Network Working Group J. Halpern Internet-Draft Ericsson Intended status: Informational J. Strassner Expires:January 20,April 3, 2017 Huawei TechnologiesJuly 20,S. Van der Meer Ericsson October 1, 2016 Generic Policy Data Model for Simplified Use of Policy Abstractions (SUPA)draft-ietf-supa-generic-policy-data-model-00draft-ietf-supa-generic-policy-data-model-01 Abstract This document defines two YANG policy datamodels.modules. The first is a generic policy model that is meant to be extended on an application- specific basis. The second is an exemplary extension of the first generic policy model, and defines rules as event-condition-action policies. Both models are independent of the level of abstraction of the content and meaning of a policy. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire onJanuary 20,April 3, 2017. Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Overview ....................................................... 2 2. Conventions Used in This Document .............................. 2 3. Terminology .................................................... 3 3.1. Acronyms................................................................................................... 3 3.2. Definitions............................................................................................. 3 3.3. Symbology................................................. 4................................................ 5 4. Design of the SUPA Policy Data Models.......................... 4......................... 5 4.1. Objectives ............................................... 5 4.2 Yang Data Model Maintenance ................................ 5 4.3 YANG Data Model Overview ................................... 6 4.4. YANG Tree Diagram ........................................ 7 5. SUPA Policy Data Model YANG Module............................. 5............................ 11 6. IANA Considerations....................................................................................... 47 7. Security Considerations............................................................................... 47 8. Acknowledgments............................................................................................... 47 9. References......................................................................................................... 47 9.1. Normative References........................................................................... 48 9.2. Informative References....................................................................... 48 Authors' Addresses ................................................ 48 1. Overview This document defines two YANG [RFC6020] [RFC6991] policy data models. The first is a generic policy model that is meant to be extended on an application-specific basis. It is derived from the Generic Policy Information Model (GPIM) defined in [1]. The second is an exemplary extension of the first (generic policy) model, and defines policy rules as event-condition-action tuples. Both models are independent of the level of abstraction of the content and meaning of a policy. The GPIM defines a common framework as a set of model elements (e.g., classes, attributes, and relationships) that specify a common set of policy management concepts that are independent of the type of policy (e.g., imperative, procedural, declarative, or otherwise). The first YANG data model is a translation of the GPIM to a YANG module. TheEcaECA Policy Rule Information Model (EPRIM), also defined in [1], extends the GPIM to represent policy rules that use the Event-Condition-Action (ECA) paradigm. The second YANG data model maps the EPRIM to YANG. The second YANG data model MAY be used to augment the functionality of the first YANG data model. 2. Conventions Used in This Document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. In this document, these words will appear with that interpretation only when in ALL CAPS. Lower case uses of these words are not to be interpreted as carrying [RFC2119] significance. 3. Terminology This section defines acronyms, terms, and symbology used in the rest of this document. 3.1. Acronyms CNF Conjunctive Normal Form DNF Disjunctive Normal Form ECA Event-Condition-Action EPRIM (SUPA) ECA Policy Rule Information Model [1] FQDN Fully Qualified Domain Name FQPN Fully Qualified Path Name GPIM (SUPA) Generic Policy Information Model [1] GUID Globally Unique IDentifier NETCONF Network Configuration protocol OAM&P Operations, Administration, Management, and Provisioning OCL Object Constraint Language {2] [3] OID Object IDentifier SUPA Simplified Use of Policy Abstractions UML Unified Modeling Language URI Uniform Resource Identifier UUID Universally Unique IDentifier 3.2. Definitions Action: a set ofpurposefulactivities that have a set of associated behavior. Boolean Clause: a logical statement that evaluates to either TRUE or FALSE. Also called Boolean Expression. Condition: a set of attributes, features, and/or values that are to be compared with a set of known attributes, features, and/or values in order to make a decision. A Condition, when used in the context of a Policy Rule, is used to determine whether or not the set of Actions in that PolicyRulRule can be executed or not. Constraint: A constraint is a limitation or restriction. Constraints may be added to any type of object (e.g., events, conditions, and actions in Policy Rules).Constraint Programming: a type of programming that uses constraints to define relations between variables in order to find a feasible (and not necessarily optimal) solution.Data Model: a data model is a representation of concepts of interest to an environment in a form that is dependent on data repository, data definition language, query language, implementation language, and protocol (typically one or more of these). This definition is taken from [1]. ECA: Event - Condition - Actionpolicy.(a type of policy). Event: an Event is defined as any important occurrence in timeof a changein the system being managed, and/or in the environment of the system being managed. An Event may represent the changing or maintaining of the state of a managed object. An Event, when used in the context of a Policy Rule, is used to determine whether theconditionCondition clause of an imperative (i.e., ECA) Policy Rule can be evaluated or not. FQPN (FUlly Qualified Path Name) The specification of a path to a file in a system that unambiguously resolves to only that specific file. In this sense, "fully qualified" is independent of context. However, in a distributed system, it may be dependent on the specific format of an operating system. Hence, implementations should consider such issues before allowing the use of FQPNs. Information Model: an information model is a representation of concepts of interest to an environment in a form that is independent of data repository, data definition language, query language, implementation language, and protocol. This definition is taken from [1]. Metadata: metadata is data that provides descriptive and/or prescriptive information about the object(s) to which it isattached. Policy Rule:associated. This enables structure and content of the object(s) to which it applies, as well as usage and other information, to be represented in an extensible manner. It avoids "burying" common information in specific classes, and increases reuse. SUPAPolicy: A SUPAPolicy is, in this version of this document, an ECA policy rule that MUST contain an ECA policy rule, SHOULD contain one or more SUPAPolicyMetadata objects, and MAY contain other elements that define the semantics of the policy rule. An ECA Policy RuleisMUST contain an event clause, aset of rules thatcondition clause, and an action clause. Policies areusedgenerically defined as a means tomanagemonitor and control the changingorand/or maintaining of the state of one or more managed objects. This definition is based on the definition of SUPAPolicy in [1]. 3.3. Symbology The following representation is used to describe YANG data modules defined in this draft. o Brackets "[" and "]" enclose list keys. o Abbreviations before data node names: "rw" means configuration data (read-write), and "ro" means state data (read-only). o Symbols after data node names: "?" means an optional node, "!" means a presence container, and "*" denotes a list and leaf-list. o Parentheses enclose choice and case nodes, and case nodes are also marked with a colon (":"). o Ellipsis ("...") stands for contents of subtrees that are not shown. 4. Design of the SUPA Policy Data Models This section describes the design philosophy of the YANG data model, and how they will becompleted inmaintained. 4.1. Objectives These Data Models are derived from thenext version of this draft. Three important points are: - different policy modelsSUPA Generic Policy Information Model [1]. The overall objective is to faithfully transform that information model into a YANG data model that can be used for communicating policy. The policy scope to be covered is that defined by [1]; please refer to it for more details and background information. This model is an extensible framework that is independent of the implementation approach for storing polices, as well as being independent of the content and meaning of specific policies. These models can be extended (generally by using the groupings here and defining additional containers for concrete classes) to represent domain- and/or application-specific policies. The ECA model in this document is an example of extending the general policy model towards specific policies. By using this approach, different policy models will use common semantics, enabling them to be more easily integrated. One of the important goals of this work is for the semantics of these models to align with those of the generic policy information model. Thus, most of this model was generate by a quasi-algorithmic transformation of the information model. This was done by hand. Certain changes were made to reflect the fact that this is a YANG data model, and therefore, does not need to generically allow for all data modelling languages. Details of the process are described below in section 4.3. 4.2 Yang Data Model maintenance All model changes should be done to both the information model and the data model in parallel. Care is being taken during development of this model to ensure that is the case. In general, structural changes will be applied to both the information model and the data model, and then any necessary YANG repairs taken to preserve the validity of the YANG data model. 4.3 YANG Data Model Overview This YANG data model is generated by applying suitable YANG constructs to represent the information in the information model. There are three key information modeling concepts that this data model needs to represent consistently. These are classes, class inheritance (also known as subclassing) and associations. The SUPA generic policy information model [1] makes extensive use of these concepts. Each class in the model is represented by a YANG identity and by a YANG grouping. The use of groupings enables us to define these classes abstractly. Each grouping begins with two leaves (either defined in the grouping or inherited via a using clause), which provide common functionality. One leaf is used for the system-wide unique identifier for this instance. This is either named supa-policy-ID (for the SUPAPolicyObject tree, which contains everything EXCEPT metadata objects) or supa-policy-metadata-id (for the SUPAPolicyMetadata tree, which ONLY contains metadata). All associations use supa-policy-IDs. The second leaf is always called the entity-class. It is an identityref which is set to the identity of the instance. The default value for this leaf is always correctly defined by the grouping. It is read-write in the YANG formalism due to restrictions on the use of MUST clauses. Class inheritance (or subclassing) is done by defining an identity and a grouping for the new class. The identity is based on the parent identity, and is given a new name to represent this class. The new grouping uses the parent grouping. It refines the entity-class of the parent, replacing the default value of the entity-class with the correct value for this class. Associations are represented by the use of instance-identifiers and association classes. Association classes are classes, using the above construction, which contain leaves representing the set of instance-identifiers for each end of the association, along with any other properties the information model assigns to the association. The two associated classes each havecommon semantics - capture those semantics withinacommon framework (GPIM) - extend these semanticsleaf with an instance-identifier that points to the association class instance. Each instance-identifier leaf is defined with a must clause. That must clause references the entity-class of the target of the instance-identifier, and specifies that the entity class type must be the same as, or subclassed from, a specificECA example (EPRIM)named class. Thus, associations can point to any instance of a selected class, or any instance of any subclass of that target. While not mandated by the YANG, it is expected that the xpath for the instance-identifier will end with an array selection specifying the supa-policy-ID or supa-policy-metadata-id of the target. This enables us to construct the abstract class tree, with inheritance and associations. It is noted and accepted that this process does lose the distinction between containment, association, and aggregation used by the information model. The concrete class tree is constructed as follows. The YANG model defines a container for each class that is defined as concrete by the information model. That container contains a single list, keyed by either the supa-policy-id or the supa-policy-metadata-id. The content of the list is defined by a uses clause referencing the grouping that defines the class. After this was done, certain additional modifications were made. Specifically, any information model constructs intended to represent lists of possible values were recast as YANG enumerations. Where these lists are used more than once, they are factored out into reusable enumerations. Certain attributes that are not needed in the YANG (e.g., to represent the range of choices different data models might use for policy identification) were removed for simplicity and clarity. 