RFC 4104
Policy Core Extension Lightweight Directory Access Protocol Schema (PCELS)
4. General Discussion of Mapping the Policy Core Information Model Extensions to LDAP
The object classes described in this document contain certain optimizations for a directory that uses LDAP as its access protocol. An example is the use of auxiliary class attachment to LDAP entries for the realization of some of the associations defined in the information model. For instance, the aggregation of a specific SimplePolicyCondition to a reusable PolicyRule [PCIM_EXT] may be realized by attaching a pcelsSimpleConditionAuxClass to a pcelsRuleInstance entry. Note that other data stores might need to implement the associations differently.4.1. Summary of Class Mappings
The classes and their properties defined in the information model [PCIM_EXT] map directly to LDAP object classes and attribute types. The details of this mapping are discussed case by case in section 5. +----------------------------------------------------------------------+ | Information Model (PCIM_EXT) | LDAP Class(es) | +----------------------------------------------------------------------+ | PolicySet | pcelsPolicySet | +----------------------------------------------------------------------+ | PolicyGroup | pcelsGroup | | | pcelsGroupAuxClass | | | pcelsGroupInstance | +----------------------------------------------------------------------+ | PolicyRule | pcelsRule | | | pcelsRuleAuxClass | | | pcelsRuleInstance | +----------------------------------------------------------------------+ | SimplePolicyCondition | pcelsSimpleConditionAuxClass | +----------------------------------------------------------------------+ | CompoundPolicyCondition | pcelsCompoundConditionAuxClass | +----------------------------------------------------------------------+
| CompoundFilterCondition | pcelsCompoundFilterConditionAuxClass |
+----------------------------------------------------------------------+
| SimplePolicyAction | pcelsSimpleActionAuxClass |
+----------------------------------------------------------------------+
| CompoundPolicyAction | pcelsCompoundActionAuxClass |
+----------------------------------------------------------------------+
| PolicyVariable | pcelsVariable |
+----------------------------------------------------------------------+
| -------------- | pcelsVendorVariableAuxClass |
+-------------------------------+--------------------------------------+
| PolicyExplicitVariable | pcelsExplicitVariableAuxClass |
+----------------------------------------------------------------------+
| PolicyImplicitVariable | pcelsImplicitVariableAuxClass |
+----------------------------------------------------------------------+
| PolicySourceIPv4Variable | pcelsSourceIPv4VariableAuxClass |
+----------------------------------------------------------------------+
| PolicySourceIPv6Variable | pcelsSourceIPv6VariableAuxClass |
+----------------------------------------------------------------------+
| PolicyDestinationIPv4Variable | pcelsDestinationIPv4VariableAuxClass |
+----------------------------------------------------------------------+
| PolicyDestinationIPv6Variable | pcelsDestinationIPv6VariableAuxClass |
+----------------------------------------------------------------------+
| PolicySourcePortVariable | pcelsSourcePortVariableAuxClass |
+----------------------------------------------------------------------+
| PolicyDestinationPortVariable | pcelsDestinationPortVariableAuxClass |
+----------------------------------------------------------------------+
| PolicyIPProtocolVariable | pcelsIPProtocolVariableAuxClass |
+----------------------------------------------------------------------+
| PolicyIPVersionVariable | pcelsIPVersionVariableAuxClass |
+----------------------------------------------------------------------+
| PolicyIPToSVariable | pcelsIPToSVariableAuxClass |
+----------------------------------------------------------------------+
| PolicyDSCPVariable | pcelsDSCPVariableAuxClass |
+----------------------------------------------------------------------+
| PolicyFlowIDVariable | pcelsFlowIDVariableAuxClass |
+----------------------------------------------------------------------+
| PolicySourceMACVariable | pcelsSourceMACVariableAuxClass |
+----------------------------------------------------------------------+
| PolicyDestinationMACVariable | pcelsDestinationMACVariableAuxClass |
+----------------------------------------------------------------------+
| PolicyVLANVariable | pcelsVLANVariableAuxClass |
+----------------------------------------------------------------------+
| PolicyCoSVariable | pcelsCoSVariableAuxClass |
+----------------------------------------------------------------------+
| PolicyEthertypeVariable | pcelsEthertypeVariableAuxClass |
+----------------------------------------------------------------------+
| PolicySourceSAPVariable | pcelsSourceSAPVariableAuxClass |
+----------------------------------------------------------------------+
