(), ci);
...
```
The Solaris_NamespaceAcl extends the Solaris_Acl base class and inherits the string property capability with a default value r (read-only for all users). The Solaris_NamespaceAcl class defines this key property.
| Property | Data Type | Purpose |
|---|---|---|
| nspace | string | Identifies the namespace to which the access control list applies. Only one instance of the namespace ACL can exist in a namespace. |
Create an instance of the Solaris_NamespaceAcl class.
```java
...
/* Create a namespace object initialized with root\security
   (name of namespace) on the local host. */
CIMNameSpace cns = new CIMNameSpace("", "root\\security");

// Connect to the root\security namespace as root.
cc = new CIMClient(cns, user, user_passwd);

// Get the Solaris_NamespaceAcl class.
cimclass = cc.getClass(new CIMObjectPath("Solaris_NamespaceAcl"));

// Create a new instance of the Solaris_NamespaceAcl class.
ci = cimclass.newInstance();
...
```
Set the capability property to the desired access rights.
```java
...
/* Change the access rights (capability) to read/write
   to the root\molly namespace. */
ci.setProperty("capability", new CIMValue(new String("rw")));
ci.setProperty("nspace", new CIMValue(new String("root\\molly")));
...
```
```java
// Pass the updated instance to the CIM Object Manager.
cc.createInstance(new CIMObjectPath(), ci);
```
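The combined procedure described earlier (restrict a namespace for all users with Solaris_NamespaceAcl, then grant selected users with Solaris_UserAcl), as an added example that is not part of the original documentation. The class NamespaceLockdown and its methods are hypothetical helpers, the import package names are an assumption about the SDK version, and the CIM calls are the ones used in the snippets on this page.

```java
// Assumption: javax.wbem packaging of the WBEM SDK; older SDKs use com.sun.wbem.*
import javax.wbem.cim.*;
import javax.wbem.client.CIMClient;
import java.util.Arrays;
import java.util.List;

/** Hypothetical helper, not part of the SDK. */
public class NamespaceLockdown {
    // Access rights listed in the capability table on this page. The table is
    // given for Solaris_UserAcl; applying it to both classes is an assumption.
    private static final List<String> RIGHTS = Arrays.asList("r", "rw", "w", "none");

    /** Reject a mistyped capability before it reaches the CIM Object Manager. */
    static String checked(String capability) {
        if (!RIGHTS.contains(capability)) {
            throw new IllegalArgumentException("unknown capability: " + capability);
        }
        return capability;
    }

    /** Create one ACL instance; username == null means a namespace-wide ACL. */
    static void createAcl(CIMClient cc, String nspace, String username, String capability)
            throws CIMException {
        String className = (username == null) ? "Solaris_NamespaceAcl" : "Solaris_UserAcl";
        CIMClass cimclass = cc.getClass(new CIMObjectPath(className));
        CIMInstance ci = cimclass.newInstance();
        ci.setProperty("capability", new CIMValue(checked(capability)));
        ci.setProperty("nspace", new CIMValue(nspace));
        if (username != null) {
            ci.setProperty("username", new CIMValue(username));
        }
        // Only one instance per key may exist, so a repeat call for the same
        // namespace or namespace/user pair is assumed to surface as CIMException.
        cc.createInstance(new CIMObjectPath(), ci);
    }

    /** cc must already be connected to root\security, as in the snippets on this page. */
    static void lockDown(CIMClient cc, String nspace, String[] writers) throws CIMException {
        createAcl(cc, nspace, null, "r");        // Step 1: everyone is read-only.
        for (String user : writers) {
            createAcl(cc, nspace, user, "rw");   // Step 2: selected users get read/write.
        }
    }
}
```

Calling `lockDown(cc, "root\\molly", new String[] {"guest"})` creates the namespace ACL first, so the namespace is restricted before any per-user grant exists.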