4.4. YANG Tree Diagram The YANG Tree Diagram starts on the next page. It uses the following abbreviations for datatypes: - B: Boolean - E: enumeration - II: instance-identifier - IR: identityref - PC: policy-constraint-language-list - PD: policy-data-type-encoding-list - S: string - YD: yang:date-and-time - UI: uint32 module: ietf-supa-policydatamodel +--rw supa-encoding-clause-container | +--rw supa-encoding-clause-list* [supa-policy-ID] | +--rw supa-policy-ID S | +--rw entity-class? IR | +--rw supa-policy-name? S | +--rw supa-policy-object-description? S | +--rw supa-has-policy-metadata-agg-ptr* II | +--rw supa-has-policy-component-decorator-part-ptr II | +--rw supa-policy-clause-deploy-status E | +--rw supa-has-policy-clause-part-ptr* II I +--rw supa-encoded-clause-content S I +--rw supa-encoded-clause-language E +--rw supa-policy-variable-container | +--rw supa-policy-variable-list* [supa-policy-ID] | +--rw supa-policy-ID S | +--rw entity-class? IR | +--rw supa-policy-name? S | +--rw supa-policy-object-description? S | +--rw supa-has-policy-metadata-agg-ptr* II | +--rw supa-has-policy-component-decorator-part-ptr II | +--rw supa-has-policy-component-decorator-agg-ptr* II | +--rw supa-decorator-constraints* S | +--rw supa-has-decorator-constraint-encoding? PC | +--rw supa-policy-term-is-negated? B | +-rw supa-policy-variable-name? S +--rw supa-policy-operator-container | +--rw supa-policy-operator-list* [supa-policy-ID] | +--rw supa-policy-ID S | +--rw entity-class? IR | +--rw supa-policy-name? S | +--rw supa-policy-object-description? S | +--rw supa-has-policy-metadata-agg-ptr* II | +--rw supa-has-policy-component-decorator-part-ptr II | +--rw supa-has-policy-component-decorator-agg-ptr* II | +--rw supa-decorator-constraints* S | +--rw supa-has-decorator-constraint-encoding? PC | +--rw supa-policy-term-is-negated? B | +--rw supa-policy-value-op-type E +--rw supa-policy-value-container | +--rw supa-policy-value-list* [supa-policy-ID] | +--rw supa-policy-ID S | +--rw entity-class? IR | +--rw supa-policy-name? S | +--rw supa-policy-object-description? S | +--rw supa-has-policy-metadata-agg-ptr* II | +--rw supa-has-policy-component-decorator-part-ptr II | +--rw supa-has-policy-component-decorator-agg-ptr* II | +--rw supa-decorator-constraints* S | +--rw supa-has-decorator-constraint-encoding? PC | +--rw supa-policy-term-is-negated? B | +--rw supa-policy-value-content* S | +--rw supa-policy-value-encoding? PD +--rw supa-policy-generic-decorated-container | +--rw supa-encoding-clause-list* [supa-policy-ID] | +--rw supa-policy-ID S | +--rw entity-class? IR | +--rw supa-policy-name? S | +--rw supa-policy-object-description? S | +--rw supa-has-policy-metadata-agg-ptr* II | +--rw supa-has-policy-component-decorator-part-ptr II | +--rw supa-has-policy-component-decorator-agg-ptr* II | +--rw supa-decorator-constraints* S | +--rw supa-has-decorator-constraint-encoding? PC | +--rw supa-policy-generic-decorated-content* S | +--rw supa-policy-generic-decorated-encoding? PD +--rw supa-policy-concrete-metadata-container | +--rw supa-policy-concrete-metadata-list* [supa-policy-metadata-ID] | +--rw supa-policy-metadata-id S | +--rw entity-class? IR | +--rw supa-policy-metadata-description? S | +--rw supa-policy-metadata-name? S | +--rw supa-has-policy-metadata-part-ptr* II | +--rw supa-has-policy-metadata-dec-part-ptr* II | +--rw supa-policy-metadata-valid-period-end? YD | +--rw supa-policy-metadata-valid-period-start? YD +--rw supa-policy-metadata-decorator-access-container | +--rw supa-policy-metadata-decorator-access-list* [supa-policy-metadata-ID] | +--rw supa-policy-metadata-id S | +--rw entity-class? IR | +--rw supa-policy-metadata-description? S | +--rw supa-policy-metadata-name? S | +--rw supa-has-policy-metadata-part-ptr* II | +--rw supa-has-policy-metadata-dec-part-ptr* II | +--rw supa-has-policy-metadata-dec-agg-ptr? II +--rw supa-policy-metadata-decorator-version-container | +--rw supa-policy-metadata-decorator-version-list* [supa-policy-metadata-ID] | +--rw supa-policy-metadata-ID S | +--rw entity-class? IR | +--rw supa-policy-metadata-description? S | +--rw supa-policy-metadata-name? S | +--rw supa-has-policy-metadata-part-ptr* II | +--rw supa-has-policy-metadata-dec-part-ptr* II | +--rw supa-has-policy-metadata-dec-agg-ptr? II +--rw supa-policy-metadata-detail-container | +--rw supa-policy-metadata-detail-list [supa-policy-ID] | +--rw supa-policy-id S | +--rw entity-class? IR | +--rw supa-policy-name? S | +--rw supa-policy-object-description? S | +--rw supa-has-policy-metadata-agg-ptr* II | +--rw supa-has-policy-metadata-detail-agg-ptr? II | +--rw supa-has-policy-metadata-detail-part-ptr? II | +--rw supa-policy-metadata-detail-is-applicable? B | +--rw supa-policy-metadata-detail-constraint* S | +--rw supa-policy-metadata-detail-constraint-encoding? PC +--rw supa-policy-component-decorator-detail-container | +--rw supa-policy-component-decorator-detail-list* [supa-policy-ID] | +--rw supa-policy-id S | +--rw entity-class? IR | +--rw supa-policy-name? S | +--rw supa-policy-object-description? S | +--rw supa-has-policy-metadata-agg-ptr* II | +--rw supa-has-policy-component-decorator-agg-ptr? II | +--rw supa-has-policy-component-decorator-part-ptr? II | +--rw supa-has-decorator-constraint* S | +--rw supa-has-decorator-constraint-encoding PC +--rw supa-policy-source-detail-container | +--rw supa-policy-source-detail-list* [supa-policy-ID] | +--rw supa-policy-id S | +--rw entity-class? IR | +--rw supa-policy-name? S | +--rw supa-policy-object-description? S | +--rw supa-has-policy-metadata-agg-ptr* II I +--rw supa-has-policy-source-detail-agg-ptr? II I +--rw supa-has-policy-source-detail-part-ptr? II I +--rw supa-policy-source-is-authenticated? B I +--rw supa-policy-source-is-trusted? B +--rw supa-policy-target-detail-container | +--rw supa-policy-target-detail-list* [supa-policy-ID] | +--rw supa-policy-id S | +--rw entity-class? IR | +--rw supa-policy-name? S | +--rw supa-policy-object-description? S | +--rw supa-has-policy-metadata-agg-ptr* II I +--rw supa-has-policy-target-detail-agg-ptr? II I +--rw supa-has-policy-target-detail-part-ptr? II I +--rw supa-policy-target-is-authenticated? B I +--rw supa-policy-target-is-enabled? B +--rw supa-policy-clause-detail-container | +--rw supa-policy-clause-detail-list* [supa-policy-ID] | +--rw supa-policy-id S | +--rw entity-class? IR | +--rw supa-policy-name? S | +--rw supa-policy-object-description? S | +--rw supa-has-policy-metadata-agg-ptr* II | +--rw supa-policy-admin-status E | +--rw supa-policy-continuum-level? UI | +--rw supa-policy-deploy-status E | +--rw supa-policy-exec-fail-strategy E | +--rw supa-has-policy-source-agg-ptr* II | +--rw supa-has-policy-target-agg-ptr* II | +--rw supa-has-policy-clause-agg-ptr* II | +--rw supa-has-policy-exec-fail-action-agg-ptr* II | +--rw supa-has-policy-exec-fail-action-part-ptr* II | +--rw supa-has-policy-clause-detail-agg-ptr? II | +--rw supa-has-policy-clause-detail-part-ptr? II +--rw supa-policy-exec-fail-take-action-detail-container | +--rw supa-policy-exec-fail-take-action-detail-list* [supa-policy-ID] | +--rw supa-policy-id S | +--rw entity-class? IR | +--rw supa-policy-name? S | +--rw supa-policy-object-description? S | +--rw supa-has-policy-metadata-agg-ptr* II | +--rw supa-policy-admin-status E | +--rw supa-policy-continuum-level? UI | +--rw supa-policy-deploy-status E | +--rw supa-policy-exec-fail-strategy E | +--rw supa-has-policy-source-agg-ptr* II | +--rw supa-has-policy-target-agg-ptr* II | +--rw supa-has-policy-clause-agg-ptr* II | +--rw supa-has-policy-exec-fail-action-agg-ptr* II | +--rw supa-has-policy-exec-fail-action-part-ptr* II | +--rw supa-has-exec-fail-action-detail-agg-ptr? II | +--rw supa-has-exec-fail-action-detail-part-ptr? II | +--rw supa-policy-exec-fail-take-action-name* S +--rw supa-policy-metadata-decorator-detail-container +--rw supa-policy-metadata-decorator-detail-list* [supa-policy-metadata-ID] +--rw supa-policy-metadata-id S +--rw entity-class? IR +--rw supa-policy-metadata-description? S +--rw supa-policy-metadata-name? S +--rw supa-has-policy-metadata-part-ptr* II +--rw supa-has-policy-metadata-dec-part-ptr* II +--rw supa-has-policy-metadata-detail-dec-agg-ptr? II +--rw supa-has-policy-metadata-detail-dec-part-ptr? II 5. SUPA Policy Data Model YANG Module The SUPA YANG data model module is divided into two main parts: 1) a set of containers that represent the objects that make updated a Policy Rule and its Policy Rule Components 2) a set of containers that represent the objects that define and apply metadata to Policy Rules and/or Policy Rule Components [Editor's note] < This will be finished in version 02 > <CODE BEGINS> file"ietf-supa-policydatamodel@2016-03-21.yang""ietf-supa-policydatamodel@2016-10-01.yang" module ietf-supa-policydatamodel { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-supa-policydatamodel"; prefix supa-pdm; import ietf-yang-types { prefix yang; } organization "IETF"; contact "Editor: Joel Halpern email: jmh@joelhalpern.com; Editor: John Strassner email: strazpdj@gmail.com;"; description "This module defines a data model for generic high level definition of policies to be applied to a network. This module is derived from and aligns withdraft-strassner-supa-generic-policy-info-model-04.draft-ietf-supa-generic-policy-info-model-01. Details on all classes, associations, and attributes can be found there. Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info)."; revision2016-07-20"2016-10-01" { description"Conversion"20161001: Minor edits in association definitions. 20160928: Generated yang tree. 20160924: Rewrote association documentation; rebuilt how all classes are named for consistency. 20160904: Optimization of module by eliminating leaves that are not needed; rewrote section 4. 20160824: Edits to sync data model to info model. 20160720: Conversion to WGdraft, 20160720.draft. Fixed pyang 1.1 compilation errors. Fixed must clause derefencing used in grouping statements. Reformatted and expanded descriptions. Fixed various typos. 20160321: Initialversion, 20160321";version."; reference "draft-ietf-supa-policy-data-model-00"; } typedef policy-constraint-language-list { type enumeration { enum"undefined""error" { description "Thismay be used as an initialization and/orsignifies an errorstate.";state. OAM&P Policies SHOULD NOT use this SUPAPolicy if the value of this attribute is error."; } enum "init" { description "This signifies a generic initialization state. A suitable Policy Constraint Language (e.g., OCL [2] or Alloy[4]) may now be defined."; } enum "OCL2.4" { description "Object Constraint Languagev2.4.v2.4 [2]. This is a declarative language for describing rules for defining constraints and query expressions."; } enum "OCL2.x" { description "Object Constraint Language, v2.0 through2.3.1.";2.3.1 [2]."; } enum "OCL1.x" { description "Object Constraint Language, any version prior tov2.0.";v2.0 [3]."; } enum "QVT1.2R" { description "QVT RelationalLanguage.";Language [5]."; } enum "QVT1.2O" { description "QVT Operationallanguage.";language [5]."; } enum "Alloy" { description "A language for defining structures and and relations usingconstraints.";constraints [4]."; } } description "The language used to encode the constraints relevant to the relationship between the metadata and the underlying policy object."; } typedef policy-data-type-id-encoding-list { type enumeration { enum"undefined""error" { description "Thiscan be used for either initialization or for signifyingsignifies an error state. OAM&P Policies SHOULD NOT use this SUPAPolicy if the value of this attribute is error."; } enum"String""init" { description"The clause is directly present"This signifies an initialization state."; } enum "primary_key" { description "This represents the primary key of a table, which uniquely identifies each record in that table. It MUST NOT be NULL. It MAY consist of a single or multiple fields. Note that a YANG data model implementation does NOT have to implement this enumeration."; } enum "foreign_key" { description "This represents thecontent.";foreign key, which is a set or more fields in one table that uniquely identify a row in another table. It MAY be NULL. Note that a YANG data model implementation does NOT have to implement this enumeration."; } enum "GUID" { description "Theclauseobject is referenced by this GUID."; } enum "UUID" { description "Theclauseobject is referenced by this UUID."; } enum "URI" { description "Theclauseobject is referenced by this URI."; } enum "FQDN" { description "Theclauseobject is referenced by this FQDN."; } enum "FQPN" { description "The object is referenced by this FQPN. Note that FQPNs assume that all components can access a single logical file repostory."; } enum "string_instance_id" { description "A string that is the canonical representation, in ASCII, of an instance ID of this object."; } } description "The list of possible data types used to represent object IDs in theSUPA policy hierarchy.";SUPA policy hierarchy."; } typedef policy-data-type-encoding-list { type enumeration { enum "error" { description "This signifies an error state. OAM&P Policies SHOULD NOT use this SUPAPolicy if the value of this attribute is error."; }typedef policy-data-type-encoding-list { type enumeration {enum"undefined""init" { description "Thiscan be used for either initialization or for signifyingsignifies anerror.";initialization state."; } enum "string" { description "This represents a string data type."; } enum "integer" { description "This represents an integer data type."; } enum "boolean" { description "This represents a Boolean data type."; } enum "floating point" { description "This represents a floating point data type."; } enum "date-and-time" { description "This represents a data type that can specify date and/or time."; } enum "GUID" { description "This represents a GUID data type."; } enum "UUID" { description "This represents a UUID data type."; } enum "URI" { description "This represents aUniform Resource Identifier (URI)URI data type."; } enum "DN" { description "This represents aDistinguished Name (DN)DN data type."; } enum "FQDN" { description "The object is referenced by this FQDN."; } enum "FQPN" { description "The object is referenced by this FQPN. Note that FQPNs assume that all components can access a single logical file repostory."; } enum "NULL" { description "This represents a NULL data type. NULL means the absence of an actual value. NULL is frequently used to represent a missing or invalid value."; } enum "string_instance_id" { description "A string that is the canonical representation, in ASCII, of an instance ID of this object."; } } description "The set of allowable data types used to encode multi-valued SUPA Policy attributes."; } //identitiesIdentities are used in this model as a means to provide simple //reflectionintrospection to allow an instance-identifier to be tested as towhat// what class it represents.In turn, thisThis allows must clauses to specify // that the target of a particular instance-identifier leaf must be a // specific class, or within a certain branch of the inheritance tree. // This depends upon the ability to refine the entity class default // value. The entity class should be read-only.HowevermHowever, as this is // the target of a MUST condition, it cannot be config-false. Also, // it appears that we cannot put a MUST condition on its definition, // as the default (actual) value changesatfor eachinheritance.inherited object. identity POLICY-OBJECT-TYPE { description "The identity corresponding to a SUPAPolicyObject object instance."; } grouping supa-policy-object-type { leaf supa-policy-ID { type string; mandatory true; description "The string identifier of this policyobject. It mustobject, which functions as the unique object identifier of this object instance. This attribute MUST be unique within the policysystem.";system. This attribute is named supaObjectIDContent in [1], and is used with another attribute (supaObjectIDEncoding); since the YANG data model does not need this genericity, the supaObjectIDContent attribute was renamed, and the supaObjectIDEncoding attribute was not mapped."; } leaf entity-class { type identityref { base POLICY-OBJECT-TYPE; } default POLICY-OBJECT-TYPE; description "The identifier of the class of this grouping."; } leafsupa-policy-object-ID-encodingsupa-policy-name { typepolicy-data-type-id-encoding-list; mandatory true;string; description"The encoding used by"A human-readable name for this policy object. Note that this is NOT thesupa-object-ID.";object ID."; } leaf supa-policy-object-description { type string; description"Human readable"A human-readable description of the characteristics and behavior of this policy object."; }leaf supa-policy-name { type string; description "A human-readable name for this policy."; }leaf-listsupa-has-policy-metadata-aggsupa-has-policy-metadata-agg-ptr { type instance-identifier; must "derived-from-or-self (deref(.)/entity-class, SUPA-HAS-POLICY-METADATA-ASSOC)"; description"The SUPAPolicyObject object instance"This leaf-list holds instance-identifiers thataggregates this set ofreference a SUPAHasPolicyMetadata association [1]. This association is represented by the grouping supa-has-policy-metadata-detail. This association describes how each SUPAPolicyMetadataobject instances. As there are attributes oninstance is related to a given SUPAPolicyObject instance. Since thisassociation,association class contains attributes, the instance-identifier MUST point to an instance using the grouping supa-has-policy-metadata-detail (which includes subclasses of this association class)."; } description "This represents the SUPAPolicyObject [1] class. It is the superclass for all SUPAobjects. ItPolicy objects (i.e., all objects that are either Policies or components of Policies). Note that SUPA Policy Metadata objects are NOT subclassed from this class; they are instead subclassed from the SUPAPolicyMetadata (i.e., supa-policy-metadata-type) object. This class (supa-policy-object-type) is used to define common attributes and relationships that all SUPA Policy subclassesinherit.";inherit. It MAY be augmented with a set of zero or more SUPAPolicyMetadata objects using the SUPAHasPolicyMetadata association, which is represented by the supa-has-policy-metadata-agg leaf-list."; } identity POLICY-COMPONENT-TYPE { base POLICY-OBJECT-TYPE; description "The identity corresponding to a SUPAPolicyComponentStructure object instance."; } grouping supa-policy-component-structure-type { uses supa-policy-object-type { refine entity-class { defaultPOLICY-COMPONENT-TYPE;POLICY-OBJECT-TYPE; } } leafsupa-has-policy-component-decorator-partsupa-has-policy-component-decorator-part-ptr { type instance-identifier; must "derived-from-or-self (deref(.)