| PolicyDestinationSAPVariable | pcelsDestinationSAPVariableAuxClass | +----------------------------------------------------------------------+ | PolicySNAPOUIVariable | pcelsSNAPOUIVariableAuxClass | +----------------------------------------------------------------------+ | PolicySNAPTypeVariable | pcelsSNAPTypeVariableAuxClass | +----------------------------------------------------------------------+ | PolicyFlowDirectionVariable | pcelsFlowDirectionVariableAuxClass | +----------------------------------------------------------------------+ | PolicyValue | pcelsValueAuxClass | +----------------------------------------------------------------------+ | ------------- | pcelsVendorValueAuxClass | +-------------------------------+--------------------------------------+ | PolicyIPv4AddrValue | pcelsIPv4AddrValueAuxClass | +----------------------------------------------------------------------+ | PolicyIPv6AddrValue | pcelsIPv6AddrValueAuxClass | +----------------------------------------------------------------------+ | PolicyMACAddrValue | pcelsMACAddrValueAuxClass | +----------------------------------------------------------------------+ | PolicyStringValue | pcelsStringValueAuxClass | +----------------------------------------------------------------------+ | PolicyBitStringValue | pcelsBitStringValueAuxClass | +----------------------------------------------------------------------+ | PolicyIntegerValue | pcelsIntegerValueAuxClass | +----------------------------------------------------------------------+ | PolicyBooleanValue | pcelsBooleanValueAuxClass | +----------------------------------------------------------------------+ | PolicyRoleCollection | pcelsRoleCollection | +----------------------------------------------------------------------+ | ReusablePolicyContainer | pcelsReusableContainer | | | pcelsReusableContainerAuxClass | | | pcelsReusableContainerInstance | +----------------------------------------------------------------------+ | FilterEntryBase | pcelsFilterEntryBase | +----------------------------------------------------------------------+ | IPHeadersFilter | pcelsIPHeadersFilter | +----------------------------------------------------------------------+ | 8021Filter | pcels8021Filter | +----------------------------------------------------------------------+ | FilterList | pcelsFilterListAuxClass | +----------------------------------------------------------------------+ Figure 2. Mapping of Information Model Extension Classes to LDAP The pcelsVendorVariableAuxClass and pcelsVendorValueAuxClass classes are not mapped from [PCIM_EXT]. These classes are introduced in this document as a new extension mechanism for vendor-specific policy variables and values that have not been specifically modeled. Just like for any other schema elements defined in this document or in
[PCLS], a particular submodel schema generally will not need to use vendor specific variable and value classes. Submodel schemas SHOULD apply the recommendations of section 5.10 of [PCIM_EXT] with regards to the supported and unsupported elements.4.2. Summary of Association Mappings
The associations in the information model map to one or more of the following options: 1. Attributes that reference DNs (Distinguished Names) 2. Directory Information Tree (DIT) containment (i.e., superior-subordinate relationships) in LDAP 3. Auxiliary class attachment 4. Association object classes and attributes that reference DNs The details of this mapping are discussed case by case in section 5. +----------------------------------------------------------------------+ | Information Model Association | LDAP Attribute/Class | +----------------------------------------------------------------------+ | PolicySetComponent | pcelsPolicySetComponentList in | | | pcelsPolicySet and | | | pcelsPolicySetDN in | | | pcelsPolicySetAsociation | +----------------------------------------------------------------------+ | PolicySetInSystem | DIT Containment and | | | pcelsPolicySetDN in | | | pcelsPolicySetAsociation | +----------------------------------------------------------------------+ | PolicyGroupInSystem | DIT Containment and | | | pcelsPolicySetDN in | | | pcelsPolicySetAsociation | +----------------------------------------------------------------------+ | PolicyRuleInSystem | DIT Containment and | | | pcelsPolicySetDN in | | | pcelsPolicySetAsociation | +----------------------------------------------------------------------+ | PolicyConditionStructure | pcimConditionDN in | | | pcelsConditionAssociation | +----------------------------------------------------------------------+ | PolicyConditionInPolicyRule | pcelsConditionList in | | | pcelsRule and | | | pcimConditionDN in | | | pcelsConditionAssociation | +----------------------------------------------------------------------+ | PolicyConditionInPolicyCondition | pcelsConditionList in | | | pcelsCompoundConditionAuxClass |
| | and pcimConditionDN in | | | pcelsConditionAssociation | +----------------------------------------------------------------------+ | PolicyActionStructure | pcimActionDN in | | | pcelsActionAssociation | +----------------------------------------------------------------------+ | PolicyActionInPolicyRule | pcelsActionList in | | | pcelsRule and | | | pcimActionDN in | | | pcelsActionAssociation | +----------------------------------------------------------------------+ | PolicyActionInPolicyAction | pcelsActionList in | | | pcelsCompoundActionAuxClass | | | and pcimActionDN in | | | pcelsActionAssociation | +----------------------------------------------------------------------+ | PolicyVariableInSimplePolicy | pcelsVariableDN in | | Condition | pcelsSimpleConditionAuxClass | +----------------------------------------------------------------------+ | PolicyValueInSimplePolicy | pcelsValueDN in | | Condition | pcelsSimpleConditionAuxClass | +----------------------------------------------------------------------+ | PolicyVariableInSimplePolicy | pcelsVariableDN in | | Action | pcelsSimpleActionAuxClass | +----------------------------------------------------------------------+ | PolicyValueInSimplePolicyAction | pcelsValueDN in | | | pcelsSimpleActionAuxClass | +----------------------------------------------------------------------+ | ReusablePolicy | DIT containment | +----------------------------------------------------------------------+ | ExpectedPolicyValuesForVariable | pcelsExpectedValueList in | | | pcelsVariable | +----------------------------------------------------------------------+ | ContainedDomain | DIT containment or | | | pcelsReusableContainerList in | | | pcelsReusableContainer | +----------------------------------------------------------------------+ | EntriesInFilterList | pcelsFilterEntryList in | | | pcelsFilterListAuxClass | +----------------------------------------------------------------------+ | ElementInPolicyRoleCollection | DIT containment or | | | pcelsElementList in | | | pcelsRoleCollection | +----------------------------------------------------------------------+ | PolicyRoleCollectionInSystem | DIT Containment | +----------------------------------------------------------------------+ Figure 3. Mapping of Information Model Extension Associations to LDAP
Two [PCIM_EXT] associations are mapped to DIT containment: - PolicyRoleCollectionInSystem is a weak association and weak associations map well to DIT containment [CIM_LDAP] (without being limited to this mapping). In the absence of additional constraints, DIT containment is chosen here as the optimal association mapping. - ReusablePolicy is mapped to DIT containment for scalability reasons. It is expected that applications will associate a large number of policy instances to a ReusablePolicyContainer and DIT containment is a type of association that scales well.4.3. Summary of Changes since PCLS
This section provides an overview of the changes relative to [PCLS] defined in this document: 1. The concept of a set of policies is introduced by two new object classes: pcelsPolicySet and pcelsPolicySetAssociation. These classes enable the aggregation and relative prioritization of policies (rules and/or groups). The attribute pcelsPriority is used by pcelsPolicySetAssociation instances to indicate the priority of a policy relative to the other policies aggregated by the same set. Applications may use this attribute to apply appropriate ordering to the aggregated policies. This new policy aggregation mechanism provides an alternative to the aggregation mechanism defined by [PCLS] (that defines pcimRuleContainmentAuxClass and/or pcimGroupContainmentAuxClass for attaching components to a pcimGroup). 2. The attribute pcimRoles defined by [PCLS] is used here by the pcelsPolicySet object class. Thus, the role based policy selection mechanism is extended to all the subclasses of pcelsPolicySet. 3. A new attribute pcelsDecisionStrategy is added on the pcelsPolicySet class as a mapping from the decision mechanism. 4. A new class pcelsGroup (with two subclasses), implements the modified semantics of the PolicyGroup in accordance with [PCIM_EXT]. This new class inherits from its superclass pcelsPolicySet the ability to aggregate (with relative priority) other policy rules or groups. 5. A new class pcelsRule (with two subclasses), implements the modified semantics of the PolicyRule in accordance with [PCIM_EXT]. It does not include an absolute priority attribute,
but instances of non-abstract subclasses of pcelsRule can be
prioritized relative to each other within a System (behavior
inherited from its superclass: pcelsPolicySet). The pcelsRule
class also inherits from pcelsPolicySet the ability to aggregate
other policy rules or groups, and thus, the ability to construct
nested rule structures of arbitrary complexity.
6. A new attribute pcelsExecutionStrategy is added to the pcelsRule
and pcelsCompoundActionAuxClass classes to allow the
specification of the expected behavior in case of multiple
actions aggregated by a rule or by a compound action.
7. Compound Conditions: The pcelsCompoundConditionAuxClass class is
added in order to map the CompoundPolicyCondition class. A new
class, pcelsConditionAssociation is used to aggregate policy
conditions in a pcelsCompoundConditionAuxClass. The same class
is also used to aggregate policy conditions in a pcelsRule.
8. Compound Actions: The pcelsCompoundActionAuxClass class is added
in order to map the CompoundPolicyAction class. A new class,
pcelsActionAssociation is used to aggregate policy actions in a
pcelsCompoundActionAuxClass. The same class is also used to
aggregate policy actions in a pcelsRule.
9. Simple Conditions, Simple Actions, Variables and Values: The
simple condition, simple action, variable and value classes
defined by [PCIM_EXT] are directly mapped to LDAP object classes.
These are: pcelsSimpleConditionAuxClass,
pcelsSimpleActionAuxClass, pcelsVariable and its subclasses, and
pcelsValueAuxClass and its subclasses.
10. A general extension mechanism is introduced for representing
policy variables and values that have not been specifically
modeled. The mechanism is intended for vendor-specific
extensions.
11. Reusable Policy Repository: A new class (with two subclasses),
pcelsReusableContainer is created as a subclass of
pcimRepository. While maintaining compatibility with older
[PCLS] implementations, the addition of this class acknowledges
the intent of [PCIM_EXT] to avoid the potential for confusion
with the Policy Framework component named Policy Repository.
The new class enables many-to-many associations between reusable
policy containers.
