Purpose of the PCIM
• Provide a set of classes and relationships that provide an extensible means for defining policy control of managed objects
  » Represents the structure, not the contents, of a policy
  » Content provided by subclassing classes to derive technology- and vendor-specific conditions, actions, and other elements
Strassner-Policy Theory and Practice – IM2001

PCIM Overview (1)
• Policy-based management assumes that the network is modeled as a state machine
• Classes and relationships are used to model:
  » the state of an entity
  » settings to be applied to an entity that either maintain an entity's state or move the entity to a new state
  » policies that control the application of settings

PCIM Overview (2)
• Thus, policy is applied using a set of rules
  » Each rule has a set of conditions that specify when the policy should be applied
    – Conditions can be specified in CNF or DNF
  » Each rule has a set of actions that are executed if the conditions are TRUE
    – Execution order can be specified
  » Rules may be prioritized and grouped together to model an administrative hierarchy

Policy Core Model: Groups & Rules
[Figure: Policy Core Model: Groups & Rules. Class diagram. Classes: ManagedElement; System; AdminDomain; Policy (ABSTRACT) with CommonName: string and PolicyKeywords: string[ ]; PolicyGroup with CreationClassName: string[key] and PolicyGroupName: string[key]; PolicyRule with CreationClassName: string[key], PolicyRuleName: string[key], Enabled: uint16, ConditionListType: uint16, RuleUsage: string, Priority: uint16, Mandatory: boolean, SequencedActions: uint16, PolicyRoles: string[ ]; PolicyRepository. Associations and aggregations shown: Dependency, SystemComponent, PolicyComponent, PolicyInSystem (0..1 System to * Policy), PolicyGroupInSystem, PolicyRuleInSystem, PolicyGroupInPolicyGroup, PolicyRuleInPolicyGroup, PolicyConditionInPolicyRule, PolicyRepositoryInPolicyRepository, PolicyConditionInPolicyRepository (0..1), PolicyActionInPolicyRepository (0..1).]

Policy Class
• Policy Class (Abstract)
  » Root of the policy tree
  » Carries common attributes to all policy classes
    – Caption, Description from CIM ME
    – OrderedCIMKeys to represent CIM hierarchy
    – cn from X.520
    – PolicyKeywords
  » PolicyElementAuxClass is an aux class to represent this class and enables any object in the DIT to be identified as a policy class

PolicyRule
• A PolicyRule consists of a set of conditions and a set of actions
  » Boolean logic assumed
  » If condition clause is TRUE, then action clause may execute
  » Rule-specific and reusable policy rules are supported by using the PolicyConditionInPolicyRule and PolicyActionInPolicyRule aggregations
  » Multiple time periods may be used to define a schedule for which this PolicyRule is active by using the PolicyRuleValidityPeriod aggregation
  » Rules may be prioritized

Types of PolicyRules
• Rule-specific PolicyRules are those whose components are embedded in the PolicyRule itself.
  » The terms making up the PolicyRule can NOT be reused by other PolicyRules
• Reusable PolicyRules share one or more components with other PolicyRules
  » PolicyRule components are stored in a common Policy Repository and referenced by the PolicyRules using them
• Each has implementation implications

PolicyGroup
• PolicyRules may be aggregated into PolicyGroups, which may be nested
  » Enables hierarchical representation of policy (per-user, per-domain, etc.)
• Special semantics defined in QoS information model to represent different administrative scopes and groupings of rules

PolicyRepository
• Represents an administratively-defined container for holding REUSABLE policy conditions and actions
  » May be extended to hold other types of reusable policy "building blocks"
  » May be nested to provide more granular domain control

PCIM: Conditions & Actions
[Figure: PCIM: Conditions & Actions. Class diagram. Policy (ABSTRACT: CommonName, PolicyKeywords), PolicyGroup, AdminDomain and PolicyRule (attributes as in the previous figure) at the top; PolicyRule aggregates PolicyCondition via PolicyConditionInPolicyRule, PolicyAction via PolicyActionInPolicyRule and PolicyTimePeriodCondition via PolicyRuleValidityPeriod. PolicyCondition (ABSTRACT) keys: SystemCreationClassName: string[key], SystemName: string[key], PolicyRuleCreationClassName: string[key], PolicyRuleName: string[key], CreationClassName: string[key], PolicyConditionName: string[key]. Subclasses: PolicyTimePeriodCondition (TimePeriod: string, MonthOfYearMask: uint8[ ][Octetstring], DayOfMonthMask: uint8[ ][Octetstring], DayOfWeekMask: uint8[ ][Octetstring], TimeOfDayMask: string, LocalOrUtcTime: uint16) and VendorPolicyCondition (Constraint: Octetstring[ ], ConstraintEncoding: string[OID]). PolicyAction (ABSTRACT) keys: SystemCreationClassName, SystemName, PolicyRuleCreationClassName, PolicyRuleName, CreationClassName, PolicyActionName (all string[key]). Subclass: VendorPolicyAction (ActionData: Octetstring[ ], ActionEncoding: string[OID]). PolicyRepository holds reusable conditions and actions via PolicyConditionInPolicyRepository (0..1) and PolicyActionInPolicyRepository (0..1).]

Policy Conditions
• Abstract base class for domain-specific conditions that will be defined by domain-specific models (e.g., QoS model, IPSec model)
• Boolean condition expressed in CNF or DNF
  » Individual condition terms can be negated
• Only defines keys (7 - System, PolicyRule, and its own CCN, Name, and a user-friendly name)

Expressing Policy Conditions
• PolicyRule.ConditionListType defines how to interpret the condition (e.g., CNF or DNF)
• PolicyConditionInPolicyRule contains two additional properties:
  » GroupNumber indicates the group to which the PolicyCondition belongs
  » ConditionNegated is a boolean that, if TRUE, indicates that this condition is negated

Reusable PolicyConditions
• Stored in a PolicyRepository and referenced using the association PolicyConditionInPolicyRepository
  » Rule-specific PolicyConditions do NOT use this association; thus:
    – Cardinality is 0 for rule-specific, 1 for reusable
  » QPIM extends this so that different conditions can be stored in different portions of the repository
    – Different portions implies different scopes and application

PolicyTimePeriodCondition
• Subclass of PolicyCondition to represent time when PolicyRule is active
  » If not specified, then rule is always active
  » PolicyRuleValidityPeriod is an aggregation that defines the set of time periods for a given PolicyRule
• Instances may have up to 5 properties that together specify the time period
  » Property values are ANDed to determine the validity period; properties not present are treated as having their value always enabled

Policy Actions
• Abstract base class for domain-specific actions that will be defined by domain-specific models
  » Deployed actions are bound to a System; reusable actions exist in a PolicyRepository
  » Only defines keys (7 - System, PolicyRule, and its own CCN and Name, and a user-friendly name)
• Stored in a PolicyRepository and referenced using PolicyActionInPolicyRepository association
  » Rule-specific PolicyActions do NOT use this association; thus, cardinality is 0 for rule-specific, 1 for reusable

Policy Actions (2)
• PolicyActionInPolicyRule aggregation contains the set of action clauses for a given PolicyRule
  » ActionOrder property indicates relative position of an action in the sequence of actions associated with a PolicyRule
    – If n is a positive integer, it defines the order, with smaller integers being ordered first
    – 0 is a special value that indicates "don't care"
    – Two or more properties with the same value can be executed in any order, as long as they are executed in the correct overall order in the sequence

Rule-Specific Policy Structure
• PolicyRule is a container that holds PolicyConditions and PolicyActions
  » QPIM extends this so that a condition is treated as a container
• To do this attachment
  » PolicyRule is a structural class
  » PolicyCondition and PolicyAction are both auxiliary classes

Rule-Specific Example
[Figure: Rule-Specific Example. Rule 1 (structural) holds Condition 1 (structural, aux attached) and Action 1 (structural, aux attached) by DIT containment. The DN pointers represent the association between Rule 1 and Condition 1 and between Rule 1 and Action 1; the attached aux classes represent the condition itself and the action itself.]

Reusable Components
• Policy components can be specific to a rule or reusable among many rules
  » Rule-specific information is attached to the rule itself
  » Reusable information is stored in a container that is referenced by the rule
• The only difference between a reusable and a rule-specific component is in the intent of the administrator
  » No difference in functionality

Reusable Components (2)
• PCIM defines a policy repository to store reusable information. This causes some subtle differences, including:
  » access control can be specified for rule-specific conditions and actions, but not for reusable ones
  » referential integrity should be enforced for rule-specific elements; harder to do in the reusable case
  » mapping to a data model is more difficult

Reusable Rule Example
[Figure: Reusable Rule Example. Rule 1 (structural) holds Condition 1 (structural) and Action 1 (structural) by DIT containment; these entries represent the association between Rule 1 and Condition 1 and between Rule 1 and Action 1. Each carries a DN pointer to ConditionInstance (structural) and ActionInstance (structural), which are held by DIT containment under PolicyRepository (structural). Condition 1 Aux and Action 1 Aux (aux attachment) on those instances represent the condition itself and the action itself.]

PolicyInstance
• Uses DIT content rules to allow a PolicyConditionAuxClass or a PolicyActionAuxClass to be attached to it
• Uses DIT structure rules to enable it to be named using either PolicyInstanceName, cn, or OrderedCIMKeys

PolicySubtreesPtrAuxClass
• This aux class provides a single multivalued attribute to point to the root of a set of subtrees that contain policy information
  » Attaching this attribute to other class instances enables the administrator to define entry points to related policy information
    – Can be used to define the order of visiting information in the policy tree (e.g., for a PDP)
    – Can be used to tie different subtrees together

PolicyElementAuxClass
• This class is the aux equivalent of the Policy class
  » Enables tagging of selected instances that are outside of the policy class hierarchy, but are nevertheless policy-related
  » This works through searching on oc=policy
  » Note that some directories don't support this, so in these cases, policy-related entries must be tagged with the keyword Policy and searched on using an attribute search

Aux Containment Classes
• PolicyGroupContainmentAuxClass and PolicyRuleContainmentAuxClass
  » Each contains a single multi-valued attribute that points to a set of PolicyGroups and PolicyRules, respectively
  » Enables the administrator to bind PolicyGroups/PolicyRules to a container

PCIM Extensions
• New draft to simplify and encourage use of PCIM
  » PolicyRepository broadened & renamed
  » Rules may contain groups & other rules (context)
  » Priorities & decision strategies clarified
  » Refinements in the use of PolicyRoles
  » Compound conditions & actions (reusable)
  » Transactional semantics for action execution
  » Variables & values, for conditions & actions
  » Packet filtering in policy conditions based on variables/values

Building PolicyConditions
• The PolicyConditionInPolicyRule association has properties that require special mapping
  » PolicyRuleConditionAssociation represents the properties and is attached via DIT containment
  » The conditions themselves are represented by the PolicyConditionAuxClass (and its subclasses) which are either
    – attached directly to instances of the PolicyRuleConditionAssociation for rule-specific classes, or
    – indirectly, using a DN pointer to refer to an instance of a PolicyConditionInstance class

PolicyRuleConditionAssociation (1)
• Contains properties characterizing the relationship between a rule and a condition
  » PolicyConditionGroupNumber - used to group conditions according to CNF or DNF
  » PolicyConditionNegated - flag defining if a condition is negated or not
  » PolicyConditionDN - pointer to a reusable PolicyCondition (should be NULL if rule-specific)
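The rule semantics spread over the preceding slides (conditions grouped by GroupNumber and interpreted per ConditionListType as CNF or DNF, ConditionNegated, PolicyTimePeriodCondition properties ANDed with absent properties always enabled, ActionOrder with 0 as "don't care") as one added, runnable example in Python. This is not code from the slides or from any PCIM implementation: the DNF = 1 / CNF = 2 labelling, the simplified validity-period representation, the choice that a rule with several validity periods is active when any one of them is, and the placement of "don't care" actions after the ordered ones are assumptions made here, and the sample rules and requests are constructed.

```python
"""Added example (not from the slides): evaluating a PCIM-style PolicyRule.
Assumptions: condition terms are Python predicates over a request dict; group_number and
negated mirror GroupNumber/ConditionNegated on PolicyConditionInPolicyRule; ConditionListType
is labelled DNF = 1, CNF = 2; a validity period is simplified to a day-of-week set plus a
time-of-day window (the model's masks are octet strings); a rule with several validity
periods is active when any one of them is active; the sample rules below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Optional

DNF, CNF = 1, 2  # ConditionListType values (labelling assumed here)


def at(iso: str) -> datetime:
    return datetime.fromisoformat(iso)  # e.g. "2024-01-02T10:00"


@dataclass
class ConditionRef:
    """One PolicyConditionInPolicyRule link: the term plus its two association properties."""
    term: Callable[[dict], bool]
    group_number: int = 1
    negated: bool = False

    def evaluate(self, request: dict) -> bool:
        value = bool(self.term(request))
        return (not value) if self.negated else value


@dataclass
class ValidityPeriod:
    """Simplified PolicyTimePeriodCondition: present properties are ANDed, absent ones always pass."""
    days_of_week: Optional[set] = None   # 0 = Monday ... 6 = Sunday
    time_of_day: Optional[tuple] = None  # ("HH:MM", "HH:MM"): start inclusive, end exclusive

    def active_at(self, when: datetime) -> bool:
        if self.days_of_week is not None and when.weekday() not in self.days_of_week:
            return False
        if self.time_of_day is not None:
            start, end = self.time_of_day
            if not (start <= when.strftime("%H:%M") < end):
                return False
        return True


@dataclass
class ActionRef:
    name: str
    action_order: int = 0  # PolicyActionInPolicyRule.ActionOrder; 0 means "don't care"


@dataclass
class PolicyRule:
    name: str
    conditions: list
    actions: list
    condition_list_type: int = DNF
    validity: list = field(default_factory=list)  # PolicyRuleValidityPeriod aggregation

    def is_active(self, when: datetime) -> bool:
        # No PolicyTimePeriodCondition attached: the rule is always active.
        return not self.validity or any(v.active_at(when) for v in self.validity)

    def conditions_hold(self, request: dict) -> bool:
        groups = {}
        for c in self.conditions:
            groups.setdefault(c.group_number, []).append(c.evaluate(request))
        if not groups:
            return True
        if self.condition_list_type == DNF:
            return any(all(g) for g in groups.values())  # AND inside a group, OR across groups
        return all(any(g) for g in groups.values())      # OR inside a group, AND across groups

    def ordered_actions(self) -> list:
        # Positive ActionOrder values run ascending (equal values keep listing order);
        # "don't care" (0) actions are placed after the explicitly ordered ones.
        explicit = sorted((a for a in self.actions if a.action_order > 0), key=lambda a: a.action_order)
        return [a.name for a in explicit + [a for a in self.actions if a.action_order == 0]]


def evaluate_rule(rule: PolicyRule, request: dict, when: datetime) -> list:
    """Action names to execute, in order, or [] when the rule does not fire."""
    if not rule.is_active(when) or not rule.conditions_hold(request):
        return []
    return rule.ordered_actions()


def build_dnf_rule() -> PolicyRule:
    """Constructed sample: finance VLAN AND port 443, only on weekdays 09:00-17:00."""
    return PolicyRule("FinanceHttpsBusinessHours", condition_list_type=DNF,
        conditions=[ConditionRef(lambda r: r.get("src_vlan") == "finance", 1),
                    ConditionRef(lambda r: r.get("dst_port") == 443, 1)],
        actions=[ActionRef("log_match", 2), ActionRef("count_bytes", 0), ActionRef("mark_dscp_af41", 1)],
        validity=[ValidityPeriod(days_of_week={0, 1, 2, 3, 4}, time_of_day=("09:00", "17:00"))])


def build_cnf_rule() -> PolicyRule:
    """Constructed sample: (finance OR hr) AND NOT port 25, in CNF with a negated term."""
    return PolicyRule("NoSmtpFromFinanceOrHr", condition_list_type=CNF,
        conditions=[ConditionRef(lambda r: r.get("src_vlan") == "finance", 1),
                    ConditionRef(lambda r: r.get("src_vlan") == "hr", 1),
                    ConditionRef(lambda r: r.get("dst_port") == 25, 2, negated=True)],
        actions=[ActionRef("permit", 1)])
```

Calling evaluate_rule(build_dnf_rule(), {"src_vlan": "finance", "dst_port": 443}, at("2024-01-02T10:00")) returns the three action names with mark_dscp_af41 (ActionOrder 1) first and count_bytes (ActionOrder 0) last; the same request on a Saturday returns [] because the single validity period does not match. The CNF rule shows why GroupNumber matters: the two VLAN terms share group 1 and are ORed, while the negated port term sits alone in group 2 and is ANDed with that group.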
PolicyRuleConditionAssociation (2)
• Semantics defined using DIT structure and content rules
  » PolicyConditionAuxClass subclasses are attached using DIT content rules
  » Structure rules define naming, scoped by a PolicyRule, using either the OrderedCIMKeys, cn, or PolicyConditionName

PolicyConditionAuxClass
• Used to bind conditions to rules
  » Rule-specific conditions defined by attaching this aux class to either an instance of the PolicyRuleConditionAssociation or the PolicyRule classes
  » Reusable conditions defined by attaching this aux class to an instance of the PolicyConditionInstance class
  » Note: this class is derived from Top because it attaches to classes already derived from Policy – otherwise we have property conflict!

Building PolicyActions
• The PolicyActionInPolicyRule association has properties that require special mapping
  » PolicyRuleActionAssociation represents the property and is attached via DIT containment
  » The actions themselves are represented by the PolicyActionAuxClass (and its subclasses) which are either
    – attached directly to instances of the PolicyRuleActionAssociation for rule-specific classes, or
    – indirectly, using a DN pointer to refer to an instance of a PolicyActionInstance class

PolicyRuleActionAssociation
• Two properties
  » PolicyActionOrder determines the order of executing actions associated with a policy rule
  » PolicyActionDN - pointer to a reusable PolicyAction (should be NULL if rule-specific)
• Semantics
  » PolicyActionAuxClass subclasses are attached using DIT content rules
  » Structure rules define naming, scoped by a PolicyRule, using either the OrderedCIMKeys, cn, or PolicyActionName

PolicyActionAuxClass
• Used to bind actions to rules
  » Rule-specific actions defined by attaching this aux class to either an instance of the PolicyRuleActionAssociation or the PolicyRule classes
  » Reusable actions defined by attaching this aux class to an instance of the PolicyActionInstance class
  » Note: this class is derived from Top because it attaches to classes already derived from Policy – otherwise we have property conflict!

PolicyTimePeriodConditionAuxClass
• Built as an aux class so it can be attached directly to a policy rule
  » Represents periods of time that define when a condition is valid
    – time period, plus month, day of month and week, and time of day masks

Structure of a Rule-Specific Policy
• PolicyRule is a container that holds PolicyConditions and PolicyActions
  » QPIM extends this so that a condition is treated as a container
• To do this attachment
  » PolicyRule is a structural class
  » PolicyCondition and PolicyAction are both auxiliary classes

Attachment
• Info model defines PolicyRule relationships
  » PolicyConditionInPolicyRule attaches conditions to a PolicyRule
  » PolicyActionInPolicyRule attaches actions to a PolicyRule
  » PolicyRuleInPolicyGroup groups PolicyRules
  » PolicyRuleInSystem associates a PolicyRule with a System (e.g., a router or server)
• There can be as many attached conditions and actions as required

Example
[Figure: Example (rule-specific). Rule 1 (structural) holds Condition 1 (structural, aux attached) and Action 1 (structural, aux attached) by DIT containment. The DN pointers represent the association between Rule 1 and Condition 1 and between Rule 1 and Action 1; the attached aux classes represent the condition itself and the action itself.]

Defining Reusable Elements
• Reusable elements are always stored in a special part of the DIT
  » Modeled using the PolicyRepository class
  » Attached (indirectly) using DN pointers to a rule
• Since conditions and actions are aux classes, they need something to attach to
  » Rule-specific uses the PolicyRule itself
  » Reusable uses this class, which is stored in the PolicyRepository

PolicyInstance
• Uses DIT content rules to allow a PolicyConditionAuxClass or a PolicyActionAuxClass to be attached to it
• Uses DIT structure rules to enable it to be named using either PolicyInstanceName, cn, or OrderedCIMKeys

PolicyInstance Subclasses
• Two subclasses, PolicyConditionInstance and PolicyActionInstance, are defined
  » Defines additional naming attributes (PolicyConditionName and PolicyActionName)
  » DIT content rules enable condition and action aux classes to be attached to it
  » DIT structure rules enable it to be named under an instance of PolicyRepository using any of its four attributes

PolicyRepository
• This is a container for holding reusable policy elements
  » DIT structure rules enable it to be named under an instance of PolicyRepository using any of its four attributes

PolicySubtreesPtrAuxClass
• This aux class provides a single multivalued attribute to point to the root of a set of subtrees that contain policy information
  » Attaching this attribute to other class instances enables the administrator to define entry points to related policy information
    – Can be used to define the order of visiting information in the policy tree (e.g., for a PDP)
    – Can be used to tie different subtrees together

Aux Containment Classes
• PolicyGroupContainmentAuxClass and PolicyRuleContainmentAuxClass
  » Each contains a single multi-valued attribute that points to a set of PolicyGroups and PolicyRules, respectively
  » Enables the administrator to bind PolicyGroups/PolicyRules to a container
PolicyElementAuxClass
• This class is the aux equivalent of the Policy class
  » Enables tagging of selected instances that are outside of the policy class hierarchy, but are nevertheless policy-related
  » This works through searching on oc=policy
  » Note that some directories don't support this, so in these cases, policy-related entries must be tagged with the keyword Policy and searched on using an attribute search

Example
[Figure: Example (reusable). Rule 1 (structural) holds Condition 1 (structural) and Action 1 (structural) by DIT containment; these entries represent the association between Rule 1 and Condition 1 and between Rule 1 and Action 1. Each carries a DN pointer to ConditionInstance (structural) and ActionInstance (structural), which are held by DIT containment under PolicyRepository (structural). Condition 1 Aux and Action 1 Aux (aux attachment) on those instances represent the condition itself and the action itself.]

PolicyRepository
• Used to define a "repository within a repository" for storing reusable data
  » DIT structure rules enable it to be named under an instance of PolicyRepository using any of its three attributes
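The two attachment patterns from the reusable example above (aux class attached directly to the PolicyRuleConditionAssociation under the rule, versus a PolicyConditionDN pointer to a PolicyConditionInstance held in a PolicyRepository), together with the referential-integrity concern raised on the Reusable Components (2) slide, as an added example in Python that is not from the slides or any directory product. It uses a constructed in-memory DIT with the slides' draft class and attribute names (PolicyRuleConditionAssociation, PolicyConditionAuxClass, PolicyConditionInstance, PolicyConditionDN, PolicyConditionGroupNumber, PolicyConditionNegated); the DNs, sample entries and check functions are assumptions made here.

```python
"""Added example (not from the slides): a constructed in-memory DIT showing the two ways
a PolicyCondition is attached to a PolicyRule (aux class attached directly to the
PolicyRuleConditionAssociation, or a PolicyConditionDN pointer to a PolicyConditionInstance
held in a PolicyRepository) and a referential-integrity check over the DN pointers.
Assumptions: class and attribute names follow the slides' draft naming; entries are dicts
keyed by DN; DNs contain no escaped commas; all DNs and values are constructed here."""

REPO = "cn=ReusableConditions,cn=PolicyRepository,dc=example,dc=com"
RULE = "cn=Rule1,cn=Rules,dc=example,dc=com"
BUSINESS_HOURS = "PolicyConditionName=BusinessHours," + REPO


def build_sample_dit() -> dict:
    return {
        "cn=PolicyRepository,dc=example,dc=com": {"objectClass": ["PolicyRepository"]},
        REPO: {"objectClass": ["PolicyRepository"]},  # a repository within a repository
        # Reusable condition: structural PolicyConditionInstance with the condition aux class attached
        BUSINESS_HOURS: {
            "objectClass": ["PolicyConditionInstance", "PolicyConditionAuxClass",
                            "PolicyTimePeriodConditionAuxClass"],
            "TimeOfDayMask": "T090000/T170000",
        },
        RULE: {"objectClass": ["PolicyRule"], "ConditionListType": "DNF"},
        # Rule-specific: the aux class is attached directly to the association entry, no DN pointer
        "cn=Cond1," + RULE: {
            "objectClass": ["PolicyRuleConditionAssociation", "PolicyConditionAuxClass",
                            "VendorPolicyCondition"],
            "PolicyConditionGroupNumber": 1, "PolicyConditionNegated": False,
            "Constraint": "src_vlan == finance",
        },
        # Reusable: the association entry carries only the association properties and a DN pointer
        "cn=Cond2," + RULE: {
            "objectClass": ["PolicyRuleConditionAssociation"],
            "PolicyConditionGroupNumber": 1, "PolicyConditionNegated": False,
            "PolicyConditionDN": BUSINESS_HOURS,
        },
        # Broken: points at a repository instance that no longer exists
        "cn=Cond3," + RULE: {
            "objectClass": ["PolicyRuleConditionAssociation"],
            "PolicyConditionGroupNumber": 2, "PolicyConditionNegated": True,
            "PolicyConditionDN": "PolicyConditionName=Removed," + REPO,
        },
    }


def is_under_repository(dit: dict, dn: str) -> bool:
    """True if some ancestor of dn is a PolicyRepository entry (where reusable elements must live)."""
    parts = dn.split(",")
    return any("PolicyRepository" in dit.get(",".join(parts[i:]), {}).get("objectClass", [])
               for i in range(1, len(parts)))


def check_condition_associations(dit: dict) -> dict:
    """Map each inconsistent PolicyRuleConditionAssociation DN to a description of the problem."""
    problems = {}
    for dn, entry in dit.items():
        ocs = entry.get("objectClass", [])
        if "PolicyRuleConditionAssociation" not in ocs:
            continue
        attached = "PolicyConditionAuxClass" in ocs
        target = entry.get("PolicyConditionDN")
        if attached and target:
            problems[dn] = "aux class attached and PolicyConditionDN set; the DN should be NULL if rule-specific"
        elif not attached and not target:
            problems[dn] = "no condition: neither aux class attached nor PolicyConditionDN set"
        elif target:
            target_entry = dit.get(target)
            if target_entry is None:
                problems[dn] = "dangling PolicyConditionDN: " + target
            elif not {"PolicyConditionInstance", "PolicyConditionAuxClass"} <= set(target_entry.get("objectClass", [])):
                problems[dn] = "PolicyConditionDN target is not a PolicyConditionInstance with a condition attached"
            elif not is_under_repository(dit, target):
                problems[dn] = "PolicyConditionDN target lies outside every PolicyRepository"
    return problems


def referencing_associations(dit: dict, instance_dn: str) -> list:
    """Associations that point at a repository instance; consult before deleting or moving it."""
    return sorted(dn for dn, e in dit.items() if e.get("PolicyConditionDN") == instance_dn)
```

On the sample DIT, check_condition_associations reports only Cond3 (dangling pointer), and referencing_associations shows that Cond2 depends on the BusinessHours instance. Nothing in the directory schema enforces a DN pointer, which is the point of the Reusable Components (2) slide: a check like this belongs in the policy management tool, run before a repository instance is deleted and before a PDP loads the rules. How a PDP treats a rule whose condition cannot be resolved is implementation-defined, so rejecting the rule is safer than evaluating it with a term missing.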