/entity-class, SUPA-HAS-POLICY-COMPONENT-DECORATOR-ASSOC)"; mandatory true; description"A"This leaf holds instance-identifiers that referenceto thea SUPAHasDecoratedPolicyComponent associationclass for relating policy component decorators to the policy components they decorate. This[1], and is represented by theset ofgrouping supa-has-decorator-policy-component-detail. This association describes how each SUPAPolicyComponentStructureobject instances that are aggregated byinstance is related to a given SUPAPolicyComponentDecoratorobjectinstance.As there are attributes onMultiple SUPAPolicyComponentDecorator instances may be attached to a SUPAPolicyComponentStructure instance that is referenced in thisassociation,association by using the Decorator pattern [1]. Since this association class contains attributes, the instance-identifier MUST point to an instance using thespecified grouping. This defines the object class thatgrouping supa-has-decorator-policy-component-detail (which includes subclasses of thisinstance-identifier points to.";association class)."; } description"A"This represents the SUPAPolicyComponent class [1], which is the superclass for all objects that represent differenttypes ofcomponents of aPolicy Rule.Policy. Important subclasses include the SUPAPolicyClause and the SUPAPolicyComponentDecorator. This object is the root of thedecorator pattern;Decorator pattern [1]; as such, it enables all of its concrete subclasses to bedecorated.";wrapped with other concrete subclasses of the SUPAPolicyComponentDecorator class."; } identity POLICY-COMPONENT-DECORATOR-TYPE { base POLICY-COMPONENT-TYPE; description "The identity corresponding to a SUPAPolicyComponentDecorator object instance."; } grouping supa-policy-component-decorator-type { uses supa-policy-component-structure-type { refine entity-class { defaultPOLICY-COMPONENT-DECORATOR-TYPE;POLICY-COMPONENT-TYPE; } } leaf-listsupa-has-policy-component-decorator-aggsupa-has-policy-component-decorator-agg-ptr { type instance-identifier; must "derived-from-or-self (deref(.)/entity-class, SUPA-HAS-POLICY-COMPONENT-DECORATOR-ASSOC)";max-elementsmin-elements 1; description"The SUPAPolicyComponentDecorator object instance"This leaf-list holds instance-identifiers thataggregates this set of SUPAPolicyComponentStructure object instances.reference a SUPAHasDecoratedPolicyComponent association [1]. This association isa listrepresented by the grouping supa-has-decorator-policy-component-detail. This leaf-list helps implement the Decorator pattern [1], which enables all or part ofassociationsone or more object instances tothe SUPA policy components that this decorator decorates. As there are attributes onwrap another object instance. For example, any concrete subclass of SUPAPolicyClause, such as SUPAEncodedClause, may be wrapped by any concrete subclass of SUPAPolicyComponentDecorator (e.g., SUPAPolicyEvent). Since thisassociation,association class contains attributes, the instance-identifier MUST point to an instance using thespecified grouping. This defines the object class thatgrouping supa-has-decorator-policy-component-detail (which includes subclasses of thisinstance-identifier points to.";association class)."; } leaf-list supa-decorator-constraints { type string; description"A"This is a set of constraintexpression applyingexpressions that are applied to this decorator, allowing the specification of details not captured in its subclasses, using an appropriate constraintlanguage.";language that is specified in the supa-has-decorator-constraint-encoding leaf."; } leaf supa-has-decorator-constraint-encoding { type policy-constraint-language-list; description "The language in which the constraints on the policy component decorator isexpressed.";expressed. Examples include OCL 2.4 [2], Alloy [3], and English text."; } description "This object implements thedecorator pattern,Decorator pattern [1], which enables all or part of one or more concrete objects to wrap another concrete object."; } identity POLICY-COMPONENT-CLAUSE-TYPE { basePOLICY-COMPONENT-TYPE;POLICY-OBJECT-TYPE; description "The identity corresponding to a SUPAPolicyClause object instance."; } grouping supa-policy-clause-type { uses supa-policy-component-structure-type { refine entity-class { default POLICY-COMPONENT-CLAUSE-TYPE; } } leafsupa-policy-clause-exec-statussupa-policy-clause-deploy-status { type enumeration { enum"Unknown""error" { description "Thismay be used as an initialization and/orsignifies an errorstate.";state. OAM&P Policies SHOULD NOT use this SUPAPolicyClause if the value of this attribute is error."; } enum"Completed""init" { description "This signifiesthat this particular policy clause has run successfully, and is now idle.";an initialization state."; } enum"Working""deployed and enabled" { description "Thissignifies that this particular policy clause is currentlySUPAPolicyClause has been deployed inuse,the system andno errors have been reported.";is currently enabled."; } enum"Not Working""deployed and in test" { description "Thissignifies that this particular policy clauseSUPAPolicyClause has been deployed in the system, but is currently inuse, but one or more errors have been reported.";test and SHOULD NOT be used in OAM&P policies."; } enum"Available""deployed but not enabled" { description "Thissignifies that this particular policy clause could be used, but currently is notSUPAPolicyClause has been deployed inuse.";the system, but has been administratively disabled."; } enum"In Test""ready to be deployed" { description "Thissignifies that this particular policy clauseSUPAPolicyClause has been properly initialized, and isnot for use in operational policies.";now ready to be deployed."; } enum"Disabled""cannot be deployed" { description "Thissignifies that this particular policy clause is not available for use.";SUPAPolicyClause has been administratively disabled, and SHOULD NOT be used as part of an OAM&P policy."; } } mandatory true; description "Thisdescribesdefines whether thispolicy clause is in use andSUPAPolicy has been deployed and, ifsoso, whether it isworking properly.";enabled and ready to be used or not."; } leaf-listsupa-has-policy-clause-partsupa-has-policy-clause-part-ptr { type instance-identifier; must "derived-from-or-self (deref(.)/entity-class, SUPA-HAS-POLICY-CLAUSE-ASSOC)"; min-elements 1; description"The set"This leaf-list holds instance-identifiers that reference a SUPAHasPolicyClause association [1], and is represented by the grouping supa-has-policy-clause-detail. This association describes how each SUPAPolicyClause instance is related to this particular SUPAPolicyStructure instance. For example, this association may restrict which concrete subclasses of the SUPAPolicyStructure class can be associated with which contrete subclasses of the SUPAPolicyClauseobject instances that are aggregatedclass. The set of SUPAPolicyClauses, identified by thisSUPAPolicyStructure (i.e., this SUPA Policy Rule) object instance. This definesleaf-list, define theobject class thatcontent of this SUPAPolicyStructure. Since this association class contains attributes, the instance-identifierpoints to.";MUST point to an instance using the grouping supa-has-policy-clause-detail (which includes subclasses of this association class)."; } description "The parent class for all SUPA PolicyClauses.";Clauses. A SUPAPolicyClause is a fundamental building block for creating SUPA Policies. A SUPAPolicy is a set of statements, and a SUPAPolicyClause can be thought of as all or part of a statement. The Decorator pattern [1] is used, which enables the contents of a SUPAPolicyClause to be adjusted dynamically at runtime without affecting other objects of either type."; } identity POLICY-ENCODED-CLAUSE-TYPE { base POLICY-COMPONENT-CLAUSE-TYPE; description "The identity corresponding to aSUPAPolicyEncodedClauseSUPAEncodedClause object instance."; } grouping supa-encoded-clause-type { uses supa-policy-clause-type { refine entity-class { default POLICY-ENCODED-CLAUSE-TYPE; } } leaf supa-encoded-clause-content { type string; mandatory true; description"Either a reference to a source for this clause or"This defines thestring representationcontent of this SUPAEncodedClause; theclause."; } leaf supa-encoded-clause-encoding { type policy-data-type-id-encoding-list; mandatory true; description "The encoding forlanguage used to express this content is defined by theencoding clause content.";supa-encoded-clause-language attribute."; } leaf supa-encoded-clause-language { type enumeration { enum"undefined""error" { description "Thismay be used as an initialization and/orsignifies an error state. OAM&P Policies SHOULD NOT use this SUPAEncodedClause if the value of this attribute is error."; } enum "init" { description "This signifies an initialization state."; } enum"CLI""YANG" { description "This defines the language used in this SUPAEncodedClause as a type of YANG. Additional details may be provided by attaching a SUPAPolicyMetadata object to this SUPAEncodedClause object instance."; } enum "XML" { description "This defines the language as a type ofCommand Line Interface.";XML. Additional details may be provided by attaching a SUPAPolicyMetadata object to this SUPAEncodedClause object instance."; } enum "TL1" { description "This defines the language as a type of Transaction Language1.";1. Additional details may be provided by attaching a SUPAPolicyMetadata object to this SUPAEncodedClause object instance."; } enum"YANG""Text" { description "Thisdefinesis a textual string that can be used to define a language choice that is not listed by a specific enumerated value. This string MUST be parsed by the policy system to identify the language being used. A SUPAPolicyMetadata object (represented as a supa-policy-metadata-type leaf) can be used to provide further details about thelanguage as a type of YANG.";language"; } } mandatory true; description "Indicates thelanaguagelanguage used for this SUPAEncodedClause objectinstance."; } leaf supa-encoded-clause-response { type boolean; description "If present, this representsinstance. Prescriptive and/or descriptive information about thesuccess or failureusage of this SUPAEncodedClause may be provided by one or more SUPAPolicyMetadata objects, which are each attached to thelast invocationobject instance of thisclause.";SUPAEncodedClause."; } description "This class refines the behavior of the supa-policy-clause by encoding the contents of the clause into the attributes of this object. This enables clauses that are not based on other SUPA objects to bemodeled."; } container supa-encoding-clause-container { description "This is a container to collect all object instances of type SUPAEncodedClause."; list supa-encoding-clause-list { key supa-policy-ID; uses supa-encoded-clause-type; description "List of all instances of supa-encoding-clause-type. If a module defines subclasses of the encoding clause, those will be stored inmodeled. For example, aseparate container."; } } identity POLICY-COMPONENT-TERM-TYPE { base POLICY-COMPONENT-DECORATOR-TYPE; description "The identity corresponding toPOLICY Application could define aSUPAPolicyComponentDecorator object instance."; } grouping supa-policy-term-type { uses supa-policy-component-decorator-type { refine entity-class { default POLICY-COMPONENT-TERM-TYPE; } } leaf supa-policy-term-is-negated { type boolean; description "If the value of this attribute is true, then this particular term is negated."; } description "This is the superclass of all SUPA policy objects that are used to testCLI orset the value of a variable."; } identity POLICY-COMPONENT-VARIABLE-TYPE { base POLICY-COMPONENT-TERM-TYPE; description "The identity corresponding toYANG configuration snippet and encode that snipped into aSUPAPolicyVariable object instance."; } grouping supa-policy-variable-type { uses supa-policy-term-type { refine entity-class { default POLICY-COMPONENT-VARIABLE-TYPE; } } leaf supa-policy-variable-name { type string; description "A human-readable name for this policy variable."; } description "This is one formulation ofSUPAEncodedClause. Note that aSUPA Policy Clause. It uses an object, defined in the SUPA hierarchy, to representSUPAEncodedClause simply defines thevariable portioncontent of the clause. In particular, it does NOT provide aSUPA Policy Clause.response. Theattribute defined bypolicy engine that is parsing and evaluating thesupa-policy-variable-name specifies an attribute whose content should be comparedSUPAPolicy needs to assign avalue, which is typically specified by supa-policy-value-type.";response to any SUPAEncodedClause that it encounters."; } containersupa-policy-variable-containersupa-encoding-clause-container { description "This is a container to collect all object instances of typeSUPAPolicyVariable.";SUPAEncodedClause."; listsupa-policy-variable-listsupa-encoding-clause-list { key supa-policy-ID; usessupa-policy-variable-type;supa-encoded-clause-type; description"List"A list of all instances ofsupa-policy-variable-type.supa-encoding-clause-type. If a module defines subclasses ofthis class,the encoding clause, those will be stored in a separate container."; } } identityPOLICY-COMPONENT-OPERATOR-TYPEPOLICY-COMPONENT-TERM-TYPE { basePOLICY-COMPONENT-TERM-TYPE;POLICY-COMPONENT-DECORATOR-TYPE; description "The identity corresponding to aSUPAPolicyOperatorSUPAPolicyTerm object instance."; } groupingsupa-policy-operator-typesupa-policy-term-type { usessupa-policy-term-typesupa-policy-component-decorator-type { refine entity-class { defaultPOLICY-COMPONENT-OPERATOR-TYPE;POLICY-COMPONENT-TYPE; } } leafsupa-policy-value-op-typesupa-policy-term-is-negated { typeenumeration { enum "unknown" { description "This may be used as an initialization and/or an error state."; } enum "greater than" { description "A greater-than operator."; } enum "greater than or equal to" { description "A greater-than-or-equal-to operator."; } enum "less than" { description "A less-than operator."; } enum "less than or equal to" { description "A less-than-or-equal-to operator."; } enum "equal to" { description "An equal-to operator."; } enum "not equal to"{ description "A not-equal-to operator."; } enum "IN" {boolean; description"An operator that determines whether a given value matches any of"If thespecified values."; } enum "NOT IN" { description "An operator that determines whether a givenvaluedoes not match anyofthe specified values.";this attribute is true, then this particular term is negated."; }enum "SET" {description"An operator that makes"This is thevaluesuperclass ofthe result equal to the input value."; } enum "CLEAR"{ description "An operatorall SUPA policy objects thatdeletesare used to test or set the value of a variable. It does this by defining a {variable-operator-value} three-tuple, where each element of thespecified object.";three-tuple is defined by a concrete subclass of the appropriate type (e.g., SUPAPolicyVariable, SUPAPolicyOperator, or SUPAPolicyVariable)."; }enum "BETWEEN"identity POLICY-COMPONENT-VARIABLE-TYPE { base POLICY-COMPONENT-TERM-TYPE; description"An operator that determines whether a given value is within"The identity corresponding to aspecified range of values.";SUPAPolicyVariable object instance."; } grouping supa-policy-variable-type { uses supa-policy-term-type { refine entity-class { default POLICY-COMPONENT-TYPE; } }mandatory true; description "Theleaf supa-policy-variable-name { typeof operator used to compare the variable and value portions ofstring; description "A human-readable