12. The ReusablePolicy association defined in [PCIM_EXT] is realized
through subordination to an instance of a non-abstract subclass
of pcelsReusableContainer. Thus, reusable policy components
(groups, rules, conditions, actions, variables and values) may
be defined as stand-alone entries or stand-alone groups of
related entries subordinated (DIT contained) to a
pcelsReusableContainer.
13. Device level filter classes are added to the schema.
14. The pcelsRoleCollection class is added to the schema to allow
the association of policy roles to resources represented as LDAP
entries.
4.4. Relationship to PCLS Classes
Several [PCLS] classes are used in this document to derive other
classes. If a PCELS application requires a functionality provided by
any of derived classes, then the [PCLS] class MUST also be supported
by PCELS implementations. These classes are:
pcimPolicy
pcimRuleConditionAssociation
pcimRuleActionAssociation
pcimConditionAuxClass
pcimActionAuxClass
pcimRepository
Other [PCLS] classes are neither derived to nor superseded by classes
defined in this document. If a PCELS application requires a
functionality provided by any of these classes, then the [PCLS] class
SHOULD be used. These classes are:
pcimRuleValidityAssociation
pcimTPCAuxClass
pcimConditionVendorAuxClass
pcimActionVendorAuxClass
pcimPolicyInstance
pcimElementAuxClass
pcimSubtreesPtrAuxClass
Among the classes defined in this document some implement concepts
that supersede the concepts implemented by similar [PCLS] classes.
PCELS implementations MAY support such [PCLS] classes. These classes
are:
pcimGroup and its subclasses
pcimRule and its subclasses
pcimGroupContainmentAuxClass
pcimRuleContainmentAuxClass
the subclasses of pcimRepository
4.5. Impact on Existing Implementations of the Policy Core LDAP Schema
In general, the intent of PCELS is to extend the functionality offered by the Policy Core LDAP Schema. For the most part, the compatibility with [PCLS] is preserved. The few cases in which compatibility cannot be achieved due to fundamental changes imposed by [PCIM_EXT], are defined here as alternatives to the original implementation. PCELS does not obsolete nor deprecate the concepts implemented by [PCLS]. The new LDAP schema items are defined in this document in a way that avoids, to the extent possible, interference with the normal operation of a reasonably well-executed implementation of [PCLS]. The intent is to permit at least a harmless coexistence of the two models in the same data repository. However, it should be noted that the PCELS introduces the following changes that may have an impact on some [PCLS] implementations: 1. Some attributes originally used only by pcimRule or pcimGroup are now also used by classes unknown to [PCLS] implementations (pcelsPolicySet, pcelsRule and pcelsGroup). In particular, the attribute pcimRoles is also used by pcelsPolicySet for role based policy selection. 2. Condition and action association classes originally used by only pcimRule are now used (through subclasses) by pcelsRule as well. 3. pcimRepository containers may include entries of types unknown to [PCLS] implementations. When the choice exists, PCELS implementations SHOULD support the new schema and MAY also support the one defined by [PCLS]. For example, if PolicyRule support is required, an implementation SHOULD be able to read or read-write (as applicable) pcelsRule entries. The same implementation MAY be able to read or read-write pcimRule.4.6. The Association of PolicyVariable and PolicyValues to PolicySimpleCondition and PolicySimpleAction
A PolicySimpleCondition, as well as a PolicySimpleAction, includes a single PolicyValue and a single PolicyVariable. Each of them can be attached or referenced by a DN.
The attachment helps create compact PolicyCondition and PolicyAction definitions that can be efficiently provisioned and retrieved from the repository. On the other hand, referenced PolicyVariables and PolicyValues instances can be reused in the construction of multiple policies and permit an administrative partitioning of the data and policy definitions.4.7. The Aggregation of PolicyRules and PolicyGroups in PolicySets
In [PCIM_EXT], the two aggregations PolicyGroupInPolicyGroup and PolicyRuleInPolicyGroup, are combined into a single aggregation PolicySetComponent. This aggregation and the capability of association between a policy and the ReusablePolicyContainer offer new possibilities of reusability. Furthermore, these aggregations introduce new semantics representing the execution of one PolicyRule within the scope of another PolicyRule. Since PolicySet is defined in [PCIM_EXT], it is mapped in this document to a new class pcelsPolicySet in order to provide an abstraction for a set of policy rules or groups. The aggregation class PolicySetComponent in [PCIM_EXT] is mapped to a multi-value attribute pcelsPolicySetList in the pcelsPolicySet class and the attribute pcelsPolicySetDN in the pcelsPolicySetAssociation. These attributes refer to the nested rules and groups. It is possible to store a rule/group nested in another rule/group in two ways. The first way is to define the nested rule/group as specific to the nesting rule/group. The second way is to define the nested rules/groups as reusable.
