Policy Framework Working Group Angelica Reyes Internet Draft Antoni Barba David Moron Technical University of Catalonia Marcus Brunner NEC December 2002 Policy Core Extension LDAP Schema (PCELS) Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Abstract This document defines a number of changes and extensions to the Policy Cores LDAP Schema [PCLS] based on Policy Core Information Model Extensions [PCIM_EXT]. The changes include additional classes previously not covered, and a change to the existing classes in PCLS. Conventions used in this document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC-2119. Table of contents 1. Introduction....................................................2 2. Relationship to other Policy Framework Documents................2 3. Inheritance Hierarchy for PCELS.................................3 4. General Discussion of Mapping the Model Extensions to LDAP......5 4.1 Summary of Class and Association Mappings......................5 4.2 Attaching PolicyVariable and PolicyValues to PolicySimpleCondition and PolicySimpleAction.......................7 Expires [Page 1] Internet Draft Policy Core Extension LDAP Schema December 2002 5. Class Definitions...............................................7 5.1 The five PolicySet Classes.....................................7 5.2 The Auxiliary Class pcimeSimplePolicyCondition.................9 5.3 The Class pcimeSimpleConditionAssociation.....................10 5.4 The Auxiliary Class pcimeCompoundPolicyCondition..............10 5.5 The Class pcimeConditionStructuresContainmentAuxClass.........11 5.6 The Class pcimeRuleConditionAssociation.......................11 5.7 The Class pcimeConditionAssociation...........................11 5.8 The class definition is as follows:...........................12 5.9 The Auxiliary Class pcimeSimplePolicyAction...................12 5.10 The Class pcimeSimpleActionAssociation.......................12 5.11 The five PolicyVariable Classes..............................12 6. Security Considerations........................................15 7. IANA Considerations............................................15 7.1 Object Identifiers............................................15 7.2 Object Identifier Descriptors.................................15 8. References.....................................................16 9. Authors" Addresses.............................................16 10. Full Copyright Statement......................................16 1. Introduction Within the context of this document, the term ?PCELS? (Policy Core Extensions LDAP Scheme) is used to refer to the LDAP class definition that this document contains. 2. Relationship to other Policy Framework Documents This document contains an LDAP schema representing the classes defined in the Policy Core Information Model Extensions [PCIM_EXT]. Other documents may subsequently be produced, with mappings of the same PCIM extensions to other storage or transport technologies. The document is an extension to [PCLS], which defines the LDAP mapping of the Policy Core Information Model [PCIM] to an LDAP schema. Reyes et al. Expires June 2003 [Page 2] Internet Draft Policy Core Extension LDAP Schema December 2002 3. Inheritance Hierarchy for PCELS The following diagram illustrates the class hierarchy for the LDAP Classes defined in the draft ?Policy Core LDAP scheme?[4] and the LDAP classes defined in this document: top | +---dlm1ManagedElement (abstract) | +---pcimPolicy (abstract) | | | +---pcimePolicySet (abstract new) | | | | | +---pcimePolicySetAuxClass (auxiliary new) | | | | | +---pcimePolicySetInstance (structural new) | | | | | +---pcimGroup (abstract moved) | | | | | | | +--pcimGroupAuxClass (auxiliary moved) | | | | | | | +---pcimGroupInstance (structural moved) | | | | | +---pcimRule (abstract moved) | | | | | | | +---pcimRuleAuxClass (auxiliary moved) | | | | | | | +---pcimRuleInstance (structural moved) | | | | | +---pcimeSetComponentsContainmentAuxClass (new) | | | | | +---pcimeSystemContainmentAuxClass (new) | | | +---pcimRuleConditionAssociation (structural) | | | +---pcimRuleValidityAssociation (structural) | | | +---pcimRuleActionAssociation (structural) | | | +---pcimPolicyInstance (structural) | | | +---pcimElementAuxClass (auxiliary) | | | +---dlm1ManagedSystemElement (abstract) | | | +---dlm1LogicalElement (abstract) | | | +---dlm1System (abstract) | | | +-dlm1AdminDomain (abstract) | | Reyes et al. Expires June 2003 [Page 3] Internet Draft Policy Core Extension LDAP Schema December 2002 | +-pcimRepository (abstract deprecated) | | | | | +-pcimRepositoryAuxClass auxiliary deprecated) | | | | | +-cimRepositoryInstance (structural deprecated) | | | +-pcimeReusablePolicyContainer (abstract new) | +--pcimConditionAuxClass (auxiliary) | | | +-pcimTPCAuxClass (auxiliary) | | | +-pcimConditionVendorAuxClass (auxiliary) | | | +-pcimeSimplePolicyCondition (auxiliary new) | | | |-pcimeCompoundPolicyCondition (new) | | | +-pcimeSympleConditionAssociation (new) | | | +-pcimeConditionStructuresContainmentAuxClass (Abstract new) | | | | | +---pcimeConditionAssociation (new) | | | | +---pcimeRuleConditionAssociation (new) | | | +-pcimeCompoundFilterCondition (new) | +--pcimActionAuxClass (auxiliary) | | | +-pcimActionVendorAuxClass (auxiliary) | | | +-pcimeSimplePolicyAction (auxiliary new) | | | +-pcimeSympleActionAssociation (new) | +-pcimePolicyVariable (abstract new) | | | +--pcimePolicyVariableAuxClass (auxiliary new) | | | +--pcimePolicyVariableInstance (structural new) | | | +--pcimePolicyExplicitVariable (auxiliary new) | | | +--pcimePolicyImplicitVariable (structural new) | +--pcimePolicyValue (auxiliary new) | +--pcimSubtreesPtrAuxClass (auxiliary) | +--pcimGroupContainmentAuxClass (auxiliary) | +--pcimRuleContainmentAuxClass (auxiliary) Reyes et al. Expires June 2003 [Page 4] Internet Draft Policy Core Extension LDAP Schema December 2002 4. General Discussion of Mapping the Model Extensions to LDAP The classes described below contain certain optimizations for a directory that uses LDAP as an access protocol. One example is the use of auxiliary classes to represent some of the associations defined in the information model. Note that other storage types might need to implement the association differently. 4.1 Summary of Class and Association Mappings Twenty of the classes in the PCELS come directly from the sixteen corresponding classes in the information model extensions. The prefix ?pcime? is used to identify these LDAP classes. +------------------------------------------------------------------+ | Information Model (PCIM ext) | LDAP Classes | +------------------------------------------------------------------+ | PolicySet | pcimePolicySet | | | pcimePolicySetAuxClass | | | pcimePolicySetInstance | +------------------------------------------------------------------+ | SimplePolicyCondition | pcimeSimplePolicyCondition | +------------------------------------------------------------------+ | CompoundPolicyCondition | pcimeCompoundPolicyCondition | +------------------------------------------------------------------+ | CompoundFilterCondition | pcimeCompoundFilterCondition | +------------------------------------------------------------------+ | SimplePolicyAction | pcimeSimplePolicyAction | +------------------------------------------------------------------+ | CompoundPolicyAction | pcimeCompoundPolicyAction | +------------------------------------------------------------------+ | PolicyVariable | pcimePolicyVariable | | | pcimePolicyVariableAuxClass | | | pcimePolicyVariableInstance | +------------------------------------------------------------------+ | PolicyExplicitVariable | pcimePolicyExplicitVariable | +------------------------------------------------------------------+ | PolicyImplicitVariable | pcimePolicyImplicitVariable | +------------------------------------------------------------------+ | PolicyValue | pcimePolicyValue | +------------------------------------------------------------------+ | PolicyRoleCollection | pcimePolicyroleCollection | +------------------------------------------------------------------+ | ReusablePolicyContainer | pcimeReusablePolicyContainer | +------------------------------------------------------------------+ | FilterEntryBase | pcimeFilterEntryBase | +------------------------------------------------------------------+ | IPHeadersfilter | pcimeIPHeadersfilter | +------------------------------------------------------------------+ | 8021Filter | pcime8021Filter | +------------------------------------------------------------------+ | FilterList | pcimeFilterList | +------------------------------------------------------------------+ Reyes et al. Expires June 2003 [Page 5] Internet Draft Policy Core Extension LDAP Schema December 2002 +------------------------------------------------------------------+ | Information Model Association | LDAP Attribute / Class | +------------------------------------------------------------------+ | PolicySetComponent |pcimeSetComponentsAuxContained | | |Set in pcimeSetComponentsContain| | |mentAuxClass | +------------------------------------------------------------------+ | PolicySetInSystem |pcimeSetsAuxContainedSet in | | |pcimeSystemContainmentAuxClass | +------------------------------------------------------------------+ | PolicyGroupInSystem |pcimeGroupsAuxContainedSet in | | |pcimeSystemContainmentAuxClass | +------------------------------------------------------------------+ | PolicyRuleInSystem |pcimeRulesAuxContainedSet in | | |pcimeSystemContainmentAuxClass | +------------------------------------------------------------------+ | PolicyConditionStructure |pcimeConditionStructuresAux | | |ContainedSet in pcimeCondition | | |StructuresContainmentAuxClass | +------------------------------------------------------------------+ | PolicyConditionInPolicyRule |DIT containment or | | |pcimeRuleConditionList | | |in pcimeRule or pcimeConditionDN| | |in pcimeRuleConditionAssociation| +------------------------------------------------------------------+ | PolicyConditionInPolicyCondition|pcimeConditionDN in | | |pcimeConditionAssociation | +------------------------------------------------------------------+ | PolicyActionStructure |pcimeActionDN in | | |pcimeActionStructureAssociation | +------------------------------------------------------------------+ | PolicyActionInPolicyRule |DIT containment or | | |pcimeRuleActionList in pcimeRule| | |or pcimeActionDN in | | |pcimeRuleActionAssociation | +------------------------------------------------------------------+ | PolicyActionInPolicyAction |pcimeActionDN in | | |pcimeActionAssociation | +------------------------------------------------------------------+ | PolicyVariableInSimplePolicy |pcimeVariableDN in | | Condition |pcimeSimpleConditionAssociation | +------------------------------------------------------------------+ | PolicyValueInSimplePolicy |pcimeValueDN in | | Condition |pcimeSimpleConditionAssociation | +------------------------------------------------------------------+ | PolicyVariableInSimplePolicy |pcimeVariableDN in | | Action |pcimeSimpleActionAssociation | +------------------------------------------------------------------+ | PolicyValueInSimplePolicyAction |pcimeValueDN in | | |pcimeSimpleActionAssociation | +------------------------------------------------------------------+ | ReusablePolicy |DIT containment | +------------------------------------------------------------------+ Reyes et al. Expires June 2003 [Page 6] Internet Draft Policy Core Extension LDAP Schema December 2002 | ExpectedPolicyValuesForVariable |DIT containment or | | |pcimeVariableValuesList in | | |pcimeVariable | +------------------------------------------------------------------+ | ContainedDomain |DIT containment | +------------------------------------------------------------------+ | EntriesInFilterList |DIT containment or | | |pcimeFilterListEntriesList in | | |pcimeFilterList | +------------------------------------------------------------------+ | ElementInPolicyRoleCollection |DIT containment | +------------------------------------------------------------------+ | PolicyRoleCollectionInSystem |pcimeRoleCollectionsSet in | | |pcimeSystemContainmentAuxClass | +------------------------------------------------------------------+ 4.2 Attaching PolicyVariable and PolicyValues to PolicySimpleCondition and PolicySimpleAction A PolicySimpleCondition as well as a PolicySimpleAction includes a single PolicyValue and a single PolicyVariable. Each of them can be attached or referenced by a DN. Both values and variables SHOULD be attached only, because referencing them by a DN places reusability on too low level. Referencing would allow for reusability of a varibale or value but makes it unrealisiticly to retrive policies in a large number, if they contain a number of references to other objects. Using attachment allows the retrieval of the association class and the condition itself in a single LDAP search. 