draft-ietf-supa-generic-policy-info-model-01.txt   draft-ietf-supa-generic-policy-info-model-02.txt 
Network Working Group J. Strassner Network Working Group J. Strassner
Internet Draft Huawei Technologies Internet Draft Huawei Technologies
Intended status: Standard Track J. Halpern Intended status: Standard Track J. Halpern
Expires: January 19, 2017 S. van der Meer Expires: July 20, 2017 S. van der Meer
Ericsson Ericsson
July 19, 2016 January 18, 2017
Generic Policy Information Model for Generic Policy Information Model for
Simplified Use of Policy Abstractions (SUPA) Simplified Use of Policy Abstractions (SUPA)
draft-ietf-supa-generic-policy-info-model-01 draft-ietf-supa-generic-policy-info-model-02
Abstract Abstract
This document defines an information model for representing This document defines an information model for representing
policies using a common extensible framework that is independent policies using a common extensible framework that is independent
of language, protocol, repository. It is also independent of the of language, protocol, repository. It is also independent of the
level of abstraction of the content and meaning of a policy. level of abstraction of the content and meaning of a policy.
Status of this Memo Status of this Memo
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current working documents as Internet-Drafts. The list of current
Internet-Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet-Drafts documents at any time. It is inappropriate to use Internet-Drafts
as reference material or to cite them other than as "work in as reference material or to cite them other than as "work in
progress." progress."
This Internet-Draft will expire on January 19, 2017. This Internet-Draft will expire on July 20, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided Section 4.e of the Trust Legal Provisions and are provided
without warranty as described in the Simplified BSD License. without warranty as described in the Simplified BSD License.
Table of Contents Table of Contents
*** Note: this is out of date, will be fixed in next version ***
1. Overview ....................................................... 9 1. Overview ....................................................... 9
1.1. Introduction .............................................. 9 1.1. Introduction .............................................. 9
1.2. Changes Since Version -03 ................................ 11 1.2. Changes Since Version -03 ................................ 11
2. Conventions Used in This Document ............................. 11 2. Conventions Used in This Document ............................. 11
3. Terminology ................................................... 12 3. Terminology ................................................... 12
3.1. Acronyms ................................................. 12 3.1. Acronyms ................................................. 12
3.2. Definitions .............................................. 12 3.2. Definitions .............................................. 12
3.2.1. Core Terminology .................................... 12 3.2.1. Core Terminology .................................... 12
3.2.1.1. Information Model .............................. 12 3.2.1.1. Information Model .............................. 12
skipping to change at page 3, line 51 skipping to change at page 3, line 51
5.2.1.5. The Attribute "supaPolicyName" ................. 51 5.2.1.5. The Attribute "supaPolicyName" ................. 51
5.2.2. SUPAPolicy Relationships ............................ 52 5.2.2. SUPAPolicy Relationships ............................ 52
5.2.2.1. The Relationship "SUPAHasPolicyMetadata" ....... 52 5.2.2.1. The Relationship "SUPAHasPolicyMetadata" ....... 52
5.2.2.2. The Association Class 5.2.2.2. The Association Class
"SUPAHasPolicyMetadataDetail" .................. 52 "SUPAHasPolicyMetadataDetail" .................. 52
5.3. The Abstract Class "SUPAPolicyStructure" ................. 52 5.3. The Abstract Class "SUPAPolicyStructure" ................. 52
5.3.1. SUPAPolicyStructure Attributes ...................... 53 5.3.1. SUPAPolicyStructure Attributes ...................... 53
5.3.1.1. The Attribute "supaPolAdminStatus" ............. 53 5.3.1.1. The Attribute "supaPolAdminStatus" ............. 53
5.3.1.2. The Attribute "supaPolContinuumLevel" .......... 53 5.3.1.2. The Attribute "supaPolContinuumLevel" .......... 53
5.3.1.3. The Attribute "supaPolDeployStatus" ............ 54 5.3.1.3. The Attribute "supaPolDeployStatus" ............ 54
5.3.1.4. The Attribute "supaPolExecStatus" .............. 54 5.3.1.4. The Attribute "supaPolExecFailStrategy" ........ 54
5.3.1.5. The Attribute "supaPolExecFailStrategy" ........ 54
Table of Contents (continued) Table of Contents (continued)
5.3.2. SUPAPolicyStructure Relationships ................... 55 5.3.2. SUPAPolicyStructure Relationships ................... 55
5.3.2.1. The Aggregation "SUPAHasPolicySource" .......... 55 5.3.2.1. The Aggregation "SUPAHasPolicySource" .......... 55
5.3.2.2. The Association Class 5.3.2.2. The Association Class
"SUPAHasPolicySourceDetail" .................... 55 "SUPAHasPolicySourceDetail" .................... 55
5.3.2.2.1. The Attribute "supaPolSrcIsAuthenticated" . 55 5.3.2.2.1. The Attribute "supaPolSrcIsAuthenticated" . 55
5.3.2.2.2. The Attribute "supaPolSrcIsTrusted" ....... 56 5.3.2.2.2. The Attribute "supaPolSrcIsTrusted" ....... 56
5.3.2.3. The Aggregation "SUPAHasPolicyTarget" .......... 56 5.3.2.3. The Aggregation "SUPAHasPolicyTarget" .......... 56
5.3.2.4. The Association Class 5.3.2.4. The Association Class
"SUPAHasPolicyTargetDetail" ................... 56 "SUPAHasPolicyTargetDetail" ................... 56
5.3.2.4.1. The Attribute "supaPolTgtIsAuthenticated" . 56 5.3.2.4.1. The Attribute "supaPolTgtIsAuthenticated" . 56
5.3.2.4.2. The Attribute "supaPolTgtIsEnabled" ....... 56 5.3.2.4.2. The Attribute "supaPolTgtIsEnabled" ....... 56
5.3.2.5. The Association "SUPAHasPolExecFailTakeAction" . 57 5.3.2.5. The Association "SUPAHasPolExecFailTakeAction" . 57
5.3.2.6. The Association Class 5.3.2.6. The Association Class
"SUPAHasPolExecFailTakeActionDetail" ........... 57 "SUPAHasPolExecFailTakeActionDetail" ........... 57
5.3.2.6.1. The Attribute 5.3.2.6.1. The Attribute
"supaPolExecFailTakeActionEncoding" ....... 57 "supaPolExecFailActionEncoding" ........... 57
5.3.2.6.2. The Attribute 5.3.2.6.2. The Attribute
"supaPolExecFailTakeActionName[1..n]" ..... 58 "supaPolExecFailActionName[1..n]" ......... 58
5.3.2.7. The Aggregation "SUPAHasPolicyClause" .......... 58 5.3.2.7. The Aggregation "SUPAHasPolicyClause" .......... 58
5.3.2.8. The Association Class 5.3.2.8. The Association Class
"SUPAHasPolicyClauseDetail" .................... 58 "SUPAHasPolicyClauseDetail" .................... 58
5.4. The Abstract Class "SUPAPolicyComponentStructure" ........ 59 5.4. The Abstract Class "SUPAPolicyComponentStructure" ........ 59
5.4.1. SUPAPolicyComponentStructure Attributes ............. 59 5.4.1. SUPAPolicyComponentStructure Attributes ............. 59
5.4.2. SUPAPolicyComponentStructure Relationships .......... 59 5.4.2. SUPAPolicyComponentStructure Relationships .......... 59
5.5. The Abstract Class "SUPAPolicyClause" .................... 59 5.5. The Abstract Class "SUPAPolicyClause" .................... 59
5.5.1. SUPAPolicyClause Attributes ......................... 60 5.5.1. SUPAPolicyClause Attributes ......................... 60
5.5.1.1. The Attribute "supaPolClauseExecStatus" ........ 60 5.5.1.1. The Attribute "supaPolClauseDeployStatus" ...... 60
5.5.2. SUPAPolicyClause Relationships ...................... 61 5.5.2. SUPAPolicyClause Relationships ...................... 61
5.6. The Concrete Class "SUPAEncodedClause" ................... 61 5.6. The Concrete Class "SUPAEncodedClause" ................... 61
5.6.1. SUPAEncodedClause Attributes ........................ 61 5.6.1. SUPAEncodedClause Attributes ........................ 61
5.6.1.1. The Attribute "supaEncodedClauseContent" ....... 61 5.6.1.1. The Attribute "supaEncodedClauseContent" ....... 61
5.6.1.2. The Attribute "supaEncodedClauseEncoding" ...... 61 5.6.1.2. The Attribute "supaEncodedClauseEncoding" ...... 61
5.6.1.3. The Attribute "supaEncodedClauseResponse" ...... 62 5.6.1.3. The Attribute "supaEncodedClauseLanguage" ...... 62
5.6.1.4. The Attribute "supaEncodedClauseLang[0..n]" .... 62 5.6.1.4. The Attribute "supaEncodedClauseResponse" ...... 62
5.6.1.5. The Attribute "supaEncodedClauseResponse" ...... 62
5.6.2. SUPAEncodedClause Relationships ..................... 62 5.6.2. SUPAEncodedClause Relationships ..................... 62
5.7. The Abstract Class "SUPAPolicyComponentDecorator" ........ 62 5.7. The Abstract Class "SUPAPolicyComponentDecorator" ........ 62
5.7.1. The Decorator Pattern ............................... 63 5.7.1. The Decorator Pattern ............................... 63
5.7.2. SUPAPolicyComponentDecorator Attributes ............. 64 5.7.2. SUPAPolicyComponentDecorator Attributes ............. 64
5.7.2.1. The Attribute "supaPolCompConstraintEncoding" .. 65 5.7.2.1. The Attribute "supaPolCompConstraintEncoding" .. 65
5.7.2.2. The Attribute "supaAPolCompConstraint[0..n]" ... 65 5.7.2.2. The Attribute "supaAPolCompConstraint[0..n]" ... 65
5.7.3. SUPAPolicyComponentDecorator Relationships .......... 65 5.7.3. SUPAPolicyComponentDecorator Relationships .......... 65
5.7.3.1. The Aggregation 5.7.3.1. The Aggregation
"SUPAHasDecoratedPolicyComponent" .............. 66 "SUPAHasDecoratedPolicyComponent" .............. 66
5.7.3.2. The Association Class 5.7.3.2. The Association Class
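Review bot: entry 5.7.2.2 still reads "supaAPolCompConstraint[0..n]" in -02, with a stray "A" compared with its sibling "supaPolCompConstraintEncoding" in 5.7.2.1; correct the name when the Table of Contents is regenerated. Entries 5.2.2 and 5.2.1.5 also say "SUPAPolicy Relationships" and sit under a SUPAPolicy heading, while the body headings for the same section numbers name the class SUPAPolicyObject, so the class name in these entries should be aligned with the body.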
skipping to change at page 11, line 28 skipping to change at page 11, line 28
module MUST extend the GPIM to define a new type of policy rule by module MUST extend the GPIM to define a new type of policy rule by
adding to the GPIM. Each additoinal module MUST NOT alter any of adding to the GPIM. Each additoinal module MUST NOT alter any of
the model elements of the GPIM. The use of extensions preserves the the model elements of the GPIM. The use of extensions preserves the
interoperability of this approach; if the base GPIM was modified, interoperability of this approach; if the base GPIM was modified,
then this would adversely compromise interoperability. then this would adversely compromise interoperability.
The SUPA ECA Policy Rule Information Model (EPRIM) extends the The SUPA ECA Policy Rule Information Model (EPRIM) extends the
GPIM to represent policy rules that use the Event-Condition-Action GPIM to represent policy rules that use the Event-Condition-Action
(ECA) paradigm. (ECA) paradigm.
1.2. Changes Since Version -00 1.2. Changes Since Version -01
There are several changes in this version of this document There are several changes in this version of this document
compared to the previous versions of this document. They are: compared to the previous versions of this document. They are:
1) Rewrote parts of the Introduction. 1) Clarified figure 7 and figure 17
2) Clarified how to extend the GPIM and EPRIM 2) Aligned enumerations in IM with those in DM and standardized
3) Redesigned the SUPAPolicyVersionMetadataDef class values in the IM version and their explanations
4) Added Fully Qualified Path Names where applicable 3) Removed supaPolExecStatus and supaPolClauseExecStatus
5) Removed Appendices B and C (declarative policies) 4) Added supaPolClauseDeployStatus attribute
6) Fixed typos 5) Rewrote SUPAPolicyComponentStructure definition
6) Rewrote SUPAPolicyClause definition
7) Synchronized information and data models.
8) Deleted the attribute "supaEncodedClauseLang[0..n]"
9) Fixed typos
2. Conventions Used in This Document 2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
this document are to be interpreted as described in [RFC2119]. In this document are to be interpreted as described in [RFC2119]. In
this document, these words will appear with that interpretation this document, these words will appear with that interpretation
only when in ALL CAPS. Lower case uses of these words are not to only when in ALL CAPS. Lower case uses of these words are not to
be interpreted as carrying [RFC2119] significance. be interpreted as carrying [RFC2119] significance.
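Review bot: the typo "additoinal" in "Each additoinal module MUST NOT alter any of the model elements of the GPIM" is carried unchanged into -02 even though change item 9 says typos were fixed; correct it to "additional". The section heading now reads "Changes Since Version -01" while the Table of Contents entry for 1.2 still says "-03", so that entry needs the same update.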
skipping to change at page 31, line 52 skipping to change at page 31, line 52
| | | | | | | | | | | |
| | | SUPAHasPolicyClause #1 | | | | | | SUPAHasPolicyClause #1 | | |
| | +------------------------------+ | | | | +------------------------------+ | |
| | | | | | | |
| | SUPAHasPolicyClause #2 | | | | SUPAHasPolicyClause #2 | |
| +----------------------------------------+ | | +----------------------------------------+ |
| | | |
| SUPAHasPolicyClause #3 | | SUPAHasPolicyClause #3 |
+--------------------------------------------------+ +--------------------------------------------------+
note: all 3 aggregations have a multiplicity of 1..n - 0..n
Figure 7. Instantiating a SUPAECAPolicyRule, part 1 Figure 7. Instantiating a SUPAECAPolicyRule, part 1
In figure 7, SUPAECAPolicyRule is shown as "owning" these three In figure 7, SUPAECAPolicyRule is shown as "owning" these three
aggregations, since it inherits them from its superclass aggregations, since it inherits them from its superclass
(SUPAPolicyStructure). The three aggregations represent the (SUPAPolicyStructure). The three aggregations represent the
event, condition, and action clauses of a SUPAECAPolicyRule. event, condition, and action clauses of a SUPAECAPolicyRule.
Note that each of these clauses MAY consist of one or more Note that each of these clauses MAY consist of one or more
SUPAPolicyClauses. Similarly, each SUPAPolicyClause MAY consist SUPAPolicyClauses. Similarly, each SUPAPolicyClause MAY consist
of one or more predicates. In this way, complex event, condition, of one or more predicates. In this way, complex event, condition,
and action clauses, which are combinations of Boolean expressions and action clauses, which are combinations of Boolean expressions
skipping to change at page 35, line 44 skipping to change at page 35, line 44
I I
I I
I I
+------------+-------------+----------------+ +------------+-------------+----------------+
I I I I I I I I
A I I C I I A I I C I I
+--------+-------+ I +---------+------------+ I +--------+-------+ I +---------+------------+ I
| SUPAPolicyTerm | I | SUPAPolicyCollection | I | SUPAPolicyTerm | I | SUPAPolicyCollection | I
+----------------+ I +----------------------+ I +----------------+ I +----------------------+ I
(for defining I (for defining sets and/or I (for defining I (for defining sets and/or I
clauses in I groups of objects) I clauses in a I groups of objects) I
canonical form) I I canonical form) I I
I I I I
C I A I C I A I
+----------------+--------------+ +---------+--------+ +----------------+--------------+ +---------+--------+
| SUPAGenericDecoratedComponent | | SUPAECAComponent | | SUPAGenericDecoratedComponent | | SUPAECAComponent |
+-------------------------------+ +------------------+ +-------------------------------+ +------------------+
(for decorating concrete (for defining reusable (for decorating concrete (for defining reusable
subclasses of SUPAPolicyClause) event, condition, subclasses of SUPAPolicyClause) event, condition,
and action objects) and action objects)
skipping to change at page 43, line 44 skipping to change at page 43, line 44
to a given object. to a given object.
SUPAPolicyMetadata objects (see sections 5.16 - 5.20) may be SUPAPolicyMetadata objects (see sections 5.16 - 5.20) may be
attached to the SUPAECAPolicyRule and/or any of its components attached to the SUPAECAPolicyRule and/or any of its components
to define additional semantics of the SUPAECAPolicyRule. For to define additional semantics of the SUPAECAPolicyRule. For
example, SUPAAccessMetadataDef (see section 5.19) and/or example, SUPAAccessMetadataDef (see section 5.19) and/or
SUPAVersionMetadataDef (see section 5.20) may be attached to SUPAVersionMetadataDef (see section 5.20) may be attached to
define the access privileges and version information, define the access privileges and version information,
respectively, of a policy rule and/or its components. respectively, of a policy rule and/or its components.
The SUPAPolicyStructure contains two attributes, The SUPAPolicyStructure defines an attribute, supaPolDeployStatus,
supaPolDeployStatus and supaPolExecStatus (see sections 5.3.1.3. (see section 5.3.1.3.) that SUPAPolicyMetadata objects can
and 5.3.1.4., respectively) that SUPAPolicyMetadata objects can
use to get and set the deployment and execution status of a use to get and set the deployment and execution status of a
SUPAPolicy. This allows metadata to be used to alter the SUPAPolicy. This allows metadata to be used to alter the
deployment and/or execution state of a policy (or a set of deployment and/or execution state of a policy (or a set of
policy components) without having to affect other parts of the policy components) without having to affect other parts of the
policy-based management system. The supaPolDeployStatus attribute policy-based management system. The supaPolDeployStatus attribute
indicates that this SUPAPolicy can or cannot be deployed. If it indicates that this SUPAPolicy can or cannot be deployed. If it
cannot be deployed. Similarly, the supaPolExecStatus attribute cannot be deployed. Similarly, the supaPolExecStatus attribute
is used to indicate if a particular SUPAPolicy has executed, is is used to indicate if a particular SUPAPolicy has executed, is
currently executing, or is ready to execute, and whether or not currently executing, or is ready to execute, and whether or not
the execution of that SUPAPolicy had any failures. the execution of that SUPAPolicy had any failures.
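Review bot: the rewritten paragraph still describes supaPolExecStatus ("Similarly, the supaPolExecStatus attribute is used to indicate if a particular SUPAPolicy has executed...") although the new opening sentence names only supaPolDeployStatus and change item 3 says supaPolExecStatus was removed. Delete that sentence, and change "get and set the deployment and execution status" and "deployment and/or execution state" to refer to deployment only, or state which attribute now carries execution status. The fragment "If it cannot be deployed." is left incomplete in both versions and should be finished or dropped.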
skipping to change at page 48, line 42 skipping to change at page 48, line 42
| | | | | | | |
| | | +---SUPAPolicyValue (5.11) | | | +---SUPAPolicyValue (5.11)
| | | | | |
| | +---SUPAGenericDecoratedComponent (5.12) | | +---SUPAGenericDecoratedComponent (5.12)
| | | | | |
| | +---SUPAPolicyCollection (5.13) | | +---SUPAPolicyCollection (5.13)
| | | |
| +---SUPAPolicySource (5.14) | +---SUPAPolicySource (5.14)
| | | |
| +---SUPAPolicyTarget (5.15) | +---SUPAPolicyTarget (5.15)
(Class of another model that SUPAPolicyMetadata is integrating into)
| |
+---SUPAPolicyMetadata (5.16) +---SUPAPolicyMetadata (5.16)
| |
+---SUPAPolicyConcreteMetadata (5.17) +---SUPAPolicyConcreteMetadata (5.17)
| |
+---SUPAPolicyMetadataDecorator (5.18) +---SUPAPolicyMetadataDecorator (5.18)
| |
+---SUPAPolicyAccessMetadataDef (5.19) +---SUPAPolicyAccessMetadataDef (5.19)
| |
+---SUPAPolicyVersionMetadataDef (5.20) +---SUPAPolicyVersionMetadataDef (5.20)
Figure 16: Main Classes of the GPIM Figure 16: Main Classes of the GPIM
SUPAPolicy is the root of the SUPA class hierarchy. For SUPAPolicy is the root of the SUPA class hierarchy. For
implementations, it is assumed that SUPAPolicy is subclassed from implementations, it is assumed that SUPAPolicy is subclassed from
a class from another model. a class from another model. Note that SUPAPolicyMetadata MAY be
subclassed from the same or (preferably) a different class in the
external model.
Classes, attributes, and relationships that are marked as Classes, attributes, and relationships that are marked as
"mandatory" MUST be part of a conformant implementation (i.e., a "mandatory" MUST be part of a conformant implementation (i.e., a
schema MUST contain these entities). This does not mean that these schema MUST contain these entities). This does not mean that these
entities must be instantiated; rather it means that they must be entities must be instantiated; rather it means that they must be
able to be instantiated. Classes, attributes, and relationships able to be instantiated. Classes, attributes, and relationships
that are marked as "optional" MAY be part of a conformant that are marked as "optional" MAY be part of a conformant
implementation. implementation.
Unless otherwise stated, all classes (and attributes) defined in Unless otherwise stated, all classes (and attributes) defined in
this section were abstracted from DEN-ng [2], and a version of this section were abstracted from DEN-ng [2], and a version of
them are in the process of being added to [5]. However, the work them are in the process of being added to [5]. However, the work
in [5] has been put on hold, and the names of many of the classes, in [5] has been put on hold, and the names of many of the classes,
attributes, and relationships are slightly different. attributes, and relationships are slightly different.
5.2. The Abstract Class "SUPAPolicyObject" 5.2. The Abstract Class "SUPAPolicyObject"
This is a mandatory abstract class. Figure 17 shows the This is a mandatory abstract class. Figure 17 shows the
SUPAPolicyObject class, and its four subclasses. SUPAPolicyObject class, and its four subclasses.
A 0..n 0..n A A 0..n 0..n A
+----------------+/ \ \+------------------+ +----------------+/ \ \+------------------+
|SUPAPolicyObject+ A ------------------------+SUPAPolicyMetadata| |SUPAPolicyObject+ A --------------------------+SUPAPolicyMetadata|
+--------+-------+\ / SUPAHasPolicyMetadata /+------------------+ +--------+-------+\ / SUPAHasPolicyMetadata /+------------------+
/ \ / \
I I
I I
+-----------------+----------------+-----------+ +-----------------+----------------+-----------+
I I I I I I I I
A I I I I A I I I I
+--------+------------+ I I I +--------+------------+ I I I
| SUPAPolicyStructure | I I I | SUPAPolicyStructure | I I I
+---------------------+ I I I +---------------------+ I I I
A I I I A I I I
skipping to change at page 51, line 28 skipping to change at page 51, line 28
This is a mandatory non-zero enumerated integer attribute that This is a mandatory non-zero enumerated integer attribute that
represents part of the object identifier of an instance of this represents part of the object identifier of an instance of this
class. It defines the format of the object identifier. It works class. It defines the format of the object identifier. It works
with another class attribute, called supaPolObjIDContent, which with another class attribute, called supaPolObjIDContent, which
defines the content of the object ID. These two attributes form defines the content of the object ID. These two attributes form
a tuple, and together enable a machine to understand the syntax a tuple, and together enable a machine to understand the syntax
and value of an object identifier for the object instance of and value of an object identifier for the object instance of
this class. The supaPolObjIDEncoding attribute is mapped to the this class. The supaPolObjIDEncoding attribute is mapped to the
following values: following values:
0: undefined 0: error
1: GUID 1: init
2: UUID 2: primary_key
3: primary key 3: foreign_key
4: foreign key 4: GUID
5: URI 5: UUID
6: FQDN 6: URI
7: FQPN 7: FQDN
8: FQPN
9: string_instance_id
The value 0 may be used to initialize the system, or to signal The values 0 and 1 represent an error state and an initialization
that there is a problem with this particular SUPAPolicyObject. state, respectively. The value 9 defines the canonical
representation, in ASCII, of an instance ID of this object.
5.2.1.4. The Attribute "supaPolicyDescription" 5.2.1.4. The Attribute "supaPolicyDescription"
This is an optional string attribute that defines a free-form This is an optional string attribute that defines a free-form
textual description of this object. textual description of this object.
5.2.1.5. The Attribute "supaPolicyName" 5.2.1.5. The Attribute "supaPolicyName"
This is an optional string attribute that defines the name of this This is an optional string attribute that defines the name of this
Policy. This enables any existing generic naming attribute to be Policy. This enables any existing generic naming attribute to be
used for generic naming, while allowing this attribute to be used used for generic naming, while allowing this attribute to be used
to name Policy entities in a common manner. Note that this is NOT to name Policy entities in a common manner. Note that this is NOT
the same as the commonName attribute of the Policy class defined the same as the commonName attribute of the Policy class defined
in [RFC3060], as that attribute is intended to be used with just in [RFC3060], as that attribute is intended to be used with just
X.500 cn attributes. X.500 cn attributes.
5.2.2. SUPAPolicyObject Relationships 5.2.2. SUPAPolicyObject Relationships
The SUPAPolicyObject class currently defines a single relationship, The SUPAPolicyObject class currently defines a single relationship,
as defined in the subsections below. as defined in the subsection below.
5.2.2.1. The Aggregation "SUPAHasPolicyMetadata" 5.2.2.1. The Aggregation "SUPAHasPolicyMetadata"
This is a mandatory aggregation that defines the set of This is a mandatory aggregation that defines the set of
SUPAPolicyMetadata that are aggregated by this particular SUPAPolicyMetadata that are aggregated by this particular
SUPAPolicyObject. This aggregation is defined in section SUPAPolicyObject. This aggregation is defined in section
5.16.2. 5.16.2.
5.2.2.2. The Association Class "SUPAHasPolicyMetadataDetail" 5.2.2.2. The Association Class "SUPAHasPolicyMetadataDetail"
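Review bot: inserting "error" and "init" at 0 and 1 in supaPolObjIDEncoding shifts every existing code point (GUID moves from 1 to 4, UUID from 2 to 5, primary key from 3 to 2), so an identifier encoded under -01 is read as a different format under -02 with no way to tell the two apart. Because this attribute is what lets a machine interpret supaPolObjIDContent, either append the new values after the existing ones or state explicitly that -01 values are not compatible. The revised sentence "defines a single relationship, as defined in the subsection below" is also followed by both 5.2.2.1 and 5.2.2.2, so say how the association class in 5.2.2.2 relates to that single relationship.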
skipping to change at page 53, line 24 skipping to change at page 53, line 24
Care must be taken in adding attributes to this class, Care must be taken in adding attributes to this class,
because the behavior of future subclasses of this class (e.g., because the behavior of future subclasses of this class (e.g.,
declarative and functional policies) is very different than the declarative and functional policies) is very different than the
behavior of SUPAECAPolicyRules. behavior of SUPAECAPolicyRules.
5.3.1.1. The Attribute "supaPolAdminStatus" 5.3.1.1. The Attribute "supaPolAdminStatus"
This is an optional attribute, which is an enumerated non-negative This is an optional attribute, which is an enumerated non-negative
integer. It defines the current administrative status of this integer. It defines the current administrative status of this
SUPAPolicyClause. SUPAPolicyClause. Values include:
This attribute can be used to place this particular
SUPAPolicyStructure object instance into a specific administrative
state, such as enabled, disabled, or in test. Values include:
0: Unknown (an error state) 0: error
1: Enabled 1: init
2: Disabled 2: enabled
3: In Test (i.e., no operational traffic can be passed) 3: disabled
4: in test (i.e., no operational traffic can be passed)
Value 0 denotes an error that prevents this SUPAPolicyStructure The values 0 and 1 represent an error state and an initialization
from being used. Values 1 and 2 mean that this SUPAPolicyStructure state, respectively. Values 2 and 3 mean that this
is administratively enabled or disabled, respectively. A value of SUPAPolicyStructure is administratively enabled or disabled,
3 means that this SUPAPolicyStructure is in a special test mode respectively. A value of 4 means that this SUPAPolicyStructure is
and SHOULD NOT be used as part of an OAM&P policy. currently in a special test mode and SHOULD NOT be used as part of
an OAM&P policy.
5.3.1.2. The Attribute "supaPolContinuumLevel" 5.3.1.2. The Attribute "supaPolContinuumLevel"
This is an optional non-negative integer attribute. It defines This is an optional non-negative integer attribute. It defines
the level of abstraction, or policy continuum level [10], of this the level of abstraction, or policy continuum level [10], of this
particular SUPAPolicy. The value assignment of this class is particular SUPAPolicy. The value assignment of this class is
dependent on the application; however, it is recommended that dependent on the application; however, it is recommended that
for consistency with other SUPA attributes, the value of 0 is for consistency with other SUPA attributes, the values of 0 and 1
reserved for initialization and/or error conditions. are reserved for error and initialization states.
By convention, lower values represent more abstract levels of the By convention, lower values represent more abstract levels of the
policy continuum. For example, a value of 1 could represent policy continuum. For example, a value of 1 could represent
business policy, a value of 2 could represent application-specific business policy, a value of 2 could represent application-specific
policies, and a value of 3 could represent low=level policies for policies, and a value of 3 could represent low=level policies for
network administrators. network administrators.
5.3.1.3. The Attribute "supaPolDeployStatus" 5.3.1.3. The Attribute "supaPolDeployStatus"
This is an optional enumerated, non-negative integer attribute. The This is an optional enumerated, non-negative integer attribute. The
purpose of this attribute is to indicate that this SUPAPolicy can purpose of this attribute is to indicate that this SUPAPolicy can
or cannot be deployed by the policy management system. This or cannot be deployed by the policy management system. This
attribute enables the policy manager to know which SUPAPolicies to attribute enables the policy manager to know which SUPAPolicies to
retrieve, and may be useful for the policy execution system for retrieve, and may be useful for the policy execution system for
planning the staging of SUPAPolicies. Values include: planning the staging of SUPAPolicies. Values include:
0: undefined 0: error
1: deployed and enabled 1: init
2: deployed and in test 2: deployed and enabled
3: deployed but not enabled 3: deployed and in test
4: ready to be deployed 4: deployed but not enabled
5: cannot be deployed 5: ready to be deployed
6: cannot be deployed
If the value of this attribute is 0 or 5, then the policy
management system SHOULD ignore this SUPAPolicy. Otherwise, the
policy management MAY use this SUPAPolicy.
5.3.1.4. The Attribute "supaPolExecStatus"
This is an optional attribute, which is an enumerated,
non-negative integer. It defines the current execution status
of this SUPAPolicy. Values include:
0: undefined The values 0 and 1 represent an error state and an initialization
1: executed and SUCCEEDED (operational mode) state, respectively. A value of 2 means that the policy management
2: executed and FAILED (operational mode) system MAY use this SUPAPolicy. A value of 3-5 means that the
3: currently executing (operational mode) policy management system SHOULD NOT use this SUPAPolicy until it is
4: ready to execute (operational mode) put into an enabled state.
5: executed and SUCCEEDED (test mode)
6: executed and FAILED (test mode)
7: currently executing (test mode)
8: ready to execute (test mode)
5.3.1.5. The Attribute "supaPolExecFailStrategy" 5.3.1.4. The Attribute "supaPolExecFailStrategy"
This is an optional non-negative, enumerated integer that defines This is an optional non-negative, enumerated integer that defines
what actions, if any, should be taken by this what actions, if any, should be taken by this
SUPAPolicyStructure object if it fails to execute correctly. SUPAPolicyStructure object if it fails to execute correctly.
Note that some systems may not be able to support all options Note that some systems may not be able to support all options
specified in this enumeration. If rollback is supported by the specified in this enumeration. If rollback is supported by the
system, then option 2 may be skipped. Options 3 and 4 can be used system, then option 2 may be skipped. Options 3 and 4 can be used
by systems that do and do not support rollback. Values include: by systems that do and do not support rollback. Values include:
0: undefined 0: error
1: attempt rollback of all actions taken and stop execution 1: init
2: attempt rollback of only the action that failed and stop 2: attempt rollback of all actions taken and stop execution
3: attempt rollback of only the action that failed and stop
execution execution
3: stop execution but do not rollback any actions 4: stop execution but do not rollback any actions
4: ignore failure and continue execution 5: ignore failure and continue execution
A value of 0 can be used as an error condition. A value of 1 means The values 0 and 1 represent an error state and an initialization
that ALL execution is stopped, rollback of all actions (whether state, respectively. A value of 2 means that ALL execution is
successful or not) is attempted, and that SUPAPolicies that stopped, rollback of all actions (whether successful or not) is
otherwise would have been executed are ignored. A value of 2 means attempted, and that SUPAPolicies that otherwise would have been
that execution is stopped, and rollback is attempted for ONLY the executed are ignored. A value of 3 means that execution is stopped,
SUPAPolicy that failed to execute correctly. and rollback is attempted for ONLY the SUPAPolicy that failed to
execute correctly. A value of 4 means that execution is stopped, but
no actions are rolled back. A value of 5 means that the failure is
ignored, and execution continues.
5.3.2. SUPAPolicyStructure Relationships 5.3.2. SUPAPolicyStructure Relationships
The SUPAPolicyStructure class owns four relationships, which are The SUPAPolicyStructure class owns four relationships, which are
defined in the following subsections. defined in the following subsections.
5.3.2.1. The Aggregation "SUPAHasPolicySource" 5.3.2.1. The Aggregation "SUPAHasPolicySource"
This is an optional aggregation, and defines the set of This is an optional aggregation, and defines the set of
SUPAPolicySource objects that are attached to this particular SUPAPolicySource objects that are attached to this particular
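Review bot: In the supaPolExecFailStrategy text, the sentence "If rollback is supported by the system, then option 2 may be skipped. Options 3 and 4 can be used by systems that do and do not support rollback." was carried over unchanged although the enumeration was shifted by one to make room for "0: error" and "1: init". With the new numbering, option 2 is "attempt rollback of all actions taken and stop execution" and options 3 and 4 are the partial-rollback and stop-without-rollback cases, so the sentence now points at the wrong values; it should refer to option 3 and to options 4 and 5. Separately, the new supaPolDeployStatus paragraph gives normative handling for values 2 and 3-5 but says nothing about value 6 ("cannot be deployed"), whereas the replaced text said such a policy SHOULD be ignored; restore an explicit rule for 6. The "low=level" typo at the top of this region is also still present in -02.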
skipping to change at page 57, line 50 skipping to change at page 57, line 32
| |\ ^ | |\ ^
+---------------------------+ 1..n | +---------------------------+ 1..n |
| |
C | C |
+------------------+-----------------+ +------------------+-----------------+
| SUPAHasPolExecFailTakeActionDetail | | SUPAHasPolExecFailTakeActionDetail |
+------------------------------------+ +------------------------------------+
Figure 18. SUPAHasPolExecFailTakeAction Association Figure 18. SUPAHasPolExecFailTakeAction Association
5.3.2.6.1. The Attribute "supaPolExecFailTakeActionEncoding" 5.3.2.6.1. The Attribute "supaPolExecFailActionEncoding"
This is an optional enumerated, non-negative integer attribute This is an optional enumerated, non-negative integer attribute
that defines how to find the set of SUPAPolicyActions contained that defines how to find the set of SUPAPolicyActions contained
in each element of the supaPolExecFailTakeActionName class in each element of the supaPolExecFailTakeActionName class
attribute. Values include: attribute. Values include:
0: undefined 0: error
1: String 1: init
2: GUID 2: URI
3: UUID 3: GUID
4: URI 4: UUID
5: FQDN 5: FQDN
6: FQPN 6: FQPN
7: string
8: string_instance_id
5.3.2.6.2. The Attribute "supaPolExecFailTakeActionName[1..n]" The values 0 and 1 represent an error state and an initialization
state, respectively. Values 2-6 define a representation for the
SUPAPolicyAction. A value of 7 defines an ASCII string that
contains the name of the SUPAPolicyAction to be executed (e.g., to
be used in a regex search). A value of 8 defines the canonical
representation, in ASCII, of an instance ID of this object.
5.3.2.6.2. The Attribute "supaPolExecFailActionName[1..n]"
This is an optional array of string attributes that identifies the This is an optional array of string attributes that identifies the
set of policy actions to take if the SUPAPolicyStructure object set of SUPAPolicyActions to take if the SUPAPolicyStructure object
that owns this association failed to execute properly. The that owns this association failed to execute properly. The
interpretation of this string attribute is defined by the interpretation of this string attribute is defined by the
supaPolExecFailTakeActionEncoding class attribute. The association supaPolExecFailTakeActionEncoding class attribute. The association
defines the SUPAPolicyStructure that contains the set of policy defines the SUPAPolicyStructure that contains the set of policy
actions to execute, and this attribute defines which of these actions to execute, and this attribute defines which of these
actions are to be executed. Note that there is no need to execute actions are to be executed. That there is no need to execute a
a SUPAPolicy, since the event and failure have already occurred. SUPAPolicy, since the event and failure have already occurred.
Note: [1..n] means that this is a multi-valued property that has Note: [1..n] means that this is a multi-valued property that has
at least one (and possibly more) attributes. at least one (and possibly more) attributes.
5.3.2.7. The Aggregation "SUPAHasPolicyClause" 5.3.2.7. The Aggregation "SUPAHasPolicyClause"
This is an optional aggregation that defines the set of This is an optional aggregation that defines the set of
SUPAPolicyClauses that are aggregated by this particular SUPAPolicyClauses that are aggregated by this particular
SUPAPolicyStructure instance. The semantics of this SUPAPolicyStructure instance. The semantics of this
aggregation are defined by the SUPAHasPolicyClauseDetail aggregation are defined by the SUPAHasPolicyClauseDetail
association class. association class.
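Review bot: The two attributes are renamed only in their section headings (5.3.2.6.1 "supaPolExecFailActionEncoding" and 5.3.2.6.2 "supaPolExecFailActionName[1..n]"), while the body text in both subsections still refers to "supaPolExecFailTakeActionName" and "supaPolExecFailTakeActionEncoding". Pick one spelling and use it in the headings and the cross-references, otherwise an implementer cannot tell which attribute name is authoritative. The encoding enumeration also renumbers existing values (GUID moves from 2 to 3, URI from 4 to 2, the plain string from 1 to 7), so data written against -01 will be misread by a -02 consumer; the text should call that out. Finally, the edit in 5.3.2.6.2 that turns "Note that there is no need to execute a SUPAPolicy" into "That there is no need to execute a SUPAPolicy" leaves a sentence fragment.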
skipping to change at page 59, line 10 skipping to change at page 59, line 20
determine which SUPAPolicyClauses are aggregated by which determine which SUPAPolicyClauses are aggregated by which
SUPAPolicyStructure objects. SUPAPolicyStructure objects.
Attributes will be added to this class at a later time. Attributes will be added to this class at a later time.
5.4. The Abstract Class "SUPAPolicyComponentStructure" 5.4. The Abstract Class "SUPAPolicyComponentStructure"
This is a mandatory abstract class that is the superclass of all This is a mandatory abstract class that is the superclass of all
objects that represent different types of components of a objects that represent different types of components of a
SUPAPolicy. Different types of policies have different types of SUPAPolicy. Different types of policies have different types of
structural components. However, all of these are used in at least structural components. This is accommodated by defining two generic
one type of policy. This class represents a convenient control subclasses, called SUPAPolicyClause and SUPAPolicyComponentDecorator,
point for defining characteristics and behavior that are common which are common to different policy types. These two classes
to objects that serve as components of a policy. represent convenient control points for defining characteristics
and behavior that are common to objects that serve as components of
a SUPAPolicy.
SUPAPolicyClause defines a basic building block for writing
parts of a SUPAPolicy. It is analogous to a clause in a sentence.
For example, in an ECA Policy Rule, the Event, Condition, and Action
clauses are each made up of at least one (subclass of a)
SUPAPolicyClause. Similalry, declarative Policy Rules can also be
defined using (its own subclasses of) SUPAPolicyClauses. This class
is defined in section 5.5.
SUPAPolicyComponentDecorator is used to implement the decorator
pattern [11]. The decorator pattern enables all or part of one or
more objects to "wrap" another concrete object. This enables the
definition of an extensible set of subclasses that can augment the
definition of a SUPAPolicyClause. This class is defined in
section 5.7.
Note that there are significant differences between the definition Note that there are significant differences between the definition
of this class, and its attributes, and the definition of the of the SUPAPolicyComponentStructure class, and its attributes and
corresponding class (and its attributes) in [5]. relationships, and the definition of the corresponding class (and
its attributes and relationships) in [5].
5.4.1. SUPAPolicyComponentStructure Attributes 5.4.1. SUPAPolicyComponentStructure Attributes
No attributes are currently defined for the No attributes are currently defined for the
SUPAPolicyComponentStructure class. SUPAPolicyComponentStructure class.
5.4.2. SUPAPolicyComponentStructure Relationships 5.4.2. SUPAPolicyComponentStructure Relationships
SUPAPolicyComponentStructure participates in a single relationship, SUPAPolicyComponentStructure participates in a single relationship,
SUPAHasDecoratedPolicyComponent, as defined in section 5.7.3. SUPAHasDecoratedPolicyComponent, as defined in section 5.7.3.
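Review bot: The new paragraph in 5.4 that introduces SUPAPolicyClause contains the typo "Similalry" and the phrase "(its own subclasses of) SUPAPolicyClauses", whose antecedent is unclear; suggest "Similarly, declarative Policy Rules can be defined using their own subclasses of SUPAPolicyClause." The added reference "[11]" for the decorator pattern should also be checked against the reference list, since 5.7 describes the same pattern without citing it.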
skipping to change at page 59, line 39 skipping to change at page 60, line 15
5.5. The Abstract Class "SUPAPolicyClause" 5.5. The Abstract Class "SUPAPolicyClause"
This is a mandatory abstract class that separates the This is a mandatory abstract class that separates the
representation of a SUPAPolicy from its implementation. representation of a SUPAPolicy from its implementation.
SUPAPolicyClause was abstracted from DEN-ng [2]. This abstraction SUPAPolicyClause was abstracted from DEN-ng [2]. This abstraction
is missing in [RFC3060], [RFC3460], [4], and [6]. This class is is missing in [RFC3060], [RFC3460], [4], and [6]. This class is
called PolicyStatement in [5], but the class and relationship called PolicyStatement in [5], but the class and relationship
definitions differ significantly from the corresponding designs definitions differ significantly from the corresponding designs
in this document. in this document.
A SUPAPolicyClause contains an individual or group of related A SUPAPolicy, regardless of its structure and semantics, can be
functions that are used to define the content of a policy. More abstracted into a set of sentences. Each sentence can in turn be
specifically, since the number and type of functions that make up abstracted into a set of clauses. A SUPAPolicyClause is, as its
a SUPAPolicyClause can vary, the decorator pattern is used, so name implies, a clause (i.e., a part of a statement), and defines
that the contents of a SUPAPolicyClause can be adjusted the content of a SUPAPolicy. The decorator pattern is used to
enable an extensible set of objects to "wrap" the SUPAPolicyClause;
this enables the contents of a SUPAPolicyClause to be adjusted
dynamically at runtime without affecting other objects. dynamically at runtime without affecting other objects.
This document defines two different types of policy clauses: This document defines two different types of policy clauses:
SUPAEncodedClause (which is generic, and can be used by any SUPAEncodedClause (which is generic, and can be used by any
type of policy), and SUPABooleanClause (which is also generic, type of policy), and SUPABooleanClause (which is also generic,
but is typically used by SUPAECAPolicyRule objects). but is typically used by SUPAECAPolicyRule objects, since it is
used specifically to represent Boolean clauses).
SUPAPolicyClauses are objects in their own right, which SUPAPolicyClauses are objects in their own right, which
facilitates their reuse. SUPAPolicyClauses can aggregate a set facilitates their reuse. SUPAPolicyClauses can aggregate a set
of any of the subclasses of SUPAPolicyComponentDecorator, which of any of the subclasses of SUPAPolicyComponentDecorator, which
was shown in Figure 10. These four subclasses provide four was shown in Figure 10. These four subclasses (i.e., SUPAPolicyTerm,
different ways to construct a SUPAPolicyClause: SUPAGenericDecoratedComponent, SUPAECAComponent, and SUPACollection)
provide four different ways to construct a SUPAPolicyClause:
1) SUPAPolicyTerm, which enables constructing a {variable, 1) a SUPAPolicyClause can be made up of a set of three
SUPAPolicyTerms, which enables constructing a {variable,
operator, value} expression for building SUPAPolicyClauses operator, value} expression for building SUPAPolicyClauses
2) SUPAEncodedClause, which enables policy clauses to be 2) a SUPAPolicyClause can be made up of one or more
SUPAEncodedClauses, which enables a SUPAPolicyClause to be
formed as an encoded object (e.g., to pass YANG or CLI code) formed as an encoded object (e.g., to pass YANG or CLI code)
3) SUPAPolicyCollection, which defines a collection of objects 3) a SUPAPolicyClause can be made up of a set of SUPACollections,
that requires further processing by the policy management which define a Collection (e.g., set, bad, associative arrays)
system in order to be made into a SUPAPolicyClause of objects that can be assembled into SUPAPolicyClauses
4) SUPAECAComponent, which enables policy clauses to be formed 4) a SUPAPolicyClause can be made up of one or more
using (reusable) Event, Condition, and/or Action objects SUPAECAComponents, which enables a SUPAPolicyClause to be
formed using (reusable) Event, Condition, and/or Action
objects
SUPAPolicyClauses are aggregated by a SUPAPolicyStructure SUPAPolicyClauses are aggregated by a SUPAPolicyStructure
object, which enables all types of SUPAPolicies to uniformly be object, which enables all types of SUPAPolicies to uniformly be
made up of one or more SUPAPolicyClauses. made up of one or more SUPAPolicyClauses.
5.5.1. SUPAPolicyClause Attributes 5.5.1. SUPAPolicyClause Attributes
This section defines the attributes of the SUPAPolicyClause This section defines the attributes of the SUPAPolicyClause
class, which are inherited by all SUPAPolicyClause subclasses. class, which are inherited by all SUPAPolicyClause subclasses.
5.5.1.1. The Attribute "supaPolClauseExecStatus" 5.5.1.1. The Attribute "supaPolClauseDeployStatus"
This is an optional enumerated non-negative integer attribute. It This is an optional enumerated, non-negative integer attribute. The
defines whether this SUPAPolicyClause is currently in use and, if purpose of this attribute is to indicate that this SUPAPolicyClause
so, what its execution status is. This attribute can also be used can or cannot be deployed by the policy management system. This
to place this particular SUPAPolicyClause into a specific execution attribute enables the policy manager to know which SUPAPolicyClauses
state, such as enabled (values 1-4), in test (value 5) or disabled to retrieve, and may be useful for the policy execution system for
(value 6). Values include: planning the staging of SUPAPolicies. Values include:
0: Unknown (an error state) 0: error
1: Completed (i.e., successfully executed, but now idle) 1: init
2: Working (i.e., in use and no errors reported) 2: deployed and enabled
3: Not Working (i.e., in use, but errors have been reported) 3: deployed and in test
4: Available (i.e., could be used, but currently isn't) 4: deployed but not enabled
5: In Test (i.e., cannot be used as part of an OAM&P policy) 5: ready to be deployed
6: Disabled (i.e., not available for use) 6: cannot be deployed
Value 0 denotes an error that prevents this SUPAPolicyClause The values 0 and 1 represent an error state and an initialization
from being used. Value 1 means that this SUPAPolicyClause has state, respectively. If the value of this attribute is 0 or 6, then
successfully finished execution, and is now idle and available. the policy management system SHOULD ignore this SUPAPolicy.
Value 2 means that this SUPAPolicyClause is in use; in addition, Otherwise, the policy management system MAY use this SUPAPolicyClause
this SUPAPolicyClause is working correctly. Value 3 is the same as (once this SUPAPolicyClause is deployed and enabled). However, a
value 2, except that this SUPAPolicyClause is not working value of 4 means that this policy is not admininstratively enabled
correctly. Value 4 means that this SUPAPolicyClause is available, for use and SHOULD NOT be used in OAM&P policies.
but not currently in use. Value 5 means that this SUPAPolicyClause
is in a special test state. A test state signifies that it SHOULD
NOT be used to evaluate OAM&P policies. A value of 6 means that
this SUPAPolicyClause is unavailable for use.
5.5.2. SUPAPolicyClause Relationships 5.5.2. SUPAPolicyClause Relationships
SUPAPolicyClause participates in a single relationship, SUPAPolicyClause participates in a single relationship,
SUPAHasPolicyClause, as defined in section 5.3.2.7. Note that SUPAHasPolicyClause, as defined in section 5.3.2.7. Note that
SUPAPolicyClause uses the decorator pattern to "wrap" this object SUPAPolicyClause uses the decorator pattern to "wrap" this object
with instances of the (concrete) subclasses of the with instances of the (concrete) subclasses of the
SUPAPolicyComponentDecorator object. SUPAPolicyComponentDecorator object.
5.6. The Concrete Class "SUPAEncodedClause" 5.6. The Concrete Class "SUPAEncodedClause"
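Review bot: The rewritten list in 5.5 does not match the sentence that introduces it. The lead-in names the four decorator subclasses as SUPAPolicyTerm, SUPAGenericDecoratedComponent, SUPAECAComponent and SUPACollection, but the numbered items describe SUPAPolicyTerms, SUPAEncodedClauses, SUPACollections and SUPAECAComponents: SUPAGenericDecoratedComponent never appears, and SUPAEncodedClause is introduced two paragraphs earlier as a type of policy clause, not as a decorator. Item 3 also reads "(e.g., set, bad, associative arrays)", where "bad" looks like a typo for "bag". In 5.5.1.1, the new supaPolClauseDeployStatus text says the system "SHOULD ignore this SUPAPolicy" where the object is a SUPAPolicyClause, misspells "admininstratively", and restricts only value 4 from OAM&P use; value 3 ("deployed and in test") loses the SHOULD NOT that the old "In Test" state carried, and the rule differs from the 3-5 SHOULD NOT rule given for supaPolDeployStatus in 5.3.1.3.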
skipping to change at page 61, line 32 skipping to change at page 62, line 11
SUPAEncodedClause. Hence, SUPAEncodedClause objects are reusable SUPAEncodedClause. Hence, SUPAEncodedClause objects are reusable
at the object level, whereas SUPABooleanClause clauses are reusable at the object level, whereas SUPABooleanClause clauses are reusable
at the individual Boolean expression level. at the individual Boolean expression level.
This class uses two of its attributes (supaEncodedClauseContent and This class uses two of its attributes (supaEncodedClauseContent and
supaEncodedClauseEncoding) for defining the content and type of supaEncodedClauseEncoding) for defining the content and type of
encoding used in a given SUPAPolicyClause. The benefit of a encoding used in a given SUPAPolicyClause. The benefit of a
SUPAEncodedClause is that it enables direct encoding of the text of SUPAEncodedClause is that it enables direct encoding of the text of
the SUPAPolicyClause, without having the "overhead" of using other the SUPAPolicyClause, without having the "overhead" of using other
objects. However, note that while this method is efficient, it objects. However, note that while this method is efficient, it
does not reuse other SUPAPolicy objects. does not reuse other SUPAPolicy objects. Furthermore, its potentially
for reuse is reduced, as only SUPAPolicies that can use the exact
encoding of this clause can reuse this object.
5.6.1. SUPAEncodedClause Attributes 5.6.1. SUPAEncodedClause Attributes
This section defines the attributes of the SUPAEncodedClause class. This section defines the attributes of the SUPAEncodedClause class.
Prescriptive and/or descriptive information about the usage of this
SUPAEncodedClause may be provided by one or more SUPAPolicyMetadata
objects, which are each attached to the object instance of this
SUPAEncodedClause.
5.6.1.1. The Attribute "supaEncodedClauseContent" 5.6.1.1. The Attribute "supaEncodedClauseContent"
This is a mandatory string attribute, and defines the content of This is a mandatory string attribute, and defines the content of
this clause. It works with another class attribute, called this clause. It works with another class attribute, called
supaEncodedClauseEncoding, which defines how to interpret the supaEncodedClauseEncoding, which defines how to interpret the
value of this attribute (e.g., as a string or reference). These value of this attribute (e.g., as a string or reference). These
two attributes form a tuple, and together enable a machine to two attributes form a tuple, and together enable a machine to
understand the syntax and value of this object instance. understand the syntax and value of this object instance.
5.6.1.2. The Attribute "supaEncodedClauseEncoding" 5.6.1.2. The Attribute "supaEncodedClauseEncoding"
This is a mandatory non-negative integer attribute, and defines This is a mandatory non-negative integer attribute, and defines
how to interpret the value of this encoded clause. It works with how to interpret the value of the supaEncodedClauseContent. It
another class attribute (supaEncodedClauseContent), which defines works with another class attribute (supaEncodedClauseContent),
the content of the encoded clause. These two attributes form a which defines the content of the encoded clause. These two
tuple, and together enable a machine to understand the syntax and attributes form a tuple, and together enable a machine to
value of the encoded clause for the object instance of this class. understand the syntax and value of the encoded clause for the
Values include: object instance of this class. This attribute is NOT required in
all data model implementations. Values include:
0: undefined 0: error (i.e., an error state)
1: String 1: init (i.e., an initialization state)
2: GUID 2: primary_key
3: UUID 3: foreign_key
4: URI 4: GUID
5: FQDN 5: UUID
6: FQPN 6: URI
7: FQDN
8: FQPN
9: string_instance_id
The values 0 and 1 represent an error state and an initialization
state, respectively. The value 9 defines the canonical
representation, in ASCII, of an instance ID of this object.
5.6.1.3. The Attribute "supaEncodedClauseLanguage" 5.6.1.3. The Attribute "supaEncodedClauseLanguage"
This is mandatory non-negative integer attribute, and defines This is mandatory non-negative integer attribute, and defines
the type of language used in this encoded clause. Values include: the type of language used in this encoded clause. Values include:
0: undefined 0: error
1: Text 1: init
2: YANG 2: Text
3: XML 3: YANG
4: CLI 4: XML
5: TL1 5: TL1
5.6.1.4. The Attribute "supaEncodedClauseLang[0..n]" The values 0 and 1 represent an error state and an initialization
state, respectively.
This is an optional array of string attribute that contains
descriptive information about the type of language used in the
supaEncodedClauseLanguage class attribute. Text is in comma
separated value (i.e., vendorName, vendorVersion) format.
5.6.1.5. The Attribute "supaEncodedClauseResponse" 5.6.1.4. The Attribute "supaEncodedClauseResponse"
This is an optional Boolean attribute that emulates a Boolean This is an optional Boolean attribute that emulates a Boolean
response of this clause, so that it may be combined with other response of this clause, so that it may be combined with other
subclasses of the SUPAPolicyClause that provide a status as to subclasses of the SUPAPolicyClause that provide a status as to
their correctness and/or evaluation state. This enables this their correctness and/or evaluation state. This enables this
object to be used to construct more complex Boolean clauses. object to be used to construct more complex Boolean clauses.
Note that this attribute does NOT have to be implemented by all
data model implementations (e.g., [15]).
5.6.2. SUPAEncodedClause Relationships 5.6.2. SUPAEncodedClause Relationships
SUPAPolicyClause participates in a single inherited relationship, SUPAPolicyClause participates in a single inherited relationship,
SUPAHasPolicyClause, as defined in section 5.3.2.7. SUPAHasPolicyClause, as defined in section 5.3.2.7.
5.7. The Abstract Class "SUPAPolicyComponentDecorator" 5.7. The Abstract Class "SUPAPolicyComponentDecorator"
This is a mandatory class, and is used to implement the decorator This is a mandatory class, and is used to implement the decorator
pattern. The decorator pattern enables all or part of one or more pattern. The decorator pattern enables all or part of one or more
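Review bot: The new supaEncodedClauseLanguage enumeration in 5.6.1.3 drops CLI entirely (the -02 list is error, init, Text, YANG, XML, TL1), yet section 5.5 still describes SUPAEncodedClause as the way "to pass YANG or CLI code". Either restore a CLI value or change the example. In 5.6.1.2 the attribute is still introduced as "a mandatory non-negative integer attribute" and the added sentence then says it "is NOT required in all data model implementations"; the two statements need to be reconciled. The same enumeration no longer has a plain string value although 5.6.1.1 gives "as a string or reference" as its example, and its ordering (GUID, UUID, URI) differs from the URI, GUID, UUID ordering chosen for the encoding attribute in 5.3.2.6.1. Minor: "its potentially for reuse is reduced" should read "its potential for reuse", and 5.6.2 names SUPAPolicyClause where the section is about SUPAEncodedClause.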
skipping to change at page 63, line 24 skipping to change at page 64, line 24
+---------------+--------------+ / \ +---------------+--------------+ / \
I I A I I A
A I A I \ / 0..1 A I A I \ / 0..1
+----------+---------+ +--------------+-----+---------+ +----------+---------+ +--------------+-----+---------+
| SUPAPolicyClause | | SUPAPolicyComponentDecorator | | SUPAPolicyClause | | SUPAPolicyComponentDecorator |
+----------+---------+ +--------------+---------------+ +----------+---------+ +--------------+---------------+
I I I I
I I I I
/ \ / \ / \ / \
Concrete Subclasses, Concrete Subclasses Concrete Subclasses, Concrete Subclasses
(e.g., SUPAEncodedClause) (e.g., SUPAPolicyCollection) (e.g., SUPAEncodedClause) (e.g., SUPAPolicyEvent)
(object being wrapped) (wrapping object(s)) (object being wrapped) (wrapping object(s))
Figure 19. The PolicyComponent Decorator Pattern Figure 19. The PolicyComponent Decorator Pattern
5.7.1. The Decorator Pattern 5.7.1. The Decorator Pattern
Each SUPAPolicyComponentDecorator object HAS_A (i.e., wraps) a Each SUPAPolicyComponentDecorator object HAS_A (i.e., wraps) a
concrete instance of the SUPAPolicyClause object. This means that concrete instance of the SUPAPolicyClause object. This means that
the SUPAPolicyComponentDecorator object has an instance variable the SUPAPolicyComponentDecorator object has an instance variable
that holds a reference to a SUPAPolicyClause object. Since the that holds a reference to a SUPAPolicyClause object. Since the
SUPAPolicyComponentDecorator object has the same interface as the SUPAPolicyComponentDecorator object has the same interface as the
SUPAPolicyClause object, the SUPAPolicyComponentDecorator object SUPAPolicyClause object, the SUPAPolicyComponentDecorator object
(and all of its subclasses) are transparent to clients of the (and all of its subclasses) are transparent to clients of the
SUPAPolicyClause object (and its subclasses). This means that SUPAPolicyClause object (and its subclasses). This means that
SUPAPolicyComponentDecorator object instances can add attributes SUPAPolicyComponentDecorator object instances can add attributes
and/or methods to those of the concrete instance of the chosen and/or methods to those of the concrete instance of the chosen
subclass of SUPAPolicyClause. subclass of SUPAPolicyClause.
Figure 20 shows how this is done for methods. 20a shows the Figure 20 shows how this is done for methods.
initial object to be wrapped; 20b shows SUPAPolicyCollection - Figure 20a shows the initial object to be wrapped
wrapping SUPAEncodedClause; 20c shows SUPAGenericDecoratedComponent - Figure 20b shows the SUPAPolicyEvent object wrapping the
wrapping SUPAPolicyCollection. SUPAEncodedClause object
- Figure 20c shows SUPAGenericDecoratedComponent object
wrapping the SUPAPolicyEvent object.
+-------------------+ +-------------------+
| SUPAEncodedClause | | SUPAEncodedClause |
| eval() | | eval() |
+-------------------+ +-------------------+
(a) Initial Object (a) Initial Object
===> ===>
+------------------------+ +------------------------+
| SUPAPolicyCollection | | SUPAPolicyEvent |
| eval() | | eval() |
| +-------------------+ | | +-------------------+ |
| | SUPAEncodedClause | | | | SUPAEncodedClause | |
| | eval() | | | | eval() | |
| +-------------------+ | | +-------------------+ |
+------------------------+ +------------------------+
(b) SUPAPolicyCollection "wraps" SUPAEncodedClause (b) SUPAPolicyEvent "wraps" SUPAEncodedClause
===> ===>
+--------------------------------+ +--------------------------------+
| SUPAGenericDecoratedComponent | | SUPAGenericDecoratedComponent |
| eval() | | eval() |
| +-----------------------+ | | +-----------------------+ |
| | SUPAPolicyCollection | | | | SUPAPolicyEvent | |
| | eval() | | | | eval() | |
| | +-------------------+ | | | | +-------------------+ | |
| | | SUPAEncodedClause | | | | | | SUPAEncodedClause | | |
| | | eval() | | | | | | eval() | | |
| | +-------------------+ | | | | +-------------------+ | |
| +-----------------------+ | | +-----------------------+ |
+--------------------------------+ +--------------------------------+
(c) SUPAGenericDecoratedComponent "wraps" SUPAPolicyCollection (c) SUPAGenericDecoratedComponent "wraps" SUPAPolicyEvent
Figure 20. Conceptual Depiction of eval() Decorated Method Figure 20. Conceptual Depiction of eval() Decorated Method
When eval() is called in the outermost object When the eval() method is called in the outermost object
(SUPAGenericDecoratedComponent), it delegates to the eval() method (SUPAGenericDecoratedComponent), it delegates to the eval() method
of SUPAPolicyCollection, which in turn delegates to the eval() of SUPAPolicyEvent, which in turn delegates to the eval() method
method of SUPAEncodedClause. This method executes and returns the of SUPAEncodedClause. This method executes and returns the
results to SUPAPolicyCollection, which executes and returns the results to SUPAPolicyEvent, which executes and returns the results
results to SUPAGenericDecoratedComponent, which executes and returns to SUPAGenericDecoratedComponent, which executes and returns the
the final result. final result.
5.7.2. SUPAPolicyComponentDecorator Attributes 5.7.2. SUPAPolicyComponentDecorator Attributes
Currently, there are two attributes defined for this class, which Currently, there are two attributes defined for this class, which
are described in the following subsections. Both attributes are are described in the following subsections. Both attributes are
used by subclasses to constrain the behavior of that subclass; used by subclasses to constrain the behavior of that subclass;
they do **not** affect the relationship between the concrete they do **not** affect the relationship between the concrete
subclass of SUPAPolicyComponentDecorator that is wrapping the subclass of SUPAPolicyComponentDecorator that is wrapping the
concrete subclass of SUPAPolicyClause. concrete subclass of SUPAPolicyClause.
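Review bot: Figure 20c now shows SUPAGenericDecoratedComponent wrapping SUPAPolicyEvent, that is, one decorator wrapping another, but the unchanged text of 5.7.1 still says each SUPAPolicyComponentDecorator "wraps a concrete instance of the SUPAPolicyClause object" and holds "a reference to a SUPAPolicyClause object". As written, that reference type cannot hold a SUPAPolicyEvent; the prose should say the wrapped object is any SUPAPolicyComponentStructure (the common superclass in Figure 19) so that the chained delegation of eval() described after Figure 20 is actually permitted. The new bullet for Figure 20c is also missing an article ("shows SUPAGenericDecoratedComponent object wrapping").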
skipping to change at page 65, line 18 skipping to change at page 66, line 18
subclass of SUPAPolicyClause and the concrete subclass of the subclass of SUPAPolicyClause and the concrete subclass of the
SUPAPolicyComponentDecorator object that is wrapping it). SUPAPolicyComponentDecorator object that is wrapping it).
Note that [2] does not define any attributes for this class. Note that [2] does not define any attributes for this class.
5.7.2.1. The Attribute "supaPolCompConstraintEncoding" 5.7.2.1. The Attribute "supaPolCompConstraintEncoding"
This is a mandatory non-negative enumerated integer that defines This is a mandatory non-negative enumerated integer that defines
how to interpret each string in the supaPolCompConstraint class how to interpret each string in the supaPolCompConstraint class
attribute. Values include: attribute. Values include:
0: undefined 0: error
1: OCL 2.4 1: init
2: OCL 2.x 2: OCL 2.4
3: OCL 1.x 3: OCL 2.x
4: QVT 1.2 - Relations Language 4: OCL 1.x
5: QVT 1.2 - Operational language 5: QVT 1.2 - Relations Language
6: Alloy 6: QVT 1.2 - Operational language
7: English text 7: Alloy
8: ASCII Text
Enumerations 1-3 are dedicated to OCL (with OCL 2.4 being the Enumerations 1 and 2 signify an error state and an initialization
latest version as of this writing). QVT defines a set of languages state, respectively. Enumeraitons 3-5 are dedicated to OCL (with
(the two most powerful and useful are defined by enumerations 4 OCL 2.4 being the latest version as of this writing). QVT defines a
and 5). Alloy is a language for describing constraints, and uses a set of languages [20] (the two most powerful and useful are defined
SAT solver to guarantee correctness. Note that enumeration 7 by enumerations 5 and 6). Alloy is a language for describing
(English text) is not recommended (since it is informal, and hence, constraints, and uses a SAT solver to guarantee correctness [21].
not verifiable), but included for completeness. Enumeration 8 (ASCII Text) is not recommended (since it is informal,
and hence, not verifiable), but is included for completeness.
5.7.2.2. The Attribute "supaAPolCompConstraint[0..n]" If this class is instantiated, then this attribute SHOULD also be
instantiated, and SHOULD be part of a conformant implementation.
5.7.2.2. The Attribute "supaPolCompConstraint[0..n]"
This is a mandatory array of string attributes. Each attribute This is a mandatory array of string attributes. Each attribute
specifies a constraint to be applied using the encoding defined in specifies a constraint to be applied using the encoding defined in
the supaPolCompConstraintEncoding class attribute. This provides the supaPolCompConstraintEncoding class attribute. This provides
a more rigorous and flexible treatment of constraints than is a more rigorous and flexible treatment of constraints than is
possible in [RFC3460]. possible in [RFC3460], [4], [5], and [6].
Note: [0..n] means that this is a multi-valued property that may Note: [0..n] means that this is a multi-valued property that may
have zero or more attributes. have zero or more attributes.
5.7.3. SUPAPolicyComponentDecorator Relationships 5.7.3. SUPAPolicyComponentDecorator Relationships
One relationship is currently defined for this class, which is One relationship is currently defined for this class, which is
described in the following subsection. described in the following subsection.
5.7.3.1. The Aggregation "SUPAHasDecoratedPolicyComponent" 5.7.3.1. The Aggregation "SUPAHasDecoratedPolicyComponent"
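Review bot: In 5.7.2.1 the new explanatory paragraph does not match the renumbered list directly above it. The -02 list assigns 0: error, 1: init, 2-4 to the OCL variants, 5-6 to QVT and 7 to Alloy, but the paragraph says "Enumerations 1 and 2 signify an error state and an initialization state" and "Enumeraitons 3-5 are dedicated to OCL". Suggest "Enumerations 0 and 1" and "Enumerations 2-4", and correcting the spelling of "Enumerations"; the references to 5 and 6 for QVT and to 8 for ASCII Text already agree with the list. A reader who follows the prose instead of the list would treat value 2 (OCL 2.4) as the initialization state, so the two should agree before these values are used to choose how a constraint string is interpreted.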
skipping to change at page 66, line 38 skipping to change at page 67, line 38
is wrapping the concrete subclass of SUPAPolicyClause. Note that is wrapping the concrete subclass of SUPAPolicyClause. Note that
class attributes of SUPAPolicyComponentDecorator (see section class attributes of SUPAPolicyComponentDecorator (see section
5.9.2) only affect that specific subclass. 5.9.2) only affect that specific subclass.
5.7.3.2.1. The Attribute "supaDecoratedConstraintEncoding" 5.7.3.2.1. The Attribute "supaDecoratedConstraintEncoding"
This is a mandatory non-negative enumerated integer that defines This is a mandatory non-negative enumerated integer that defines
how to interpret each string in the supaDecoratedConstraint class how to interpret each string in the supaDecoratedConstraint class
attribute. Values include: attribute. Values include:
0: undefined 0: error
1: OCL 2.4 1: init
2: OCL 2.x 2: OCL 2.4
3: OCL 1.x 3: OCL 2.x
4: QVT 1.2 - Relations Language 4: OCL 1.x
5: QVT 1.2 - Operational language 5: QVT 1.2 - Relations Language
6: Alloy 6: QVT 1.2 - Operational language
7: English text 7: Alloy
8: ASCII Text
Enumerations 1-3 are dedicated to OCL (with OCL 2.4 being the Enumerations 1 and 2 signify an error state and an initialization
latest version as of this writing). QVT defines a set of languages state, respectively. Enumeraitons 3-5 are dedicated to OCL (with
(the two most powerful and useful are defined by enumerations 4 OCL 2.4 being the latest version as of this writing). QVT defines a
and 5). Alloy is a language for describing constraints, and uses a set of languages [20] (the two most powerful and useful are defined
SAT solver to guarantee correctness. Note that enumeration 7 by enumerations 5 and 6). Alloy is a language for describing
(English text) is not recommended (since it is informal, and hence, constraints, and uses a SAT solver to guarantee correctness [21].
not verifiable), but included for completeness. Enumeration 8 (ASCII Text) is not recommended (since it is informal,
and hence, not verifiable), but is included for completeness.
If this class is instantiated, then this attribute SHOULD also be
instantiated, and SHOULD be part of a conformant implementation.
5.7.3.2.2. The Attribute "supaDecoratedConstraint[0..n]" 5.7.3.2.2. The Attribute "supaDecoratedConstraint[0..n]"
This is a mandatory array of string attributes. Its purpose is to This is a mandatory array of string attributes. Its purpose is to
collect a set of constraints to be applied to a decorated object. collect a set of constraints to be applied to a decorated object.
The interpretation of each constraint in the array is defined in The interpretation of each constraint in the array is defined in
the supaDecoratedConstraintsEncoding class attribute. the supaDecoratedConstraintsEncoding class attribute.
Note: [0..n] means that this is a multi-valued property that may Note: [0..n] means that this is a multi-valued property that may
have zero or more attributes. have zero or more attributes.
5.7.4. Illustration of Constraints in the Decorator Pattern 5.7.4. Illustration of Constraints in the Decorator Pattern
The following example will illustrate how the different constraints Figure 21 builds a simple SUPAPolicyClause that has both types
of relationships, and illustrates how the different constraints
defined in sections 5.7.2 (class attribute constraints) and section defined in sections 5.7.2 (class attribute constraints) and section
5.7.3 (relationship constraints) can be used. 5.7.3 (relationship constraints) can be used.
Figure 21 builds a simple SUPAPolicyClause that has both types
of relationships.
A A A A
+------------------+ 0..1 +----------------------------+ +------------------+ 0..1 +----------------------------+
| | 1..n / \| | | | 1..n / \| |
| SUPAPolicyClause +------+----- A +SUPAPolicyComponentDecorator| | SUPAPolicyClause +------+----- A +SUPAPolicyComponentDecorator|
| | ^ \ /| | | | ^ \ /| |
+---------+--------+ | +-----------+----------------+ +---------+--------+ | +-----------+----------------+
I | I I | I
I | I I | I
C I | C I C I | C I
+--------+--------+ | +---------+----------+ +--------+--------+ | +---------+---------+
|SUPAEncodedClause| | |SUPAPolicyCollection| |SUPAEncodedClause| | | SUPAPolicyEvent |
+-----------------+ | +--------------------+ +-----------------+ | +-------------------+
| |
C | C |
+-----------------+-------------------+ +-----------------+-------------------+
|SUPAHasDecoratedPolicyComponentDetail| |SUPAHasDecoratedPolicyComponentDetail|
+-------------------------------------+ +-------------------------------------+
Figure 21. Constraints in the Decorator Pattern Figure 21. Constraints in the Decorator Pattern
Figure 21 says that a SUPAPolicyClause, realized as a Figure 21 says that a SUPAPolicyClause, realized as a
SUPAEncodedClause, is wrapped by a SUPAPolicyCollection object. SUPAEncodedClause, is wrapped by a SUPAPolicyEvent object. The
The attributes in the SUPAPolicyComponentDecorator object are used attributes in the SUPAPolicyComponentDecorator object are used
to constrain the attributes in the SUPAPolicyCollection object, to constrain the attributes in the SUPAPolicyEvent object, while
while the attributes in the SUPAHasDecoratedPolicyComponentDetail the attributes in the SUPAHasDecoratedPolicyComponentDetail
object are used to contrain the behavior of the aggregation object are used to contrain the behavior of the aggregation
(SUPAHasDecoratedPolicyComponent). For example, the attributes in (SUPAHasDecoratedPolicyComponent). For example, the attributes in
the SUPAPolicyComponentDecorator object could restrict the data the SUPAPolicyComponentDecorator object could restrict the data
type and range of the components in the SUPAPolicyCollection, while type and range of the components in the SUPAPolicyEvent, while
the attributes in the SUPAHasDecoratedPolicyComponentDetail object the attributes in the SUPAHasDecoratedPolicyComponentDetail object
could restrict which SUPAPolicyCollection objects are allowed to be could restrict which SUPAPolicyEvent objects are allowed to be
used with which SUPAEncodedClauses. used with which SUPAEncodedClauses.
5.8. The Abstract Class "SUPAPolicyTerm" 5.8. The Abstract Class "SUPAPolicyTerm"
This is a mandatory abstract class that is the parent of This is a mandatory abstract class that is the parent of
SUPAPolicy objects that can be used to define a standard way to SUPAPolicy objects that can be used to define a standard way to
test or set the value of a variable. It does this by defining a test or set the value of a variable. It does this by defining a
3-tuple, in the form {variable, operator, value}, where each 3-tuple, in the form {variable, operator, value}, where each
element of the 3-tuple is defined by a concrete subclass of the element of the 3-tuple is defined by a concrete subclass of the
appropriate type (i.e., SUPAPolicyVariable, SUPAPolicyOperator, appropriate type (i.e., SUPAPolicyVariable, SUPAPolicyOperator,
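Review bot: The paragraph after the supaDecoratedConstraintEncoding list in 5.7.3.2.1 repeats the off-by-one from 5.7.2.1: the -02 list has 0: error, 1: init and 2-4 for OCL, while the text says "Enumerations 1 and 2 signify an error state and an initialization state" and "Enumeraitons 3-5 are dedicated to OCL". Suggest "0 and 1" and "2-4", with the spelling fixed. Two smaller points in the same hunk: 5.7.3.2.2 refers to "supaDecoratedConstraintsEncoding" although the attribute is defined as "supaDecoratedConstraintEncoding", and the first lines of the hunk point to "section 5.9.2" for the class attributes of SUPAPolicyComponentDecorator, which this document defines in 5.7.2. Both are unchanged from -01 and could be corrected in this revision.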
skipping to change at page 70, line 41 skipping to change at page 71, line 41
5.9.2.1. The Attribute "supaPolVarName" 5.9.2.1. The Attribute "supaPolVarName"
This is an optional string attribute that contains the name of This is an optional string attribute that contains the name of
this SUPAPolicyVariable. This variable name forms part of the this SUPAPolicyVariable. This variable name forms part of the
{variable, operator, value} canonical form of a SUPAPolicyClause. {variable, operator, value} canonical form of a SUPAPolicyClause.
5.9.3. SUPAPolicyVariable Relationships 5.9.3. SUPAPolicyVariable Relationships
Currently, no relationships are defined for the SUPAPolicyVariable Currently, no relationships are defined for the SUPAPolicyVariable
class (note that the decorator pattern obviates the need for class (note that the decorator pattern obviates the need for
relationships such as those in [RFC3460] and [6]). relationships such as those defined in [RFC3460] and [6]). This is
SUPAPolicyVariable, and its subclasses, inherit the because SUPAPolicyVariable, and its subclasses, inherit the
SUPAHasDecoratedPolicyComponent aggregation, which was defined in SUPAHasDecoratedPolicyComponent aggregation, which was defined in
section 5.7.3. section 5.7.3.
5.10. The Concrete Class "SUPAPolicyOperator" 5.10. The Concrete Class "SUPAPolicyOperator"
This is a mandatory concrete class for modeling different types of This is a mandatory concrete class for modeling different types of
operators that are used in a SUPAPolicyClause. operators that are used in a SUPAPolicyClause.
The restriction of the type of operator used in a SUPAPolicyClause The restriction of the type of operator used in a SUPAPolicyClause
restricts the semantics that can be expressed in that restricts the semantics that can be expressed in that
skipping to change at page 71, line 20 skipping to change at page 72, line 20
Currently, SUPAPolicyOperator defines a single generic attribute, Currently, SUPAPolicyOperator defines a single generic attribute,
as described below. as described below.
5.10.2.1. The Attribute "supaPolOpType" 5.10.2.1. The Attribute "supaPolOpType"
This is a mandatory non-negative enumerated integer that specifies This is a mandatory non-negative enumerated integer that specifies
the various types of operators that are allowed to be used in this the various types of operators that are allowed to be used in this
particular SUPAPolicyClause. Values include: particular SUPAPolicyClause. Values include:
0: Unknown 0: error
1: Greater than 1: init
2: Greater than or equal to 2: Greater than
3: Less than 3: Greater than or equal to
4: Less than or equal to 4: Less than
5: Equal to 5: Less than or equal to
6: Not equal to 6: Equal to
7: IN 7: Not equal to
8: NOT IN 8: IN
9: SET 9: NOT IN
10: CLEAR 10: SET
11: BETWEEN (inclusive) 11: CLEAR (0 for integers, "" for strings, FALSE for Booleans)
12: BETWEEN (inclusive)
Note that 0 is an unacceptable value. Its purpose is to support Note that 0 and 1 represent error and initialization states,
dynamically building a SUPAPolicyClause by enabling the respectively. Their purpose is to support dynamically building a
application to set the value of this attribute to a standard SUPAPolicyClause by enabling the application to set the value of
default value if the real value is not yet known. this attribute to a standard value.
Additional operators may be defined in future work. For example, Additional operators may be defined in future work. For example,
if SUPAPolicyVariables and SUPAPolicyValues are expanded to/from if SUPAPolicyVariables and SUPAPolicyValues are expanded to/from
include structured objects, then "deep" versions of operators include structured objects, then "deep" versions of operators
1-6 could also be defined. In this case, values 1-6 will be 1-6 could also be defined. In this case, values 1-6 will be
edited to explicitly indicate that they perform "shallow" edited to explicitly indicate that they perform "shallow"
comparison operations. comparison operations.
5.10.3. SUPAPolicyOperator Relationships 5.10.3. SUPAPolicyOperator Relationships
Currently, no relationships are defined for the SUPAPolicyOperator Currently, no relationships are defined for the SUPAPolicyOperator
class (note that the decorator pattern obviates the need for class (note that the decorator pattern obviates the need for
relationships such as those in [6]). SUPAPolicyOperator, and its relationships such as those in [6]). This is because
subclasses, inherit the SUPAHasDecoratedPolicyComponent SUPAPolicyOperator, and its subclasses, inherit the
aggregation, which was defined in section 5.7.3. SUPAHasDecoratedPolicyComponent aggregation, which was defined in
section 5.7.3. Please refer to the examples in section 7, which
Please refer to the examples in section 7, which show how to show how to restrict the value, data type, range, and other
restrict the value, data type, range, and other semantics of the semantics of the SUPAPolicyOperator when used in a SUPAPolicyClause.
SUPAPolicyOperator when used in a SUPAPolicyClause.
5.11. The Concrete Class "SUPAPolicyValue" 5.11. The Concrete Class "SUPAPolicyValue"
The SUPAPolicyValue class is a mandatory concrete class for The SUPAPolicyValue class is a mandatory concrete class for
modeling different types of values and constants that occur in a modeling different types of values and constants that occur in a
SUPAPolicyClause. SUPAPolicyClause.
SUPAPolicyValues are used to abstract the representation of a SUPAPolicyValues are used to abstract the representation of a
SUPAPolicyRule from its implementation. Therefore, the design of SUPAPolicyRule from its implementation. Therefore, the design of
SUPAPolicyValues depends on two important factors. First, just as SUPAPolicyValues depends on two important factors. First, just as
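Review bot: The "Additional operators may be defined in future work" paragraph under supaPolOpType still refers to "operators 1-6" and "values 1-6", which was the comparison-operator range in -01. After the renumbering in -02 the comparison operators (Greater than through Not equal to) are 2-7 and 1 is now init, so both ranges should read 2-7. The rewritten note also drops the -01 statement that 0 is an unacceptable value; it would help to state explicitly whether a SUPAPolicyClause whose supaPolOpType is 0 or 1 may be evaluated or must be rejected, since the text now only says these values exist to support dynamic construction.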
skipping to change at page 73, line 11 skipping to change at page 74, line 11
class attribute. class attribute.
Note: [0..n] means that this is a multi-valued property that has Note: [0..n] means that this is a multi-valued property that has
zero or more attributes. zero or more attributes.
5.11.2.2. The Attribute "supaPolValEncoding" 5.11.2.2. The Attribute "supaPolValEncoding"
This is a mandatory string attribute that contains the data type This is a mandatory string attribute that contains the data type
of the SUPAPolicyValue object instance. Its value is defined by of the SUPAPolicyValue object instance. Its value is defined by
the supaPolValContent class attribute. Values include: the supaPolValContent class attribute. Values include:
0: Undefined 0: error
1: String 1: init
2: Integer 2: String
3: Boolean 3: Integer
4: Floating Point 4: Boolean
5: DateTime 5: Floating Point
6: GUID 6: DateTime
7: UUID 7: GUID
8: URI 8: UUID
9: FQDN 9: URI
10: FQPN 10: DN
11: NULL 11: FQDN
12: FQPN
13: NULL
A string is a sequence of zero or more characters. An Integer is Note that 0 and 1 represent error and initialization states,
a whole number (e.g., it has no fractional part). A Boolean respectively. A string is a sequence of zero or more characters. An
represents the values TRUE and FALSE. A floating point number may Integer is a whole number, and has no fractional part. A Boolean may
contain fractional values, as well as an exponent. A DateTime take the values TRUE and FALSE. A floating point number may contain
represents a value that has a date and/or a time component (as in fractional values, as well as an exponent. A DateTime represents a
the Java or Python libraries). A NULL explicitly models the lack value that has a date and/or a time component (as in the Java or
of a value. Python libraries). A NULL explicitly models the lack of a value.
5.11.3. SUPAPolicyValue Relationships 5.11.3. SUPAPolicyValue Relationships
Currently, no relationships are defined for the SUPAPolicyValue Currently, no relationships are defined for the SUPAPolicyValue
class (note that the decorator pattern obviates the need for class (note that the decorator pattern obviates the need for
relationships such as those in [6]). SUPAPolicyValue, and its relationships such as those in [6]). SUPAPolicyValue, and its
subclasses, inherit the SUPAHasDecoratedPolicyComponent subclasses, inherit the SUPAHasDecoratedPolicyComponent
aggregation, which was defined in section 5.7.3. aggregation, which was defined in section 5.7.3. Please refer to
the examples in section 7, which show how to restrict the value,
Please refer to the examples in section 7, which show how to data type, range, and other semantics of the SUPAPolicyValue when
restrict the value, data type, range, and other semantics of the used in a SUPAPolicyClause.
SUPAPolicyValue when used in a SUPAPolicyClause.
5.12. The Concrete Class "SUPAGenericDecoratedComponent" 5.12. The Concrete Class "SUPAGenericDecoratedComponent"
A SUPAGenericDecoratedComponent enables a custom, vendor-specific A SUPAGenericDecoratedComponent enables a generic object to be
object to be defined and used in a SUPAPolicyClause. This class defined and used in a SUPAPolicyClause. This class was derived
was derived from [2], but is not present in [RFC3460], [4], [5], from [2], but is not present in [RFC3460], [4], [5], or [6].
or [6].
This should not be confused with the SUPAEncodedClause class. The This class should not be confused with the SUPAEncodedClause class.
SUPAGenericDecoratedComponent class represents a single, atomic, The SUPAGenericDecoratedComponent class represents a single, atomic
vendor-specific object that defines a **portion** of a object that defines a **portion** of a SUPAPolicyClause, whereas a
SUPAPolicyClause, whereas a SUPAEncodedClause, which may or SUPAEncodedClause represents an **entire** SUPAPolicyClause.
may not be vendor-specific, represents an **entire**
SUPAPolicyClause.
5.12.1. SUPAGenericDecoratedComponent Attributes 5.12.1. SUPAGenericDecoratedComponent Attributes
Currently, SUPAGenericDecoratedComponent defines two generic Currently, SUPAGenericDecoratedComponent defines two generic
attributes, as described below. attributes, as described below.
5.12.1.1. The Attribute "supaVendorDecoratedCompContent[0..n]" 5.12.1.1. The Attribute "supaVendorDecoratedCompContent[0..n]"
This is a mandatory attribute that defines an array of strings. This is a mandatory attribute that defines an array of strings.
This array contains the value(s) of the This array contains the value(s) of the
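Review bot: 5.11.2.2 still describes supaPolValEncoding as "a mandatory string attribute" while the values that follow are an integer enumeration (0: error through 13: NULL); the other encoding attributes in this document are described as "a mandatory non-negative enumerated integer", and this one should use the same wording. The next sentence, "Its value is defined by the supaPolValContent class attribute", also reads backwards, since the encoding is what tells the reader how to interpret the content. Since -02 inserts "10: DN" and shifts FQDN, FQPN and NULL up by one, a short note that the numbering is not compatible with -01 would help anyone who already maps these integers to data types.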
skipping to change at page 74, line 37 skipping to change at page 75, line 37
3: Boolean 3: Boolean
4: Floating Point 4: Floating Point
5: DateTime 5: DateTime
6: GUID 6: GUID
7: UUID 7: UUID
8: URI 8: URI
9: FQDN 9: FQDN
10: FQPN 10: FQPN
11: NULL 11: NULL
A string is a sequence of zero or more characters. An Integer is Note that 0 and 1 represent error and initialization states,
a whole number (e.g., it has no fractional part). A Boolean respectively. A string is a sequence of zero or more characters. An
represents the values TRUE and FALSE. A floating point number may Integer is a whole number (e.g., it has no fractional part). A
contain fractional values, as well as an exponent. A DateTime Boolean represents the values TRUE and FALSE. A floating point
represents a value that has a date and/or a time component (as in number may contain fractional values, as well as an exponent. A
the Java or Python libraries). A NULL explicitly models the lack DateTime represents a value that has a date and/or a time component
of a value. (as in the Java or Python libraries). A NULL explicitly models the
lack of a value.
5.12.2. SUPAGenericDecoratedComponent Relationships 5.12.2. SUPAGenericDecoratedComponent Relationships
Currently, no relationships are defiend for the Currently, no relationships are defiend for the
SUPAGenericDecoratedComponent class (note that the decorator SUPAGenericDecoratedComponent class (note that the decorator
pattern obviates the need for relationships such as those in [6]). pattern obviates the need for relationships such as those in [6]).
SUPAGenericDecoratedComponent participates in a single relationship, SUPAGenericDecoratedComponent participates in a single relationship,
SUPAHasDecoratedPolicyComponent, as defined in section 5.7.3. SUPAHasDecoratedPolicyComponent, as defined in section 5.7.3.
** This class is under discussion - please comment as to its utility **
5.13. The Concrete Class "SUPAPolicyCollection" 5.13. The Concrete Class "SUPAPolicyCollection"
A SUPAPolicyCollection is an optional concrete class that enables A SUPAPolicyCollection is an optional concrete class that enables
a collection (e.g., set, bag, or other, more complex, collections a collection (e.g., set, bag, or other, more complex, collections
of elements) of **arbitrary objects** to be defined and used as of elements) of **arbitrary objects** to be defined and used as
part of a SUPAPolicyClause. This class was derived from [2], but part of a SUPAPolicyClause. This class was derived from [2], but
is not present in [RFC3460], [4], [5], or [6]. is not present in [RFC3460], [4], [5], or [6].
5.13.1. Motivation 5.13.1. Motivation
One of the problems with ECA policy rules is when a set of events One of the problems with ECA policy rules is when a set of events
or conditions needs to be tested. For example, if a set of events or conditions needs to be tested. For example, if a set of events
is received, the policy system may need to wait for patterns of is received, the policy system may need to wait for patterns of
events to emerge (e.g., any number of Events of type A, followed events to emerge (e.g., any number of Events of type A, followed
by either one event of type B or two events of type Event C). by either one event of type B or two events of type Event C).
Similarly, a set of conditions, testing the value of an attribute, Similarly, for conditions, testing the value of a set of attributes
may need to be performed. Both of these represent behavior may need to be performed. Both of these represent behavior
similar to a set of if-then-else statements or a switch statement. similar to a set of if-then-else statements or a switch statement.
It is typically not desirable for the policy system to represent It is typically not desirable for the policy system to represent
each choice in such conditions as its own policy clause (i.e., a each choice in such clauses as its own policy clause (i.e., a
3-tuple), as this creates object explosion and poor performance. 3-tuple), as this creates object explosion and poor performance.
Furthermore, in these cases, it is often required to have a set of Furthermore, in these cases, it is often required to have a set of
complex logic to be executed, where the logic varies according to complex logic to be executed, where the logic varies according to
the particular event or condition that was selected. It is much the particular event or condition that was selected. It is much
too complex to represent this using separate objects, especially too complex to represent this using separate objects, especially
when the logic is application- and/or vendor-specific. when the logic is application- and/or vendor-specific. However,
recall that one of the goals of this document was to facilitate
However, recall that one of the goals of this document was to the machine-driven construction of policies. Therefore, a solution
facilitate the machine-driven construction of policies. Therefore, to this problem is needed.
a solution to this problem is needed.
5.13.2. Solution 5.13.2. Solution
Therefore, this document defines the concept of a collection of Therefore, this document defines the concept of a collection of
entities, called a SUPAPolicyCollection. Conceptually, the items entities, called a SUPAPolicyCollection. Conceptually, the items
to be collected (e.g., events or conditions) are aggregated in to be collected (e.g., events or conditions) are aggregated in
one or more SUPAPolicyCollection objects of the appropriate type. one or more SUPAPolicyCollection objects of the appropriate type.
Another optional SUPAPolicyCollection object could be used to Another optional SUPAPolicyCollection object could be used to
aggregate logic blocks (including SUPAPolicies) to execute. aggregate logic blocks (including SUPAPolicies) to execute.
Once finished, all appropriate SUPAPolicyCollection objects are Once finished, all appropriate SUPAPolicyCollection objects are
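Review bot: The sentence added at the top of this hunk, "Note that 0 and 1 represent error and initialization states, respectively", is not supported by the value list it follows. That list, under 5.12.1, is identical on both sides of the diff ("3: Boolean" through "11: NULL"), so it still uses the -01 numbering, whereas the renumbered supaPolValEncoding list in 5.11.2.2 has "4: Boolean" through "13: NULL". Either renumber this list to match 5.11.2.2, including the new "DN" entry if it applies here, or remove the added sentence. Separately, the typo "defiend" in 5.12.2 is carried over unchanged and can be fixed in the same pass.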
skipping to change at page 76, line 24 skipping to change at page 77, line 24
an object that is collected by this SUPAPolicyCollection instance. an object that is collected by this SUPAPolicyCollection instance.
Note: [0..n] means that this is a multi-valued property that has Note: [0..n] means that this is a multi-valued property that has
zero or more attributes. zero or more attributes.
5.13.3.2. The Attribute "supaPolCollectionEncoding" 5.13.3.2. The Attribute "supaPolCollectionEncoding"
This is an optional non-negative enumerated integer that defines This is an optional non-negative enumerated integer that defines
the data type of the content of this collection instance. Values the data type of the content of this collection instance. Values
include: include:
0: undefined 0: error
1: by regex (regular expression) 1: init
2: by URI 2: by regex (regular expression)
3: by URI
For example, if the value of this attribute is 1, then each of Note that 0 and 1 represent error and initialization states,
the strings in the supaPolCollectionContent attribute represent respectively. If the value of this attribute is 2, then each of the
a regex that contains all or part of a string to match the class strings in the supaPolCollectionContent attribute represent a regex
name of the object that is to be collected by this instance of that contains all or part of a string to match the class name of the
a SUPAPolicyCollection class. object that is to be collected by this instance of a
SUPAPolicyCollection class. If the value of this attribute is 3,
then each of the strings in the supaPolCollectionContent attribute
represent a URI.
5.13.3.3. The Attribute "supaPolCollectionFunction" 5.13.3.3. The Attribute "supaPolCollectionFunction"
This is an optional non-negative enumerated integer that defines This is an optional non-negative enumerated integer that defines
the function of this collection instance. Values include: the function of this collection instance. Values include:
0: undefined 0: error
1: event collection 1: init
2: condition collection 2: event collection
3: action collection 3: condition collection
4: logic collection 4: action collection
5: logic collection
Values 1-3 define a collection of objects that are to be used to Note that 0 and 1 represent error and initialization states,
populate the event, condition, or action clauses, respectively, of respectively. Values 2-4 define a collection of objects that are to
a SUPAECAPolicyRule. A value of 4 indicates that this collection be used to populate the event, condition, or action clauses,
contains objects that define logic for processing a SUPAPolicy. respectively, of a SUPAECAPolicyRule. A value of 4 indicates that
this collection contains objects that define logic for processing
a SUPAPolicy.
5.13.3.4. The Attribute "supaPolCollectionIsOrdered" 5.13.3.4. The Attribute "supaPolCollectionIsOrdered"
This is an optional Boolean attribute. If the value of this This is an optional Boolean attribute. If the value of this
attribute is TRUE, then all elements in this instance of this attribute is TRUE, then all elements in this instance of this
SUPAPolicyCollection are ordered. SUPAPolicyCollection are ordered.
5.13.3.5. The Attribute "supaPolCollectionType" 5.13.3.5. The Attribute "supaPolCollectionType"
This is an optional non-negative enumerated integer that defines This is an optional non-negative enumerated integer that defines
the type of collection that this instance is. Values include: the type of collection that this instance is. Values include:
0: undefined 0: error
1: set 1: init
2: bag (e.g., multi-set) 2: set
3: dictionary (e.g., associative array) 3: bag (e.g., multi-set)
4: dictionary (e.g., associative array)
A set is an unordered collection of elements that MUST NOT have Note that 0 and 1 represent error and initialization states,
duplicates. A bag is an unordered collection of elements; it MAY respectively. A set is an unordered collection of elements that MUST
also have duplicates. A dictionary is a table that associates a NOT have duplicates. A bag is an unordered collection of elements;
it MAY have duplicates. A dictionary is a table that associates a
key with a value. key with a value.
Sets have a number of important functions, including: Sets have a number of important functions, including:
o membership: returns TRUE if the element being tested is o membership: returns TRUE if the element being tested is
in the set, and FALSE otherwise in the set, and FALSE otherwise
o subset: returns TRUE if all elements in the first set o subset: returns TRUE if all elements in the first set
are also in the second set are also in the second set
o union: returns all elements from both sets with no o union: returns all elements from both sets with no
duplicates duplicates
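Review bot: In 5.13.3.3 the new text says "Values 2-4 define a collection of objects" for the event, condition and action clauses, and then "A value of 4 indicates that this collection contains objects that define logic", which makes value 4 both the action collection and the logic collection. The -02 list has "5: logic collection", so the second sentence should read "A value of 5". The "Note that 0 and 1 represent error and initialization states" sentences added to supaPolCollectionEncoding and supaPolCollectionType do agree with their lists. For supaPolCollectionEncoding value 3 the new text says only that each string "represent a URI"; stating what the URI identifies, as the regex case does for class names, would make the two cases parallel.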
skipping to change at page 81, line 5 skipping to change at page 82, line 18
represents part of the object identifier of an instance of this represents part of the object identifier of an instance of this
class. It defines the format of the object identifier. It works class. It defines the format of the object identifier. It works
with another class attribute, called supaPolMetadataIDContent, with another class attribute, called supaPolMetadataIDContent,
which defines the content of the object ID. which defines the content of the object ID.
These two attributes form a tuple, and together enable a machine These two attributes form a tuple, and together enable a machine
to understand the syntax and value of an object identifier for to understand the syntax and value of an object identifier for
the object instance of this class. The supaPolMetadataIDEncoding the object instance of this class. The supaPolMetadataIDEncoding
attribute is mapped to the following values: attribute is mapped to the following values:
0: undefined 0: error
1: GUID 1: init
2: UUID 2: GUID
3: URI 3: UUID
4: FQDN 4: URI
5: FQPN 5: FQDN
6: FQPN
7: string_instance_id
Note that 0 and 1 represent error and initialization states,
respectively. Values 2-6 define the content as a reference. Value 7
defines the content as a string that is the canonical
representation, in ASCII, of an instance ID of this object.
5.16.1.4. The Attribute "supaPolMetadataName" 5.16.1.4. The Attribute "supaPolMetadataName"
This is an optional string attribute that defines the name of this This is an optional string attribute that defines the name of this
SUPAPolicyMetadata object. SUPAPolicyMetadata object.
5.16.2. SUPAPolicyMetadata Relationships 5.16.2. SUPAPolicyMetadata Relationships
SUPAPolicyMetadata participates in a single aggregation, which is SUPAPolicyMetadata participates in a single aggregation, which is
defined in the following subsections. defined in the following subsections.
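Review bot: The renumbered supaPolMetadataIDEncoding list reuses values that -01 had already assigned (1 was GUID and is now init; 3 was URI and is now UUID), so an identifier stored under the -01 numbering is silently reinterpreted instead of being rejected. Either assign error and init to values that were previously unused, or state explicitly that the -02 numbering is not compatible with -01 and that a consumer must know which revision produced the value.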
skipping to change at page 82, line 11 skipping to change at page 83, line 30
attribute is TRUE, then the SUPAPolicyMetadata object(s) of this attribute is TRUE, then the SUPAPolicyMetadata object(s) of this
particular SUPAHasPolicyMetadata aggregation SHOULD be aggregated particular SUPAHasPolicyMetadata aggregation SHOULD be aggregated
by this particular SUPAPolicyObject. by this particular SUPAPolicyObject.
5.16.2.2.2. The Attribute "supaPolMetadataConstraintEncoding" 5.16.2.2.2. The Attribute "supaPolMetadataConstraintEncoding"
This is an optional non-negative enumerated integer that defines This is an optional non-negative enumerated integer that defines
how to interpret each string in the supaPolMetadataConstraint how to interpret each string in the supaPolMetadataConstraint
class attribute. Values include: class attribute. Values include:
0: undefined 0: error
1: OCL 2.4 1: init
2: OCL 2.x 2: OCL 2.4
3: OCL 1.x 3: OCL 2.x
4: QVT 1.2 - Relations Language 4: OCL 1.x
5: QVT 1.2 - Operational language 5: QVT 1.2 - Relations Language
6: Alloy 6: QVT 1.2 - Operational language
7: English text 7: Alloy
8: ASCII Text
Enumerations 1-3 are dedicated to OCL (with OCL 2.4 being the Enumerations 1 and 2 signify an error state and an initialization
latest version as of this writing). QVT defines a set of languages state, respectively. Enumeraitons 3-5 are dedicated to OCL (with
(the two most powerful and useful are defined by enumerations 4 OCL 2.4 being the latest version as of this writing). QVT defines a
and 5). Alloy is a language for describing constraints, and uses a set of languages [20] (the two most powerful and useful are defined
SAT solver to guarantee correctness. Note that enumeration 7 by enumerations 5 and 6). Alloy is a language for describing
(English text) is not recommended (since it is informal, and hence, constraints, and uses a SAT solver to guarantee correctness [21].
not verifiable), but included for completeness. Enumeration 8 (ASCII Text) is not recommended (since it is informal,
and hence, not verifiable), but is included for completeness.
If this class is instantiated, then this attribute SHOULD also be If this class is instantiated, then this attribute SHOULD also be
instantiated, and should be part of a conformant implementation. instantiated, and SHOULD be part of a conformant implementation.
5.16.2.2.3. The Attribute "supaPolMetadataConstraint[0..n]" 5.16.2.2.3. The Attribute "supaPolMetadataConstraint[0..n]"
This is an optional array of string attributes. Each attribute This is an optional array of string attributes. Each attribute
specifies a constraint to be applied using the format identified specifies a constraint to be applied using the format identified
by the value of the supaPolMetadataPolicyConstraintEncoding class by the value of the supaPolMetadataPolicyConstraintEncoding class
attribute. This provides a more rigorous and flexible treatment of attribute. This provides a more rigorous and flexible treatment of
constraints than is possible in [RFC3460]. constraints than is possible in [RFC3460].
If this class is instantiated, then this attribute SHOULD also be If this class is instantiated, then this attribute SHOULD also be
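Review bot: The paragraph added after the supaPolMetadataConstraintEncoding list does not match the list: it assigns error and init to enumerations 1 and 2 and OCL to 3-5, but the list has error at 0, init at 1 and OCL at 2-4 (QVT at 5 and 6 and ASCII Text at 8 do match). Correct the ranges and the spelling "Enumeraitons". Section 5.16.2.2.3 also refers to supaPolMetadataPolicyConstraintEncoding, whereas the attribute defined in 5.16.2.2.2 is supaPolMetadataConstraintEncoding.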
skipping to change at page 85, line 20 skipping to change at page 86, line 39
5.19.1.1. The Attribute "supaPolAccessPrivilegeDef" 5.19.1.1. The Attribute "supaPolAccessPrivilegeDef"
This is an optional non-negative enumerated integer attribute. It This is an optional non-negative enumerated integer attribute. It
specifies the access privileges that external Applications have specifies the access privileges that external Applications have
when interacting with a specific SUPAPolicyObject that is adorned when interacting with a specific SUPAPolicyObject that is adorned
with an instance of this SUPAPolicyAccessMetadataDef object. This with an instance of this SUPAPolicyAccessMetadataDef object. This
enables the management system to control, in a consistent manner, enables the management system to control, in a consistent manner,
the set of operations that external Applications have for the set of operations that external Applications have for
SUPAPolicies and components of SUPAPolicies. Values include: SUPAPolicies and components of SUPAPolicies. Values include:
0: undefined 0: error
1: read only (for all policy components) 1: init
2: read and write (for all policy components) 2: read only (for all policy components)
3: privileges are specified by an external MAC model 3: read and write (for all policy components)
4: privileges are specified by an external DAC model 4: privileges are specified by an external MAC model
5: privileges are specified by an external RBAC model 5: privileges are specified by an external DAC model
6: privileges are specified by an external ABAC model 6: privileges are specified by an external RBAC model
7: privileges are specified by an external custom model 7: privileges are specified by an external ABAC model
8: privileges are specified by an external custom model
Values 1 and 2 apply to ALL SUPAPolicyObject instances that are Note that 0 and 1 represent error and initialization states,
adorned with this SUPAPolicyConcreteMetadata object instance; respectively. Values 4-8 indicate that a formal external access
these two settings are "all-or-nothing" settings, and are included control model is used. The name of this model, and its location,
for ease of use. are specified in two other class attributes, called
supaPolAccessPrivilegeModelName and supaPolAccessPrivilegeModelRef.
Values 3-7 indicate that a formal external access control model is MAC, DAC, RBAC, and ABAC (values 4-7 stand for Mandatory Access
used. The name of this model, and its location, are specified in Control, Discretionary Access Control, Role-Based Access Control,
two other class attributes, called supaPolAccessPrivilegeModelName and Attribute-Based Access Control, respectively. They are defined
and supaPolAccessPrivilegeModelRef. MAC, DAC, RBAC, and ABAC in [22]. A value of 8 indicates that a formal external model that
(values 3-6 stand for Mandatory Access Control, Discretionary is not MAC, DAC, RBAC, or ABAC is used.
Access Control, Role-Based Access Control, and Attribute-Based
Access Control, respectively. A value of 7 indicates that a formal
external model that is not MAC, DAC, RBAC, or ABAC is used.
5.19.1.2. The Attribute "supaPolAccessPrivilegeModelName" 5.19.1.2. The Attribute "supaPolAccessPrivilegeModelName"
This is an optional string attribute that contains the name of This is an optional string attribute that contains the name of
the access control model being used. If the value of the the access control model being used. If the value of the
supaPolAccessPrivilegeDef is 0-2, then the value of this attribute supaPolAccessPrivilegeDef is 0-2, then the value of this attribute
is not applicable. Otherwise, the text in this class attribute is not applicable. Otherwise, the text in this class attribute
should be interpreted according to the value of the should be interpreted according to the value of the
supaPolAccessPrivilegeModelRef class attribute. supaPolAccessPrivilegeModelRef class attribute.
5.19.1.3. The Attribute "supaPolAccessPrivilegeModelRef" 5.19.1.3. The Attribute "supaPolAccessPrivilegeModelRef"
This is an optional non-negative enumerated integer attribute This is an optional non-negative enumerated integer attribute
that defines the data type of the supaPolAccessPrivilegeModelName that defines the data type of the supaPolAccessPrivilegeModelName
attribute. If the value of the supaPolAccessPrivilegeDef class attribute. If the value of the supaPolAccessPrivilegeDef class
attribute is 0-2, then the value of this attribute is not attribute is 0-2, then the value of this attribute is not
applicable. Otherwise, the value of this class attribute defines applicable. Otherwise, the value of this class attribute defines
how to interpret the text in the supaPolAccessPrivilegeModelRef how to interpret the text in the supaPolAccessPrivilegeModelRef
class attribute. Values include: class attribute. Values include:
0: Undefined 0: error
1: URI 1: init
2: GUID 2: GUID
3: UUID 3: UUID
4: FQDN 4: URI
5: FQPN 5: FQDN
6: FQPN
7: string_instance_id
Note that 0 and 1 represent error and initialization states,
respectively. Values 2-6 define the content as a reference. Value 7
defines the content as a string that is the canonical
representation, in ASCII, of an instance ID of this object.
5.20. The Concrete Class "SUPAPolicyVersionMetadataDef" 5.20. The Concrete Class "SUPAPolicyVersionMetadataDef"
This is an optional concrete class that defines versioning This is an optional concrete class that defines versioning
information, in the form of metadata, that can be added to a information, in the form of metadata, that can be added to a
SUPAPolicyObject. This enables all or part of a standardized SUPAPolicyObject. This enables all or part of a standardized
description and/or specification of version information for a description and/or specification of version information for a
given SUPAPolicyObject to be easily changed at runtime by given SUPAPolicyObject to be easily changed at runtime by
wrapping an object instance of the SUPAPolicyConcreteMetadata wrapping an object instance of the SUPAPolicyConcreteMetadata
class (or its subclass) with all or part of this object. class (or its subclass) with all or part of this object.
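Review bot: The "is 0-2, then the value of this attribute is not applicable" ranges in 5.19.1.2 and 5.19.1.3 were not updated for the renumbered supaPolAccessPrivilegeDef list: the values that use no external model are now 0-3 (error, init, read only, read and write), so 3 is wrongly treated as requiring a model name and reference. The renumbering also changes what a stored value grants: 3 meant "privileges are specified by an external MAC model" in -01 and means "read and write (for all policy components)" in -02, so the text should say that -01 values must not be interpreted against the -02 list. Smaller points in the same text: the parenthesis opened at "(values 4-7 stand for" is never closed, the -01 sentence explaining that read only and read and write are "all-or-nothing" settings was dropped without replacement, and 5.19.1.3 says its value defines how to interpret supaPolAccessPrivilegeModelRef, which is the attribute itself, where its first sentence names supaPolAccessPrivilegeModelName.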
skipping to change at page 89, line 29 skipping to change at page 91, line 18
of the SUPA ECAPolicyRule Information Model (EPRIM). Unless of the SUPA ECAPolicyRule Information Model (EPRIM). Unless
otherwise stated, all classes (and attributes) defined in this otherwise stated, all classes (and attributes) defined in this
section were abstracted from DEN-ng [2], and a version of them are section were abstracted from DEN-ng [2], and a version of them are
in the process of being added to [5]. in the process of being added to [5].
6.1. Overview 6.1. Overview
Conceptually, the EPRIM is a set of subclasses that specialize the Conceptually, the EPRIM is a set of subclasses that specialize the
concepts defined in the GPIM for representing the components of a concepts defined in the GPIM for representing the components of a
Policy that uses ECA semantics. This is shown in Figure 23 (only Policy that uses ECA semantics. This is shown in Figure 23 (only
new EPRIM subclasses and their GPIM superclasses are shown). new EPRIM subclasses and their GPIM superclasses are shown; note
that the SUPAPolicyMetadata hierarchy is used **as is**).
(Class of another model that SUPA is integrating into) (Class of another model that SUPA is integrating into)
| |
+---SUPAPolicyObject (5.2) +---SUPAPolicyObject (5.2)
| |
+---SUPAPolicyStructure (5.3) +---SUPAPolicyStructure (5.3)
| | | |
| +---SUPAECAPolicyRule (6.4) | +---SUPAECAPolicyRule (6.4)
| | | |
| +---SUPAECAPolicyRuleAtomic (6.5) | +---SUPAECAPolicyRuleAtomic (6.5)
skipping to change at page 96, line 5 skipping to change at page 97, line 27
among policy actions (e.g., given a set of conflicting actions, among policy actions (e.g., given a set of conflicting actions,
which one will execute) and (2) to define the execution order of which one will execute) and (2) to define the execution order of
policy actions (e.g., when one action may depend on the output of policy actions (e.g., when one action may depend on the output of
one or more previous actions). one or more previous actions).
6.4.1.2. The Attribute "supaECAPolicyRuleStatus" 6.4.1.2. The Attribute "supaECAPolicyRuleStatus"
This is an optional non-negative enumerated integer whose value This is an optional non-negative enumerated integer whose value
defines the current status of this policy rule. Values include: defines the current status of this policy rule. Values include:
0: In development, not ready to be deployed 0: error
1: init
2: In development, not ready to be deployed
1: Ready to be deployed 1: Ready to be deployed
2: Deployed but not enabled 2: Deployed but not enabled
3: Deployed and enabled, but not executed 3: Deployed and enabled, but not executed
4: Executed without errors 4: Executed without errors
5: Executed with errors 5: Executed with errors
6: Aborted during execution 6: Aborted during execution
Note that 0 and 1 represent error and initialization states,
respectively.
6.4.2. SUPAECAPolicyRule Relationships 6.4.2. SUPAECAPolicyRule Relationships
Currently, the SUPAECAPolicyRule does not define any Currently, the SUPAECAPolicyRule does not define any
relationships. It inherits all four relationships defined by relationships. It inherits all four relationships defined by
the SUPAPolicyStructure class (see section 5.3.2.). the SUPAPolicyStructure class (see section 5.3.2.).
6.5. The Concrete Class "SUPAECAPolicyRuleAtomic" 6.5. The Concrete Class "SUPAECAPolicyRuleAtomic"
This is a mandatory concrete class. This class is a type of This is a mandatory concrete class. This class is a type of
PolicyContainer, and represents a SUPAECAPolicyRule that can PolicyContainer, and represents a SUPAECAPolicyRule that can
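Review bot: In the new supaECAPolicyRuleStatus list only the first state was renumbered, so values 1 and 2 are each defined twice (1: init and 1: Ready to be deployed; 2: In development and 2: Deployed but not enabled). The remaining states, from "Ready to be deployed" through "Aborted during execution", need to move to 3-8 so that every status has a unique value.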
skipping to change at page 97, line 14 skipping to change at page 98, line 41
6.6.1.1. The Attribute "supaECAEvalStrategy" 6.6.1.1. The Attribute "supaECAEvalStrategy"
This is a mandatory, non-zero, integer attribute that enumerates This is a mandatory, non-zero, integer attribute that enumerates
a set of allowable alternatives that define how the set of a set of allowable alternatives that define how the set of
SUPAECAPolicyRule object instances in a SUPAECAPolicyRuleComposite SUPAECAPolicyRule object instances in a SUPAECAPolicyRuleComposite
object are evaluated. It is assumed that the event and condition object are evaluated. It is assumed that the event and condition
clauses of the SUPAECAPolicyRules have evaluated to TRUE (e.g., the clauses of the SUPAECAPolicyRules have evaluated to TRUE (e.g., the
event has occurred and the conditions were met). Values include: event has occurred and the conditions were met). Values include:
0: undefined 0: error
1: execute the first SUPAECAPolicyRule in the 1: init
2: execute the first SUPAECAPolicyRule in the
SUPAECAPolicyRuleComposite and then terminate SUPAECAPolicyRuleComposite and then terminate
2: execute only the highest priority SUPAECAPolicyRule(s) in 3: execute only the highest priority SUPAECAPolicyRule(s) in
the SUPAECAPolicyRuleComposite and then terminate the SUPAECAPolicyRuleComposite and then terminate
3: execute all SUPAECAPolicyRules in prioritized order (if 4: execute all SUPAECAPolicyRules in prioritized order (if
any) regardless of whether their SUPAPolicyActions any) regardless of whether their SUPAPolicyActions
succeed or fail succeed or fail
4: execute all SUPAECAPolicyRules in prioritized order (if 5: execute all SUPAECAPolicyRules in prioritized order (if
any) until at least one SUPAPolicyAction in a any) until at least one SUPAPolicyAction in a
SUPAECAPolicyRule fails, and then terminate SUPAECAPolicyRule fails, and then terminate
Note that 0 and 1 represent error and initialization states,
respectively.
If the value of supaECAEvalStrategy is 3 or 4, then all If the value of supaECAEvalStrategy is 3 or 4, then all
SUPAECAPolicyRules that have a priority will be executed first SUPAECAPolicyRules that have a priority will be executed first
(starting with the SUPAECAPolicyRule(s) that have the highest (starting with the SUPAECAPolicyRule(s) that have the highest
priority, and descending); all SUPAECAPolicyRule(s) that do not priority, and descending); all SUPAECAPolicyRule(s) that do not
have a priority are then executed (in any order). have a priority are then executed (in any order).
Assume that the actions in a given SUPAECAPolicyRuleComposite Assume that the actions in a given SUPAECAPolicyRuleComposite
are defined as follows are defined as follows
SUPAECAPolicyRule A, priority 0 SUPAECAPolicyRule A, priority 0
SUPAECAPolicyRule B, priority 10 SUPAECAPolicyRule B, priority 10
SUPAECAPolicyRule C, priority 5 SUPAECAPolicyRule C, priority 5
SUPAECAPolicyRule D, priority 10 SUPAECAPolicyRule D, priority 10
SUPAECAPolicyRule E, priority 2 SUPAECAPolicyRule E, priority 2
Then, if the supaECAEvalStrategy attribute value equals: Then, if the supaECAEvalStrategy attribute value equals:
0: an error is issued 0: an error is issued
1: only SUPAECAPolicyRule A is executed 1: this SUPAECAPolicyRule MUST NOT be used (since it is not yet
2: only SUPAECAPolicyRules B and D are executed properly initialized)
3: all SUPAECAPolicyRules are executed, regardless of any 2: only SUPAECAPolicyRule A is executed
3: only SUPAECAPolicyRules B and D are executed
4: all SUPAECAPolicyRules are executed, regardless of any
failures in their SUPAPolicyActions failures in their SUPAPolicyActions
4: all SUPAECAPolicyRules are executed until a failure is 5: all SUPAECAPolicyRules are executed until a failure is
detected, and then execution for all SUPAECAPolicyRules detected, and then execution for all SUPAECAPolicyRules
terminate terminates
6.6.2. SUPAECAPolicyRuleComposite Relationships 6.6.2. SUPAECAPolicyRuleComposite Relationships
Currently, the SUPAECAPolicyRuleComposite defines a single Currently, the SUPAECAPolicyRuleComposite defines a single
aggregation between it and SUPAECAPolicyRule, as described below. aggregation between it and SUPAECAPolicyRule, as described below.
6.6.2.1. The Aggregation "SUPAHasECAPolicyRule" 6.6.2.1. The Aggregation "SUPAHasECAPolicyRule"
This is an optional aggregation that implements the composite This is an optional aggregation that implements the composite
pattern. The multiplicity of this aggregation is 0..1 on the pattern. The multiplicity of this aggregation is 0..1 on the
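Review bot: The sentence "If the value of supaECAEvalStrategy is 3 or 4, then all SUPAECAPolicyRules that have a priority will be executed first" still uses the -01 numbering; in the new list the two "execute all SUPAECAPolicyRules in prioritized order" strategies are 4 and 5, and 3 is now "execute only the highest priority". The worked example under it was updated, so only this sentence is out of step. The attribute is also still described as a "non-zero" integer although 0 is now a defined value (error); state whether 0 may appear in an instance.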
skipping to change at page 104, line 4 skipping to change at page 105, line 39
Note: [0..n] means that this is a multi-valued property that has Note: [0..n] means that this is a multi-valued property that has
zero or more attributes. zero or more attributes.
6.11.1.4. The Attribute "supaPolicyEventEncoding" 6.11.1.4. The Attribute "supaPolicyEventEncoding"
This is a mandatory non-zero enumerated integer attribute, and This is a mandatory non-zero enumerated integer attribute, and
defines how to interpret the supaPolicyEventData class attribute. defines how to interpret the supaPolicyEventData class attribute.
These two attributes form a tuple, and together enable a machine These two attributes form a tuple, and together enable a machine
to understand the syntax and value of the data carried by the to understand the syntax and value of the data carried by the
object instance of this class. Values include: object instance of this class. Values include:
0: error
0: Undefined 1: init
1: String 2: String
2: Integer 3: Integer
3: Boolean 4: Boolean
4: Floating Point 5: Floating Point
5: DateTime 6: DateTime
6.11.1.5. The Attribute "supaPolicyEventData[1..n]" 6.11.1.5. The Attribute "supaPolicyEventData[1..n]"
This is a mandatory attribute that defines an array of strings. This is a mandatory attribute that defines an array of strings.
Each string in the array represents an attribute name and value Each string in the array represents an attribute name and value
of an Event object. The format of each string is defined as of an Event object. The format of each string is defined as
name:value. The 'name' part is the name of the SUPAPolicyEvent name:value. The 'name' part is the name of the SUPAPolicyEvent
attribute, and the 'value' part is the value of that attribute. attribute, and the 'value' part is the value of that attribute.
Note: [1..n] means that this is a multi-valued property that has Note: [1..n] means that this is a multi-valued property that has
at least one (and possibly more) attributes. For example, if at least one (and possibly more) attributes. For example, if
this value of this attribute is: this value of this attribute is:
{(startTime:0800), (endTime:1700), (date:2016-05-11), {(startTime:0800), (endTime:1700), (date:2016-05-11),
(timeZone:-08:00)} (timeZone:-08:00)}
then this attribute contains four properties, called startTime, then this attribute contains four properties, called startTime,
endTime, date, and timeZone whose values are 0800, 1700, May 11 endTime, date, and timeZone whose values are 0800, 1700, May 11
2016, and Pacific Standard Time, respectively. 2016, and Pacific Standard Time, respectively.
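Review bot: supaPolicyEventEncoding gains "0: error" and "1: init" but, unlike the other enumerations changed in this revision, has no "Note that 0 and 1 represent error and initialization states" sentence, and the attribute is still described as "non-zero" although 0 is now listed. In the unchanged supaPolicyEventData example that follows, the value in (timeZone:-08:00) itself contains a colon, so the name:value format should say that the string is split on the first colon only.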
skipping to change at page 105, line 31 skipping to change at page 107, line 19
by the object instance of this class. by the object instance of this class.
6.12.1.2. The Attribute "supaPolicyConditionEncoding" 6.12.1.2. The Attribute "supaPolicyConditionEncoding"
This is a mandatory non-zero enumerated integer attribute, and This is a mandatory non-zero enumerated integer attribute, and
defines the data type of the supaPolicyConditionData attribute. defines the data type of the supaPolicyConditionData attribute.
These two attributes form a tuple, and together enable a machine These two attributes form a tuple, and together enable a machine
to understand the syntax and value of the content of this to understand the syntax and value of the content of this
SUPAPolicyCondition object. Values include: SUPAPolicyCondition object. Values include:
0: undefined 0: error
1: String 1: init
2: OCL 2.x 2: OCL 2.4
3: OCL 1.x 3: OCL 2.x
4: QVT 1.2 - Relations Language 4: OCL 1.x
5: QVT 1.2 - Operational language 5: QVT 1.2 - Relations Language
6: Alloy 6: QVT 1.2 - Operational language
7: English text 7: Alloy
8: ASCII Text
Enumerations 1-3 are dedicated to OCL (with OCL 2.4 being the Enumerations 1 and 2 signify an error state and an initialization
latest version as of this writing). QVT defines a set of languages state, respectively. Enumeraitons 3-5 are dedicated to OCL (with
(the two most powerful and useful are defined by enumerations 4 OCL 2.4 being the latest version as of this writing). QVT defines a
and 5). Alloy is a language for describing constraints, and uses a set of languages [20] (the two most powerful and useful are defined
SAT solver to guarantee correctness. Note that enumeration 7 by enumerations 5 and 6). Alloy is a language for describing
(English text) is not recommended (since it is informal, and hence, constraints, and uses a SAT solver to guarantee correctness [21].
not verifiable), but included for completeness. Enumeration 8 (ASCII Text) is not recommended (since it is informal,
and hence, not verifiable), but is included for completeness.
If this class is instantiated, then this attribute SHOULD also be
instantiated, and SHOULD be part of a conformant implementation.
6.12.2. SUPAPolicyEvent Relationships 6.12.2. SUPAPolicyEvent Relationships
No relationships are currently defined for this class. It inherits No relationships are currently defined for this class. It inherits
the relationships defined by the SUPAPolicyComponentDecorator (see the relationships defined by the SUPAPolicyComponentDecorator (see
section 5.7.3.). section 5.7.3.).
6.13. The Concrete Class "SUPAPolicyAction" 6.13. The Concrete Class "SUPAPolicyAction"
This is a mandatory concrete class that represents the concept of This is a mandatory concrete class that represents the concept of
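Review bot: The explanatory paragraph added under supaPolicyConditionEncoding is offset by one from the list above it: error and init are 0 and 1 (not 1 and 2) and OCL is 2-4 (not 3-5), while the QVT (5 and 6) and ASCII Text (8) references are correct. The -01 value "1: String" has no stated replacement in the new list, so say whether "8: ASCII Text" is meant to cover it. The heading 6.12.2 reads "SUPAPolicyEvent Relationships" although 6.12.1.2 describes a SUPAPolicyCondition object.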
skipping to change at page 107, line 15 skipping to change at page 109, line 5
6.13.1.2. The Attribute "supaPolicyActionEncoding" 6.13.1.2. The Attribute "supaPolicyActionEncoding"
This is a mandatory non-zero enumerated integer attribute, and This is a mandatory non-zero enumerated integer attribute, and
defines the data type of the supaPolicyActionData attribute. This defines the data type of the supaPolicyActionData attribute. This
attribute works with another class attribute, called attribute works with another class attribute, called
supaPolicyActionData, which contains the content of the action. supaPolicyActionData, which contains the content of the action.
These two attributes form a tuple, and together enable a machine These two attributes form a tuple, and together enable a machine
to understand the syntax and value of the content of this to understand the syntax and value of the content of this
SUPAPolicyAction object. Values include: SUPAPolicyAction object. Values include:
0: undefined 0: error
1: GUID 1: init
2: UUID 2: OCL 2.4
3: URI 3: OCL 2.x
4: FQDN 4: OCL 1.x
5: String 5: QVT 1.2 - Relations Language
6: OCL 2.x 6: QVT 1.2 - Operational language
7: OCL 1.x 7: Alloy
8: QVT 1.2 - Relations Language 8: ASCII Text
9: QVT 1.2 - Operational language 9: GUID
10: Alloy 10: UUID
11: URI
12: FQDN
Enumerations 1 and 2 signify an error state and an initialization
state, respectively. Enumeraitons 3-5 are dedicated to OCL (with
OCL 2.4 being the latest version as of this writing). QVT defines a
set of languages [20] (the two most powerful and useful are defined
by enumerations 5 and 6). Alloy is a language for describing
constraints, and uses a SAT solver to guarantee correctness [21].
Enumeration 8 (ASCII Text) is not recommended (since it is informal,
and hence, not verifiable), but is included for completeness.
Enumerations 9-12 define a reference to the SUPAPolicyAction.
If this class is instantiated, then this attribute SHOULD also be
instantiated, and SHOULD be part of a conformant implementation.
6.13.2. SUPAPolicyAction Relationships 6.13.2. SUPAPolicyAction Relationships
No relationships are currently defined for this class. It inherits No relationships are currently defined for this class. It inherits
the relationships defined by the SUPAPolicyComponentDecorator (see the relationships defined by the SUPAPolicyComponentDecorator (see
section 5.7.3.). section 5.7.3.).
Enumerations 1-4 are used to provide a reference to an action Enumerations 1-4 are used to provide a reference to an action
object. Enumerations 5-10 are used to express the action to object. Enumerations 5-10 are used to express the action to
perform as a string. perform as a string.
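Review bot: The trailing paragraph "Enumerations 1-4 are used to provide a reference to an action object. Enumerations 5-10 are used to express the action to perform as a string." is left over from the -01 numbering and contradicts the new supaPolicyActionEncoding list, where 1 is init and references are 9-12 (as the added sentence "Enumerations 9-12 define a reference to the SUPAPolicyAction" says); it also sits after the 6.13.2 text instead of with the attribute, and should be removed. The added paragraph repeats the off-by-one ranges (error and init are 0 and 1, OCL is 2-4), and "5: String" from -01 has no stated equivalent in the new list.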
skipping to change at page 108, line 30 skipping to change at page 110, line 34
12. References 12. References
This section defines normative and informative references for this This section defines normative and informative references for this
document. document.
12.1. Normative References 12.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for
the Network Configuration Protocol (NETCONF)",
RFC 6020, October 2010.
[RFC6991] Schoenwaelder, J., "Common YANG Data Types", RFC 6991,
July 2013.
12.2. Informative References 12.2. Informative References
[RFC3060] Moore, B., Ellesson, E., Strassner, J., Westerinen, [RFC3060] Moore, B., Ellesson, E., Strassner, J., Westerinen,
A., "Policy Core Information Model -- Version 1 A., "Policy Core Information Model -- Version 1
Specification", RFC 3060, February 2001 Specification", RFC 3060, February 2001
[RFC3198] Westerinen, A., Schnizlein, J., Strassner, J., [RFC3198] Westerinen, A., Schnizlein, J., Strassner, J.,
Scherling, M., Quinn, B., Herzog, S., Huynh, A., Scherling, M., Quinn, B., Herzog, S., Huynh, A.,
Carlson, M., Perry, J., Waldbusser, S., "Terminology Carlson, M., Perry, J., Waldbusser, S., "Terminology
for Policy-Based Management", RFC 3198, November, 2001 for Policy-Based Management", RFC 3198, November, 2001
skipping to change at page 110, line 11 skipping to change at page 112, line 21
[13] Liskov, B.H., Wing, J.M., "A Behavioral Notion of [13] Liskov, B.H., Wing, J.M., "A Behavioral Notion of
subtyping", ACM Transactions on Programming languages subtyping", ACM Transactions on Programming languages
and Systems, 16 (6): 1811 - 1841, 1994 and Systems, 16 (6): 1811 - 1841, 1994
[14] Martin, R.C., "Agile Software Development, Principles, [14] Martin, R.C., "Agile Software Development, Principles,
Patterns, and Practices", Prentice-Hall, 2002, Patterns, and Practices", Prentice-Hall, 2002,
ISBN: 0-13-597444-5 ISBN: 0-13-597444-5
[15] Halpern, J., Strassner, J., "Generic Policy Data Model [15] Halpern, J., Strassner, J., "Generic Policy Data Model
for Simplified Use of Policy Abstractions (SUPA)" for Simplified Use of Policy Abstractions (SUPA)"
draft-ietf-supa-generic-policy-data-model-00, draft-ietf-supa-generic-policy-data-model-02,
July 13, 2016 July 13, 2016
[16] Wang, Y., Esposito, F., Matta, I., Day, J., "RINA: An [16] Wang, Y., Esposito, F., Matta, I., Day, J., "RINA: An
Architecture for Policy-based Dynamic Service Architecture for Policy-based Dynamic Service
Management", Tech Report BUCS-TR-2013-014, 2013 Management", Tech Report BUCS-TR-2013-014, 2013
[17] Meyer, B., "Object-Oriented Software Construction", [17] Meyer, B., "Object-Oriented Software Construction",
Prentice Hall, second edition, 1997 ISBN 0-13-629155-4 Prentice Hall, second edition, 1997 ISBN 0-13-629155-4
[18] http://semver.org/ [18] http://semver.org/
[19] ISO/IEC:2004(E), "Data elements and interchange [19] ISO/IEC:2004(E), "Data elements and interchange
formats -- Information interchange -- Representation formats -- Information interchange -- Representation
of dates and times", 2004 of dates and times", 2004
[20] http://www.omg.org/spec/QVT/
[21] http://alloy.mit.edu/alloy/
Authors' Addresses Authors' Addresses
John Strassner John Strassner
Huawei Technologies Huawei Technologies
2330 Central Expressway 2330 Central Expressway
Santa Clara, CA 95138 USA Santa Clara, CA 95138 USA
Email: john.sc.strassner@huawei.com Email: john.sc.strassner@huawei.com
Joel Halpern Joel Halpern
Ericsson Ericsson
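Review bot: Section 5.19.1.1 now cites [22] for the MAC, DAC, RBAC and ABAC definitions, but the reference list shown here ends at [21]; add the [22] entry or correct the citation. Reference [15] was changed to draft-ietf-supa-generic-policy-data-model-02 while its date remains July 13, 2016; check that the date matches the cited revision.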
 End of changes. 126 change blocks. 
432 lines changed or deleted 539 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/