3.3.1 Abstract Data Model

This section describes a conceptual model and possible data organization that an implementation maintains to participate in this protocol. The described organization is provided to facilitate the explanation of how the protocol behaves. This document does not mandate that implementations adhere to this model as long as the external behavior is consistent with that described in this document.

Management Server: An entry in this collection represents a management server. A server URL uniquely identifies a server. The server entry MUST have the following attributes:

  • Server URL: MUST contain a string representing the HTTP address of the management server. The address MUST use http://hostname/gms.dll syntax, where hostname is the name of the management server in a domain name form (such as fabrikam.com).<11>

Management Domains: A collection of entries corresponding to the domains that are available on the management server. A domain GUID MUST uniquely identify each entry. Each entry MUST include the following attributes:

  • Domain GUID: A unique GUID used as the domain identifier.

  • Server URL: A URL representing the domain's management server.

  • Domain Certificate: An X.509 v3 certificate as defined in section 3.1.3, containing two sets of 2048-bit RSA public keys, one for encryption and one for signing.

Accounts: Each entry in this collection corresponds to an application-defined entity associated with users and devices. An account GUID MUST uniquely identify an entry in this collection. The account entry SHOULD have the following attributes:

  • Account GUID: A unique GUID to identify an account.

  • Account Data: Serialized account data.

  • Master Key, Secret Master Key: Keys used for securing account data.

  • Backup Enabled: A Boolean flag, true if backup is enabled.

  • Last Backup Date: The date of the last account backup to the management server.

  • Backup Frequency: An integer representing the backup interval in milliseconds.

Device Account: Represents the computer that is hosting the client. A device GUID MUST uniquely identify a device account. The device account entry SHOULD have the following attributes:

  • Device GUID: A GUID that uniquely identifies a device account.

  • Identity URL: Identifies the identity associated with this device account.

  • Status: Represents the status of device management. The status MUST be one of the following values:

    • 0: Not managed

    • 1: Managed

  • Managed Objects: A managed device account MUST contain the following managed objects:

    • Account Services Policy

    • Data Recovery Policy

    • Passphrase Policy

    • Component Update Policy

  • Managed Object Status Check Date: The date of the last test of the managed object status.

Domain Accounts: An entry in this set corresponds to a domain user account combination. The Domain GUID in conjunction with the Account GUID uniquely identifies a domain user account entry. Each entry MUST include the following attributes:

  • Domain GUID: Identifies the domain for the entry.

  • Account GUID: Identifies the account for the entry.

  • Secret Key: 192-bit symmetric key used for integrity-protecting and encrypting messages between the client and the management server.

Identity: An identity represents a persona using the client. An account MUST contain one or more identities. An identity URL MUST uniquely identify an entry in this collection. An identity SHOULD have the following attributes:

  • Identity URL: A unique identifier that MUST identify an identity.

  • Account GUID: Represents the account to which the identity belongs.

  • Domain GUID: Represents the domain managing the identity.

  • Managed Objects: MUST contain the following managed objects:

    • Identity Template

    • Data Recovery Policy

    • Domain Trust Policy

    • Identity Policy

  • Managed Object Status Check Date: The date of the last test of the managed object status.

  • Contact: Contains the member's contact.

Identity Relay Devices: Each entry represents relay servers assigned to an Identity.

  • Identity URL: Identifies the identity.

  • Device URL: Relay server URL.

  • Sequence: A number indicating access order of relay servers.

Identity Presence Devices: Each entry represents presence servers assigned to an Identity.

  • Identity URL: Identifies the identity.

  • Device URL: Relay server URL.

  • Sequence: A number indicating access order of presence servers.

Managed Object: Represents a managed object received from the management server. Each managed object MUST have the following attributes:

  • Object GUID: A unique GUID to identify the object.

  • Object Name: Name of the object.

  • Object Type: Type of managed object, which MUST be one of the following:

    • Identity Template

    • Data Recovery Policy

    • Domain Trust Policy

    • Identity Policy

    • Account Services Policy

    • Data Recovery Policy

    • Passphrase Policy

    • Component Update Policy

  • Object Data: A string representing the managed object.

  • Issued Time: Represents the time the managed object was created in milliseconds since midnight of 01/01/1970.
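The MUST constraints this section places on the Server URL, the Domain Accounts Secret Key, the device Status and the Managed Object attributes can be checked when entries are loaded. The following is an added example, not part of the specification or of any implementation of it; the function and class names are hypothetical, and the hostname grammar and the UTC epoch are assumptions the section does not spell out.

```python
import re
import uuid
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Object types named in this section for device accounts and identities.
DEVICE_OBJECTS = {"Account Services Policy", "Data Recovery Policy",
                  "Passphrase Policy", "Component Update Policy"}
IDENTITY_OBJECTS = {"Identity Template", "Data Recovery Policy",
                    "Domain Trust Policy", "Identity Policy"}

# Assumption: "domain name form" means dot-separated DNS labels, no port or userinfo.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_SERVER_URL = re.compile(rf"http://({_LABEL}(?:\.{_LABEL})*)/gms\.dll")

def valid_server_url(url: str) -> bool:
    """True only for the exact http://hostname/gms.dll shape."""
    m = _SERVER_URL.fullmatch(url)
    return m is not None and len(m.group(1)) <= 253

def valid_secret_key(key: bytes) -> bool:
    """Domain Accounts Secret Key is a 192-bit symmetric key (24 bytes)."""
    return len(key) * 8 == 192

@dataclass(frozen=True)
class ManagedObject:
    object_guid: uuid.UUID
    object_name: str
    object_type: str
    object_data: str
    issued_time_ms: int  # milliseconds since midnight of 01/01/1970

    def __post_init__(self):
        # Reject any Object Type outside the list given in this section.
        if self.object_type not in DEVICE_OBJECTS | IDENTITY_OBJECTS:
            raise ValueError(f"unknown Object Type: {self.object_type!r}")

    def issued_at(self) -> datetime:
        # Assumption: the epoch is UTC; the section does not name a time zone.
        epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
        return epoch + timedelta(milliseconds=self.issued_time_ms)

def missing_device_objects(status: int, objects: list) -> set:
    """Required object types a device account lacks (empty when not managed)."""
    if status not in (0, 1):
        raise ValueError("Status MUST be 0 (Not managed) or 1 (Managed)")
    if status == 0:
        return set()
    return DEVICE_OBJECTS - {o.object_type for o in objects}
```

A non-empty result from `missing_device_objects` for a managed device means the client is enforcing an incomplete policy set and is worth surfacing rather than silently defaulting.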

Audit Log Events:

  • Account GUID: GUID of the account sending this data.

  • Sequence number: Increasing sequence number, unique for each log event.

  • Log Data: XML document containing the audit event log entry.

Audit Files:

  • Hash: A unique string representing the digest of the binary file.

  • Hash Algo: Name of the algorithm used for computing the digest.

  • File Data: File content.