5. Class Definitions 5.1 The five PolicySet Classes The abstract class PolicySet in the PCIMe is introduced to provide an abstraction for a set of rules. The class value ?pcimePolicySet? is used as the mechanism for identifying group and rule- related instances in the DIT. PCLS maps this class into three LDAP classes called pcimePolicySet, pcimePolicySetAuxClass and pcimePolicySetInstance. In PCIMe [PCIM EXT], PolicyGroup Class and PolicyRule Class are moved, so that they are now derived from PolicySet Class. The class definitions for the other three-remainder classes are listed below. These class definitions do not include attributes to realize the PolicySetComponent, PolicySetInSystem, PolicyGroupInSystem and PolicyRuleInSystem associations from the pcime. This is because a pcimeSetComponent object refers to instances of pcimePolicySetComponent via the attribute pcimeSetComponentAuxContainedSet in the pcimeSetComponentsContainmentAuxClass object class. Reyes et al. Expires June 2003 [Page 7] Internet Draft Policy Core Extension LDAP Schema December 2002 Also, the pcimeSet object refers to instances of pcimSet, pcimeGroup and pcimeRule via, respectively, the attributes: pcimeSetAuxContainedSet, pcimeGroupsAuxContainedSet and pcimeRulesAuxContainedSet in the pcimeSystemContainmentAuxClass object Class. First, the definition of the abstract class pcimePolicySet: ( NAME "pcimePolicySet" DESC "An abstract class that is the base class for all classes that describe group and rule-related instances." SUP pcimPolicy ABSTRACT MAY (pcimePolicySetName $ pcimRoles) ) There are two attributes in the pcimePolicySet: The attribute pcimRoles, which is already defined in [2] and the pcimePolicySetName attribute. The pcimePolicySetName attribute definition is: ( NAME "pcimePolicySetName" DESC "The user-friendly name of this policy set." EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX SINGLE-VALUE ) The subclasses of PolicySet are defined as follows. The class pcimePolicySetAuxClass is an auxiliary class that is used to define the evaluation relationship among the rules in the policy set. ( NAME "pcimePolicySetAuxClass" DESC "An auxiliary class that define the evaluation among the rules in the policy set." SUP pcimPolicySet AUXILIARY MAY (pcimePolicyDecisionStrategy) ) The attribute pcimePolicyDecisionStrategy is used to define the evaluation relationship among the rules in the policy set. ( NAME "pcimePolicyDecisionStrategy" DESC "This is the evaluation method used for policies contained in the PolicySet." MAY (FirstMatching $ AllMatching) ) The subclass pcimePolicySetInstance is defined as follows: ( NAME "pcimePolicySetInstance" Reyes et al. Expires June 2003 [Page 8] Internet Draft Policy Core Extension LDAP Schema December 2002 DESC "A structural class that define the evaluation among the rules in the policy set." SUP pcimPolicySet STRUCTURAL MAY (pcimePolicyDecisionStrategy) ) The subclasses pcimGroup and pcimRule are now derived from pcimPolicySet. The classes definitions are as follows: ( NAME "pcimGroup" DESC "A container for a set of related pcimRules and/or a set of related pcimGroups." SUP pcimePolicySet ABSTRACT MAY (pcimGroupName) ) ( NAME "pcimRule" DESC "The base class for representing the ?If Condition then Action? semantics associated with a Policy Rule" SUP pcimePolicySet ABSTRACT MAY (pcimRuleName $ pcimRuleEnabled $ pcimRuleconditionListType $ pcimRuleConditionList $ pcimRuleActionList $ pcimRuleValidityPeropdList $ pcimRuleUsage $ pcimRulePriority $ pcimRuleMandatory $ pcimRuleSequencedActions $) ) A DIT content rule could be written to enable an instance of pcimePoliySetComponent to have attached to it references to one or more policy set components (using pcimeSetComponentsContainmentAuxClass). Since these semantics do not include specifying any properties of the SetComponent class, the content rule would not need to specify any attribute. 5.2 The Auxiliary Class pcimeSimplePolicyCondition This class indicates if a specific match with a specific . The "match" relationship is to be interpreted by analyzing the variable and value instances associated with the simple condition. There is an attribute to realize pcimePolicyValueinSimplePolicyCondition and pcimePolicyVariableinSimplePolicyCondition associations The class definition is as follows: ( NAME "pcimeSimplePolicyCondition" DESC "An auxiliary class that evaluate the matching between the value and the variable". SUP pcimConditionAuxClass AUXILIARY Reyes et al. Expires June 2003 [Page 9] Internet Draft Policy Core Extension LDAP Schema December 2002 MUST (pcimeVariable $ pcimeValue) ) There are two attributes that must be in the pcimeSimplePolicyCondition class: The attribute pcimeVariable and pcimeValue. The pcimeVariable attribute definition is: ( NAME "pcimeVariable" DESC "It is a flow or an event that should be matched when evaluating the Policy condition." EQUALITY FirstComponentMatch ORDERING FirstComponentMatch SUBSTR SYNTAX SINGLE-VALUE ) 5.3 The Class pcimeSimpleConditionAssociation This class contains an attribute to represent one property of the PCIMe PolicyVariableInSimplePolicyCondition association, pcimeVariableDN and one property of the PCIMe PolicyValueInSimplePolicyCondition association, pcimeValueDN. The first property is used to attach a variable to a SimplePolicyCondition and the second one is used to attach a value to a SimplePolicyCondition. The SimpleConditions themselves are represented by auxiliary subclasses of the auxiliary class pcimeSimplePolicyCondition. The class definition is as follows: ( NAME "pcimeSimpleConditionAssociation" DESC "This class contains attributes characterizing the relationship between a Simple Policy Condition and one variable and one value." SUP pcimConditionAuxClass MUST (pcimeVariableDN pcimeValueDN) ) 5.4 The Auxiliary Class pcimeCompoundPolicyCondition This class represents a compound policy condition, formed by aggregation of simple policy conditions. There is an attribute representing a Boolean combination of simpler conditions. The class definition is as follows: ( NAME "pcimeCompoundPolicyCondition" DESC "An auxiliary class that represents a Boolean combination of simpler conditions". SUP pcimConditionAuxClass AUXILIARY Reyes et al. Expires June 2003 [Page 10] Internet Draft Policy Core Extension LDAP Schema December 2002 MUST (pcimeConditionListType) ) The attribute pcimeConditionListType is used to specify whether the list of policy conditions associated with this compound policy condition is in disjunctive normal form (DNF) or conjunctive normal form (CNF). It is defined as follows: ( NAME "pcimeConditionListType" DESC "This attribute specifies whether the list of policy conditions is in DNF or in CNF". SYNTAX uint16 VALUE (DNF & CNF) DEFAULT VALUE (DNF) ) 5.5 The Class pcimeConditionStructuresContainmentAuxClass The compound policy conditions apply the DNF/CNF logic from PCIMe policyConditionInPolicyRule aggregation to a compound condition that aggregates simpler conditions, to achieve this purpose there is a class pcimeConditionStructuresContainmentAuxClass that has two sublcasses: pcimeConditionAssociation and pcimeRuleConditionAssociation (moved from PCIM). ( NAME "pcimeConditionStructureContainmentAuxClass" DESC "A class that has two subclasses: pcimeConditionAssociation and pcimeRuleconditionAssociation". SUP pcimConditionAuxClass ABSTRACT MUST (GroupNumber & ConditionNegated & pcimeConditionStructuresAuxContainedSet) ) The attribute pcimeConditionStructuresAuxContainedSet is used to enable an instance of the pcimePolicyConditionStructure association via the auxiliary class pcimeConditionStructureContainmentAuxClass. 5.6 The Class pcimeRuleConditionAssociation This class is moved from the PCIM [PCIM]. The class definition is as follows: ( NAME "pcimeRuleConditionAssociation" DESC "This class contain attributes characterizing the relationship between a policy rule and one of its policy conditions". SUP pcimeConditionStructureContainmentAuxClass MUST (pcimeConditionDN) ) 5.7 The Class pcimeConditionAssociation Reyes et al. Expires June 2003 [Page 11] Internet Draft Policy Core Extension LDAP Schema December 2002 This class contains attributes to represent the properties of the PCIMe PolicyConditionInpolicyCondition association. Instances of this class are related to an instance of pcimPolicy via an attribute pcimeConditionDN 5.8 The class definition is as follows: ( NAME "pcimeConditionAssociation" DESC "A class representing the aggregation of PolicyConditions by another PolicyCondition". SUP pcimeConditionStructureContainmentAuxClass MUST (pcimeConditionDN) ) 5.9 The Auxiliary Class pcimeSimplePolicyAction This class overwrites an old value of the and set the new . There is an attribute to realize pcimePolicyValueinSimplePolicyAction and pcimePolciyVariableinSimplePolicyAction associations The class definition is as follows: ( NAME "pcimeSimplePolicyAction" DESC "An auxiliary class that set the value to the variable" SUP pcimActionAuxClass