[Docs] [txt|pdf] [Tracker] [Email] [Nits]

Versions: 00 01 02 03 04 05 06 07 RFC 4104

Policy Framework Working Group                           Angelica Reyes
Internet Draft                                             Antoni Barba
                                                            David Moron
                                      Technical University of Catalonia

                                                         Marcus Brunner
                                                                    NEC
                                                          December 2002

                 Policy Core Extension LDAP Schema (PCELS)
                <draft-reyes-policy-core-ext-schema-00.txt>

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Abstract

   This document defines a number of changes and extensions to the
   Policy Cores LDAP Schema [PCLS] based on Policy Core Information
   Model Extensions [PCIM_EXT]. The changes include additional classes
   previously not covered, and a change to the existing classes in PCLS.

Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC-2119.

Table of contents

   1. Introduction....................................................2
   2. Relationship to other Policy Framework Documents................2
   3. Inheritance Hierarchy for PCELS.................................3
   4. General Discussion of Mapping the Model Extensions to LDAP......5
   4.1 Summary of Class and Association Mappings......................5
   4.2 Attaching PolicyVariable and PolicyValues to
   PolicySimpleCondition and PolicySimpleAction.......................7

                               Expires                       [Page 1]

Internet Draft    Policy Core Extension LDAP Schema     December 2002


   5. Class Definitions...............................................7
   5.1 The five PolicySet Classes.....................................7
   5.2 The Auxiliary Class pcimeSimplePolicyCondition.................9
   5.3 The Class pcimeSimpleConditionAssociation.....................10
   5.4 The Auxiliary Class pcimeCompoundPolicyCondition..............10
   5.5 The Class pcimeConditionStructuresContainmentAuxClass.........11
   5.6 The Class pcimeRuleConditionAssociation.......................11
   5.7 The Class pcimeConditionAssociation...........................11
   5.8 The class definition is as follows:...........................12
   5.9 The Auxiliary Class pcimeSimplePolicyAction...................12
   5.10 The Class pcimeSimpleActionAssociation.......................12
   5.11 The five PolicyVariable Classes..............................12
   6. Security Considerations........................................15
   7. IANA Considerations............................................15
   7.1 Object Identifiers............................................15
   7.2 Object Identifier Descriptors.................................15
   8. References.....................................................16
   9. Authors" Addresses.............................................16
   10. Full Copyright Statement......................................16

1. Introduction

   Within the context of this document, the term ?PCELS? (Policy Core
   Extensions LDAP Scheme) is used to refer to the LDAP class definition
   that this document contains.

2. Relationship to other Policy Framework Documents

  This document contains an LDAP schema representing the classes
  defined in the Policy Core Information Model Extensions [PCIM_EXT].
  Other documents may subsequently be produced, with mappings of the
  same PCIM extensions to other storage or transport technologies.
  The document is an extension to [PCLS], which defines the LDAP
  mapping of the Policy Core Information Model [PCIM] to an LDAP
  schema.


















Reyes et al.
                          Expires June 2003                  [Page 2]

Internet Draft    Policy Core Extension LDAP Schema     December 2002



3. Inheritance Hierarchy for PCELS

   The following diagram illustrates the class hierarchy for the LDAP
   Classes defined in the draft ?Policy Core LDAP scheme?[4] and the
   LDAP classes defined in this document:

   top
   |
   +---dlm1ManagedElement (abstract)
       |
       +---pcimPolicy (abstract)
       |   |
       |   +---pcimePolicySet (abstract new)
       |   |   |
       |   |   +---pcimePolicySetAuxClass (auxiliary new)
       |   |   |
       |   |   +---pcimePolicySetInstance (structural new)
       |   |   |
       |   |   +---pcimGroup (abstract moved)
       |   |   |   |
       |   |   |   +--pcimGroupAuxClass (auxiliary moved)
       |   |   |   |
       |   |   |   +---pcimGroupInstance (structural moved)
       |   |   |
       |   |   +---pcimRule (abstract moved)
       |   |   |  |
       |   |   |  +---pcimRuleAuxClass (auxiliary moved)
       |   |   |  |
       |   |   |  +---pcimRuleInstance (structural moved)
       |   |   |
       |   |   +---pcimeSetComponentsContainmentAuxClass (new)
       |   |   |
       |   |   +---pcimeSystemContainmentAuxClass (new)
       |   |
       |   +---pcimRuleConditionAssociation (structural)
       |   |
       |   +---pcimRuleValidityAssociation (structural)
       |   |
       |   +---pcimRuleActionAssociation (structural)
       |   |
       |   +---pcimPolicyInstance (structural)
       |   |
       |   +---pcimElementAuxClass (auxiliary)
       |   |
       |   +---dlm1ManagedSystemElement (abstract)
       |   |
       |   +---dlm1LogicalElement (abstract)
       |       |
       |       +---dlm1System (abstract)
       |           |
       |           +-dlm1AdminDomain (abstract)
       |           |
Reyes et al.
                          Expires June 2003                  [Page 3]