name for thisSUPA Policy Clause.";policy variable."; } description "This is one formulation of a SUPA Policy Clause. It uses the canonical form of anobject, definedexpression, which is a three-tuple in theSUPA hierarchy, to representform {variable, operator, value}. In this approach, each of theoperator portionthree terms can either be a subclass of the appropriate SUPAPolicyTerm class, or another object that plays the role (i.e., aSUPA Policy Clause.variable) of that term. The attribute defined by thesupa-policy-op-typesupa-policy-variable-name specifies the name of an attribute whose contentdefines the type of operator usedshould be compared tocomparethevariable andvalueportionsportion ofthis policy clause.";a SUPAPolicyTerm, which is typically specified by a SUPAPolicyValue object."; } containersupa-policy-operator-containersupa-policy-variable-container { description "This is a container to collect all object instances of typeSUPAPolicyOperator.";SUPAPolicyVariable."; listsupa-policy-operator-listsupa-policy-variable-list { key supa-policy-ID; usessupa-policy-operator-type;supa-policy-variable-type; description "List of all instances ofsupa-policy-operator-type.supa-policy-variable-type. If a module defines subclasses of this class, those will be stored in a separate container."; } } identityPOLICY-COMPONENT-VALUE-TYPEPOLICY-COMPONENT-OPERATOR-TYPE { base POLICY-COMPONENT-TERM-TYPE; description "The identity corresponding to aSUPAPolicyValueSUPAPolicyOperator object instance."; } groupingsupa-policy-value-typesupa-policy-operator-type { uses supa-policy-term-type { refine entity-class { defaultPOLICY-COMPONENT-VALUE-TYPE;POLICY-COMPONENT-TYPE; } }leaf-list supa-policy-value-contentleaf supa-policy-value-op-type { typestring;enumeration { enum "error" { description"The content of"This signifies an error state. OAM&P Policies SHOULD NOT use this SUPAPolicyOperator if the valueportionof thisSUPA Policy Clause. The data type of the contentattribute isspecifiederror."; } enum "init" { description "This signifies an initialization state."; } enum "greater than" { description "A greater-than operator."; } enum "greater than or equal to" { description "A greater-than-or-equal-to operator."; } enum "less than" { description "A less-than operator."; } enum "less than or equal to" { description "A less-than-or-equal-to operator."; } enum "equal to" { description "An equal-to operator."; } enum "not equal to"{ description "A not-equal-to operator."; } enum "IN" { description "An operator that determines whether a given value of a variable in a SUPAPolicyTerm matches a value inthe supa-policy-value-encoding.";a SUPAPolicyTerm."; }leaf supa-policy-value-encodingenum "NOT IN" {type policy-data-type-encoding-list;description"The data type"An operator that determines whether a given variable in a SUPAPolicyTerm does not match any of thesupa-policy-value-content.";specified values in a SUPAPolicyTerm."; } enum "SET" { description"This is one formulation"An operator that makes the value ofa SUPA Policy Clause. It uses an object, defined intheSUPA hierarchy,result equal torepresentthe input value."; } enum "CLEAR"{ description "An operator that sets the valueportionofa SUPA Policy Clause. The attribute defined bythesupa-policy-value-content specifies an attribute whose content should be comparedspecified object to avariable, whichvalue that istypically specified by supa-policy-variable-type.";0 for integer datatypes, an empty string for textual datatypes, and FALSE for Boolean datatypes. This value MUST NOT be NULL."; }container supa-policy-value-containerenum "BETWEEN" { description"This is"An operator that determines whether acontainer to collect all object instances of type SUPAPolicyValue."; list supa-policy-value-list { key supa-policy-ID; uses supa-policy-value-type; description "List of all instances of supa-policy-value-type. Ifgiven value is within amodule defines subclassesspecified range of values. Note that thisclass, those will be stored in a separate container.";is an inclusive operator."; } }identity POLICY-GENERIC-DECORATED-TYPE { base POLICY-COMPONENT-DECORATOR-TYPE;mandatory true; description "Theidentity correspondingtype of operator used toa SUPAGenericDecoratedComponent object instance."; } grouping supa-policy-generic-decorated-type { uses supa-policy-component-decorator-type { refine entity-class { default POLICY-GENERIC-DECORATED-TYPE; }compare the variable and value portions of this SUPAPolicyTerm."; }leaf-list supa-policy-generic-decorated-content { type string;description"The content"This is one formulation ofthisa SUPA Policy Clause.The data type of this attribute is specified inIt uses thesupa-policy-generic-decorated-encoding."; } leaf supa-policy-generic-decorated-encoding { type policy-data-type-encoding-list; description "The data typecanonical form ofthe supa-policy-generic-decorated-content attribute."; } description "This object enables a generic object to be defined and used asan expression, which is adecoratorthree-tuple ina SUPA Policy Clause. This should not be confused withtheSUPAEncodedClause class. This class representsform {variable, operator, value}. In this approach, each of the three terms can either be asingle, atomic, vendor-specificsubclass of the appropriate SUPAPolicyTerm class, or another object thatdefines a portionplays the role (i.e., an operator) of that term. The value of the supa-policy-value-op-type attribute specifies an operator that SHOULD be used to compare the variable and value portions of aSUPA Policy Clause, whereasSUPAPolicyTerm. This is typically specified by aSUPA Policy Encoded Clause represents the entire policy clause.";SUPAPolicyOperator object."; } containersupa-policy-generic-decorated-containersupa-policy-operator-container { description "This is a container to collect all object instances of typeSUPAGenericDecoratedComponent.";SUPAPolicyOperator."; listsupa-encoding-clause-listsupa-policy-operator-list { key supa-policy-ID; usessupa-policy-generic-decorated-type;supa-policy-operator-type; description "List of all instances ofsupa-policy-generic-decorated-type.supa-policy-operator-type. If a module defines subclasses of this class, those will be stored in a separate container."; } } identityPOLICY-COLLECTIONPOLICY-COMPONENT-VALUE-TYPE { basePOLICY-COMPONENT-DECORATOR-TYPE;POLICY-COMPONENT-TERM-TYPE; description "The identity corresponding to aSUPAPolicyCollectionSUPAPolicyValue object instance."; } groupingsupa-policy-collectionsupa-policy-value-type { usessupa-policy-component-decorator-typesupa-policy-term-type { refine entity-class { defaultPOLICY-COLLECTION;POLICY-COMPONENT-TYPE; } } leaf-listsupa-policy-collection-contentsupa-policy-value-content { type string; description "The content of the value portion of thiscollection object.SUPA Policy Clause. The data type of the content is specified insupa-policy-collection-encoding.";the supa-policy-value-encoding attribute."; } leafsupa-policy-collection-encodingsupa-policy-value-encoding { typeenumeration { enum "undefined" { description "This may be used as an initialization and/or an error state."; } enum "by regex" {policy-data-type-encoding-list; description"This defines the"The data type of thecontent of this collection instance to be a regular expression that contains all or part of a string to match the class name of the object that is to be collected by this instance of a SUPAPolicyCollection class.";supa-policy-value-content attribute."; }enum "by URI" {description "Thisdefines the data type of the contentis one formulation ofthis collection instance to beaUniform Resource Identifier.SUPA Policy Clause. Itidentifiesuses theobject instance that is to be collected by this instancecanonical form of an expression, which is aSUPAPolicyCollection class."; } } mandatory true; description "The data typethree-tuple in the form {variable, operator, value}. In this approach, each of thesupa-policy-collection-content."; } leaf supa-policy-collection-function { type enumeration { enum "undefined" { description "This maythree terms can either beused as an initialization and/or an error state."; } enum "event collection" { description "This collection contains objectsa subclass of the appropriate SUPAPolicyTerm class, or another object thatare used to populateplays theevent clauserole (i.e., a value) of that term. The attribute defined by supa-policy-value-content specifies aSUPA Policy."; } enum "condition collection" { description "This collection contains objectsa value (which is typically specified by a subclass of SUPAPolicyVariable) thatare usedshould be compared topopulatea value in thecondition clausevariable portion ofa SUPA Policy.";the SUPAPolicyTerm."; }enum "action collection"container supa-policy-value-container { description "Thiscollection contains objects that are usedis a container topopulate the action clausecollect all object instances ofa SUPA Policy."; } enum "logic collection"type SUPAPolicyValue."; list supa-policy-value-list { key supa-policy-ID; uses supa-policy-value-type; description"This collection contains objects that define logic for processing"List of all instances of supa-policy-value-type. If aSUPA Policy."; } } description "Defines howmodule defines subclasses of thiscollection instance is toclass, those will beused.";stored in a separate container."; }leaf supa-policy-collection-is-ordered} identity POLICY-GENERIC-DECORATED-TYPE {type boolean;base POLICY-COMPONENT-DECORATOR-TYPE; description"If the value of this leaf is true, then all elements in this collection are ordered.";"The identity corresponding to a SUPAGenericDecoratedComponent object instance."; }leaf supa-policy-collection-typegrouping supa-policy-generic-decorated-type {type enumerationuses supa-policy-component-decorator-type {enum "undefined"refine entity-class {description "This may be used as an initialization and/or an error state.";default POLICY-COMPONENT-TYPE; }enum "set" { description "An unordered collection of elements that MUST NOT have duplicates.";}enum "bag"leaf-list supa-policy-generic-decorated-content { type string; description"An unordered collection"The content ofelements that MAY have duplicates."; } enum "dictionary" { description "A listthis SUPAGenericDecoratedComponent object instance. The data type ofvalues thatthis attribute isinterpreted as a set of pairs, with the first entry of each pair interpreted as a dictionary key, andspecified in thesecond entry interpreted as a value for that key. As a result, collections using this value of supa-policy-collection-type MUST have supa-policy-collection-is-ordered set to true."; }leaf supa-policy-generic-decorated-encoding."; }mandatory true;leaf supa-policy-generic-decorated-encoding { type policy-data-type-encoding-list; description "Thetypedatatype of thesupa-policy-collection.";supa-policy-generic-decorated-content attribute."; } description "This class enables acollection of arbitrary objectsgeneric object to be defined and used as a decorator in a SUPA Policy Clause. This class should not be confused with the SUPAEncodedClause class.This classA SUPAGenericDecoratedComponent object represents a single,atomic,atomic object that defines a portion of the contents of aSUPA Policy Clause,SUPAPolicyClause, whereas aSUPA Policy Encoded ClauseSUPAPolicyEncodedClause represents the entirepolicy clause.";contents of a SUPAPolicyClause."; } containersupa-policy-collection-containersupa-policy-generic-decorated-container { description "This is a container to collect all object instances of typeSUPAPolicyCollection.";SUPAGenericDecoratedComponent."; listsupa-policy-collection-listsupa-encoding-clause-list { key supa-policy-ID; usessupa-policy-collection;supa-policy-generic-decorated-type; description "List of all instances ofsupa-policy-collection.supa-policy-generic-decorated-type. If a module defines subclasses of this class, those will be stored in a separate container."; } } identity POLICY-STRUCTURE-TYPE { base POLICY-OBJECT-TYPE; description "The identity corresponding to a SUPAPolicyStructure object instance."; } grouping supa-policy-structure-type { uses supa-policy-object-type { refine entity-class { default POLICY-STRUCTURE-TYPE; } } leaf supa-policy-admin-status { type enumeration { enum"unknown""error" { description "Thismay be used as an initialization and/orsignifies an error state. OAM&P Policies SHOULD NOT use this SUPAPolicy if the value of this attribute is error."; } enum "init" { description "This signifies an initialization state."; } enum "enabled" { description "ThisSUPA Policy Rulesignifies that this SUPAPolicy has been administratively enabled."; } enum "disabled" { description "ThisSUPA Policy Rulesignifies that this SUPAPolicy has been administratively disabled."; } enum "in test" { description "ThisSUPA Policy Rulesignifies that this SUPAPolicy has been administratively placed into test mode, and SHOULD NOT be used as part of an operational policy rule."; } } mandatory true; description "The current admnistrative status of thisSUPA POLICY Rule.";SUPAPolicy."; } leaf supa-policy-continuum-level { type uint32; description "This is the current level of abstraction of this particularSUPA Policy Rule.";SUPAPolicyRule. By convention, the values 0 and 1 should be used for error and initialization states; a value of 2 is the most abstract level, and higher values denote more concrete levels."; } leaf supa-policy-deploy-status { type enumeration { enum"undefined""error" { description "Thismay be used as an initialization and/orsignifies an errorstate."; } enum "deployed and enabled" { description "This SUPA Policy Rule has been deployed and enabled."; } enum "disabled" { description "This SUPA Policy Rule has been administratively disabled."; } enum "in test" { description "This SUPA Policy Rule has been administratively placed into test mode, andstate. OAM&P Policies SHOULD NOTbe used as part of an operational policy rule."; } } mandatory true; description "This isuse this SUPAPolicy if thecurrent level of abstractionvalue of thisparticular SUPA Policy Rule.";attribute is error."; }leaf supa-policy-exec-status { type enumeration {enum"undefined""init" { description "Thismay be used assignifies an initializationand/or an errorstate."; } enum"operational success" { description "This SUPA Policy Rule has been executed in operational mode,"deployed andproduced no errors."; } enum "operational failure"enabled" { description "ThisSUPA Policy RuleSUPAPolicy has beenexecuted in operational mode, but has produced at least one error."; } enum "currentlydeployed inoperation" { description "This SUPA Policy Rulethe system and is currentlystill executing in operational mode.";enabled."; } enum"ready""deployed and in test" { description "ThisSUPA Policy RuleSUPAPolicy has been deployed in the system, but isready tocurrently in test and SHOULD NOT beexecutedused inoperational mode.";OAM&P policies."; } enum"test success""deployed but not enabled" { description "ThisSUPA Policy RuleSUPAPolicy has beenexecuteddeployed intest mode, and produced no errors.";the system, but has been administratively disabled."; } enum"test failure""ready to be deployed" { description "ThisSUPA Policy RuleSUPAPolicy has beenexecuted in test mode, but has produced at least one error.";properly initialized, and is now ready to be deployed."; } enum"currently in test""cannot be deployed" { description "ThisSUPA Policy Rule is currently still executing in test mode.";SUPAPolicy has been administratively disabled, and SHOULD NOT be used as part of an OAM&P policy."; } } mandatory true; description "Thisis the current level of abstraction ofattribute defines whether thisparticular SUPA Policy Rule.";SUPAPolicy has been deployed and, if so, whether it is enabled and ready to be used or not."; } leaf supa-policy-exec-fail-strategy { type enumeration { enum"undefined""error" { description "Thismay be used as an initialization and/orsignifies an error state. OAM&P Policies SHOULD NOT use this SUPAPolicy if the value of this attribute is error."; } enum "init" { description "This signifies an initialization state."; } enum "rollback all" { description "This means that execution of thisSUPA Policy Rule isSUPAPolicy SHOULD be stopped, and rollback of allactionsSUPAPolicyActions (whethersuccessfulthey were successfully executed or not) performed by this particular SUPAPolicy isattempted, andattempted. Also, allSUPA Policy RulesSUPAPolicies that otherwise would have been executed as a result of this SUPAPolicy areignored.";NOT executed."; } enum "rollbackfailure"single" { description "This means that execution of thisSUPA Policy Rule isSUPAPolicy SHOULD be stopped, and rollback is attempted foronlyONLY theSUPA Policy RuleSUPAPolicyAction (belonging to this particular SUPAPolicy) that failed to executecorrectly.";correctly. All remaining actions including SUPAPolicyActions and SUPAPolicies that otherwise would have been executed as a result of this SUPAPolicy, are NOT executed."; } enum "stop execution" { description "This means that execution of thisSUPA Policy RuleSUPAPolicy SHOULD bestopped.";stopped without any other action being performed; this includes corrective actions, such as rollback, as well as any SUPAPolicyActions or SUPAPolicies that otherwise would have been executed."; } enum "ignore" { description "This means that any failures produced by thisSUPA Policy RuleSUPAPolicy SHOULD be ignored, and hence, no corrective actions, such as rollback, will be performed at this time. Hence, any other SUPAPolicyActions or SUPAPolicies SHOULD continue to beignored.";executed."; } } mandatory true; description "This defines what actions, if any, should be taken by this particular SUPA Policy Rule if it fails to execute correctly. Some implementations may not be able to accommodate the rollback failure option; hence, this option may be skipped."; } leaf-listsupa-has-policy-source-aggsupa-has-policy-source-agg-ptr { type instance-identifier; must "derived-from-or-self (deref(.)