AUXILIARY MUST (pcimeVariable $ pcimeValue) ) 5.10 The Class pcimeSimpleActionAssociation This class contains an attribute to represent one property of the PCIMe PolicyVariableInSimplePolicyAction association, pcimeVariableDN and one property of the PCIMe PolicyValueInSimplePolicyAction association, pcimeValueDN. The first property is used to attach a variable to a SimplePolicyAction and the second one is used to attach a value to a SimplePolicyAction. The SimpleActions themselves are represented by auxiliary subclasses of the auxiliary class pcimeSimplePolicyAction. The class definition is as follows: ( NAME "pcimeSimpleActionAssociation" DESC "This class contains attributes characterizing the relationship between a Simple PolicyAction and one variable and one value." SUP pcimActionAuxClass MUST (pcimeVariableDN pcimeValueDN) ) 5.11 The five PolicyVariable Classes Reyes et al. Expires June 2003 [Page 12] Internet Draft Policy Core Extension LDAP Schema December 2002 The PCIMe [1] defines a PolicyVariable abstract class. PCLS maps this class into three LDAP classes called pcimePolicyVariable, pcimePolicyVariableAuxClass and pcimePolicyVariableInstance. Also, pcimePolicyExplicitVariableAuxClass and pcimePolicyImplicitVariableInstance are subclasses of the pcimePolicyVariable. Variables specify the property of a flow or an event that should be matched when evaluating the condition. A given variable selects the set of matchable value types through the ExpectedPolicyValuesForVariable association. The classes definitions are as follows. First, the definition of the abstract class pcimePolicyVariable: ( NAME "pcimePolicyVariable" DESC "An auxiliary class that set the value to the variable" SUP pcimPolicy AUXILIARY MUST (pcimeVariable $ pcimeValue) ) The subclasses of pcimePolicyVariable are defined as follows. The class pcimePolicyVariableAuxClass is an auxiliary class that is used to define the relationship among the variables into Simple Policy Actions ( NAME "pcimePolicyVariableAuxClass" DESC "..." SUP pcimPolicyVariable AUXILIARY MAY () ) The subclass pcimePolicyVariableInstance is defined as follows: ( NAME "pcimePolicyVariableInstance" DESC "." SUP pcimPolicyVariable STRUCTURAL MAY () ) The subclass pcimePolicyExplicitVariableAuxClass is defined as follows: ( NAME "pcimePolicyExplicitVariableAuxClass" DESC " ? " SUP pcimPolicyVariable AUXILIARY MAY () ) The subclass pcimePolicyImplicitVariableInstance is defined as follows: Reyes et al. Expires June 2003 [Page 13] Internet Draft Policy Core Extension LDAP Schema December 2002 ( NAME "pcimePolicyImplicitVariableInstance" DESC " ? " SUP pcimPolicyVariable AUXILIARY MAY () ) 5.12 The auxiliary class pcimeCompoundPolicyActionAuxClass. This class maps the CompoundPolicyAction class of the PCIMe. The class definition is as follows. ( NAME "pcimeCompoundPolicyActionAuxClass" DESC "An auxiliary class that represents group of actions". SUP pcimActionAuxClass AUXILIARY MUST (pcimeSequencedActions $ pcimeExecutionStrategy) ) The attributes are mapped directly from the PCIMe. 5.13 The abstract class pcimeActionStructuresContaintment. This class is the base class for pcimeRuleActionAssociationAuxClass and pcimeActionAssociationAuxClass that represent the PolicyActionInPolicyRule and PolicyActionInPolicyAction aggregations. The class definition is as follows. ( NAME "pcimeActionStructureContainment" DESC "A class that has two subclasses: pcimeActionAssociation and pcimeRuleActionAssociation". SUP pcimActionAuxClass ABSTRACT MUST ( pcimActionOrder & pcimeActionStructuresAuxContainedSet) ) 5.14 The auxiliary class pcimeRuleActionAssociationAuxClass This class represents the PolicyActionInPolicyRule aggregation. The class definition is as follows: ( NAME "pcimeRuleActionAssociationAuxClass" DESC "A class representing the aggregation of PolicyActions via a PolicyRule". SUP pcimeActionStructureContainmentAuxClass MUST (pcimeActionDN) AUXILIARY ) Reyes et al. Expires June 2003 [Page 14] Internet Draft Policy Core Extension LDAP Schema December 2002 5.15 The auxiliary class pcimeActionAssociationAuxClass. This class represents the PolicyActionInPolicyAction aggregation. The class definition would be as follows: ( NAME "pcimeActionAssociationAuxClass" DESC "A class representing the aggregation of PolicyActions via another PolicyAction". SUP pcimeActionStructureContainmentAuxClass MUST (pcimeActionDN) AUXILIARY ) 6. Security Considerations The security considerations for this document are the same as those of [PCLS] and are not further addressed in this version of the draft. 