Internet Draft    Policy Core Extension LDAP Schema     December 2002


       |           +-pcimRepository (abstract deprecated)
       |           | |
       |           | +-pcimRepositoryAuxClass auxiliary deprecated)
       |           | |
       |           | +-cimRepositoryInstance (structural deprecated)
       |           |
       |           +-pcimeReusablePolicyContainer (abstract new)
       |
       +--pcimConditionAuxClass (auxiliary)
       |  |
       |  +-pcimTPCAuxClass (auxiliary)
       |  |
       |  +-pcimConditionVendorAuxClass (auxiliary)
       |  |
       |  +-pcimeSimplePolicyCondition (auxiliary new)
       |  |
       |  |-pcimeCompoundPolicyCondition (new)
       |  |
       |  +-pcimeSympleConditionAssociation (new)
       |  |
       |  +-pcimeConditionStructuresContainmentAuxClass (Abstract new)
       |  |  |
       |  |  +---pcimeConditionAssociation (new)
       |  |  |
          |  +---pcimeRuleConditionAssociation (new)
       |  |
       |  +-pcimeCompoundFilterCondition (new)
       |
       +--pcimActionAuxClass (auxiliary)
       |  |
       |  +-pcimActionVendorAuxClass (auxiliary)
       |  |
       |  +-pcimeSimplePolicyAction (auxiliary new)
       |  |
       |  +-pcimeSympleActionAssociation (new)
       |
       +-pcimePolicyVariable (abstract new)
       |  |
       |  +--pcimePolicyVariableAuxClass (auxiliary new)
       |  |
       |  +--pcimePolicyVariableInstance (structural new)
       |  |
       |  +--pcimePolicyExplicitVariable (auxiliary new)
       |  |
       |  +--pcimePolicyImplicitVariable (structural new)
       |
       +--pcimePolicyValue (auxiliary new)
       |
       +--pcimSubtreesPtrAuxClass (auxiliary)
       |
       +--pcimGroupContainmentAuxClass (auxiliary)
       |
       +--pcimRuleContainmentAuxClass (auxiliary)
Reyes et al.
                          Expires June 2003                  [Page 4]

Internet Draft    Policy Core Extension LDAP Schema     December 2002


4. General Discussion of Mapping the Model Extensions to LDAP

   The classes described below contain certain optimizations for a
   directory that uses LDAP as an access protocol. One example is the
   use of auxiliary classes to represent some of the associations
   defined in the information model. Note that other storage types might
   need to implement the association differently.

4.1 Summary of Class and Association Mappings

   Twenty of the classes in the PCELS come directly from the sixteen
   corresponding classes in the information model extensions. The prefix
   ?pcime? is used to identify these LDAP classes.

   +------------------------------------------------------------------+
   | Information Model (PCIM ext) | LDAP Classes                      |
   +------------------------------------------------------------------+
   | PolicySet                    | pcimePolicySet                    |
   |                              |    pcimePolicySetAuxClass         |
   |                              |    pcimePolicySetInstance         |
   +------------------------------------------------------------------+
   | SimplePolicyCondition        | pcimeSimplePolicyCondition        |
   +------------------------------------------------------------------+
   | CompoundPolicyCondition      | pcimeCompoundPolicyCondition      |
   +------------------------------------------------------------------+
   | CompoundFilterCondition      | pcimeCompoundFilterCondition      |
   +------------------------------------------------------------------+
   | SimplePolicyAction           | pcimeSimplePolicyAction           |
   +------------------------------------------------------------------+
   | CompoundPolicyAction         | pcimeCompoundPolicyAction         |
   +------------------------------------------------------------------+
   | PolicyVariable               | pcimePolicyVariable               |
   |                              |    pcimePolicyVariableAuxClass    |
   |                              |    pcimePolicyVariableInstance    |
   +------------------------------------------------------------------+
   | PolicyExplicitVariable       | pcimePolicyExplicitVariable       |
   +------------------------------------------------------------------+
   | PolicyImplicitVariable       | pcimePolicyImplicitVariable       |
   +------------------------------------------------------------------+
   | PolicyValue                  | pcimePolicyValue                  |
   +------------------------------------------------------------------+
   | PolicyRoleCollection         | pcimePolicyroleCollection         |
   +------------------------------------------------------------------+
   | ReusablePolicyContainer      | pcimeReusablePolicyContainer      |
   +------------------------------------------------------------------+
   | FilterEntryBase              | pcimeFilterEntryBase              |
   +------------------------------------------------------------------+
   | IPHeadersfilter              | pcimeIPHeadersfilter              |
   +------------------------------------------------------------------+
   | 8021Filter                   | pcime8021Filter
                                                                      |
   +------------------------------------------------------------------+
   | FilterList                   | pcimeFilterList                   |
   +------------------------------------------------------------------+
Reyes et al.
                          Expires June 2003                  [Page 5]