First case: Specific nested sets (rules/groups). +----------+ |Rule/Group| | | +-----|- -|-----+ | +----------+ | | * * | | * * | | **** **** | | * * | v * * v +-----------+ +-----------+ | SA1+Set1 | | SA2+Set2 | +-----------+ +-----------+ +------------------------------+ |LEGEND: | | ***** DIT containment | | + auxiliary attachment | | ----> DN reference | +------------------------------+ #: Number. Set#: pcelsRuleAuxClass or pcelsGroupAuxClass auxiliary class. SA#: pcelsPolicySetAssocation structural class. Figure 4. Policy Set with Specific Components The nesting pcelsPolicySet refers to instances of pcelsPolicySetAssociation using the attribute pcelsPolicySetList. These structural association classes are subordinated (DIT contained) to an instance of a non-abstract subclass of pcelsPolicySet and represent the association between the PolicySet and its nested rules/groups. The nested instances of auxiliary subclasses of pcelsPolicySet are attached to the association entries.
Second case: Reusable nested sets (rules/groups). +----------+ +-------------+ |Rule/Group| | ContainerX | +-|- -|--+ | | | +----------+ | +-------------+ | * * | * * | *** **** | * * | * * v * * | * +---+ * * | * |SA2| +-------+ * v * | -|-------->|S1+Set2| * +---+ +---+ +-------+ * |SA1| +-------+ | -|------------------------------>|S2+Set3| +---+ +-------+ +------------------------------+ |LEGEND: | | ***** DIT containment | | + auxiliary attachment | | ----> DN reference | +------------------------------+ Set#: pcelsRuleAuxClass or pcelsGroupAuxClass auxiliary class. SA#: PolicySetAssocation structural class. S#: structural class. Figure 5. Policy Set with Reusable Components The nesting pcelsPolicySet refers to instances of pcelsPolicySetAssociation using the attribute pcelsPolicySetList. These structural association classes are subordinated (DIT contained) to an instance of a non-abstract subclass of pcelsPolicySet and represent the association between the PolicySet and its nested rules/groups. The reusable rules/groups are instantiated here as auxiliary classes and attached to pcimPolicyInstance entries in the reusable container. Another option is to use the structural subclasses for defining reusable rules/groups. The association classes belonging to a nesting policy set are reference the reusable rules/groups using the attribute pcelsPolicySetDN. A combination of both specific and reusable components is also allowed for the same policy set.
4.8. The Aggregation of Actions/Conditions in PolicyRules and CompoundActions/CompoundConditions
[PCIM_EXT] defines two new classes that allow the designer to create more complex conditions and actions. CompoundPolicyCondition and CompoundPolicyAction classes are mapped in this document to pcelsCompoundConditionAuxClass and pcelsCompoundActionAuxClass classes that are subclasses of pcimConditionAuxClass/pcimActionAuxClass. The compound conditions/actions defined in [PCIM_EXT] extend the capability of the rule to associate, group and evaluate conditions or execute actions. The conditions/actions are associated to compounds conditions/actions in the same way as they are associated to the rules. In this section, how to store instances of these classes in an LDAP Directory is explained. As a general rule, specific conditions/actions are subordinated (DIT contained) to the rule or compound condition/action that aggregates them and are attached to association class instances. Reusable conditions/actions are subordinated to pcelsReusableContainer instances and attached to pcimPolicyInstance instances. The examples below illustrate the four possible cases combining specific/reusable compound/non-compound condition/action. The rule has two compound conditions, each one has two different conditions. The schemes can be extended in order to store actions. The examples below are based on and extend those illustrated in the section 4.4 of [PCLS].
First case: Specific compound condition/action with specific
conditions/actions.
+--------------+
+------| Rule |------+
| +--------------+ |
| * * |
| ********* ********* |
v * * v
+---------+ +---------+
+-| CA1+cc1 |-+ +-| CA2+cc2 |-+
| +---------+ | | +---------+ |
| * * | | * * |
| **** **** | | **** **** |
v * * v v * * v
+------+ +------+ +------+ +------+
|CA3+c1| |CA4+c2| |CA5+c3| |CA6+c4|
+------+ +------+ +------+ +------+
+------------------------------+
|LEGEND: |
| ***** DIT containment |
| + auxiliary attachment |
| ----> DN reference |
+------------------------------+
#: Number.
CA#: pcelsConditionAssociation structural class.
cc#: pcelsCompoundConditionAuxClass auxiliary class.
c#: subclass of pcimConditionAuxClass.
Figure 6. Specific Compound Conditions with Specific Components
Because the compound conditions/actions are specific to the Rule,
They are auxiliary attachments to instances of the structural classes
pcelsConditionAssociation or pcelsActionAssociation. These
structural classes represent the association between the rule and the
compound condition/action. The rule specific conditions/actions are
therefore subordinated (DIT contained) to the rule entry.
The conditions/actions are tied to the compound conditions/actions in
the same way the compound conditions/actions are tied to rules.
Association classes realize the association between the aggregating
compound conditions/actions and the specific conditions/actions.
Second case: Rule specific compound conditions/actions with
reusable conditions/actions.