/entity-class, SUPA-HAS-POLICY-SOURCE-ASSOC)"; description"The SUPAPolicyStructure (i.e., the type of SUPA Policy Rule) object instance"This leaf-list holds instance-identifiers thataggregatesreference SUPAHasPolicySource associations [1]. This association is represented by the grouping supa-has-policy-source-detail, and describes how thissetSUPAPolicyStructure instance is related to a set of SUPAPolicySourceobjectinstances.ThisEach SUPAPolicySource instance definesthe object class thata set of unambiguous sources of this SUPAPolicy. Since this association class contains attributes, the instance-identifierpoints to.";MUST point to an instance using the grouping supa-has-policy-source-detail (which includes subclasses of this association class)."; } leaf-listsupa-has-policy-target-aggsupa-has-policy-target-agg-ptr { type instance-identifier; must "derived-from-or-self (deref(.)/entity-class, SUPA-HAS-POLICY-TARGET-ASSOC)"; description "Thisrepresents the aggregation of Policy Target objects by this particular SUPA Policy Rule. Itleaf-list holds instance-identifiers that reference SUPAHasPolicyTarget associations [1]. This association is represented by the grouping supa-has-policy-target-detail, and describes how this SUPAPolicyStructureobjectinstancethat aggregates thisis related to a set of SUPAPolicyTargetobjectinstances.ThisEach SUPAPolicyTarget instance definesthe object class thata set of unambiguous managed entities to which this SUPAPolicy will be applied to. Since this association class contains attributes, the instance-identifierpoints to.";MUST point to an instance using the grouping supa-has-policy-target-detail (which includes subclasses of this association class)."; } leaf-listsupa-has-policy-clause-aggsupa-has-policy-clause-agg-ptr { type instance-identifier; must "derived-from-or-self (deref(.)/entity-class, SUPA-HAS-POLICY-CLAUSE-ASSOC)"; description"The"This leaf-list holds instance-identifiers that reference SUPAHasPolicyClause associations [1]. This association is represented by the grouping supa-has-policy-clause-detail. This association describes how this particular SUPAPolicyStructureobjectinstancethat aggregatesis related to this set of SUPAPolicyClauseobjectinstances. Since this association class contains attributes, the instance-identifier MUST point to an instance using the supa-has-policy-clause-detail (which includes subclasses of this association class)."; } leaf-list supa-has-policy-exec-fail-action-agg-ptr { type instance-identifier; must "derived-from-or-self (deref(.)/entity-class, SUPA-HAS-POLICY-EXEC-ACTION-ASSOC)"; description "This leaf-list holds instance-identifiers that reference a SUPAHasPolExecFailtActionToTake association [1]. Thisdefinesassociation is represented by the supa-has-policy-exec-action-detail grouping. This association relates this SUPAPolicyStructure instance (the parent) to one or more SUPAPolicyStructure instances (the children), where each child SUPAPolicyStructure contains one or more SUPAPolicyActions to be executed if the parent SUPAPolicyStructure instance generates an error while it is executing. Since this association class contains attributes, the instance-identifier MUST point to an instance using theobject class thatgrouping supa-has-policy-exec-action-detail (which includes subclasses of thisinstance-identifier points to.";association class)."; } leaf-listsupa-has-policy-exec-action-assoc-src-ptrsupa-has-policy-exec-fail-action-part-ptr { type instance-identifier; must "derived-from-or-self (deref(.)/entity-class, SUPA-HAS-POLICY-EXEC-ACTION-ASSOC)"; min-elements 1; description "Thisassociatesleaf-list holds instance-identifiers that reference a SUPAHasPolExecFailtActionToTake association [1]. This association is represented by the supa-has-policy-exec-action-detail grouping. This association relates this SUPAPolicyStructure(i.e., a SUPA Policy Rule) objectinstance (the child) tozeroanother SUPAPolicyStructure instance (the parent). The child SUPAPolicyStructure contains one or moreSUPA Policy ActionsSUPAPolicyActions to beused to correct errors causedexecuted ifthis SUPA Policy Rule does not execute correctly."; } leaf-list supa-has-policy-exec-action-assoc-dst-ptr { type instance-identifier; must "derived-from-or-self (deref(.)/entity-class, SUPA-HAS-POLICY-EXEC-ACTION-ASSOC)"; min-elements 1; description "The set of zerothe parent SUPAPolicyStructure instance generates an error while it is executing; the parent SUPAPolicyStructure contains one or moreSUPA Policy Actionschild SUPAPolicyStructure instances tobe used byenable it to choose how to handle each type of failure. Since thisparticular SUPAPolicyStructure (i.e., SUPA Policy Ruleassociation class contains attributes, the instance-identifier MUST point tocorrect errors caused ifan instance using the grouping supa-has-policy-exec-action-detail (which includes subclasses of thisSUPA Policy Rule does not execute correctly.";association class)."; } description "A superclass for all objects that represent different types ofPolicy Rules.SUPAPolicies. Currently, this is limited to a singletype -type, which is the event-condition-action (ECA)policy rule.Policy Rule. A SUPA Policy may be an individual policy, or a set of policies.This is supportedSubclasses MAY support this feature byapplyingimplementing the compositepattern to this class.";pattern."; } identity POLICY-SOURCE-TYPE { base POLICY-OBJECT-TYPE; description "The identity corresponding to a SUPAPolicySource object instance."; } grouping supa-policy-source-type { uses supa-policy-object-type { refine entity-class { default POLICY-SOURCE-TYPE; } } leaf-listsupa-has-policy-source-partsupa-has-policy-source-part-ptr { type instance-identifier; must "derived-from-or-self (deref(.)/entity-class, SUPA-HAS-POLICY-SOURCE-ASSOC)"; description "Thisrepresentsleaf-list holds theaggregation of one or more SUPA Policy Source objects to this particular SUPA Policy Rule object. In other words, itinstance-identifiers that reference a SUPAHasPolicySource association [1], which is represented by theset ofsupa-has-policy-source-detail grouping. This association describes how each SUPAPolicySourceobject instances that are aggregated byinstance is related to this particular SUPAPolicyStructure(i.e.,instance. Since thisSUPA Policy Rule). This defines the objectassociation classthat thiscontains attributes, the instance-identifierpoints to.";MUST point to an instance using the grouping supa-has-policy-source-detail (which includes subclasses of this association class)."; } description "This object defines a set of managed entities that authored, or are otherwise responsible for, thisSUPA Policy Rule.SUPAPolicy. Note that aSUPA Policy SourceSUPAPolicySource does not evaluate or execute SUPAPolicies. Its primary use is for auditability and theimplementationimplementation of deontic and/or alethic logic. It is expected that this grouping will be extended (i.e., subclassed) when used, so that the system can add specific information appropriate to sources ofdeontic and/or alethic logic.";policy of that particular system."; } identity POLICY-TARGET-TYPE { base POLICY-OBJECT-TYPE; description "The identity corresponding to a SUPAPolicyTarget object instance."; } grouping supa-policy-target-type { uses supa-policy-object-type { refine entity-class { default POLICY-TARGET-TYPE; } } leaf-listsupa-has-policy-target-partsupa-has-policy-target-part-ptr { type instance-identifier; must "derived-from-or-self (deref(.)/entity-class, SUPA-HAS-POLICY-TARGET-ASSOC)"; description "Thisrepresentsleaf-list holds instance-identifiers that reference a SUPAHasPolicyTarget association. This is represented by theaggregation of one or more SUPA Policy Target objectssupa-has-policy-target-detail grouping. This association describes how each SUPAPolicyTarget instance is related tothisa particularSUPA Policy Rule object. In other words, it is the set ofSUPAPolicyStructure instance. For example, this association may restrict which SUPAPolicyTargetobjectinstancesthat are aggregatedcan be used bythiswhich SUPAPolicyStructure(i.e., this SUPA Policy Rule). Thisinstances. The SUPAPolicyTarget definesthe object classa set of managed entities that this SUPAPolicyStructure will be applied to. Since this association class contains attributes, the instance-identifierpoints to.";MUST point to an instance using the grouping supa-has-policy-target-detail (which includes subclasses of this association class)."; } description "This object defines a set of managed entities that aSUPA Policy RuleSUPAPolicy is appliedto.";to. It is expected that this grouping will be extended (i.e., subclassed) when used, so that the system can add specific information appropriate to policy targets of that particular system."; } identity POLICY-METADATA-TYPE { description "The identity corresponding to a SUPAPolicyMetadata object instance."; } grouping supa-policy-metadata-type { leaf supa-policy-metadata-id { type string; mandatory true; description "This representspart ofthe object identifier of an instance of this class.It definesThis attribute is named supaPolMetadataIDContent in [1], and is used with another attribute (supaPolMetadataIDEncoding); since thecontent ofYANG data model does not need this genericity, theobject identifier.";supaPolMetadataIDContent attribute was renamed, and the supaPolMetadataIDEncoding attribute was not mapped."; } leaf entity-class { type identityref { base POLICY-METADATA-TYPE; } default POLICY-METADATA-TYPE; description "The identifier of the class of this grouping."; } leafsupa-policy-metadata-id-encoding { type policy-data-type-id-encoding-list; mandatory true; description "This represents part of the object identifier of an instance of this class. It defines the format of the object identifier."; } leafsupa-policy-metadata-description { type string; description "This contains a free-form textual description of this metadataobject.";object (e.g., what it may be used for)."; } leaf supa-policy-metadata-name { type string; description "This contains a human-readable name for this metadata object."; } leaf-listsupa-has-policy-metadata-partsupa-has-policy-metadata-part-ptr { type instance-identifier; must "derived-from-or-self (deref(.)/entity-class, SUPA-HAS-POLICY-METADATA-ASSOC)"; description "Thisrepresentsleaf-list holds instance-identifiers that reference a SUPAHasPolicyMetadata association [1], which is represented by the grouping supa-has-policy-metadata-detail. Each instance- identifier defines a unique set of information that describe and/or prescribe additional information, provided by this SUPAPolicyMetadataobject instancesinstance, that can be associated with this SUPAPolicyObject instance. Multiple SUPAPolicyMetadata objects may be attached to a concrete subclass of the SUPAPolicyObject class thatare aggregated byis referenced in thisSUPAPolicyObject objectassociation by using the Decorator pattern [1]. For example, a SUPAPolicyVersionMetadataDef instance(i.e.,could wrap a SUPAECAPolicyRuleAtomic instance; thisiswould define thesetversion ofpolicy metadata aggregated bythisSUPAPolicyObject). As there are attributes onparticular SUPAECAPolicyRuleAtomic instance. Since thisassociation,association class contains attributes, the instance-identifier MUST point to an instance using the grouping supa-has-policy-metadata-detail (which includesthesubclasses ofthethis association class)."; }leaf supa-policy-metadata-decorator-partleaf-list supa-has-policy-metadata-dec-part-ptr { type instance-identifier; must "derived-from-or-self (deref(.)/entity-class,SUPA-HAS-POLICY-COMPONENT-DECORATOR-ASSOC)"; mandatory true;SUPA-HAS-POLICY-METADATA-DECORATOR-DETAIL-ASSOC)"; min-elements 1; description "Thisobject implements the decorator pattern, whichleaf-list holds instance-identifiers that reference a SUPAHasMetadaDecorator association [1]. This association isapplied to SUPA metadata objects.represented by the grouping supa-has-policy-metadata-dec-detail. Thisenables all or partassociation describes how a SUPAPolicyMetadataDecorator instance wraps a given SUPAPolicyMetadata instance using the Decorator pattern [1]. Multiple concrete subclasses ofone or more metadata objectsSUPAPolicyMetadataDecorator may be used to wrapanother concrete metadata object.";the same SUPAPolicyMetadata instance. Since this association class contains attributes, the instance-identifier MUST point to an instance using the grouping supa-has-policy-metadata-dec-detail (which includes subclasses of this association class)."; } description "This is the superclass of all metadata classes. Metadata is information that describes and/or prescribes the characteristics and behavior of another object that is not an inherent, distinguishing characteristics or behavior of that object."; } identity POLICY-METADATA-CONCRETE-TYPE { base POLICY-METADATA-TYPE; description "The identity corresponding to a SUPAPolicyConcreteMetadata object instance."; } grouping supa-policy-concrete-metadata-type { uses supa-policy-metadata-type { refine entity-class { defaultPOLICY-METADATA-TYPE;POLICY-METADATA-CONCRETE-TYPE; } } leaf supa-policy-metadata-valid-period-end { type yang:date-and-time; description "This defines the ending date and time that this metadata object is valid for."; } leaf supa-policy-metadata-valid-period-start { type yang:date-and-time; description "This defines the starting date and time that this metadata object is valid for."; } description "This is a concrete class that will be wrapped by concrete instances of the SUPA Policy Metadata Decorator class. It can be viewed as a container for metadata that will be attached to a subclass of SUPA Policy Object. It may contain all or part of one or more metadata subclasses."; } container supa-policy-concrete-metadata-container { description "This is a container to collect all object instances of type SUPAPolicyConcreteMetadata."; list supa-policy-concrete-metadata-list { key supa-policy-metadata-id; uses supa-policy-concrete-metadata-type; description "A list of all supa-policy-metadata instances in the system."; } } identity POLICY-METADATA-DECORATOR-TYPE { base POLICY-METADATA-TYPE; description "The identity corresponding to a SUPAPolicyMetadataDecorator object instance."; } grouping supa-policy-metadata-decorator-type { uses supa-policy-metadata-type { refine entity-class { default POLICY-METADATA-DECORATOR-TYPE; } }leaf-list supa-policy-metadata-decorator-aggleaf supa-has-policy-metadata-dec-agg-ptr { type instance-identifier; must "derived-from-or-self (deref(.)