Internet Draft    Policy Core Extension LDAP Schema     December 2002


   +------------------------------------------------------------------+
   | Information Model Association   | LDAP Attribute / Class         |
   +------------------------------------------------------------------+
   | PolicySetComponent              |pcimeSetComponentsAuxContained  |
   |                                 |Set in pcimeSetComponentsContain|
   |                                 |mentAuxClass
                                                                      |
   +------------------------------------------------------------------+
   | PolicySetInSystem               |pcimeSetsAuxContainedSet in     |
   |                                 |pcimeSystemContainmentAuxClass  |
   +------------------------------------------------------------------+
   | PolicyGroupInSystem             |pcimeGroupsAuxContainedSet in   |
   |                                 |pcimeSystemContainmentAuxClass  |
   +------------------------------------------------------------------+
   | PolicyRuleInSystem              |pcimeRulesAuxContainedSet in    |
   |                                 |pcimeSystemContainmentAuxClass  |
   +------------------------------------------------------------------+
   | PolicyConditionStructure        |pcimeConditionStructuresAux     |
   |                                 |ContainedSet in pcimeCondition  |
   |                                 |StructuresContainmentAuxClass   |
   +------------------------------------------------------------------+
   | PolicyConditionInPolicyRule     |DIT containment or              |
   |                                 |pcimeRuleConditionList          |
   |                                 |in pcimeRule or pcimeConditionDN|
   |                                 |in pcimeRuleConditionAssociation|
   +------------------------------------------------------------------+
   | PolicyConditionInPolicyCondition|pcimeConditionDN in             |
   |                                 |pcimeConditionAssociation       |
   +------------------------------------------------------------------+
   | PolicyActionStructure           |pcimeActionDN in                |
   |                                 |pcimeActionStructureAssociation |
   +------------------------------------------------------------------+
   | PolicyActionInPolicyRule        |DIT containment or              |
   |                                 |pcimeRuleActionList in pcimeRule|
   |                                 |or pcimeActionDN in             |
   |                                 |pcimeRuleActionAssociation      |
   +------------------------------------------------------------------+
   | PolicyActionInPolicyAction      |pcimeActionDN in                |
   |                                 |pcimeActionAssociation          |
   +------------------------------------------------------------------+
   | PolicyVariableInSimplePolicy    |pcimeVariableDN in              |
   | Condition                       |pcimeSimpleConditionAssociation |
   +------------------------------------------------------------------+
   | PolicyValueInSimplePolicy       |pcimeValueDN in                 |
   | Condition                       |pcimeSimpleConditionAssociation |
   +------------------------------------------------------------------+
   | PolicyVariableInSimplePolicy    |pcimeVariableDN in              |
   | Action                          |pcimeSimpleActionAssociation    |
   +------------------------------------------------------------------+
   | PolicyValueInSimplePolicyAction |pcimeValueDN in                 |
   |                                 |pcimeSimpleActionAssociation    |
   +------------------------------------------------------------------+
   | ReusablePolicy                  |DIT containment                 |
   +------------------------------------------------------------------+
Reyes et al.
                          Expires June 2003                  [Page 6]

Internet Draft    Policy Core Extension LDAP Schema     December 2002


   | ExpectedPolicyValuesForVariable |DIT containment or              |
   |                                 |pcimeVariableValuesList in      |
   |                                 |pcimeVariable                   |
   +------------------------------------------------------------------+
   | ContainedDomain                 |DIT containment                 |
   +------------------------------------------------------------------+
   | EntriesInFilterList             |DIT containment or              |
   |                                 |pcimeFilterListEntriesList in   |
   |                                 |pcimeFilterList                 |
   +------------------------------------------------------------------+
   | ElementInPolicyRoleCollection   |DIT containment                 |
   +------------------------------------------------------------------+
   | PolicyRoleCollectionInSystem    |pcimeRoleCollectionsSet in      |
   |                                 |pcimeSystemContainmentAuxClass  |
   +------------------------------------------------------------------+

