Class CIM_Account
extends CIM_EnabledLogicalElement

CIM_Account is the information held by a SecurityService to track identity and privileges managed by that service. Common examples of an Account are the entries in a UNIX /etc/passwd file. Several kinds of security services use various information from those entries - the /bin/login program uses the account name ('root') and hashed password to authenticate users, and the file service, for instance, uses the UserID field ('0') and GroupID field ('0') to record ownership and determine access control privileges on files in the file system. This class is defined so as to incorporate commonly-used LDAP attributes to permit implementations to easily derive this information from LDAP-accessible directories. The semantics of Account overlap with that of the class, CIM_Identity. However, aspects of Account - such as its specific tie to a System - are valuable and have been widely implemented. For this reason, the Account and Identity classes are associated using a subclass of LogicalIdentity (AccountIdentity), instead of deprecating the Account class in the CIM Schema. When an Account has been authenticated, the corresponding Identity's TrustEstablished Boolean would be set to TRUE. Then, the Identity class can be used as defined for authorization purposes.

Table of Contents
Hierarchy
Direct Known Subclasses
Class Qualifiers
Class Properties
Class Methods


Class Hierarchy

CIM_ManagedElement
   |
   +--CIM_ManagedSystemElement
   |
   +--CIM_LogicalElement
   |
   +--CIM_EnabledLogicalElement
   |
   +--CIM_Account

Direct Known Subclasses

Class Qualifiers

NameData TypeValue
DescriptionstringCIM_Account is the information held by a SecurityService to track identity and privileges managed by that service. Common examples of an Account are the entries in a UNIX /etc/passwd file. Several kinds of security services use various information from those entries - the /bin/login program uses the account name ('root') and hashed password to authenticate users, and the file service, for instance, uses the UserID field ('0') and GroupID field ('0') to record ownership and determine access control privileges on files in the file system. This class is defined so as to incorporate commonly-used LDAP attributes to permit implementations to easily derive this information from LDAP-accessible directories. The semantics of Account overlap with that of the class, CIM_Identity. However, aspects of Account - such as its specific tie to a System - are valuable and have been widely implemented. For this reason, the Account and Identity classes are associated using a subclass of LogicalIdentity (AccountIdentity), instead of deprecating the Account class in the CIM Schema. When an Account has been authenticated, the corresponding Identity's TrustEstablished Boolean would be set to TRUE. Then, the Identity class can be used as defined for authorization purposes.
UMLPackagePathstringCIM::User::Account
Versionstring2.27.0

