z/OS Common Information Model User's Guide


Running providers in a designated user context

SC34-2671-00

Generally, the vendor of a provider (implementing a certain CIM class) decides whether the provider should run under a designated user context and supplies the corresponding documentation describing the specific setup steps.

When an invocation is caused by an external CIM operation, the provider is by default processed in the context of the requestor's user ID. Because the provider runs under the identity of the requestor's user ID, all resource access authorization occurs against this user ID. The requestor must therefore be authorized for all resources that a provider accesses during a request.

To avoid requiring that a CIM client user ID have global access to all the resources that a provider uses for gathering data, a provider can be registered with a designated user ID. The designated user ID specifies a separate security context which is used to process the provider. The designated user ID must be authorized to access all the resources accessed by the provider. Because resource access is no longer checked against the requestor's user ID, the provider code must now perform custom authorization checks based on the requestor's user ID to prevent unauthorized access to resources. The security definitions for the designated user ID should be similar to those of regular client users, as described in Switching identity (surrogate), but it is recommended to make the designated user ID a protected user ID by disabling password, passphrase and OIDCARD.

Example:
ALTUSER <designated-user-ID> NOPASSWORD NOOIDCARD NOPHRASE

The properties UserContext and DesignatedUserContext of CIM class PG_ProviderModule specify the provider's processing context. You can specify the values for these properties in the provider registration MOF file for each provider module. By default, this file is installed at /usr/lpp/wbem/provider/schemas/.... For further details, see PG_ProviderModule.
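
As an added illustration (not IBM's code and not part of the original guide), the following Python script audits a provider registration MOF file and reports the processing context of each PG_ProviderModule instance. It assumes the numeric UserContext values of the OpenPegasus PG_ProviderModule schema (2 = Requestor, 3 = Designated); the function name, finding labels, module names and user ID are constructed for the example.

```python
import re

# Assumption: numeric UserContext values follow the OpenPegasus
# PG_ProviderModule schema; confirm them in the PG_ProviderModule reference.
REQUESTOR, DESIGNATED = 2, 3

_NOISE = re.compile(r'"[^"]*"|//[^\n]*|/\*.*?\*/', re.S)
_INSTANCE = re.compile(r'instance\s+of\s+PG_ProviderModule\s*\{(.*?)\}\s*;', re.S | re.I)
_PROP = re.compile(r'(\w+)\s*=\s*("[^"]*"|[^;"]+?)\s*;')

def audit_provider_modules(mof_text):
    """Return (module name, finding) pairs for every PG_ProviderModule instance."""
    # Drop MOF comments but keep string literals that happen to contain "//".
    text = _NOISE.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", mof_text)
    findings = []
    for body in _INSTANCE.findall(text):
        props = {k.lower(): v.strip('"') for k, v in _PROP.findall(body)}
        name = props.get("name", "<unnamed>")
        user = props.get("designatedusercontext", "")
        try:
            # Per the guide, the requestor's context is the default.
            context = int(props.get("usercontext", REQUESTOR))
        except ValueError:
            findings.append((name, "usercontext-not-numeric"))
            continue
        if context == DESIGNATED and not user:
            findings.append((name, "designated-without-user-id"))
        elif context == DESIGNATED:
            # Provider code must authorize the requestor's user ID itself.
            findings.append((name, "designated:" + user))
        elif user:
            findings.append((name, "user-id-set-but-context-not-designated"))
        elif context == REQUESTOR:
            # Each requestor needs access to every resource the provider uses.
            findings.append((name, "requestor"))
        else:
            findings.append((name, "other-context:%d" % context))
    return findings

# Constructed sample registration MOF (module names and user ID are made up).
SAMPLE_MOF = '''
instance of PG_ProviderModule {
    Name = "InventoryModule"; Location = "Inventory";   // no UserContext
};
instance of PG_ProviderModule {
    Name = "MetricsModule"; Location = "Metrics";
    UserContext = 3; /* designated */ DesignatedUserContext = "CIMPROV1";
};
instance of PG_ProviderModule { Name = "BrokenModule"; UserContext = 3; };
'''
```

Each `designated:` finding names a user ID that should then be checked for the protected-user attributes shown in the ALTUSER example above.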

Copyright IBM Corporation 1990, 2014