/entity-class,SUPA-HAS-POLICY-COMPONENT-DECORATOR-ASSOC)"; max-elements 1;SUPA-HAS-POLICY-METADATA-DECORATOR-DETAIL-ASSOC)"; description "Thisrepresents the decorator pattern being applied to metadata.leaf-list holds instance-identifiers that reference a SUPAHasMetadaDecorator association [1]. This association is represented by theaggregate part (i.e., the concrete subclass of thegrouping supa-has-policy-metadata-dec-detail. This association describes how a SUPAPolicyMetadataDecoratorclass thatinstance wraps a given SUPAPolicyMetadata instance using the Decorator pattern [1]. Multiple concretesubclasssubclasses ofSUPAPolicyMetadata; currently,SUPAPolicyMetadataDecorator may be used to wrap theonly suchsame SUPAPolicyMetadata instance. Since this association classis SUPAPolicyConcreteMetadata).";contains attributes, the instance-identifier MUST point to an instance using the grouping supa-has-policy-metadata-dec-detail (which includes subclasses of this association class)."; } description "This object implements thedecorator pattern,Decorator pattern [1] for SUPA, which is applied to SUPA metadata objects. This enables all or part of one or more metadata objects to wrap another concrete metadataobject.";object. The only concrete subclass of SUPAPolicyMetadata in this document is the SUPAPolicyConcreteMetadata class."; } identity POLICY-METADATA-DECORATOR-ACCESS-TYPE { base POLICY-METADATA-DECORATOR-TYPE; description "The identity corresponding to a SUPAPolicyAccessMetadataDef object instance."; } grouping supa-policy-metadata-decorator-access-type { uses supa-policy-metadata-decorator-type { refine entity-class { defaultPOLICY-METADATA-DECORATOR-ACCESS-TYPE;POLICY-METADATA-TYPE; } } leaf supa-policy-metadata-access-priv-def { type enumeration { enum "error" { description "This signifies an error state. OAM&P Policies SHOULD NOT use this SUPAPolicyAccessMetadataDef if the value of this attribute is error."; }leaf supa-policy-metadata-access-priv-def { type enumeration {enum"undefined""init" { description "Thismay be used assignifies an initializationand/or an errorstate."; } enum "read only" { description "This defines access as read only for ALLSUPA Policy object instancesSUPAPolicyObject objects that are adorned with thismetadata object.";SUPAPolicyAccessMetadataDef object. As such, an explicit access control model, such as RBAC [7], is NOT present."; } enum "read write" { description "This defines access as read and/or write for ALLSUPA Policy object instancesSUPAPolicyObject objects that are adorned with thismetadata object.";SUPAPolicyAccessMetadataDef object. As such, an explicit access control model, such as RBAC [7], is NOT present."; } enum "specified by MAC" { description "Thisdefines access as defined byuses an external Mandatory Access Controlmodel.(MAC) [7] model to define access control for ALL SUPAPolicyObject objects that are adorned with this SUPAPolicyAccessMetadataDef object. The name and location of this access control model arespecifiedspecified, respectively, in the supa-policy-metadata-access-priv-model-name and supa-policy-metadata-access-priv-model-ref attributes of thismetadataSUPAPolicyAccessMetadataDef object."; } enum "specified by DAC" { description "Thisdefines access as defined byuses an external Discretionary Access Controlmodel.(DAC) [7] model to define access control for ALL SUPAPolicyObject objects that are adorned with this SUPAPolicyAccessMetadataDef object. The name and location of this access control model arespecifiedspecified, respectively, in the supa-policy-metadata-access-priv-model-name and supa-policy-metadata-access-priv-model-ref attributes of thismetadataSUPAPolicyAccessMetadataDef object."; } enum "specified by RBAC" { description "Thisdefines access as defined byuses an externalRole BasedRole-Based Access Controlmodel.(RBAC) [7] model to define access control for ALL SUPAPolicyObject objects that are adorned with this SUPAPolicyAccessMetadataDef object. The name and location of this access control model arespecifiedspecified, respectively, in the supa-policy-metadata-access-priv-model-name and supa-policy-metadata-access-priv-model-ref attributes of thismetadataSUPAPolicyAccessMetadataDef object."; } enum "specified by ABAC" { description "Thisdefines access as defined byuses an externalAttribute BasedAttribute-Based Access Controlmodel.(ABAC) [8] model to define access control for ALL SUPAPolicyObject objects that are adorned with this SUPAPolicyAccessMetadataDef object. The name and location of this access control model arespecifiedspecified, respectively, in the supa-policy-metadata-access-priv-model-name and supa-policy-metadata-access-priv-model-ref attributes of thismetadataSUPAPolicyAccessMetadataDef object."; } enum "specified by custom" { description "Thisdefines access as defined byuses an external Custom Access Controlmodel.model to define access control for ALL SUPAPolicyObject objects that are adorned with this SUPAPolicyAccessMetadataDef object. The name and location of this access control model arespecifiedspecified, respectively, in the supa-policy-metadata-access-priv-model-name and supa-policy-metadata-access-priv-model-ref attributes of thismetadataSUPAPolicyAccessMetadataDef object."; } } description "This defines the type of access control model that is used by this SUPAPolicyObject object instance."; } leaf supa-policy-metadata-access-priv-model-name { type string; description "This contains the name of the access control model being used. If the value of the supa-policy-metadata-access-priv-model-ref is0-2,error, then this SUPAPolicyAccessMetadataDef object MUST NOT be used. If the value of the supa-policy-metadata-access-priv-model-ref is init, then this SUPAPolicyAccessMetadataDef object has been properly initialized, and is ready to be used. If the value of the supa-policy-metadata-access-priv-model-ref is read only or read write, then the value of this attribute is notapplicable.applicable (because a type of model is NOT being defined; instead, the access control for all SUPAPolicyObjects is being defined). Otherwise, the text in this class attributeshouldSHOULD be interpreted according to the value of the supa-policy-metadata-access-priv-model-ref class attribute."; } leaf supa-policy-metadata-access-priv-model-ref { type enumeration { enum"undefined""error" { description "Thiscan be used for either initialization or for signifyingsignifies an error state. OAM&P Policies SHOULD NOT use this SUPAPolicyAccessMetadataDef object if the value of this attribute is error."; } enum "init" { description "This signifies an initialization state."; } enum "URI" { description "Theclauseaccess control model is referenced by this URI."; } enum "GUID" { description "Theclauseaccess control model is referenced by this GUID."; } enum "UUID" { description "Theclauseaccess control model is referenced by this UUID."; } enum "FQDN" { description "Theclauseaccess control model is referenced by this FQDN."; } enum "FQPN" { description "The access control model is referenced by this FQPN."; } enum "string_instance_id" { description "A string that is the canonical representation, in ASCII, of an instance ID of this object."; } } description "This defines the data type of the supa-policy-metadata-access-priv-model-name attribute."; } description "This is a concrete class that defines metadata for access control information that can be added toa SUPA Policy object.any SUPAPolicyObject object instance. This is done using the SUPAHasPolicyMetadataaggregation.";association in conjunction with the Decorator pattern [1]."; } container supa-policy-metadata-decorator-access-container { description "This is a container to collect all object instances of type SUPAPolicyAccessMetadataDef."; list supa-policy-metadata-decorator-access-list { key supa-policy-metadata-id; uses supa-policy-metadata-decorator-type; description "A list of all supa-policy-metadata-decorator-access instances in the system. Instances of subclasses will be in a separate list."; } } identity POLICY-METADATA-DECORATOR-VERSION-TYPE { base POLICY-METADATA-DECORATOR-TYPE; description "The identity corresponding to a SUPAPolicyVersionMetadataDef object instance."; } grouping supa-policy-metadata-decorator-version-type { uses supa-policy-metadata-decorator-type { refine entity-class { default POLICY-METADATA-DECORATOR-VERSION-TYPE; } } leafsupa-policy-metadata-version-majorsupa-policy-metadata-version-major { type string; description "This contains a string representation of an integer that is greater than or equal to zero. It indicates that a significant increase in functionality is present in this version. It MAY also indicate that this version has changes that are NOT backwards-compatible (the supa-policy-metadata-version-build class attribute is used to denote such changes). The string 0.1.0 defines an initial version that MUST NOT be considered stable. Improvements to this initial version are denoted by incrementing the minor and patch class attributes (supa-policy-metadata-version-major and supa-policy-metadata-version-patch, respectively). The major version X (i.e., X.y.z, where X > 0) MUST be incremented if any backwards-incompatible changes are introduced. It MAY include minor and patch level changes. The minor and patch version numbers MUST be reset to 0 when the major version number is incremented."; } leaf supa-policy-metadata-version-minor { type string; description "This contains a string representation of an integer that is greater than or equal to zero. It indicates that this release contains a set of features and/or bug fixes that MUST be backwards-compatible. The minor version Y (i.e., x.Y.z, where x > 0) MUST be incremented if new, backwards-compatible changes are introduced. It MUST be incremented if any features are marked as deprecated. It MAY be incremented if new functionality or improvements are introduced, and MAY include patch level changes. The patch version number MUST be reset to 0 when the minor version number is incremented."; } leaf supa-policy-metadata-version-patch { type string; description "This contains a string(typically representingrepresentation of an integerin the overall version format)thatindicates a significant increase in functionalityispresent ingreater than or equal to zero. It indicates that thisversion.";version contains ONLY bug fixes. The patch version Z (i.e., x.y.Z, where x > 0) MUST be incremented if new, backwards-compatible changes are introduced. A bug fix is defined as an internal change that fixes incorrect behavior."; } leafsupa-policy-metadata-version-minorsupa-policy-metadata-version-prerelease { type string; description "This contains a string(typically representing an integer inthat defines theoverallpre-release version. A pre-release versionformat) that indicates that this release containsMAY be denoted by appending asethyphen and a series offeatures and/or bug fixesdot-separated identifiers immediately following the patch version. Identifiers MUST comprise only ASCII alphanumerics and a hyphen. Identifiers MUST NOT be empty. Numeric identifiers MUST NOT include leading zeroes. Pre-release versions have a lower precedence than the associated normal version. A pre-release version indicates thatcollectively dothe version is unstable and might notwarrant incrementingsatisfy thesupa-policy-metadata-version-major attribute.";intended compatibility requirements as denoted by its associated normal version. Examples include: 1.0.0-alpha and 1.0.0-0.3.7."; } leafsupa-policy-metadata-version-rel-typesupa-policy-metadata-version-build { typeenumeration { enum "undefined" {string; description "Thiscancontains a string that defines the metadata of this build. Build metadata is optional. If present, build metadata MAY beused fordenoted by appending a plus (+) sign to the version, followed by a series of dot-separated identifiers. This may follow eitherinitializationthe patch orfor signifying an error.";pre-release portions of the version. If build metadata is present, then any identifiers that it uses MUST be made up of only ASCII alphanumerics and a hyphen. The identifier portion of the build metadata MUST NOT be empty. Build metadata SHOULD be ignored when determining version precedence. Examples include: 1.0.0.-alpha+1, 1.0.0.-alpha+1.1, 1.0.0+20130313144700, and 1.0.0-beta+exp.sha.5114f85."; }enum "internal" {description "Thisindicatesis a concrete class that defines metadata for version control information that can be added to any SUPAPolicyObject. This is done using the SUPAHasPolicyMetadata association. This class uses the Semantic Versioning Specification [6] as follows: <major>.<minor>.<patch>[<pre-release>][<build-metadata>] where the first three components (major, minor, and patch) MUST be present, and the latter two components (pre-release and build-metadata) MAY be present. A version number MUST take the form <major>.<minor>.<patch>, where <major>, <minor>, and <patch> are each non-negative integers that MUST NOT contain leading zeros. In addition, the value of each of these three elements MUST increase numerically. In this approach, supaVersionMajor denotes a new release; supaVersionMinor denotes a minor release; supaVersionPatch denotes a versionshould onlythat consists ONLY of bug fixes. Version precedence MUST beusedcalculated by separating the version into major, minor, patch, and pre-release identifiers, in that order. See [1] forinternal (development) purposes.";more information."; }enum "alpha"container supa-policy-metadata-decorator-version-container { description "Thisindicates that this versionisconsidereda container to collect all object instances of type SUPAPolicyVersionMetadataDef."; list supa-policy-metadata-decorator-version-list { key supa-policy-metadata-id; uses supa-policy-metadata-decorator-type; description "A list of all supa-policy-metadata-decorator-version instances in the system. Instances of subclasses will bealpha quality.";in a separate list."; }enum "beta"} identity SUPA-HAS-POLICY-METADATA-DECORATOR-TYPE { base POLICY-COMPONENT-TYPE; description"This indicates that this version is considered"The identity corresponding tobe beta quality.";a SUPAHasPolicyMetadataDetail association class object instance."; }enum "release candidate"grouping supa-has-policy-metadata-detail { uses supa-policy-object-type { refine entity-class { default SUPA-HAS-POLICY-METADATA-DECORATOR-TYPE; } } leaf supa-has-policy-metadata-detail-agg-ptr { type instance-identifier; must "derived-from-or-self (deref(.)/entity-class, POLICY-OBJECT-TYPE)"; description "Thisindicatesleaf is an instance-identifier that references the SUPAPolicyObject instance end point of the association represented by thisversioninstance of the SUPAHasPolicyMetadata association [1]. The groupings supa-policy-object-type and supa-policy-metadata-type represent the SUPAPolicyObject and SUPAPolicyMetadata classes, respectively. Thus, the instance identified by this leaf isconsideredthe SUPAPolicyObject instance that is associated by this association tobe a candidate for full production.";the set of SUPAPolicyMetadata instances referenced by the supa-has-policy-metadata-detail-part-ptr leaf of this grouping."; }enum "release production"leaf supa-has-policy-metadata-detail-part-ptr { type instance-identifier; must "derived-from-or-self (deref(.)