7. IANA Considerations Reference [LDAP-IANA]. 7.1 Object Identifiers It is requested that IANA register an LDAP Object Identifer for use in this technical specification according to the following template: Subject: Request for LDAP OID Registration Person & email address to contact for further information: XXX Specification: RFC XXXX Author/Change Controller: IESG Comments: The assigned OID will be used as a base for identifying a number of schema elements defined in this document. 7.2 Object Identifier Descriptors It is requested that IANA register the LDAP Descriptors used in this technical specification as detailed in the following template: Subject: Request for LDAP Descriptor Registration Update Descriptor (short name): see comment Object Identifier: see comment Person & email address to contact for further information: Bob Moore (remoore@us.ibm.com) Usage: see comment Specification: RFC XXXX Author/Change Controller: IESG Comments: Reyes et al. Expires June 2003 [Page 15] Internet Draft Policy Core Extension LDAP Schema December 2002 The following descriptors should be added: NAME Type OID -------------- ---- ------------ pcimeXXX O IANA-ASSIGNED-OID.1.1 8. References [CIM] Distributed Management Task Force, Inc., "Common Information Model (CIM) Schema, version 2.3, March 2000. The components of the CIM v2.3 schema are available via links on the following DMTF web page: http://www.dmtf.org/spec/cims.html [PCIM] B. Moore, E. Ellesson, J. Strassner, "Policy Core Information Model -- Version 1 Specification", RFC 3060, May, 2000. [PCIM_EXT] B. Moore et al., "Policy Framework Core Information Model Extensions", Internet Draft, work in progress, draft-ietf-policy-pcim-ext-08.txt. [PCLS] J. Strassner, E. Ellesson, B. Moore, R. Moats, ?Policy Core LDAP Schema?, Internet Draft, work in progress, draft-ietf-policy-core-schema-16.txt. [LDAP-IANA] Zeilenga, K., "Internet Assigned Numbers Authority (IANA) Considerations for the Lightweight Directory Access Protocol (LDAP)", BCP 64, RFC 3383, September 2002. 9. Authors" Addresses Angelica Reyes, Antoni Barba, David Moron Technical University of Catalonia Jordi-Girona 1-3 08034 Barcelona Spain [angelica|telabm|moron]@mat.upc.es Marcus Brunner NEC Europe Ltd. Kurfuersten Anlage 34 D-69115 Heidelberg Germany brunner@ccrle.nec.de Full Copyright Statement Copyright (C) The Internet Society (2002). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any Reyes et al. Expires June 2003 [Page 16] Internet Draft Policy Core Extension LDAP Schema December 2002 kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDIN BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Open issues Some classes need to be added: 1. pcimeReusablePolicyContainer subclasses. Since pcimeRepository and its two subclasses are deprecated we have needed to add the pcimeReusablePolicyContainer and two subclasses: pcimeReusablePolicyContainerInstance (structural) and pcimeReusablePolicyContainerAuxClass(auxiliary). The class pcimeReusablePolicyContainer is defined as an abstract class so pcimeReusablePolicyContainer subclasses are needed in order to instanciate classes in the directory. 2.We have to add the subclasses pcimeRuleActionAssociationAuxClass and pcimeActionAssociationauxClass 3. We have to clarify next classes pcimePolicyVariableAuxClass. pcimePolicyVariableInstance. pcimePolicyExplicitVariableAuxClass. pcimePolicyImplicitVariableInstance. 4. We have to clarify the mapping of next classes PolicyValue and their subclasses. PolicyImpliciyVariable subclasses. We also consider the next points: 5. To define classes to search errors and classes to detect failures in the system 6. Because of the policy server is centralized and the LDAP is distributed hierarchically could be necessary to add classes in order Reyes et al. Expires June 2003 [Page 17] Internet Draft Policy Core Extension LDAP Schema December 2002 to find duplicates in the information. It can occur, for example when updating is excessively often. 7. Mapping between Network domains and the updating of information. Servers via resource management programs could manage some of these topics, even though it is necessary to add specific classes. Reyes et al. Expires June 2003 [Page 18]