Class Properties

Local Class Properties

NameData TypeDefault ValueQualifiers
NameData TypeValue
CreationClassNamestring
DescriptionstringCreationClassName indicates the name of the class or the subclass used in the creation of an instance. When used with the other key properties of this class, this property allows all instances of this class and its subclasses to be uniquely identified.
Keybooleantrue
MaxLenuint32256
InactivityTimeoutdatetime
DescriptionstringInactivityTimeout specifies the interval after which if an account has been inactive, it shall be Disabled. The value may be expressed in interval format, as an absolute date-time, or be NULL. An absolute date-time shall indicate when the password will be disabled due to inactivity. An interval value shall indicate the time remaining before the password is disabled due to inactivity. A value of NULL shall indicate that the Account will not be disabled due to inactivity.
LastLogindatetime
DescriptionstringLastLogin shall be an absolute date-time that specifies the last successful authentication that occurred for this Account.A value of 99990101000000.000000+000 shall indicate the Account has never been used. A value of NULL shall indicate the last successful login is unknown.
MaximumSuccessiveLoginFailuresuint16
DescriptionstringMaximumSuccessiveLoginFailures indicates the number of successive failed login attempts that shall result in the Account being disabled. A value of zero shall indicate that the Account will not be disabled due to successive failed login attempts.
Namestring
DescriptionstringThe Name property defines the label by which the object is known. The value of this property may be set to be the same as that of the UserID property or, in the case of an LDAP-derived instance, the Name property value may be set to the distinguishedName of the LDAP-accessed object instance.
Keybooleantrue
MaxLenuint321024
OverridestringName
OtherUserPasswordEncryptionAlgorithmstring
DescriptionstringIf the UserPasswordEncryptionAlgorithm property is set to 1 ("Other") this property contains a free form string that provides more information about the encryption algorithm. If UserPasswordEncryptionAlgorithm is not set to 1 ("Other") this property has no meaning.
ModelCorrespondencestringCIM_Account.UserPasswordEncryptionAlgorithm
PasswordExpirationdatetime
DescriptionstringPasswordExpiration indicates the maximum password age enforced for the Account. The value may be expressed as an absolute date-time as an interval, or may be NULL. An absolute date-time shall indicate the date and time when the password will expire. An interval value shall indicate the time remaining until the password expires. A value of NULL shall indicate the password never expires.
PasswordHistoryDepthuint16
DescriptionstringPasswordHistoryDepth indicates the number of previous passwords that shall be maintained for the Account. The Account shall preclude the selection of a password if it occurs in the password history. A value of zero shall indicate that a password history is not maintained.
SystemCreationClassNamestring
DescriptionstringThe scoping System's CCN.
Keybooleantrue
MaxLenuint32256
PropagatedstringCIM_System.CreationClassName
SystemNamestring
DescriptionstringThe scoping System's Name.
Keybooleantrue
MaxLenuint32256
PropagatedstringCIM_System.Name
UserIDstring
DescriptionstringUserID is the value used by the SecurityService to represent identity. For an authentication service, the UserID may be the name of the user, or for an authorization service the value which serves as a handle to a mapping of the identity.
MaxLenuint32256
UserPasswordEncodinguint32
DescriptionstringUserPasswordEncoding specifies encoding used for the UserPassword property. "kbd" denotes a string in hexadecimal format containing keyboard scan code input. An example of a UserPassword structured in this format would be "321539191E1F1F11181320", which is the representation of "my password" in US English keyboard scan codes. " ascii" denotes clear text that complies with the ASCII character set. An example would be "my password". "pin" denotes that only numeric input in ASCII text is allowed for the UserPassword. An example would be "1234". "UTF-8" denotes that the UserPassword is a Unicode string that is encoded using UTF-8 character set. "UTF-16" denotes that the UserPassword is a Unicode string that is encoded using UTF-16 character set. The byte order mark (BOM) shall be the first character of the string. "UTF-16LE" denotes that the UserPassword is a Unicode string that is encoded using UTF-16 character set in little-endian byte order. "UTF-16BE" denotes that the UserPassword is a Unicode string that is encoded using UTF-16 character set in big-endian byte order. "UCS-2" denotes that the UserPassword is a Unicode string that is encoded using UCS-2 character set.
ValueMapstring2, 3, 4, 5, 6, 7, 8, 9, .., 65536..4294967295
Valuesstringascii, kbd, pin, UTF-8, UTF-16, UTF-16LE, UTF-16BE, UCS-2, DMTF Reserved, Vendor Reserved
UserPasswordEncryptionAlgorithmuint16
DescriptionstringThe encryption algorithm (if any) used by the client to produce the value in the UserPassword property when creating or modifying an instance of CIM_Account. The original password is encrypted using the algorithm specified in this property, and UserPassword contains the resulting encrypted value. In response to an operation request that would return the value of the UserPassword property to a client, an implementation shall instead return an array of length zero. The value of UserPasswordEncryptionAlgorithm in an instance of CIM_Account shall be 0 ("None") unless the SupportedUserPasswordEncryptionAlgorithms[] property in the CIM_AccountManagementCapabilities instance associated with the CIM_AccountManagementService instance associated with the CIM_Account instance contains a non-null entry other than 0 ("None"). This property does not prevent the use of encryption at the transport, network, or data-link layer to protect communications between a management client and the server, nor is it meant to encourage communications without such encryption. The supported values for this property are: - 0 ("None"): Indicates that the contents of UserPassword are not encrypted. - 1 ("Other"): Indicates that the contents of UserPassword are encrypted using an algorithm not specifically identified in the value map for this property, and that this algorithm is described in OtherUserPasswordEncryptionAlgorithm. - 2 ("HTTP Digest MD5(A1)"): The MD5 hash algorithm, applied to the string A1 defined in RFC2617 as the concatenation username-value ":" realm-value ":" passwd, where username-value is provided by the client as the value of the UserID property. passwd is the underlying user password. realm-value is the HTTP digest realm value, and is provided by the server. The semantics of the HTTP digest realm are specified in RFC 2617. The server may surface the realm-value in the UserPasswordEncryptionSalt property of CIM_AccountManagementCapabilities.
ModelCorrespondencestringCIM_Account.UserPassword, CIM_Account.OtherUserPasswordEncryptionAlgorithm, CIM_AccountManagementCapabilities.SupportedUserPasswordEncryptionAlgorithms, CIM_AccountManagementCapabilities.UserPasswordEncryptionSalt
ValueMapstring0, 1, 2, ..
ValuesstringNone, Other, HTTP Digest MD5(A1), DMTF Reserved
ComplexPasswordRulesEnforceduint16[]
DescriptionstringComplexPasswordRulesEnforced indicates the rules for constructing a complex password enforced by the Account. Minimum Length a minimum length is enforced for passwords for the account. Preclude User ID inclusion precluding the password from including the user ID is supported. Maximum Repeating Characters a limit will be enforced on the number of times a character can occur consecutively. Lower Case Alpha at least one lower case alpha character is required. Upper Case Alpha at least one upper case alpha character is required. Numeric Character at least one numeric character is required. Special Character at least one special character is required.
ValueMapstring2, 3, 4, 5, 6, 7, 8, .., 0x8000..0xFFFF
ValuesstringMinimum Length, Preclude User ID Inclusion, Maximum Repeating Characters, Lower Case Alpha, Upper Case Alpha, Numeric Character, Special Character, DMTF Reserved, Vendor Reserved
Descriptionsstring[]
DescriptionstringThe Descriptions property values may contain human-readable descriptions of the object. In the case of an LDAP-derived instance, the description attribute may have multiple values that, therefore, cannot be placed in the inherited Description property.
MaxLenuint321024
Hoststring[]
DescriptionstringBased on RFC1274, the host name of the system(s) for which the account applies. The host name may be a fully-qualified DNS name or it may be an unqualified host name.
LocalityNamestring[]
DescriptionstringThis property contains the name of a locality, such as a city, county or other geographic region.
ObjectClassstring[]
DescriptionstringIn the case of an LDAP-derived instance, the ObjectClass property value(s) may be set to the objectClass attribute values.
OrganizationNamestring[]
DescriptionstringThe name of the organization related to the account.
Requiredbooleantrue
OUstring[]
DescriptionstringThe name of an organizational unit related to the account.
SeeAlsostring[]
DescriptionstringIn the case of an LDAP-derived instance, the SeeAlso property specifies distinguished name of other Directory objects which may be other aspects (in some sense) of the same real world object.
UserCertificatestring[]
DescriptionstringBased on inetOrgPerson and for directory compatibility, the UserCertificate property may be used to specify a public key certificate for the person.
OctetStringbooleantrue
UserPasswordstring[]
DescriptionstringIn the case of an LDAP-derived instance, the UserPassword property may contain an encrypted password used to access the person's resources in a directory.
OctetStringbooleantrue