/entity-class, POLICY-METADATA-TYPE)"; description "Thisindicatesleaf is an instance-identifier that references the SUPAPolicyMetadata instance end point of the association represented by thisversioninstance of the SUPAHasPolicyMetadata association [1]. The groupings supa-policy-object-type and supa-policy-metadata-type represents the SUPAPolicyObject and SUPAPolicyMetadata classes, respectively. Thus, the instance identified by this leaf isconsideredthe SUPAPolicyMetadata instance that is associated by this association tobe ready for full production.";the set of SUPAPolicyObject instances referenced by the supa-has-policy-metadata-detail-agg-ptr leaf of this grouping."; }enum "maintenance"leaf supa-policy-metadata-detail-is-applicable { type boolean; description "Thisindicates that this versionattribute controls whether the associated metadata is currently considered applicable to this SUPAPolicyObject; this enables metadata to befor maintenance purposes."; } } description "This definesturned on and off when needed without disturbing thetypestructure ofthis version's release.";the object that the metadata applies to, or affecting other objects in the system."; }leaf supa-policy-metadata-version-rel-type-numleaf-list supa-policy-metadata-detail-constraint { type string; description"This contains a string (typically representing an integer"A list of constraints, expressed as strings, in theoverall version format) that indicates a significant increase in functionality is present inlanguage defined by the supa-policy-metadata-detail-encoding attribute. If there are no constraints on using thisversion.";SUPAPolicyMetadata object with this particular SUPAPolicyObject object, then this leaf-list will consist of a list of a single null string."; } leaf supa-policy-metadata-detail-constraint-encoding { type policy-constraint-language-list; description "The language used to encode the constraints relevant to the relationship between the SUPAPolicyMetadata object and the underlying SUPAPolicyObject."; } description "This is a concrete association class that definesmetadata for version control information that can be added to a SUPA Policy object. This is done usingthe semantics of the SUPAHasPolicyMetadataaggregation.";association. This enables the attributes and relationships of the SUPAHasPolicyMetadataDetail class to be used to constrain which SUPAPolicyMetadata objects can be associated by this particular SUPAPolicyObject instance."; } containersupa-policy-metadata-decorator-version-containersupa-policy-metadata-detail-container { description "This is a container to collect all object instances of typeSUPAPolicyVersionMetadataDef.";SUPAPolicyMetadataDetail."; listsupa-policy-metadata-decorator-version-listsupa-policy-metadata-detail-list { keysupa-policy-metadata-id;supa-policy-ID; usessupa-policy-metadata-decorator-type;supa-has-policy-metadata-detail; description"A"This is a list of allsupa-policy-metadata-decorator-versionsupa-policy-metadata-detail instances in the system. Instances of subclasses will be in a separatelist.";list. Note that this association class is made concrete for exemplary purposes. To be useful, it almost certainly needs refinement."; } } identitySUPA-HAS-POLICY-METADATA-ASSOCSUPA-HAS-POLICY-COMPONENT-DECORATOR-ASSOC { base POLICY-COMPONENT-TYPE; description "The identity corresponding to aSUPAHasPolicyMetadataDetailSUPAHasDecoratedPolicyComponentDetail association class object instance."; } groupingsupa-has-policy-metadata-detailsupa-has-decorator-policy-component-detail { uses supa-policy-object-type { refine entity-class { default SUPA-HAS-POLICY-COMPONENT-DECORATOR-ASSOC; } } leafsupa-policy-IDsupa-has-policy-component-decorator-agg-ptr { typestring;instance-identifier; must "derived-from-or-self (deref(.)/entity-class, POLICY-COMPONENT-DECORATOR-TYPE)"; description "This leaf isa globally unique ID for this association instance inan instance-identifier that references theoverall policy system."; } leaf entity-class { type identityref { base SUPA-HAS-POLICY-METADATA-ASSOC; } default SUPA-HAS-POLICY-METADATA-ASSOC; description "The identifierSUPAPolicyComponentDecorator instance end point of theclassassociation represented by this instance of the SUPAHasDecoratedPolicyComponent association [1]. The groupings supa-policy-component-decorator-type and supa-policy-component-structure-type represent the SUPAPolicyComponentDecorator and SUPAPolicyComponentStructure classes, respectively. Thus, the instance identified by thisassocation."; }leafsupa-has-policy-metadata-object-ptr { type instance-identifier; must "derived-from-or-self (deref(.)/entity-class, POLICY-OBJECT-TYPE)"; description "Thisisa reference fromtheSUPAPolicyObject objectSUPAPolicyComponentDecorator instance that isaggregating SUPAPolicyMetadata object instances using the SUPAHasPolicyMetadata aggregation. This SUPAPolicyMetadataDetailassociated by this associationclass is usedtodefine part ofthesemanticsset ofthe SUPAHasPolicyMetadata aggregation. For example, it can define which SUPAPolicyMetadata objectSUPAPolicyComponentStructure instancescan be aggregatedreferenced by the supa-has-policy-component-decorator-part-ptr leaf of thisparticular SUPAPolicyObject object instance.";grouping."; } leafsupa-has-policy-metadata-ptrsupa-has-policy-component-decorator-part-ptr { type instance-identifier; must "derived-from-or-self (deref(.)/entity-class,POLICY-METADATA-TYPE)";POLICY-COMPONENT-TYPE)"; description "This leaf isa reference from the SUPAPolicyMetadata object instance(s)an instance-identifier thatare being aggregatedreferences the SUPAPolicyComponentStructure instance end point of the association represented by thisSUPAPolicyObject objectinstanceusingof theSUPAHasPolicyMetadata aggregation. The class SUPAPolicyMetadataDetailSUPAHasDecoratedPolicyComponent associationclass is used to define part of[1]. The groupings supa-policy-component-decorator-type and supa-policy-component-structure-type represent thesemantics ofSUPAPolicyComponentDecorator and SUPAPolicyComponentStructure classes, respectively. Thus, theSUPAHasPolicyMetadata aggregation. For example, it can define which SUPAPolicyMetadata object instances can be aggregatedinstance identified by thisparticular SUPAPolicyObject object instance."; }leafsupa-policy-metadata-detail-is-applicable { type boolean; description "This attributes controls whetheris theassociated metadataSUPAPolicyComponentStructure instance that iscurrently considered applciable to this policy object;associated by thisenables metadataassociation tobe turned on and off when needed without disturbingthestructureset of SUPAPolicyComponentStructure instances referenced by theobject that the metadata applies to.";supa-has-policy-component-decorator-agg-ptr leaf of this grouping."; } leaf-listsupa-policy-metadata-detail-constraintsupa-has-decorator-constraint { type string; description "Alistconstraint expression applying to this association between a SUPAPolicyComponentDecorator and the decorated component (which is a concrete subclass ofconstraints, expressedthe SUPAPolicyComponentStructure class, such asstrings inSUPAEncodedClause or SUPABooleanClauseAtomic). The supa-has-decorator-constraint-encoding attribute specifies the languagedefined byused to write thesupa-policy-metadata-detail-encoding.";set of constraint expressions."; } leafsupa-policy-metadata-detail-encodingsupa-has-decorator-constraint-encoding { typestring;policy-constraint-language-list; description "Thelangaugelanguage used to encode the constraints relevant to the relationship between themetadata and the underlying policy object.";SUPAPolicyComponentDecorator and the SUPAPolicyComponentStructure object instances."; } description "This is a concrete association class that defines the semantics of theSUPAPolicyMetadata aggregation. This enables the attributes and relationshipsSUPAHasDecoratedPolicyComponent association. The purpose ofthe SUPAPolicyMetadataDetailthis class is tobe useduse the Decorator pattern [1] toconstraindetemine whichSUPAPolicyMetadata objects can be aggregated by this particular SUPAPolicyObject instance.";SUPAPolicyComponentDecorator object instances, if any, are required to augment the functionality of a concrete subclass of SUPAPolicyClause that is being used."; } containersupa-policy-metadata-detail-containersupa-policy-component-decorator-detail-container { description "This is a container to collect all object instances of typeSUPAPolicyMetadataDetail.";SUPAPolicyComponentDecoratorDetail."; listsupa-policy-metadata-detail-listsupa-policy-component-decorator-detail-list { key supa-policy-ID; usessupa-has-policy-metadata-detail;supa-has-decorator-policy-component-detail; description "This is a list of allsupa-policy-metadata-detail instances in the system. Instances of subclasses will be in a separate list. Note that this policy is made concrete for exemplary purposes. To be useful, it almost certainly needs refinement.";supa-policy-component-decorator-details."; } } identitySUPA-HAS-POLICY-COMPONENT-DECORATOR-ASSOCSUPA-HAS-POLICY-SOURCE-ASSOC { base POLICY-OBJECT-TYPE; description "The identity corresponding to aSUPAHasMetadataDecoratorSUPAHasPolicySource association class object instance."; } groupingsupa-has-decorator-policy-component-detailsupa-has-policy-source-detail {leaf supa-policy-IDuses supa-policy-object-type {type string; description "This is a globally unique ID for this association instance in the overall policy system."; } leafrefine entity-class {type identityref { base SUPA-HAS-POLICY-COMPONENT-DECORATOR-ASSOC; }defaultSUPA-HAS-POLICY-COMPONENT-DECORATOR-ASSOC; description "The identifier of the class of this assocation.";SUPA-HAS-POLICY-SOURCE-ASSOC; } } leafsupa-policy-component-decorator-ptrsupa-has-policy-source-detail-agg-ptr { type instance-identifier; must "derived-from-or-self (deref(.)/entity-class,SUPA-POLICY-COMPONENT-DECORATOR-TYPE)";POLICY-STRUCTURE-TYPE)"; description "Thisassociatesleaf is an instance-identifier that references a SUPAPolicyStructure instance end point of theSUPAPolicyComponentStructure objectassociation represented by this instanceparticipating in a SUPAHasDecoratedPolicyComponent aggregation toof theSUPAHasDecoratedPolicyComponentDetailSUPAHasPolicySource associationclass that provides[1]. The grouping supa-has-policy-source-detail represents thesemantics ofSUPAHasPolicySourceDetail class. Thus, the instance identified by thisaggregation. This definesleaf is theobject classSUPAPolicyStructure instance that is associated by thisinstance-identifier points to.";association to the SUPAPolicySource instance referenced by the supa-has-policy-source-detail-part-ptr leaf of this grouping."; } leafsupa-policy-component-ptrsupa-has-policy-source-detail-part-ptr { type instance-identifier; must "derived-from-or-self (deref(.)/entity-class,SUPA-POLICY-COMPONENT-TYPE)";POLICY-SOURCE-TYPE)"; description "Thisassociatesleaf is an instance-identifier that references a SUPAPolicySource instance end point of theSUPAPolicyComponentDecorator objectassociation represented by this instanceparticipating in a SUPAHasDecoratedPolicyComponent aggregationof the SUPAHasPolicySource association [1]. The grouping supa-has-policy-source-detail represents the SUPAHasPolicySourceDetail class. Thus, the instance identified by this leaf is the SUPAPolicySource instance that is associated by this association to theSUPAHasDecoratedPolicyComponentDetail association class that providesSUPAPolicyStructure instance referenced by thesemanticssupa-has-policy-source-detail-agg-ptr leaf of thisaggregation. This defines the object class that this instance-identifier points to.";grouping."; }leaf-list supa-has-decorator-constraintleaf supa-policy-source-is-authenticated { typestring;boolean; description"A constraint expression applying to"If the value of thisassociation betweenattribute is true, then this SUPAPolicySource object has been authenticated by a policycomponent decorator and the decorated component.";engine or application that is executing this particular SUPAPolicyStructure object."; } leafsupa-has-decorator-constraint-encodingsupa-policy-source-is-trusted { typestring;boolean; description"The language in which the constraints on"If the value of this attribute is true, then this SUPAPolicySource object has been verified to be trusted by a policycomponent-decorationengine or application that isexpressed.";executing this particular SUPAPolicyStructure object."; } description "This isa concretean associationclass thatclass, and defines the semantics of theSUPAHasDecoratedPolicyComponent aggregation.SUPAHasPolicySource association. Thepurposeattributes and relationships of this classiscan be used touse the Decorator patterndefine which SUPAPolicySource objects can be attached todeteminewhichSUPAPolicyComponentDecoratorparticular set of SUPAPolicyStructure objects. Note that a SUPAPolicySource objectinstances, if any, are required to augmentis NOT responsible for evaluating or executing SUPAPolicies; rather, it identifies thefunctionalityset of entities that are responsible for managing this SUPAPolicySource object. Its primary uses are for auditability, as well as processing deontic logic. This object represents theconcrete subclasssemantics ofSUPAPolicyClause that is being used.";associating a SUPAPolicySource to a SUPAPolicyTarget."; } containersupa-policy-component-decorator-detail-containersupa-policy-source-detail-container { description "This is a container to collect all object instances of typeSUPAPolicyComponentDecoratorDetail.";SUPAPolicySourceDetail."; listsupa-policy-component-decorator-detail-listsupa-policy-source-detail-list { key supa-policy-ID; usessupa-has-decorator-policy-component-detail;supa-has-policy-source-detail; description "This is a list of allsupa-policy-component-decorator-details.";supa-policy-source-detail objects."; } } identitySUPA-HAS-POLICY-SOURCE-ASSOCSUPA-HAS-POLICY-TARGET-ASSOC { base POLICY-OBJECT-TYPE; description "The identity corresponding to aSUPAHasPolicySourceSUPAHasPolicyTarget association class object instance."; } groupingsupa-has-policy-source-detail { leaf supa-policy-ID { type string; description "This is a globally unique ID for this association instance in the overall policy system."; } leaf entity-class { type identityrefsupa-has-policy-target-detail {base SUPA-HAS-POLICY-SOURCE-ASSOC; } default SUPA-HAS-POLICY-SOURCE-ASSOC; description "The identifier of the class of this assocation.";uses supa-policy-object-type { refine entity-class { default SUPA-HAS-POLICY-TARGET-ASSOC; } } leafsupa-policy-source-structure-ptrsupa-has-policy-target-detail-agg-ptr { type instance-identifier; must "derived-from-or-self (deref(.)/entity-class, POLICY-STRUCTURE-TYPE)"; description "Thisassociates theleaf is an instance-identifier that references a SUPAPolicyStructureobjectinstanceparticipating in a SUPAHasPolicySource aggregation toend point of theSUPAHasPolicySourceDetailassociationclass that provides the semanticsrepresented by this instance of the SUPAHasPolicyTarget association [1]. The grouping supa-has-policy-target-detail represents the SUPAHasPolicyTargetDetail class. Thus, the instance identified by thisaggregation. This definesleaf is theobject classSUPAPolicyStructure instance that is associated by thisinstance-identifier points to.";association to the SUPAPolicyTarget instance referenced by the supa-has-policy-target-detail-part-ptr leaf of this grouping."; } leafsupa-policy-source-ptrsupa-has-policy-target-detail-part-ptr { type instance-identifier; must "derived-from-or-self (deref(.)