4.2 Attaching PolicyVariable and PolicyValues to PolicySimpleCondition
   and PolicySimpleAction

   A PolicySimpleCondition as well as a PolicySimpleAction includes a
   single PolicyValue and a single PolicyVariable. Each of them can be
   attached or referenced by a DN. Both values and variables SHOULD be
   attached only, because referencing them by a DN places reusability on
   too low level. Referencing would allow for reusability of a varibale
   or value but makes it unrealisiticly to retrive policies in a large
   number, if they contain a number of references to other objects.
   Using attachment allows the retrieval of the association class and
   the condition itself in a single LDAP search.

5. Class Definitions

5.1 The five PolicySet Classes

   The abstract class PolicySet in the PCIMe is introduced to provide an
   abstraction for a set of rules. The class value ?pcimePolicySet? is
   used as the mechanism for identifying group and rule- related
   instances in the DIT. PCLS maps this class into three LDAP classes
   called pcimePolicySet, pcimePolicySetAuxClass and
   pcimePolicySetInstance.

   In PCIMe [PCIM EXT], PolicyGroup Class and PolicyRule Class are
   moved, so that they are now derived from PolicySet Class. The class
   definitions for the other three-remainder classes are listed below.
   These class definitions do not include attributes to realize the
   PolicySetComponent, PolicySetInSystem, PolicyGroupInSystem and
   PolicyRuleInSystem associations from the pcime. This is because a
   pcimeSetComponent object refers to instances of
   pcimePolicySetComponent via the attribute
   pcimeSetComponentAuxContainedSet in the
   pcimeSetComponentsContainmentAuxClass object class.


Reyes et al.
                          Expires June 2003                  [Page 7]

Internet Draft    Policy Core Extension LDAP Schema     December 2002


   Also, the pcimeSet object refers to instances of pcimSet, pcimeGroup
   and pcimeRule via, respectively, the attributes:
   pcimeSetAuxContainedSet, pcimeGroupsAuxContainedSet and
   pcimeRulesAuxContainedSet in the pcimeSystemContainmentAuxClass
   object Class. First, the definition of the abstract class
   pcimePolicySet:

   (<oid- >    NAME "pcimePolicySet"
      DESC    "An abstract class that is the base class for all classes
               that describe group and rule-related instances."
      SUP      pcimPolicy
      ABSTRACT
      MAY     (pcimePolicySetName $ pcimRoles)
   )

   There are two attributes in the pcimePolicySet: The attribute
   pcimRoles, which is already defined in [2] and the pcimePolicySetName
   attribute.
   The pcimePolicySetName attribute definition is:

   (<oid- >    NAME "pcimePolicySetName"
      DESC    "The user-friendly name of this policy set."
      EQUALITY caseIgnoreMatch
      ORDERING caseIgnoreOrderingMatch
      SUBSTR   caseIgnoreSubstringsMatch
      SYNTAX
      SINGLE-VALUE
   )

   The subclasses of PolicySet are defined as follows. The class
   pcimePolicySetAuxClass is an auxiliary class that is used to define
   the evaluation relationship among the rules in the policy set.

   (<oid- >   NAME "pcimePolicySetAuxClass"
      DESC   "An auxiliary class that define the evaluation among the
              rules in the policy set."
      SUP     pcimPolicySet
      AUXILIARY
      MAY    (pcimePolicyDecisionStrategy)
   )

   The attribute pcimePolicyDecisionStrategy is used to define the
   evaluation relationship among the rules in the policy set.

   (<oid- >   NAME "pcimePolicyDecisionStrategy"
      DESC   "This is the evaluation method used for policies contained
              in the PolicySet."
      MAY    (FirstMatching $ AllMatching)
   )

   The subclass pcimePolicySetInstance is defined as follows:

   (<oid- >   NAME "pcimePolicySetInstance"
Reyes et al.
                          Expires June 2003                  [Page 8]

Internet Draft    Policy Core Extension LDAP Schema     December 2002


      DESC   "A structural class that define the evaluation among the
              rules in the policy set."
      SUP     pcimPolicySet
      STRUCTURAL
      MAY    (pcimePolicyDecisionStrategy)
   )

   The subclasses pcimGroup and pcimRule are now derived from
   pcimPolicySet. The classes definitions are as follows:

   (<oid- >   NAME "pcimGroup"
      DESC   "A container for a set of related pcimRules and/or a set
              of related pcimGroups."
      SUP     pcimePolicySet
      ABSTRACT
      MAY    (pcimGroupName)
   )

   (<oid- >   NAME "pcimRule"
      DESC   "The base class for representing the ?If Condition then
              Action? semantics associated with a Policy Rule"
      SUP     pcimePolicySet
      ABSTRACT
      MAY    (pcimRuleName $ pcimRuleEnabled $
              pcimRuleconditionListType $ pcimRuleConditionList $
              pcimRuleActionList $ pcimRuleValidityPeropdList $
              pcimRuleUsage $ pcimRulePriority  $ pcimRuleMandatory $
              pcimRuleSequencedActions $)
   )

   A DIT content rule could be written to enable an instance of
   pcimePoliySetComponent to have attached to it references to one or
   more policy set components (using
   pcimeSetComponentsContainmentAuxClass). Since these semantics do not
   include specifying any properties of the SetComponent class, the
   content rule would not need to specify any attribute.


5.2 The Auxiliary Class pcimeSimplePolicyCondition

   This class indicates if a specific <variable> match with a specific
   <value>. The "match" relationship is to be interpreted by analyzing
   the variable and value instances associated with the simple
   condition.
   There is an attribute to realize
   pcimePolicyValueinSimplePolicyCondition and
   pcimePolicyVariableinSimplePolicyCondition associations
   The class definition is as follows:
   (<oid- >   NAME "pcimeSimplePolicyCondition"
      DESC   "An auxiliary class that evaluate the matching between the
              value and the variable".
      SUP     pcimConditionAuxClass
      AUXILIARY
Reyes et al.
                          Expires June 2003                  [Page 9]

Internet Draft    Policy Core Extension LDAP Schema     December 2002


      MUST   (pcimeVariable $ pcimeValue)
   )

   There are two attributes that must be in the
   pcimeSimplePolicyCondition class: The attribute pcimeVariable and
   pcimeValue.
   The pcimeVariable attribute definition is:

   (<oid- >   NAME "pcimeVariable"
      DESC   "It is a flow or an event that should be matched when
              evaluating the Policy condition."
      EQUALITY FirstComponentMatch
      ORDERING FirstComponentMatch
      SUBSTR
      SYNTAX
      SINGLE-VALUE
   )

5.3 The Class pcimeSimpleConditionAssociation

   This class contains an attribute to represent one property of the
   PCIMe PolicyVariableInSimplePolicyCondition association,
   pcimeVariableDN and one property of the PCIMe
   PolicyValueInSimplePolicyCondition association, pcimeValueDN.  The
   first property is used to attach a variable to a
   SimplePolicyCondition and the second one is used to attach a value to
   a SimplePolicyCondition. The SimpleConditions themselves are
   represented by auxiliary subclasses of the auxiliary class
   pcimeSimplePolicyCondition.

   The class definition is as follows:

   (<oid- >   NAME "pcimeSimpleConditionAssociation"
      DESC   "This class contains attributes characterizing the
              relationship between a Simple Policy Condition and one
              variable and one value."
      SUP     pcimConditionAuxClass
      MUST   (pcimeVariableDN pcimeValueDN)
   )

5.4 The Auxiliary Class pcimeCompoundPolicyCondition

   This class represents a compound policy condition, formed by
   aggregation of simple policy conditions. There is an attribute
   representing a Boolean combination of simpler conditions.

   The class definition is as follows:

   (<oid- >   NAME "pcimeCompoundPolicyCondition"
      DESC   "An auxiliary class that represents a Boolean combination
              of simpler conditions".
      SUP     pcimConditionAuxClass
      AUXILIARY
Reyes et al.
                          Expires June 2003                 [Page 10]

Internet Draft    Policy Core Extension LDAP Schema     December 2002


      MUST   (pcimeConditionListType)
   )

   The attribute pcimeConditionListType is used to specify whether the
   list of policy conditions associated with this compound policy
   condition is in disjunctive normal form (DNF) or conjunctive normal
   form (CNF). It is defined as follows:

   (<oid- >   NAME "pcimeConditionListType"
      DESC   "This attribute specifies whether the list of policy
              conditions is in DNF or in CNF".
      SYNTAX  uint16
      VALUE  (DNF & CNF)
      DEFAULT VALUE (DNF)
   )

5.5 The Class pcimeConditionStructuresContainmentAuxClass

   The compound policy conditions apply the DNF/CNF logic from PCIMe
   policyConditionInPolicyRule aggregation to a compound condition that
   aggregates simpler conditions, to achieve this purpose there is a
   class pcimeConditionStructuresContainmentAuxClass that has two
   sublcasses: pcimeConditionAssociation and
   pcimeRuleConditionAssociation (moved from PCIM).