+-------------+ +---------------+
+------| Rule |-----+ | ContainerX |
| +-------------+ | +---------------+
| * * | * * * *
| * * | **** * * *
| ********* ******** | * * * ********
| * * v * * * *
| * +---------+ * * **** *
| * +-| CA2+cc2 |-+ * * * *
| * | +---------+ | * * * *
v * | * * | * * * *
+---------+ | **** **** | * * * *
+-| CA1+cc1 |-+ | * * v * * * *
| +---------+ | | * +------+ +-----+ * * *
| * * | v * | CA6 |->|S1+c4| * * *
| **** **** | +------+ +------+ +-----+ +-----+ * *
| * * v | CA5 |------------------>|S2+c3| * *
| * +------+ +------+ +-----+ +-----+ *
v * | CA4 |------------------------------------->|S3+c2| *
+------+ +------+ +-----+ +-----+
| CA3 |------------------------------------------------------>|S4+c1|
+------+ +-----+
+------------------------------+
|LEGEND: |
| ***** DIT containment |
| + auxiliary attachment |
| ----> DN reference |
+------------------------------+
#: Number.
CA#: pcelsConditionAssociation structural class.
cc#: pcelsCompoundConditionAuxClass auxiliary class.
c#: subclass of pcimConditionAuxClass.
S#: structural class
Figure 7. Specific Compound Conditions with Reusable Components
This case is similar to the first one. The conditions/actions are
reusable and are therefore not attached to the association classes,
but rather to structural classes in the reusable container. The
association classes tie the conditions/actions in located in a
reusable container to their aggregators using DN references.
Third case: Reusable compound condition/action with specific
conditions/actions.
+--------------+ +--------------+
| Rule | | RepositoryX |
+---+--------------+----+ +--------------+
| * * | * *
| ******* ******* | ******** ********
| * * v * *
| * +----------+ +---------+ *
| * | CA2 |--->| S1+cc2 | *
| * +----------+ +-+---------+-+ *
| * | * * | *
| * | **** **** | *
| * v * * v *
| * +------+ +------+ *
| * |CA5+c3| |CA6+c4| *
v * +------+ +------+ *
+----------+ +---------+
| CA1 |----------------------------------------->| S2+cc1 |
+----------+ +-+---------+-+
| * * |
| **** **** |
v * * v
+------+ +------+
|CA3+c1| |CA4+c2|
+------+ +------+
+------------------------------+
|LEGEND: |
| ***** DIT containment |
| + auxiliary attachment |
| ----> DN reference |
+------------------------------+
#: Number.
CA#: pcelsConditionAssociation structural class.
cc#: pcelsCompoundConditionAuxClass auxiliary class.
c#: subclass of pcimConditionAuxClass.
S#: structural class
Figure 8. Reusable Compound Conditions with Specific Components
Re-usable compound conditions/actions are attached to structural
classes and stored in a reusable policy container. They are related
to the rule through a DN reference attribute in the association
classes.
Specific conditions/actions are attached to association entries and
subordinated (DIT contained) to the aggregating compound
conditions/actions.
Fourth case: Reusable conditions/actions and compound
conditions/actions.
+------+ +---------------+ +---------------+
+-----| Rule |-----+ | ContainerX | | ContainerY |
| +------+ | +---------------+ +---------------+
| * * | * * * * * *
| ****** ****** | *** *** *** * * *****
| * * v * * * * * *
| * +-------+ +------+ * * * *** *
| * | CA2 |->|S1+ca1| * * * * *
| * +-------+ +------+ * * * * *
| * / * * \ * * * * *
| * |** ** | * * * * *
| * |* * v * * * * *
| * |* +---+ * +-----+ * * *
| * |* |CA6|----*--->|S3+c4| * * *
| * v* +---+ * +-----+ * * *
| * +---+ * +-----+ * *
| * |CA5|-----------*--------->|S4+c3| * *
v * +---+ * +-----+ * *
+-------+ +------+ * *
| CA1 |-------------------------->|S2+cc1| * *
+-------+ +------+ * *
/ * * \ * *
| ** ** | * *
| * * v * *
| * +---+ +-----+ *
| * |CA4|---------->|S5+c2| *
v * +---+ +-----+ *
+---+ +-----+
|CA3|--------------------->|S6+c1|
+---+ +-----+
+------------------------------+
|LEGEND: |
| ***** DIT containment |
| + auxiliary attachment |
| ----> DN reference |
+------------------------------+
#: Number.