Inherited Properties

NameData TypeClass Origin
CaptionstringCIM_ManagedElement
CommunicationStatusuint16CIM_ManagedSystemElement
DescriptionstringCIM_ManagedElement
DetailedStatusuint16CIM_ManagedSystemElement
ElementNamestringCIM_ManagedElement
EnabledDefaultuint16CIM_EnabledLogicalElement
EnabledStateuint16CIM_EnabledLogicalElement
HealthStateuint16CIM_ManagedSystemElement
InstallDatedatetimeCIM_ManagedSystemElement
InstanceIDstringCIM_ManagedElement
OperatingStatusuint16CIM_ManagedSystemElement
OtherEnabledStatestringCIM_EnabledLogicalElement
PrimaryStatusuint16CIM_ManagedSystemElement
RequestedStateuint16CIM_EnabledLogicalElement
StatusstringCIM_ManagedSystemElement
TimeOfLastStateChangedatetimeCIM_EnabledLogicalElement
TransitioningToStateuint16CIM_EnabledLogicalElement
AvailableRequestedStatesuint16[]CIM_EnabledLogicalElement
OperationalStatusuint16[]CIM_ManagedSystemElement
StatusDescriptionsstring[]CIM_ManagedSystemElement

Class Methods

Inherited Class Methods

NameReturn TypeClass Origin
RequestStateChangeuint32CIM_EnabledLogicalElement