    (<oid- >  NAME "pcimeConditionStructureContainmentAuxClass"
       DESC   "A class that has two subclasses:
              pcimeConditionAssociation and
              pcimeRuleconditionAssociation".
      SUP     pcimConditionAuxClass
      ABSTRACT
      MUST   (GroupNumber & ConditionNegated &
              pcimeConditionStructuresAuxContainedSet)
   )

   The attribute pcimeConditionStructuresAuxContainedSet is used to
   enable an instance of the pcimePolicyConditionStructure association
   via the auxiliary class pcimeConditionStructureContainmentAuxClass.

5.6 The Class pcimeRuleConditionAssociation

   This class is moved from the PCIM [PCIM]. The class definition is as
   follows:

   (<oid- >  NAME "pcimeRuleConditionAssociation"
       DESC   "This class contain attributes characterizing the
              relationship between a policy rule and one of its policy
              conditions".
      SUP     pcimeConditionStructureContainmentAuxClass
      MUST   (pcimeConditionDN)
   )

5.7 The Class pcimeConditionAssociation
Reyes et al.
                          Expires June 2003                 [Page 11]

Internet Draft    Policy Core Extension LDAP Schema     December 2002



   This class contains attributes to represent the properties of the
   PCIMe PolicyConditionInpolicyCondition association. Instances of this
   class are related to an instance of pcimPolicy via an attribute
   pcimeConditionDN

5.8 The class definition is as follows:

   (<oid- >  NAME "pcimeConditionAssociation"
      DESC   "A class representing the aggregation of PolicyConditions
              by another PolicyCondition".
      SUP    pcimeConditionStructureContainmentAuxClass
      MUST   (pcimeConditionDN)
   )

5.9 The Auxiliary Class pcimeSimplePolicyAction

   This class overwrites an old value of the <variable> and set the new
   <value>.
   There is an attribute to realize pcimePolicyValueinSimplePolicyAction
   and   pcimePolciyVariableinSimplePolicyAction associations

   The class definition is as follows:
   (<oid- >   NAME "pcimeSimplePolicyAction"
      DESC   "An auxiliary class that set the value to the variable"
      SUP     pcimActionAuxClass
      AUXILIARY
      MUST   (pcimeVariable $ pcimeValue)
   )

5.10 The Class pcimeSimpleActionAssociation

   This class contains an attribute to represent one property of the
   PCIMe PolicyVariableInSimplePolicyAction association, pcimeVariableDN
   and one property of the PCIMe PolicyValueInSimplePolicyAction
   association, pcimeValueDN.  The first property is used to attach a
   variable to a SimplePolicyAction and the second one is used to attach
   a value to a SimplePolicyAction. The SimpleActions themselves are
   represented by auxiliary subclasses of the auxiliary class
   pcimeSimplePolicyAction.

   The class definition is as follows:

   (<oid- >   NAME "pcimeSimpleActionAssociation"
      DESC   "This class contains attributes characterizing the
              relationship between a Simple PolicyAction and one
              variable and one value."
      SUP     pcimActionAuxClass
      MUST   (pcimeVariableDN pcimeValueDN)
   )
5.11 The five PolicyVariable Classes


Reyes et al.
                          Expires June 2003                 [Page 12]

Internet Draft    Policy Core Extension LDAP Schema     December 2002


   The PCIMe [1] defines a PolicyVariable abstract class. PCLS maps this
   class into three LDAP classes called pcimePolicyVariable,
   pcimePolicyVariableAuxClass and pcimePolicyVariableInstance. Also,
   pcimePolicyExplicitVariableAuxClass and
   pcimePolicyImplicitVariableInstance are subclasses of the
   pcimePolicyVariable.
   Variables specify the property of a flow or an event that should be
   matched when evaluating the condition. A given variable selects the
   set of matchable value types through the
   ExpectedPolicyValuesForVariable association.
   The classes definitions are as follows. First, the definition of the
   abstract class pcimePolicyVariable:

   (<oid- >   NAME "pcimePolicyVariable"
      DESC   "An auxiliary class that set the value to the variable"
      SUP     pcimPolicy
      AUXILIARY
      MUST   (pcimeVariable $ pcimeValue)
   )
   The subclasses of pcimePolicyVariable are defined as follows. The
   class pcimePolicyVariableAuxClass is an auxiliary class that is used
   to define the relationship among the variables into Simple Policy
   Actions

