3.2.1 Abstract Data Model

This section describes a conceptual model and possible data organization that an implementation maintains to participate in this protocol. The described organization is provided to facilitate the explanation of how the protocol behaves. This protocol does not mandate that implementations adhere to this model as long as the external behavior is consistent with that described in this protocol.

  • Management Server: The management server is an entity representing the management server installation. The management server has the following attribute:

    • Server URL: MUST be a string representing the HTTP address of the management server. The address MUST use http://hostname/gms.dll syntax, where hostname is the name of the management server in a domain name form (such as contoso.com).<4>

  • Management Domains: A collection of entries corresponding to management domains defined on the management server. A domain GUID uniquely identifies each entry. Each entry includes the following attributes:

    • Domain Name: A string containing the name of the domain. The name is unique among all domains on the management server.

    • Enterprise PKI: A Boolean value; it is set to false when member contacts are to be signed by the management server.

    • Certification authority (CA) Name: The name to be represented in the domain certificate.

    • Domain Certificate: An X.509.v3 certificate, as defined in section 3.1.3, containing two sets of 2048-bit RSA public keys, one for encryption and one for signing.

    • Data Recovery Certificate: An X.509.v3 certificate, as defined in section 3.1.3, containing two sets of 2048-bit RSA public keys, one for encryption and one for signing.

  • Accounts: A collection of entries corresponding to the client accounts. An account can either be associated with a device or with a user. The account GUID in conjunction with the domain GUID uniquely identifies an entry in this collection. Each entry includes the following attributes:

    • Account GUID: This GUID is the same as the account GUID on the client.

    • Domain GUID: In conjunction with the account GUID, uniquely identifies an account entry.

    • Secret Key: A 192-bit symmetric secret key used for integrity-protecting and encrypting messages between the client and the management server.

  • Device Accounts: A collection of entries corresponding to client device accounts. Device GUID MUST uniquely identify an entry in this collection. Each entry includes the following attributes:

    • Domain GUID: A value representing the domain to which the device belongs.

    • Device GUID: This GUID is the Account GUID for the device and is in the accounts table.

    • DPG GUID: An optional value representing the device policy group entry provisioned to the device account.

    • Status: Represents the management status of the device. The value is one of the following:

      • 0 = Not Managed (default)

      • 1 = Managed

      • -1 = Deleted

  • Members: A collection of entries representing the members managed on the management server. A member GUID uniquely identifies each member. The configuration code and the configuration code hash are unique for each entry. Each entry includes the following attributes:

    • Member GUID: A unique GUID used to identify the member.

    • Pre-Authentication Token: A unique identifier for the member on this management server; could be the same as the member GUID.

    • Full Name: The full name of the member.

    • E-mail Address: A value representing the e-mail address of the member.

    • Account Configuration Code: A unique GUID used for binding the member to a client identity.

    • KeyID: The SHA1 hash of the SHA1 hash of the account configuration code. For this computation the account configuration code is treated as a Unicode string and hashed as its bytes in little-endian order, not including the terminating NULL character. SHA1 is first applied to those bytes, and then SHA1 is applied again to the digest produced by the first hash.

    • First Name: An optional value that specifies the member's first name.

    • Last Name: An optional value that specifies the member's last name.

    • Organization: An optional value that specifies the member's organization.

    • Title: An optional value that specifies the member's organization title.

    • ORG Street 1: An optional value that specifies line 1 of a member's organization street.

    • ORG Street 2: An optional value that specifies line 2 of a member's organization street.

    • ORG City: An optional value that specifies the member's organization city name.

    • ORG State: An optional value that specifies the member's organization state name.

    • ORG Postal Code: An optional value that specifies the member's organization postal code.

    • ORG Phone: An optional value that specifies the member's organization phone number.

    • ORG Cell: An optional value that specifies the member's organization cell phone number.

    • ORG Fax: An optional value that specifies the member's organization fax number.

    • Remote User: An optional value that specifies the member's login name.

    • Status: Represents the state of a member. The value is one of the following:

      • 1: Pending (default)

      • 2: Active

      • 3: Disabled

      • -1: Deleted

      • -2: Migrated

    • Identity URL: A unique identifier issued to an identity by the client.

    • Account GUID: A unique identifier issued by the client to identify an account. In conjunction with Identity URL, uniquely identifies a member.

    • IPG GUID: A GUID representing the identity policy group provisioned to the member. If the value is null on creation, then this column inherits the domain's default identity policy group GUID.

    • RSG GUID: A GUID representing the relay server group provisioned to the member. If the value is null on creation, then this column inherits the domain's default relay server group GUID.

    • Contact URL: Same as the identity URL. Set during the enrollment process.

    • Contact Security: Contains contact security data.

    • MigrationStatus: A Boolean value that is set to true to migrate the member to another domain or server.

    • Migration Server: Contains the URL of the management server to which the member is to be migrated, if migration status is set to true.

    • Affiliation: Contains a string representing the member's affiliation. See section 3.2.5.1.5.

  • Relay Server Sets: A collection of entries corresponding to the relay server sets available on the server. Each relay server set can contain one or more relay servers. A GUID uniquely identifies each entry in the collection. Each entry can include the following attribute:

    • RSG GUID: A unique GUID used to identify a relay server set.

  • Identity Policy Templates: A collection of entries, each entry referencing a unique set of identity policy managed objects. A GUID uniquely identifies each entry in the collection. Each entry can include the following attribute:

    • IPG GUID: A unique GUID used to identify an identity policy template.

  • Device Policy Templates: A collection of entries referencing a set of device policy managed objects. A GUID uniquely identifies each entry in the collection. Each entry can include the following attribute:

    • DPG GUID: A unique GUID used to identify a device policy template.

  • Relay Servers: A collection of entries corresponding to one or more relay servers registered with the management server. A GUID uniquely identifies each entry. A relay server entry can contain the following attributes:

    • RS GUID: A unique GUID used to identify the Relay Server.

    • RSG GUID: A unique GUID that MUST identify the Relay Server Set to which this relay server belongs.

    • RSG Sequence: A number defining the ordering of this relay server within the relay server set.

    • Device URL: Contains a string representing a relay device URL. The address uses "grooveDNS://hostname" syntax, where hostname is the name of the server in domain name format (such as fabrikam.com). The client uses the device URL to contact the relay server.

    • SOAP URL: Contains a string representing the HTTP address of the relay server. The address uses http://hostname/ syntax, where hostname is the name of the server in domain name format (such as fabrikam.com). The management server uses the SOAP URL to contact the relay server.

    • SSTP Certificate: An X.509.v3 certificate, containing two sets of asymmetric key pairs, one for encryption and one for signing. Used for securing the registration message between client and relay server. See [MS-GRVSPMR] for details.

    • SOAP Certificate: An X.509.v3 certificate, containing two sets of asymmetric key pairs, one for encryption and one for signing. Used for securing the registration message between management server and relay server. See [MS-GRVSPMR] for details.

  • Account Backups: A collection of entries representing client account data. An account backup can be spread across one or more account backup entries. The backup GUID binds all account backup entries belonging to the same account. The backup GUID in conjunction with the fragment index uniquely identifies an account backup entry. Each entry can include the following attributes:

    • Account GUID: GUID of the account to which the account backup belongs.

    • Backup GUID: A unique GUID used in conjunction with the fragment index to identify an account backup entry.

    • Fragment Index: Represents the sequence number of the account backup fragment.

    • Fragment Count: Represents the number of fragments in the account backup.

    • Backup Data: Contains the account backup fragment.

  • Passphrase Reset Requests: A collection of short-lived entries, representing manual passphrase reset request data. An account GUID uniquely identifies a passphrase reset request entry. Each entry can include the following attributes:

    • Account GUID: An account GUID to bind the request to one or more Members.

    • Digest Algorithm: This value is "SHA1".

    • Admin Public Key Hash: This value is the SHA1 hash of the domain's DER-encoded encryption public key.

    • Encrypted Master Key: This is a client-generated secret key encrypted in the domain's encryption public key.

    • Encrypted Secret Master Key: This is a client-generated secret key encrypted in the domain's encryption public key.

    • Temporary Contact: The Contact element from the request. This attribute is used to generate the identity cipher key, from which an encryption public key is obtained; that public key re-encrypts the storage master key before it is sent to the client as part of the manual password reset transaction.

    • Status: Represents the state of the PassphraseResetRequest. The valid states are:

      • 0: Request is approved

      • 1: Request is not approved

      • 3: Request is pending

    • Password: Password to be used for securing a manual passphrase reset request.

    • Server Encrypted Master Key: The master key, encrypted by the management server using the encryption public key from the temporary contact sent by the client.

    • Server Encrypted Secret Master Key: The secret master key, encrypted by the management server using the encryption public key from the temporary contact sent by the client.

  • Managed Objects: A collection of entries corresponding to the managed objects available on the management server. An Object GUID uniquely identifies a managed object. Each entry contains the following attributes:

    • Object GUID: A GUID used to identify the managed object. If the managed object is an identity template managed object, then this value is the same as a member GUID in the Members collection.

    • PG GUID: An optional policy group GUID to bind the managed object to an identity or device policy group.

    • Object Type: An integer value representing the type of managed object contained in the entry.

    • Object Template: A Unicode string that contains the object template.

    • Object Data: An optional base64-encoded string containing the managed object data.

    • IssuedTime: The time at which the object data column was updated or created, represented in milliseconds since midnight 01/01/1970.

  • Audit Chunk Data Storage:

    • GUID: A GUID to identify fragments belonging to the same audit event data.

    • Account GUID: The GUID of the account sending this data.

    • Version: The version of the client.

    • Index Count: Represents the sequence number of the current data fragment.

    • Fragment Count: The number of fragments in this event data.

    • Fragment Size: Size of the fragment.

    • Total Size: Total size of the event data.

  • Audit Devices:

    • Device GUID: A unique GUID to identify the auditing device.

    • Device GUID Hash: This element contains the SHA1 hash of the device GUID. For this computation the device GUID string is treated as a Unicode string and hashed as its bytes in little-endian order, not including the terminating NULL character.

    • Device Lock On Key: A secret key shared between the client device and the management server for securing audit-related messages.

    • Last Purge Sequence: An integer representing the sequence number of the last audit log event from this device.

  • Audit File Storage:

    • Hash: A unique string representing the SHA1 hash of the file content.

    • Hash Algo: The name of the algorithm used for computing the digest.

    • Status: A representation of the current state of the file upload:

      • 0: Not present

      • 1: Present

      • 2: Processing

    • Length: Length of the file.

    • File Data: File content.
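The KeyID computation in the Members collection and the Device GUID Hash in the Audit Devices collection both hash the little-endian Unicode bytes of a string with no terminating NULL. The following is an added example, not code from the specification or from any Groove implementation; it assumes that "Unicode string in little-endian byte order" means UTF-16LE, that the hashes are rendered as lowercase hex, and that the braced GUID strings are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values, not taken from any real deployment.
SAMPLE_ACCOUNT_CONFIGURATION_CODE = "{3F2504E0-4F89-11D3-9A0C-0305E82C3301}"
SAMPLE_DEVICE_GUID = "{6BA7B810-9DAD-11D1-80B4-00C04FD430C8}"


def unicode_bytes(s: str) -> bytes:
    """Bytes the protocol hashes: the Unicode (UTF-16) code units of s in
    little-endian order, with no terminating NULL character (assumption: UTF-16LE)."""
    return s.encode("utf-16-le")


def sha1_bytes(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def sha1_unicode(s: str) -> bytes:
    """SHA1 over the little-endian Unicode bytes of s."""
    return sha1_bytes(unicode_bytes(s))


def key_id(account_configuration_code: str) -> str:
    """Members.KeyID: SHA1 applied to the SHA1 digest of the account
    configuration code. Hex rendering of the result is an assumption."""
    return sha1_bytes(sha1_unicode(account_configuration_code)).hex()


def device_guid_hash(device_guid: str) -> str:
    """Audit Devices.Device GUID Hash: a single SHA1 over the device GUID string."""
    return sha1_unicode(device_guid).hex()


def matches_key_id(presented_code: str, stored_key_id: str) -> bool:
    """Check a presented configuration code against a stored KeyID without
    leaking the mismatch position through comparison timing."""
    return hmac.compare_digest(key_id(presented_code), stored_key_id.lower())


def wrong_encoding_key_id(account_configuration_code: str) -> str:
    """The common interop mistake: hashing the UTF-8 bytes instead of the
    little-endian Unicode bytes yields a different, non-matching KeyID."""
    first = sha1_bytes(account_configuration_code.encode("utf-8"))
    return sha1_bytes(first).hex()


if __name__ == "__main__":
    print("KeyID           :", key_id(SAMPLE_ACCOUNT_CONFIGURATION_CODE))
    print("Device GUID Hash:", device_guid_hash(SAMPLE_DEVICE_GUID))
    print("UTF-8 mistake   :", wrong_encoding_key_id(SAMPLE_ACCOUNT_CONFIGURATION_CODE))
```

A server that stores only the KeyID can still confirm a presented configuration code with matches_key_id, while an implementation that hashes UTF-8 bytes will never match a KeyID computed as the specification describes.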