CA#: pcelsConditionAssociation structural class.
cc#: pcelsCompoundConditionAuxClass auxiliary class.
c#: subclass of pcimConditionAuxClass. S#: structural class Figure 9. Reusable Compound Conditions with Reusable Components All the conditions/actions are reusable so they are stored in reusable containers. The figure above illustrates two different reusable policy containers, but the number of containers in the system is decided based on administrative reasons. The conditions, actions, etc. may be stored in the same or different containers with no impact on the policy definition semantics.5. Class Definitions
The semantics for the policy information classes that are to be mapped directly from the information model to an LDAP representation are detailed in [PCIM_EXT]. Consequently, this document presents only a brief reference to those semantics. The focus here is on the mapping from the information model (which is independent of repository type and access protocol) to a form that can be accessed using LDAP. For various reasons including LDAP specific optimization, this mapping is not always 1:1. Some new classes and attributes (that were not part of [PCIM] or [PCIM_EXT]) needed to be created in order to implement the LDAP mapping. These new LDAP-only classes are fully defined in this document. The following notes apply to this section in its entirety. Note 1: The formal language for specifying the classes, attributes, and DIT structure and content rules is that defined in [LDAP_SYNTAX]. In the following definitions, the class and attribute definitions follow [LDAP_SYNTAX] but they are line-wrapped to enhance human readability. Note 2: Even though not explicitly noted in the following class and attribute definitions, implementations may define DIT structure and content rules where applicable and supported by the underlying LDAP infrastructure. In such cases, the DIT structure rule considerations discussed in section 5 of [PCLS] must be applied to PCELS implementations as well. The reasons and details are presented in [X.501]. Note 3: Wherever possible, an equality, a substrings and an ordering matching rule are defined for a particular attribute. This provides additional implementation flexibility. However, in some cases, the LDAP matching semantics may not cover all the application needs. For instance, different values of pcelsIPv4AddrList may be semantically equivalent. The equality matching rule, caseIgnoreMatch, associated
to this attribute type is not suitable for detecting this equivalence. Implementers should not rely solely on LDAP syntaxes and matching rules for being consistent with this specification. Note 4: The following attribute definitions use only LDAP matching rules and syntax definitions from [LDAP_SYNTAX], [LDAP_SCHEMA] and [LDAP_MATCH]. The corresponding X.500 matching rules are defined in [X.520]. Note 5: Some of the following attribute types MUST conform to additional constraints on various data types (e.g., the only valid values for pcelsDecisionStrategy are 1 and 2). Just like the attribute semantics, the definition of the value structures, valid ranges, etc. is covered by [PCIM_EXT] for the corresponding properties while such constraints are only briefly mentioned in this document. In all cases, if a constraint is violated, the entry SHOULD be treated as invalid and the policy rules or groups that refer to it SHOULD be treated as being disabled, meaning that the execution of such policy rules or groups SHOULD be stopped. Note 6: Some of the object classes defined in this section cannot or should not be directly instantiated because they are either defined as abstract or do not implement stand-alone semantics (e.g., pcelsValueAuxClass). Regarding instances of objects that inherit from such classes, the text refers to "instances of <class_name>" when in fact the strictly correct expression would be "instances of objects that belong to non-abstract subclasses of <class_name>". The omission is intentional; it makes the text easier to read.5.1. The Abstract Class pcelsPolicySet
The pcelsPolicySet class represents a set of policies with a common decision strategy and a common set of policy roles. This class together with the pcelsPolicySetAssociation class defined in a subsequent section of this document provide sufficient information to allow applications to apply appropriate ordering to a set of policies. The pcelsPolicySet is mapped from the PolicySet class [PCIM_EXT]. The pcelsPolicySet class is an abstract object class and it is derived from the pcimPolicy class [PCLS]. The pcelsPolicySetList attribute of a pcelsPolicySet instance references subordinated pcelsPolicySetAssociation entries. The aggregated pcelsPolicySet instances are either attached to the pcelsPolicySetAssociation entries as auxiliary object classes or referenced by the pcelsPolicySetAssociation entries using the pcelsPolicySetDN attribute.
The pcelsPolicySet class is defined as follows:
( 1.3.6.1.1.9.1.1
NAME 'pcelsPolicySet'
DESC 'Set of policies'
SUP pcimPolicy
ABSTRACT
MAY ( pcelsPolicySetName
$ pcelsDecisionStrategy
$ pcimRoles
$ pcelsPolicySetList )
)
One of the attributes of the pcelsPolicySet class, pcimRoles is
defined in the section 5.3 of [PCLS]. In the pcelsPolicySet class
the pcimRole attribute preserves its syntax and semantics as defined
by [PCLS] and [PCIM].
The pcelsPolicySetName attribute type may be used as naming attribute
for pcelsPolicySet entries. This attribute type is of syntax
Directory String [LDAP_SYNTAX]. It has an equality matching rule of
caseIgnoreMatch, an ordering matching rule of caseIgnoreOrderingMatch
and a substrings matching rule of caseIgnoreSubstringsMatch
[LDAP_SYNTAX]. Attributes of this type can only have a single value.