   (<oid- >   NAME "pcimePolicyVariableAuxClass"
      DESC   "..."
      SUP     pcimPolicyVariable
      AUXILIARY
      MAY    ()
   )

   The subclass pcimePolicyVariableInstance is defined as follows:

   (<oid- >   NAME "pcimePolicyVariableInstance"
      DESC   "."
      SUP     pcimPolicyVariable
      STRUCTURAL
      MAY    ()
   )

   The subclass pcimePolicyExplicitVariableAuxClass is defined as
   follows:

   (<oid- >   NAME "pcimePolicyExplicitVariableAuxClass"
      DESC   " ? "
      SUP     pcimPolicyVariable
      AUXILIARY
      MAY    ()
   )

   The subclass pcimePolicyImplicitVariableInstance is defined as
   follows:

Reyes et al.
                          Expires June 2003                 [Page 13]

Internet Draft    Policy Core Extension LDAP Schema     December 2002


   (<oid- >   NAME "pcimePolicyImplicitVariableInstance"
      DESC   " ? "
      SUP     pcimPolicyVariable
      AUXILIARY
      MAY    ()
   )

5.12 The auxiliary class pcimeCompoundPolicyActionAuxClass.

   This class maps the CompoundPolicyAction class of the PCIMe. The
   class definition is as follows.

   (<oid- >   NAME "pcimeCompoundPolicyActionAuxClass"
         DESC   "An auxiliary class that represents group of actions".
         SUP     pcimActionAuxClass
         AUXILIARY
         MUST   (pcimeSequencedActions $ pcimeExecutionStrategy)
   )

   The attributes are mapped directly from the PCIMe.

5.13 The abstract class pcimeActionStructuresContaintment.

   This class is the base class for pcimeRuleActionAssociationAuxClass
   and pcimeActionAssociationAuxClass that represent the
   PolicyActionInPolicyRule and PolicyActionInPolicyAction aggregations.

   The class definition is as follows.

   (<oid- >  NAME "pcimeActionStructureContainment"
         DESC   "A class that has two subclasses:
                 pcimeActionAssociation and
                 pcimeRuleActionAssociation".
         SUP     pcimActionAuxClass
         ABSTRACT
         MUST   ( pcimActionOrder &
                 pcimeActionStructuresAuxContainedSet)
   )

5.14 The auxiliary class pcimeRuleActionAssociationAuxClass

   This class represents the PolicyActionInPolicyRule aggregation.

   The class definition is as follows:

      (<oid- >  NAME "pcimeRuleActionAssociationAuxClass"
         DESC   "A class representing the aggregation of PolicyActions
                via a PolicyRule".
         SUP    pcimeActionStructureContainmentAuxClass
         MUST   (pcimeActionDN)
         AUXILIARY
      )

Reyes et al.
                          Expires June 2003                 [Page 14]

Internet Draft    Policy Core Extension LDAP Schema     December 2002


5.15 The auxiliary class pcimeActionAssociationAuxClass.

   This class represents the PolicyActionInPolicyAction aggregation.

   The class definition would be as follows:

      (<oid- >  NAME "pcimeActionAssociationAuxClass"
         DESC   "A class representing the aggregation of PolicyActions
                 via another PolicyAction".
         SUP    pcimeActionStructureContainmentAuxClass
         MUST   (pcimeActionDN)
         AUXILIARY
      )

6. Security Considerations

  The security considerations for this document are the same as those
  of [PCLS] and are not further addressed in this version of the draft.

7. IANA Considerations

   Reference [LDAP-IANA].

7.1 Object Identifiers

   It is requested that IANA register an LDAP Object Identifer
   for use in this technical specification according to the
   following template:

   Subject: Request for LDAP OID Registration
   Person & email address to contact for further information:
      XXX
   Specification: RFC XXXX
   Author/Change Controller: IESG
   Comments:
      The assigned OID will be used as a base for identifying
      a number of schema elements defined in this document.