/entity-class,SUPA-POLICY-SOURCE-TYPE)";POLICY-TARGET-TYPE)"; description "Thisassociatesleaf is an instance-identifier that references a SUPAPolicyTarget instance end point of theSUPAPolicySource objectassociation represented by this instanceparticipating in a SUPAHasPolicySource aggregation toof theSUPAHasPolicySourceDetailSUPAHasPolicyTarget associationclass that provides[1]. The grouping supa-has-policy-target-detail represents thesemantics ofSUPAHasPolicyTargetDetail class. Thus, the instance identified by thisaggregation. This definesleaf is theobject classSUPAPolicyTarget instance that is associated by thisinstance-identifier points to.";association to the SUPAPolicyStructure instance referenced by the supa-has-policy-source-detail-agg-ptr leaf of this grouping."; } leafsupa-policy-source-is-authenticatedsupa-policy-target-is-authenticated { type boolean; description "If the value of this attribute is true, then thisSUPAPolicySourceSUPAPolicyTarget object has been authenticated by a policy engine or application that is executing this particular SUPAPolicyStructure object."; } leafsupa-policy-source-is-trustedsupa-policy-target-is-enabled { type boolean; description "If the value of this attribute is true, thenthis SUPAPolicySourceeach SUPAPolicyTarget objecthas been verifiedthat is referenced by this SUPAHasPolicyTarget aggregation is able to betrustedused as a SUPAPolicyTarget bythis particularthe SUPAPolicyStructureobject.";object that is referenced by this SUPAHasPolicyTarget aggregation. This means that this SUPAPolicyTarget has agreed to: 1) have SUPAPolicies applied to it, and 2) process (directly or with the aid of a proxy) one or more SUPAPolicies, or receive the results of a processed SUPAPolicy and apply those results to itself."; } description "This is an association class, and defines the semantics of theSUPAHasPolicySource aggregation.SUPAHasPolicyTarget association. The attributes and relationships of this class can be used to define whichSUPAPolicySourceSUPAPolicyTarget objects can be attached to which particular set of SUPAPolicyStructureobjects.";objects. Note that a SUPAPolicyTarget is used to identify a set of managed entities to which a SUPAPolicy should be applied; this object represents the semantics of applying a SUPAPolicy to a SUPAPolicyTarget."; } containersupa-policy-source-detail-containersupa-policy-target-detail-container { description "This is a container to collect all object instances of typeSUPAPolicySourceDetail.";SUPAPolicyTargetDetail."; listsupa-policy-source-detail-listsupa-policy-target-detail-list { key supa-policy-ID; usessupa-has-policy-source-detail;supa-has-policy-target-detail; description "This is a list of allsupa-policy-source-detailsupa-policy-target-detail objects."; } } identitySUPA-HAS-POLICY-TARGET-ASSOCSUPA-HAS-POLICY-CLAUSE-ASSOC { base POLICY-STRUCTURE-TYPE; description "The identity corresponding to aSUPAHasPolicyTargetSUPAHasPolicyClause association class object instance."; } groupingsupa-has-policy-target-detailsupa-has-policy-clause-detail {leaf supa-policy-IDuses supa-policy-structure-type {type string; description "This is a globally unique ID for this association instance in the overall policy system."; } leafrefine entity-class {type identityref { base SUPA-HAS-POLICY-TARGET-ASSOC; }defaultSUPA-HAS-POLICY-TARGET-ASSOC; description "The identifier of the class of this assocation.";SUPA-HAS-POLICY-CLAUSE-ASSOC; } } leafsupa-policy-target-structure-ptrsupa-has-policy-clause-detail-agg-ptr { type instance-identifier; must "derived-from-or-self (deref(.)/entity-class, POLICY-STRUCTURE-TYPE)"; description "Thisassociatesleaf is an instance-identifier that references a concrete subclass of the SUPAPolicyStructureobjectclass end point of the association represented by this instanceparticipating in a SUPAHasPolicyTarget aggregation toof theSUPAHasPolicyTargetDetailSUPAHasPolicyClause associationclass that provides[1]. The grouping supa-has-policy-clause-detail represents thesemantics ofSUPAHasPolicyClauseDetail association class. Thus, the instance identified by thisaggregation. This definesleaf is theobject classSUPAPolicyStructure instance that is associated by thisinstance-identifier points to.";association to the set of SUPAPolicyClause instances referenced by the supa-has-policy-clause-detail-part-ptr leaf of this grouping."; } leafsupa-policy-target-ptrsupa-has-policy-clause-detail-part-ptr { type instance-identifier; must "derived-from-or-self (deref(.)/entity-class,SUPA-POLICY-TARGET-TYPE)";POLICY-CLAUSE-TYPE)"; description "Thisassociates the SUPAPolicyTarget object instance participating inleaf is an instance-identifier that references aSUPAHasPolicyTarget aggregation toconcrete subclass of theSUPAHasPolicyTargetDetail associationSUPAPolicyClause classthat provides the semanticsend point ofthis aggregation. This definestheobject class thatassociation represented by thisinstance-identifier points to."; } leaf supa-policy-source-is-authenticated { type boolean; description "If the valueinstance ofthis attribute is true, then this SUPAPolicyTarget object has been authenticatedthe SUPAHasPolicyClause association [1]. The grouping supa-has-policy-clause-detail represents the SUPAHasPolicyClauseDetail association class. Thus, the instance identified by thisparticular SUPAPolicyStructure object."; }leafsupa-policy-source-is-enabled { type boolean; description "If the value of this attribute is true, then this SUPAPolicyTarget objectisable to be used as a SUPAPolicyTarget. This means that it has agreed to playtherole of a SUPAPolicyTarget, andSUPAPolicyClause instance thatitisable to either process (directly or withassociated by this association to theaidset ofa proxy) SUPAPolicies, or receiveSUPAPolicyStructure instances referenced by theresultssupa-has-policy-clause-detail-agg-ptr leaf ofa processed SUPAPolicy and apply those results to itself.";this grouping."; } description "This is an association class, and defines the semantics of theSUPAHasPolicyTarget aggregation.SUPAHasPolicyClause association. The attributes and relationships of this class can be used to define which SUPAPolicyTarget objects can beattached toused by which particular set of SUPAPolicyStructureobjects.";objects. Every SUPAPolicyStructure instance MUST aggregate at least one SUPAPolicyClause instance. However, the converse is NOT true. For example, a SUPAPolicyStructure instance MUST aggregate at least one SUPAPolicyClause instance. However, a SUPAPolicyClause object could be instantiated and then stored for later use in a policy repository."; } containersupa-policy-target-detail-containersupa-policy-clause-detail-container { description "This is a container to collect all object instances of typeSUPAPolicyTargetDetail.";SUPAPolicyClauseDetail."; listsupa-policy-target-detail-listsupa-policy-clause-detail-list { key supa-policy-ID; usessupa-has-policy-target-detail;supa-has-policy-clause-detail; description "This is a list of allsupa-policy-target-detailsupa-policy-clause-detail objects."; } } identitySUPA-HAS-POLICY-CLAUSE-ASSOCSUPA-HAS-POLICY-EXEC-ACTION-ASSOC { base POLICY-STRUCTURE-TYPE; description "The identity corresponding to aSUPAHasPolicyClauseSUPAHasPolExecFailActionToTake association class object instance."; } groupingsupa-has-policy-clause-detailsupa-has-policy-exec-action-detail { uses supa-policy-structure-type { refine entity-class { default SUPA-HAS-POLICY-EXEC-ACTION-ASSOC; } } leafsupa-policy-IDsupa-has-exec-fail-action-detail-agg-ptr { typestring;instance-identifier; must "derived-from-or-self (deref(.)/entity-class, POLICY-STRUCTURE-TYPE)"; description "This leaf is an instance-identifier that references a SUPAPolicyStructure instance end point of the association represented by this instance of the SUPAHasPolExecFailActionToTake association [1] that was executing a SUPAPolicy. This SUPAPolicyStructure is referred to as the 'parent' SUPAPolicyStructure instance, while the other instance end point of this association is called the 'child' SUPAPolicyStructure. The grouping supa-policy-structure-type represents the SUPAPolicyStructure class. Thus, the instance identified by this leaf is the parent SUPAPolicyStructure instance that is associated by this association to the child SUPAPolicyStructure instance referenced by the supa-has-exec-fail-action-detail-part-ptr leaf of this grouping."; } leaf supa-has-exec-fail-action-detail-part-ptr { type instance-identifier; must "derived-from-or-self (deref(.)/entity-class, POLICY-STRUCTURE-TYPE)"; description "This leaf is an instance-identifier that references a SUPAPolicyStructure instance end point of the association represented by this instance of the SUPAHasPolExecFailActionToTake association [1] that was NOT currently executing a SUPAPolicy. This SUPAPolicyStructure is referred to as the 'child' SUPAPolicyStructure instance, while the other instance end point of this association is called the 'parent' SUPAPolicyStructure. The grouping supa-policy-structure-type represents the SUPAPolicyStructure class. Thus, the instance identified by this leaf isa globally unique ID forthe child SUPAPolicyStructure instance that is associated by this association to the child SUPAPolicyStructure instanceinreferenced by theoverall policy system."; }supa-has-exec-fail-action-detail-part-ptr leafentity-class { type identityref { base SUPA-HAS-POLICY-CLAUSE-ASSOC; } default SUPA-HAS-POLICY-CLAUSE-ASSOC; description "The identifier of the classof thisassocation.";grouping."; }leaf supa-policy-clause-structure-ptrleaf-list supa-policy-exec-fail-take-action-name { typeinstance-identifier; must "derived-from-or-self (deref(.)/entity-class, POLICY-STRUCTURE-TYPE)";string; description "Thisassociates the SUPAPolicyStructure object instance participating inis aSUPAHasPolicyClause aggregation to the SUPAHasPolicyClauseDetail association classlist thatprovidescontains thesemanticsset ofthis aggregation. This definesnames for SUPAPolicyActions to use if the SUPAPolicyStructure objectclassthat owns thisinstance-identifier points to."; } leaf supa-policy-clause-ptr { type instance-identifier; must "derived-from-or-self (deref(.)/entity-class, SUPA-POLICY-CLAUSE-TYPE)"; description "This associates the SUPAPolicyClause object instance participating in a SUPAHasPolicyClause aggregationassociation failed tothe SUPAHasPolicyClauseDetailexecute properly. This associationclass that provides the semanticsdefines a set of child SUPAPolicyStructure objects to use if thisaggregation. This(the parent) SUPAPolicyStructure object fails to execute correctly. Each child SUPAPolicyStructure object has one or more SUPAPolicyActions; this attribute defines theobject classname(s) of each SUPAPolicyAction in each child SUPAPolicyStructure thatthis instance-identifier points to.";should be used to try and remediate the failure."; } description "This is an association class, and defines the semantics of theSUPAHasPolicyClause aggregation.SUPAHasPolExecFailTakeAction association. The attributes and relationships of this class can be used todefinedetermine whichSUPAPolicyTargetSUPAPolicyAction objectscan be attachedare executed in response towhich particular seta failure ofSUPAPolicyStructure objects. Everythe SUPAPolicyStructure object instanceMUST aggregate at least one SUPAPolicyClause object instance. However, the converse is NOT true. For example, a SUPAPolicyClause could be instantiated and then stored for later use in a policy repository.";that owns this association."; } containersupa-policy-clause-detail-containersupa-policy-exec-fail-take-action-detail-container { description "This is a container to collect all object instances of typeSUPAPolicyClauseDetail.";SUPAPolExecFailActionToTakeDetail."; listsupa-policy-clause-detail-listsupa-policy-exec-fail-take-action-detail-list { key supa-policy-ID; usessupa-has-policy-clause-detail;supa-has-policy-exec-action-detail; description "This is a list of allsupa-policy-clause-detailsupa-has-policy-exec-action-detail objects."; } } identitySUPA-HAS-POLICY-EXEC-ACTION-ASSOCSUPA-HAS-POLICY-METADATA-DECORATOR-DETAIL-ASSOC { base POLICY-METADATA-TYPE; description "The identity corresponding to aSUPAHasPolExecFailActionToTakeSUPAHasMetadataDecoratorDetail association class object instance."; } groupingsupa-has-policy-exec-action-detailsupa-has-policy-metadata-dec-detail {leaf supa-policy-ID { type string; description "This is a globally unique ID for this association instance in the overall policy system."; } leaf entity-classuses supa-policy-metadata-type {type identityrefrefine entity-class {base SUPA-HAS-POLICY-EXEC-ACTION-ASSOC; }defaultSUPA-HAS-POLICY-EXEC-ACTION-ASSOC; description "The identifier of the class of this assocation.";SUPA-HAS-POLICY-METADATA-DECORATOR-DETAIL-ASSOC; } } leafsupa-policy-structure-action-src-ptrsupa-has-policy-metadata-detail-dec-agg-ptr { type instance-identifier; must "derived-from-or-self (deref(.)/entity-class,POLICY-STRUCTURE-TYPE)";POLICY-METADATA-TYPE)"; description "Thisassociatesleaf is an instance-identifier that references a SUPAPolicyMetadataDecorator instance end point of theSUPAPolicyStructure objectassociation represented by this instanceparticipating in a SUPAHasPolExecFailActionToTakeof the SUPAHasMetadataDecorator associationto[1]. The grouping supa-has-policy-metadata-detail represents theSUPAHasPolExecFailActionToTakeDetailSUPAHasMetadataDecoratorDetail associationclass that providesclass. Thus, thesemantics ofinstance identified by thisaggregation. This definesleaf is theobject classSUPAPolicyMetadataDecorator instance that is associated by thisinstance-identifier points to.";association to the set of SUPAPolicyMetadata instances referenced by the supa-has-policy-metadata-detail-dec-part-ptr leaf of this grouping."; } leafsupa-policy-structure-action-dst-ptrsupa-has-policy-metadata-detail-dec-part-ptr { type instance-identifier; must "derived-from-or-self (deref(.)/entity-class,POLICY-STRUCTURE-TYPE)";POLICY-METADATA-TYPE)"; description "Thisassociatesleaf is an instance-identifier that references aSUPAPolicyAction objectSUPAPolicyMetadata instanceparticipating in a SUPAHasPolExecFailActionToTakeend point of the associationtorepresented by this instance of theSUPAHasPolExecFailActionToTakeDetailSUPAHasMetadataDecorator associationclass that provides[1]. The grouping supa-has-policy-metadata-detail represents thesemantics of this aggregation. This definesSUPAHasMetadataDecoratorDetail association class. Thus, theobject class thatinstance identified by thisinstance-identifier points to."; }leafsupa-policy-exec-fail-take-action-encoding { type policy-data-type-id-encoding-list; description "This defines how to find the set of SUPA Policy Action objects contained in each element of the supa-policy-exec-fail-take-action-name attribute object."; } leaf-list supa-policy-exec-fail-take-action-name { type string; description "This identifies the set of SUPA Policy Actions to take ifis theSUPAPolicyStructure objectSUPAPolicyMetadata instance thatownsis associated by this associationfailedtoexecute properly. The interpretationthe set ofthis string attribute is definedSUPAPolicyMetadataDecorator instances referenced by thesupa-policy-exec-fail-take-action-encoding class attribute.";supa-has-policy-metadata-detail-dec-agg-ptr leaf of this grouping."; } description "This is an association class, and defines the semantics of theSUPAHasPolExecFailTakeActionSUPAHasMetadataDecorator association. The attributes and relationships of this class can be used todeterminedefine whichSUPA Policy Action objects are executed in responseconcrete subclasses of the SUPAPolicyMetadataDecorator class can be used toa failurewrap which concrete subclasses of theSUPAPolicyStructure object instance that owns this association.";SUPAPolicyMetadata class."; } containersupa-policy-exec-fail-take-action-detail-containersupa-policy-metadata-decorator-detail-container { description "This is a container to collect all object instances of typeSUPAPolExecFailActionToTakeDetail.";SUPAHasMetadaDecoratorDetail."; listsupa-policy-exec-fail-take-action-detail-listsupa-policy-metadata-decorator-detail-list { keysupa-policy-ID;supa-policy-metadata-id; usessupa-has-policy-exec-action-detail;supa-has-policy-metadata-dec-detail; description "This is a list of allsupa-has-policy-exec-action-detailsupa-policy-metadata-detail objects."; } } } <CODE ENDS> 6. IANA Considerations No IANA considerations exist for this document. 7. Security Considerations TBD 8. Acknowledgments This document has benefited from reviews, suggestions, comments and proposed text provided by the following members, listed in alphabetical order: QinWu.Wu 9. References This section defines normative and informative references for this document. 9.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, October 2010. [RFC6991] Schoenwaelder, J., "Common YANG Data Types", RFC 6991, July 2013. 9.2. Informative References [1] Strassner, J., Halpern, J., Coleman, J., "Generic Policy Information Model for Simplified Use of Policy Abstractions (SUPA)",draft-strassner-supa-generic-policy-info-model-05March 21,20162016, draft-ietf-supa-generic-policy-info-model-01 [2] http://www.omg.org/spec/OCL/ [3] http://doc.omg.org/formal/2002-04-03.pdf [4] http://alloy.mit.edu/alloy/ [5] http://www.omg.org/spec/QVT/ [6] http://semver.org/ [7] Definitions of DAC, MAC, and RBAC may be found here: http://csrc.nist.gov/groups/SNS/rbac/faq.html#03 [8] ABAC is described here: http://csrc.nist.gov/groups/SNS/rbac/index.html Authors' Addresses Joel Halpern Ericsson P. O. Box 6049 Leesburg, VA 20178 Email: joel.halpern@ericsson.com John Strassner Huawei Technologies 2330 Central Expressway Santa Clara, CA 95138 USA Email: john.sc.strassner@huawei.com Sven van der Meer LM Ericsson Ltd. Ericsson Software Campus Garrycastle Athlone N37 PV44 Ireland Email: sven.van.der.meer@ericsson.com