The wbemadmin utility starts Sun WBEM User Manager, a graphical user interface that enables you to add and delete authorized WBEM users and to set their access privileges. Use this application to manage access to groups of managed resources, such as disks and installed software, in the Solaris operating environment.
The wbemadmin utility allows you to perform the following tasks:
- Manage user access rights -- Use the wbemadmin utility to add, delete, or modify an individual user's access rights to a namespace on a WBEM-enabled system.
- Manage namespace access rights -- Use the wbemadmin utility to add, delete, or modify access rights for all users to a namespace.
The Sun WBEM User Manager displays a Login dialog box. To grant access rights to users, you must log in as root or as a user with write access to the root\security namespace. By default, Solaris users have guest privileges, which grant them read access to the default namespaces.
Managed resources are described using a standard information model called Common Information Model (CIM). A CIM object is a computer representation, or model, of a managed resource, such as a printer, disk drive, or CPU. CIM objects can be shared by any WBEM-enabled system, device, or application.
CIM objects are grouped into meaningful collections called schemas. One or more schemas can be stored in directory-like structures called namespaces.
All programming operations are performed within a namespace. Two namespaces are created by default during installation:
- root\cimv2 -- Contains the default CIM classes that represent objects on your system.
- root\security -- Contains the security classes used by the CIM Object Manager to represent access rights for users and namespaces.
When a WBEM client application connects to the CIM Object Manager in a particular namespace, all subsequent operations occur within that namespace. When you connect to a namespace, you can access the classes and instances in that namespace (if they exist) and in any namespaces contained in that namespace.
When a WBEM client application accesses CIM data, the WBEM system validates the user's login information on the current host. By default, a validated WBEM user is granted read access to the Common Information Model (CIM) Schema. The CIM Schema describes managed objects on your system in a standard format that all WBEM-enabled systems and applications can interpret.
You can set access privileges on individual namespaces or for a user-namespace combination. When you add a user and select a namespace, by default the user is granted read access to CIM objects in the selected namespace. An effective way to combine user and namespace access rights is to first restrict access to a namespace. Then grant individual users read, read and write, or write access to that namespace.
You cannot set access rights on individual managed objects. However, you can set access rights for all managed objects in a namespace as well as on a per-user basis.
If you log in to the root account, you can set the following types of access to CIM objects:
- Read Only -- Allows read-only access to CIM Schema objects. Users with this privilege can retrieve instances and classes, but cannot create, delete, or modify CIM objects.
- Read/Write -- Allows full read, write, and delete access to all CIM classes and instances.
- Write -- Allows write and delete, but not read access to all CIM classes and instances.
- None -- Allows no access to CIM classes and instances.
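The following Python example is added here and is not part of the wbemadmin documentation or of Sun WBEM code. It models how the access types above combine for a user and a namespace and reports who can grant rights. It assumes that a per-user entry takes precedence over the namespace-wide entry; the users and the root\lab namespace are constructed sample data.

```python
# Added illustration of the access rules described above; not Sun WBEM code.
# Assumption: a per-user entry for a namespace takes precedence over the
# namespace-wide entry, which takes precedence over the default read access.
READ, WRITE = "read", "write"
LEVELS = {                       # the four access types listed above
    "Read Only": {READ},
    "Read/Write": {READ, WRITE},
    "Write": {WRITE},            # write and delete, but not read
    "None": set(),
}
DEFAULT_LEVEL = "Read Only"      # validated users get read access by default
SECURITY_NS = r"root\security"

# Constructed sample data (hypothetical users; root\lab is a made-up namespace).
NAMESPACE_ACL = {r"root\cimv2": "None", r"root\lab": "Read/Write"}
USER_ACL = {
    ("alice", r"root\cimv2"): "Read/Write",
    ("bob", SECURITY_NS): "Write",
}

def effective_level(user, namespace, user_acl=USER_ACL, ns_acl=NAMESPACE_ACL):
    """Return the access type that applies to this user in this namespace."""
    if (user, namespace) in user_acl:
        return user_acl[(user, namespace)]
    return ns_acl.get(namespace, DEFAULT_LEVEL)

def is_allowed(user, namespace, operation, user_acl=USER_ACL, ns_acl=NAMESPACE_ACL):
    """True if the operation (READ or WRITE) is permitted."""
    return operation in LEVELS[effective_level(user, namespace, user_acl, ns_acl)]

def can_grant_rights(user, user_acl=USER_ACL, ns_acl=NAMESPACE_ACL):
    """Granting rights needs root or write access to root\\security."""
    return user == "root" or is_allowed(user, SECURITY_NS, WRITE, user_acl, ns_acl)

def audit(users, namespaces, user_acl=USER_ACL, ns_acl=NAMESPACE_ACL):
    """List settings a reviewer should confirm are intended."""
    findings = []
    for ns in namespaces:
        if WRITE in LEVELS[ns_acl.get(ns, DEFAULT_LEVEL)]:
            findings.append(f"{ns}: all users can write")
    for user in users:
        if user != "root" and can_grant_rights(user, user_acl, ns_acl):
            findings.append(f"{user}: can grant access rights")
    return findings

if __name__ == "__main__":
    for line in audit(["alice", "bob", "carol"], [r"root\cimv2", SECURITY_NS, r"root\lab"]):
        print(line)
```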
Context help is displayed on the left side of the wbemadmin dialog boxes. When you click on a field, the help content changes to describe the selected field. No context help is available on the main User Manager window.
The wbemadmin security administration tool updates the following Java classes in the root\security namespace:
- Solaris_UserAcl -- Updated when access rights are granted or changed for a user.
- Solaris_namespaceAcl -- Updated when access rights are granted or changed for a namespace.