7.2 Object Identifier Descriptors

   It is requested that IANA register the LDAP Descriptors used
   in this technical specification as detailed in the following
   template:

   Subject: Request for LDAP Descriptor Registration Update
   Descriptor (short name): see comment
   Object Identifier: see comment
   Person & email address to contact for further information:
      Bob Moore (remoore@us.ibm.com)
   Usage: see comment
   Specification: RFC XXXX
   Author/Change Controller: IESG
   Comments:
Reyes et al.
                          Expires June 2003                 [Page 15]

Internet Draft    Policy Core Extension LDAP Schema     December 2002



   The following descriptors should be added:

   NAME                            Type    OID
   --------------                  ----    ------------
   pcimeXXX                        O       IANA-ASSIGNED-OID.1.1

8. References

  [CIM]   Distributed Management Task Force, Inc., "Common Information
          Model (CIM) Schema, version 2.3, March 2000.  The components
          of the CIM v2.3 schema are available via links on the
          following DMTF web page:  http://www.dmtf.org/spec/cims.html

  [PCIM]  B. Moore, E. Ellesson, J. Strassner, "Policy Core Information
          Model -- Version 1 Specification", RFC 3060, May, 2000.

  [PCIM_EXT] B. Moore et al., "Policy Framework Core Information Model
          Extensions", Internet Draft, work in progress,
          draft-ietf-policy-pcim-ext-08.txt.

  [PCLS]  J. Strassner, E. Ellesson, B. Moore, R. Moats, ?Policy Core
          LDAP Schema?, Internet Draft, work in progress,
          draft-ietf-policy-core-schema-16.txt.

   [LDAP-IANA] Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
           Considerations for the Lightweight Directory Access Protocol
          (LDAP)", BCP 64, RFC 3383, September 2002.

9. Authors" Addresses

   Angelica Reyes, Antoni Barba, David Moron
   Technical University of Catalonia
   Jordi-Girona 1-3
   08034 Barcelona
   Spain
   [angelica|telabm|moron]@mat.upc.es

   Marcus Brunner
   NEC Europe Ltd.
   Kurfuersten Anlage 34
   D-69115 Heidelberg
   Germany
   brunner@ccrle.nec.de

Full Copyright Statement

  Copyright (C) The Internet Society (2002). All Rights Reserved.

  This document and translations of it may be copied and furnished to
  others, and derivative works that comment on or otherwise explain it
  or assist in its implementation may be prepared, copied, published
  and distributed, in whole or in part, without restriction of any
Reyes et al.
                          Expires June 2003                 [Page 16]

Internet Draft    Policy Core Extension LDAP Schema     December 2002


  kind, provided that the above copyright notice and this paragraph are
  included on all such copies and derivative works. However, this
  document itself may not be modified in any way, such as by removing
  the copyright notice or references to the Internet Society or other
  Internet organizations, except as needed for the purpose of
  developing Internet standards in which case the procedures for
  copyrights defined in the Internet Standards process must be
  followed, or as required to translate it into languages other than
  English.

  The limited permissions granted above are perpetual and will not be
  revoked by the Internet Society or its successors or assigns.

  This document and the information contained herein is provided on an
  "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
  TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDIN
  BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
  HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
  MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Open issues

   Some classes need to be added:

   1. pcimeReusablePolicyContainer subclasses.
   Since pcimeRepository and its two subclasses are deprecated we have
   needed to add the pcimeReusablePolicyContainer and two subclasses:
   pcimeReusablePolicyContainerInstance (structural) and
   pcimeReusablePolicyContainerAuxClass(auxiliary). The class
   pcimeReusablePolicyContainer is defined as an abstract class so
   pcimeReusablePolicyContainer subclasses are needed in order to
   instanciate classes in the directory.

   2.We have to add the subclasses pcimeRuleActionAssociationAuxClass
   and pcimeActionAssociationauxClass

   3. We have to clarify next classes
   pcimePolicyVariableAuxClass.
    pcimePolicyVariableInstance.
    pcimePolicyExplicitVariableAuxClass.
    pcimePolicyImplicitVariableInstance.

   4. We have to clarify the mapping of next classes
   PolicyValue and their subclasses.
    PolicyImpliciyVariable subclasses.


   We also consider the next points:
   5. To define classes to search errors and classes to detect failures
   in the system
   6. Because of the policy server is centralized and the LDAP is
   distributed hierarchically could be necessary to add classes in order

Reyes et al.
                          Expires June 2003                 [Page 17]

Internet Draft    Policy Core Extension LDAP Schema     December 2002


   to find duplicates in the information. It can occur, for example when
   updating is excessively often.
   7. Mapping between Network domains and the updating of information.

   Servers via resource management programs could manage some of these
   topics, even though it is necessary to add specific classes.















































Reyes et al.
                          Expires June 2003                 [Page 18]


Html markup produced by rfcmarkup 1.108, available from http://tools.ietf.org/tools/rfcmarkup/