WBEM for Solaris on Sun Developer's Guide

Using the APIs to Set Access Control

You can use the Sun WBEM SDK APIs to set access control on a namespace or on a per-user basis. During installation, the MOF compiler compiles the security classes defined in the Solaris_Acl1.0.mof file into the /root/Security namespace. The Solaris_Acl1.0.mof file defines the Solaris_Acl base class and the two classes derived from it that are described in this section, Solaris_UserAcl and Solaris_NamespaceAcl.

You can set access control for individual users on the CIM objects within a namespace by creating an instance of the Solaris_UserAcl class and then using the APIs to change the access rights for that instance. Similarly, you can set access control on a namespace by creating an instance of the Solaris_NamespaceAcl class and then using APIs, such as the setInstance method, to set the access rights for that instance.

An effective way to combine the two classes is to first use the Solaris_NamespaceAcl class to restrict access for all users to the objects in a namespace, and then use the Solaris_UserAcl class to grant selected users access to that namespace.


Note -

Access Control Lists (ACLs) are governed by a standard being developed by the DMTF. Although the Solaris ACL schema is currently CIM-compliant, it will need to change when the DMTF finalizes the ACL standard. Programs you write using the Solaris ACL schema classes are subject to that risk.


The Solaris_UserAcl Class

The Solaris_UserAcl class extends the Solaris_Acl base class, from which it inherits the string property capability with a default value r (read only).

You can set the capability property to any of the following values to grant the corresponding access rights.

  Access Right   Description
  ------------   --------------
  r              Read
  rw             Read and Write
  w              Write
  none           No access

The Solaris_UserAcl class defines the following two key properties. Only one instance of the namespace-username ACL pair can exist in a namespace.

  Property   Data Type   Purpose
  --------   ---------   ----------------------------------------------
  nspace     string      Identifies the namespace to which this ACL applies.
  username   string      Identifies the user to which this ACL applies.

How to Set Access Control on a User
  1. Create an instance of the Solaris_UserAcl class. For example:

    // cc is an open CIMClient connection to the CIM Object Manager
    // Get the Solaris_UserAcl class
    CIMClass cimclass = cc.getClass(new CIMObjectPath("Solaris_UserAcl"));

    // Create a new instance of the Solaris_UserAcl class
    CIMInstance ci = cimclass.newInstance();

  2. Set the capability property to the desired access rights. For example:

    /* Change the access rights (capability) to read/write
       for user guest on objects in the root\molly namespace.
       The backslash must be escaped in a Java string literal. */
    ci.updatePropertyValue("capability", new CIMValue("rw"));
    ci.updatePropertyValue("nspace", new CIMValue("root\\molly"));
    ci.updatePropertyValue("username", new CIMValue("guest"));

  3. Update the instance. For example:

    // Pass the updated instance to the CIM Object Manager
    cc.setInstance(new CIMObjectPath(), ci); 

The Solaris_NamespaceAcl Class

The Solaris_NamespaceAcl class extends the Solaris_Acl base class, from which it inherits the string property capability with a default value r (read-only for GUEST and all users). The Solaris_NamespaceAcl class defines the following key property.

  Property   Data Type   Purpose
  --------   ---------   ----------------------------------------------
  nspace     string      Identifies the namespace to which this access control list applies. Only one instance of the namespace ACL can exist in a namespace.

How to Set Access Control on a Namespace
  1. Create an instance of the Solaris_NamespaceAcl class. For example:

    // cc is an open CIMClient connection to the CIM Object Manager
    // Get the Solaris_NamespaceAcl class
    CIMClass cimclass = cc.getClass(new CIMObjectPath("Solaris_NamespaceAcl"));

    // Create a new instance of the Solaris_NamespaceAcl class
    CIMInstance ci = cimclass.newInstance();

  2. Set the capability property to the desired access rights. For example:

    /* Change the access rights (capability) to read/write
       for the root\molly namespace.
       The backslash must be escaped in a Java string literal. */
    ci.updatePropertyValue("capability", new CIMValue("rw"));
    ci.updatePropertyValue("nspace", new CIMValue("root\\molly"));

  3. Update the instance. For example:

    // Pass the updated instance to the CIM Object Manager
    cc.setInstance(new CIMObjectPath(),ci);
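The two procedures above, combined into the deny-by-default pattern the introduction recommends (lock the whole namespace with Solaris_NamespaceAcl, then re-admit one user with Solaris_UserAcl), as an added example that is not code from the guide. It assumes the javax.wbem.cim and javax.wbem.client packages of the later WBEM Services release (the Solaris 8 SDK shipped the same classes under com.sun.wbem.*), the CIMClient(CIMNameSpace, Principal, credential) constructor with UserPrincipal and PasswordCredential, and that the ACL classes are reached through the root/security namespace named on this page. The host name, user names and password are constructed placeholders.

```java
import javax.wbem.cim.CIMClass;
import javax.wbem.cim.CIMException;
import javax.wbem.cim.CIMInstance;
import javax.wbem.cim.CIMNameSpace;
import javax.wbem.cim.CIMObjectPath;
import javax.wbem.cim.CIMValue;
import javax.wbem.client.CIMClient;
import javax.wbem.client.PasswordCredential;
import javax.wbem.client.UserPrincipal;

/**
 * Deny-by-default ACL setup for one namespace (added example, not from the guide):
 *   1. Solaris_NamespaceAcl for the namespace -> "none"  (every user locked out)
 *   2. Solaris_UserAcl for one named user      -> "rw"   (that user re-admitted)
 * Doing the namespace step first means a crash between the two steps leaves the
 * namespace closed rather than open.
 */
public class LockDownNamespace {

    // Constructed sample values; replace with your own before running.
    private static final String HOST = "localhost";
    private static final String TARGET_NS = "root\\molly";     // namespace being protected
    private static final String ADMIN_USER = "root";          // account allowed to write ACLs
    private static final String ADMIN_PASSWORD = "CHANGE_ME"; // placeholder, never hard-code for real
    private static final String GRANTED_USER = "guest";       // the one user re-admitted

    /**
     * Build an instance of the named ACL class, fill in the given
     * (property, value) pairs and hand it to the CIM Object Manager,
     * exactly as the three numbered steps above do by hand.
     */
    static void setAcl(CIMClient cc, String aclClass, String[][] props) throws CIMException {
        CIMClass cimclass = cc.getClass(new CIMObjectPath(aclClass));
        CIMInstance ci = cimclass.newInstance();
        for (String[] p : props) {
            ci.updatePropertyValue(p[0], new CIMValue(p[1]));
        }
        cc.setInstance(new CIMObjectPath(), ci);
    }

    public static void main(String[] args) throws CIMException {
        // The ACL classes are compiled into the root/security namespace (assumed path form).
        CIMNameSpace cns = new CIMNameSpace(HOST, "root/security");
        CIMClient cc = new CIMClient(cns, new UserPrincipal(ADMIN_USER),
                                     new PasswordCredential(ADMIN_PASSWORD));
        try {
            // Step 1: close the namespace to everyone (only one namespace ACL per namespace).
            setAcl(cc, "Solaris_NamespaceAcl", new String[][] {
                {"nspace", TARGET_NS},
                {"capability", "none"},
            });
            // Step 2: grant read/write back to a single user
            // (the nspace/username pair is the key, so one ACL per user per namespace).
            setAcl(cc, "Solaris_UserAcl", new String[][] {
                {"nspace", TARGET_NS},
                {"username", GRANTED_USER},
                {"capability", "rw"},
            });
        } finally {
            cc.close();
        }
    }
}
```

The order matters for safety: if the program fails after the first setAcl call, the namespace is left closed to everyone, which is the recoverable failure mode; reversing the steps would leave a window in which the namespace is still open to all users with the per-user grant already in place.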