This attribute type is defined as follows:
( 1.3.6.1.1.9.2.1
NAME 'pcelsPolicySetName'
DESC 'User-friendly name of a policy set'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
The pcelsDecisionStrategy attribute type indicates the evaluation
method for the policies aggregated in the policy set. It is mapped
from the PolicySet.PolicyDecisionStrategy property [PCIM_EXT]. This
attribute type is of syntax Integer [LDAP_SYNTAX]. It has an
equality matching rule of integerMatch [LDAP_SYNTAX] and an ordering
matching rule of integerOrderingMatch [LDAP_MATCH]. Attributes of
this type can only have a single value. The only allowed values for
attributes of this type are 1 (FirstMatching) and 2 (AllMatching).
If this attribute is missing from a pcelsPolicySet instance,
applications MUST assume a FirstMatching decision strategy for the
policy set.
This attribute type is defined as follows:
( 1.3.6.1.1.9.2.2
NAME 'pcelsDecisionStrategy'
DESC 'Evaluation method for the components of a pcelsPolicySet'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
)
The pcelsPolicySetList attribute type is used in the realization of
the PolicySetComponent association [PCIM_EXT]. This attribute type
is of syntax DN [LDAP_SYNTAX]. It has an equality matching rule of
distinguishedNameMatch [LDAP_SYNTAX]. Attributes of this type can
have multiple values. The only allowed values for pcelsPolicySetList
attributes are DNs of pcelsPolicySetAssociation entries. In a
pcelsPolicySet, the pcelsPolicySetList attribute represents the
associations between this policy set and its components.
This attribute type is defined as follows:
( 1.3.6.1.1.9.2.3
NAME 'pcelsPolicySetList'
DESC 'Unordered set of DNs of pcelsPolicySetAssociation entries'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
)
Note: A pcelsPolicySet instance aggregates other pcelsPolicySet
instances using pcelsPolicySetAssociation entries (defined in the
next section). Applications can sort the components of a
pcelsPolicySet using attributes of the pcelsPolicySetAssociation
entries. However, implementations should not expect the LDAP data
store to provide a useful ordering of the pcelsPolicySetList values
in a pcelsPolicySet instance or to return sets of matching
pcelsPolicySetAssociation entries in a meaningful order. Instead,
applications SHOULD implement their own means for post-retrieval
ordering of policy rules/groups based on
pcelsPolicySetAssociation.pcelsPriority values.
5.2. The Structural Class pcelsPolicySetAssociation
The pcelsPolicySetAssociation class is used to associate PolicySet instances [PCIM_EXT] to other entries. pcelsPolicySetAssociation entries are always subordinated to the aggregating entry. When subordinated to an instance of pcelsPolicySet, pcelsPolicySetAssociation realizes a PolicySetComponent association [PCIM_EXT]. When subordinated to an instance of dlm1System [CIM_LDAP], pcelsPolicySetAssociation realizes a PolicySetInSystem association [PCIM_EXT]. The pcelsPolicySetAssociation class is a structural object class and it is derived from the pcimPolicy class [PCLS]. The aggregation of a reusable pcelsPolicySet instance is realized via the pcelsPolicySetDN attribute. A non-reusable pcelsPolicySet instance is attached (as auxiliary subclass of pcelsPolicySet) directly to the pcelsPolicySetAssociation entry. When reading a pcelsPolicySetAssociation instance that has a pcelsPolicySet attached, the attribute pcelsPolicySetDN MUST be ignored. Applications SHOULD remove the pcelsPolicySetDN value from a pcelsPolicySetAssociation upon attachment of a pcelsPolicySet to the entry. The pcelsPolicySetAssociation class is defined as follows: ( 1.3.6.1.1.9.1.2 NAME 'pcelsPolicySetAssociation' DESC 'Associates a policy set to an aggregating entry' SUP pcimPolicy STRUCTURAL MUST ( pcelsPriority ) MAY ( pcelsPolicySetName $ pcelsPolicySetDN ) ) The pcelsPriority attribute type indicates the priority of a policy set component. This attribute type is of syntax Integer [LDAP_SYNTAX]. It has an equality matching rule of integerMatch [LDAP_SYNTAX] and an ordering matching rule of integerOrderingMatch [LDAP_MATCH]. Attributes of this type can only have single values. The only allowed values for attributes of this type are non-negative integers. Within the set of pcelsPolicySetAssociation entries directly subordinated to a pcelsPolicySet or a dlm1System [CIM_LDAP], the pcelsPriority values MUST be unique.
This attribute type is defined as follows:
( 1.3.6.1.1.9.2.4
NAME 'pcelsPriority'
DESC 'Priority of a component'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
)
The pcelsPolicySetDN attribute type is used in the aggregation of
PolicySet instances [PCIM_EXT]. This attribute type is of syntax DN
[LDAP_SYNTAX]. It has an equality matching rule of
distinguishedNameMatch [LDAP_SYNTAX]. Attributes of this type can
only have single values. The only allowed values for
pcelsPolicySetDN attributes are DNs of pcelsPolicySet entries.
This attribute type is defined as follows:
( 1.3.6.1.1.9.2.5
NAME 'pcelsPolicySetDN'
DESC 'DN of a pcelsPolicySet entry'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE-VALUE
)
(page 30 continued on part 3)
