Strassner-Policy Theory and Practice – IM2001 (PowerPoint PPT Presentation)
Transcript
Slide 1: Strassner-Policy Theory and Practice – IM2001
Purpose of the PCIM
• Provide a set of classes and relationships that provide an extensible means for defining policy control of managed objects
» Represents the structure, not the contents, of a policy
» Content provided by subclassing classes to derive technology- and vendor-specific conditions, actions, and other elements
Slide 2
PCIM Overview (1)
• Policy-based management assumes that the network is modeled as a state machine
• Classes and relationships are used to model:
» the state of an entity
» settings to be applied to an entity that either maintain an entity’s state or move the entity to a new state
» policies that control the application of settings
Slide 3
PCIM Overview (2)
• Thus, policy is applied using a set of rules
» Each rule has a set of conditions that specify when the policy should be applied
– Conditions can be specified in CNF or DNF
» Each rule has a set of actions that are executed if the conditions are TRUE
– Execution order can be specified
» Rules may be prioritized and grouped together to model an administrative hierarchy
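As an added example (not from the slides and not PCIM reference code), a small Python evaluator for the CNF/DNF condition clause described on this slide. It goes slightly beyond the slide by also handling negated terms, and assumes the RFC 3060 GroupNumber and ConditionNegated properties of PolicyConditionInPolicyRule; the condition tests and packet contexts are constructed.

```python
# Added example (not from the slides): evaluating a PolicyRule's condition clause
# in DNF or CNF, using the PCIM (RFC 3060) convention that each
# PolicyConditionInPolicyRule entry carries a GroupNumber and a ConditionNegated
# flag. The condition tests are constructed stand-ins for PolicyCondition subclasses.
from dataclasses import dataclass
from itertools import groupby
from typing import Callable, Dict, List

DNF, CNF = 1, 2   # ConditionListType: 1 = OR of ANDed groups, 2 = AND of ORed groups

@dataclass
class ConditionRef:
    """One PolicyConditionInPolicyRule aggregation entry."""
    test: Callable[[Dict], bool]   # evaluates the referenced PolicyCondition
    group_number: int              # GroupNumber: the AND/OR group this term belongs to
    negated: bool = False          # ConditionNegated: apply NOT to the term's result

def _term(ref: ConditionRef, ctx: Dict) -> bool:
    result = ref.test(ctx)
    return (not result) if ref.negated else result

def evaluate_conditions(list_type: int, refs: List[ConditionRef], ctx: Dict) -> bool:
    """Return True when the rule's condition clause is TRUE for ctx."""
    ordered = sorted(refs, key=lambda r: r.group_number)
    groups = [list(g) for _, g in groupby(ordered, key=lambda r: r.group_number)]
    if not groups:
        return True   # assumption in this example: an empty clause is vacuously TRUE
    if list_type == DNF:
        return any(all(_term(r, ctx) for r in g) for g in groups)  # some group entirely TRUE
    if list_type == CNF:
        return all(any(_term(r, ctx) for r in g) for g in groups)  # every group has a TRUE term
    raise ValueError(f"unknown ConditionListType {list_type}")

# Constructed sample conditions for a packet-classification style rule
internal_src = lambda ctx: ctx["src"].startswith("10.")
admin_port = lambda ctx: ctx["dport"] in (22, 3389)
business_hrs = lambda ctx: 9 <= ctx["hour"] < 17

# DNF: (internal_src AND admin_port) OR (NOT business_hrs)
dnf_rule = [ConditionRef(internal_src, 1), ConditionRef(admin_port, 1),
            ConditionRef(business_hrs, 2, negated=True)]
# CNF: (internal_src OR admin_port) AND business_hrs
cnf_rule = [ConditionRef(internal_src, 1), ConditionRef(admin_port, 1),
            ConditionRef(business_hrs, 2)]

def demo(ctx: Dict) -> Dict[str, bool]:
    """Evaluate both sample rules against one packet/context."""
    return {"dnf": evaluate_conditions(DNF, dnf_rule, ctx),
            "cnf": evaluate_conditions(CNF, cnf_rule, ctx)}
```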
Slide 4
Policy Core Model: Groups & Rules
[Class diagram: Policy Core Model, Groups & Rules. Recoverable content from the figure:
Policy (ABSTRACT): CommonName: string; PolicyKeywords: string[]
PolicyRule: CreationClassName: string[key]; PolicyRuleName: string[key]; Enabled: uint16; ConditionListType: uint16; RuleUsage: string; Priority: uint16; Mandatory: boolean; SequencedActions: uint16; PolicyRoles: string[]
PolicyGroup: CreationClassName: string[key]; PolicyGroupName: string[key]
Other classes shown: ManagedElement, System, AdminDomain, PolicyRepository
Associations and aggregations shown: PolicyConditionInPolicyRule, PolicyRuleInPolicyGroup, PolicyGroupInPolicyGroup, PolicyRuleInSystem, PolicyGroupInSystem, PolicyInSystem, PolicyConditionInPolicyRepository, PolicyActionInPolicyRepository, PolicyRepositoryInPolicyRepository, PolicyComponent, SystemComponent, Dependency (cardinalities are not recoverable from the extracted text)]
Slide 5
Policy Class
• Policy Class (Abstract)
» Root of the policy tree
» Carries common attributes to all policy classes
–Caption, Description from CIM ME
–OrderedCIMKeys to represent CIM hierarchy
–cn from X.520
–PolicyKeywords
» PolicyElementAuxClass is an aux class to represent this class and enables any object in the DIT to be identified as a policy class
Slide 6
PolicyRule
• A PolicyRule consists of a set of conditions and a set of actions
» Boolean logic assumed
» If condition clause is TRUE, then action clause may execute
» Rule-specific and reusable policy rules are supported by using the PolicyConditionInPolicyRule and PolicyActionInPolicyRule aggregations
» Multiple time periods may be used to define a schedule for which this PolicyRule is active by using the PolicyRuleValidityPeriod aggregation
» Rules may be prioritized
Slide 7
Types of PolicyRules
• Rule-specific PolicyRules are those whose components are embedded in the PolicyRule itself.
» The terms making up the PolicyRule can NOT be reused by other PolicyRules
• Reusable PolicyRules share one or more components with other PolicyRules
» PolicyRule components are stored in a common Policy Repository and referenced by the PolicyRules using them
• Each has implementation implications
Slide 8
PolicyGroup
• PolicyRules may be aggregated into PolicyGroups, which may be nested
» Enables hierarchical representation of policy (per-user, per-domain, etc.)
• Special semantics defined in QoS information model to represent different administrative scopes and groupings of rules
Slide 9
PolicyRepository
• Represents an administratively-defined container for holding REUSABLE policy conditions and actions
» May be extended to hold other types of reusable policy “building blocks”
» May be nested to provide more granular domain control
[Class diagram (slide between slides 9 and 11; title not recoverable). Recoverable content from the figure:
Policy (ABSTRACT): CommonName: string; PolicyKeywords: string[]
PolicyRule: CreationClassName: string[key]; PolicyRuleName: string[key]; Enabled: uint16; ConditionListType: uint16; RuleUsage: string; Priority: uint16; Mandatory: boolean; SequencedActions: uint16; PolicyRoles: string[]
PolicyGroup: CreationClassName: string[key]; PolicyGroupName: string[key]
PolicyCondition (ABSTRACT): SystemCreationClassName: string[key]; SystemName: string[key]; PolicyRuleCreationClassName: string[key]; PolicyRuleName: string[key]; CreationClassName: string[key]; PolicyConditionName: string[key]
PolicyAction (ABSTRACT): SystemCreationClassName: string[key]; SystemName: string[key]; PolicyRuleCreationClassName: string[key]; PolicyRuleName: string[key]; CreationClassName: string[key]; PolicyActionName: string[key]
PolicyRuleValidityPeriod (time-period subclass): TimePeriod: string; MonthOfYearMask: uint8[] [Octetstring]; DayOfMonthMask: uint8[] [Octetstring]; DayOfWeekMask: uint8[] [Octetstring]; TimeOfDayMask: string; LocalOrUtcTime: uint16
VendorPolicyCondition: Constraint: Octetstring[]; ConstraintEncoding: string[OID]
VendorPolicyAction: ActionData: Octetstring[]; ActionEncoding: string[OID]
Other classes shown: AdminDomain, PolicyRepository, PolicyComponent
Associations and aggregations shown: PolicyActionInPolicyRule, PolicyConditionInPolicyRule, PolicyRuleInPolicyGroup, PolicyConditionInPolicyRepository, PolicyActionInPolicyRepository, PolicyRuleValidityPeriod (cardinalities are not recoverable from the extracted text)]
Slide 11
Policy Conditions
• Abstract base class for domain-specific conditions that will be defined by domain-specific models (e.g., QoS model, IPSec model)
• Boolean condition expressed in CNF or DNF
» Individual condition terms can be negated
• Only defines keys (7 - System, PolicyRule, and its own CCN, Name, and a user-friendly name)
• Subclass of PolicyCondition to represent time when PolicyRule is active
» If not specified, then rule is always active
» PolicyRuleValidityPeriod is an aggregation that defines the set of time periods for a given PolicyRule
• Instances may have up to 5 properties that together specify the time period
» Property values are ANDed to determine the validity period; properties not present are treated as having their value always enabled
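An added example (not from the slides and not the PCIM encoding) of the validity-period rule just stated: the five properties are ANDed and an absent one counts as always enabled. The mask representation (Python sets and start/end tuples) is a constructed simplification rather than the octet-string masks of RFC 3060, and ORing several periods for one rule is an assumption.

```python
# Added example (not from the slides): deciding whether a PolicyRule is active at
# a given instant from its PolicyRuleValidityPeriod entries. The five properties
# the slides list are ANDed and a property left as None is "always enabled". The
# representation is a constructed simplification (sets and (start, end) tuples),
# not the octet-string mask encoding of RFC 3060.
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Set, Tuple

def _in_daily_window(t: time, start: time, end: time) -> bool:
    """Half-open daily window; may wrap past midnight (e.g. 22:00-06:00)."""
    return start <= t < end if start <= end else (t >= start or t < end)

@dataclass
class ValidityPeriod:
    time_period: Optional[Tuple[datetime, datetime]] = None  # TimePeriod: absolute [start, end)
    month_of_year: Optional[Set[int]] = None                  # MonthOfYearMask: 1..12
    day_of_month: Optional[Set[int]] = None                   # DayOfMonthMask: 1..31
    day_of_week: Optional[Set[int]] = None                    # DayOfWeekMask: 0=Mon .. 6=Sun
    time_of_day: Optional[Tuple[time, time]] = None           # TimeOfDayMask: daily window

    def is_active(self, now: datetime) -> bool:
        """All present properties must hold; absent ones are vacuously TRUE."""
        return all([
            self.time_period is None or self.time_period[0] <= now < self.time_period[1],
            self.month_of_year is None or now.month in self.month_of_year,
            self.day_of_month is None or now.day in self.day_of_month,
            self.day_of_week is None or now.weekday() in self.day_of_week,
            self.time_of_day is None or _in_daily_window(now.time(), *self.time_of_day),
        ])

def rule_is_active(periods: List[ValidityPeriod], when: str) -> bool:
    """when is an ISO-8601 timestamp. A rule with no validity periods is always
    active; with several, this example treats it as active when any one of them
    is (assumption: the slides only say they define a schedule)."""
    now = datetime.fromisoformat(when)
    return not periods or any(p.is_active(now) for p in periods)

# Constructed samples: weekday office hours, and a nightly window during Q1 only
OFFICE_HOURS = ValidityPeriod(day_of_week={0, 1, 2, 3, 4}, time_of_day=(time(9), time(17)))
Q1_NIGHTS = ValidityPeriod(month_of_year={1, 2, 3}, time_of_day=(time(22), time(6)))
```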
Slide 15
Policy Actions
• Abstract base class for domain-specific actions that will be defined by domain-specific models
» Deployed actions are bound to a System; reusable actions exist in a PolicyRepository
» Only defines keys (7 - System, PolicyRule, and its own CCN and Name, and a user-friendly name)
• Stored in a PolicyRepository and referenced using PolicyActionInPolicyRepository association
» Rule-specific PolicyConditions do NOT use this association; thus, cardinality is 0 for rule-specific, 1 for reusable
Slide 16
Policy Actions (2)
• PolicyActionInPolicyRule aggregation contains the set of action clauses for a given PolicyRule
» ActionOrder property indicates relative position of an action in the sequence of actions associated with a PolicyRule
– If n is a positive integer, it defines the order, with smaller integers being ordered first
– 0 is a special value that indicates “don’t care”
– Two or more properties with the same value can be executed in any order, as long as they are executed in the correct overall order in the sequence
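An added illustration (not from the slides) of the ActionOrder semantics just listed: a rule's PolicyActionInPolicyRule entries are grouped into stages that run in ascending ActionOrder, with equal values free to run in any order within a stage. Where the ActionOrder-0 ("don't care") actions are placed is not fixed by the slides; putting them last is an assumption, and the QoS-style sample actions are constructed.

```python
# Added example (not from the slides): turning the ActionOrder values on a
# PolicyRule's PolicyActionInPolicyRule entries into execution stages.
# Actions sharing a positive ActionOrder form one stage and may run in any
# order inside it; stages run in ascending ActionOrder. ActionOrder 0 means
# "don't care"; this example appends those actions as a final stage (assumption).
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

ActionEntry = Tuple[str, int, Callable[[Dict], None]]   # (PolicyActionName, ActionOrder, body)

def execution_stages(entries: List[ActionEntry]) -> List[List[str]]:
    """Group action names into ordered stages; rejects a negative ActionOrder."""
    by_order: Dict[int, List[str]] = defaultdict(list)
    dont_care: List[str] = []
    for name, order, _ in entries:
        if order < 0:
            raise ValueError(f"{name}: ActionOrder must be 0 or a positive integer")
        (dont_care if order == 0 else by_order[order]).append(name)
    stages = [by_order[o] for o in sorted(by_order)]   # smaller integers first
    if dont_care:
        stages.append(dont_care)
    return stages

def run_actions(entries: List[ActionEntry], ctx: Dict) -> List[str]:
    """Execute the actions stage by stage; returns the names in the order run."""
    bodies = {name: body for name, _, body in entries}
    executed: List[str] = []
    for stage in execution_stages(entries):
        for name in stage:          # any order within a stage is acceptable
            bodies[name](ctx)
            executed.append(name)
    return executed

# Constructed sample: a QoS-style rule whose actions must mark before queueing
def mark_dscp(ctx): ctx["dscp"] = 46
def police(ctx): ctx["rate_limited"] = True
def enqueue(ctx): ctx["queue"] = "ef" if ctx.get("dscp") == 46 else "be"
def log_hit(ctx): ctx["logged"] = True

sample_rule: List[ActionEntry] = [("Enqueue", 3, enqueue), ("MarkDSCP", 1, mark_dscp),
                                  ("Police", 1, police), ("LogHit", 0, log_hit)]
```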
• This aux class provides a single multi-valued attribute to point to the root of a set of subtrees that contain policy information
» Attaching this attribute to other class instances enables the administrator to define entry points to related policy information
– Can be used to define the order of visiting information in the policy tree (e.g., for a PDP)
– Can be used to tie different subtrees together
Slide 24
PolicyElementAuxClass
• This class is the aux equivalent of the Policy class
» Enables tagging of selected instances that are outside of the policy class hierarchy, but are nevertheless policy-related
» This works through searching on oc=policy
» Note that some directories don’t support this, so in these cases, policy-related entries must be tagged with the keyword Policy and searched on using an attribute search
Slide 25
Aux Containment Classes
• PolicyGroupContainmentAuxClass and PolicyRuleContainmentAuxClass
» Each contains a single multi-valued attribute that points to a set of PolicyGroups and PolicyRules, respectively
» Enables the administrator to bind PolicyGroups/PolicyRules to a container
Slide 26
PCIM Extensions
• New draft to simplify and encourage use of PCIM
» PolicyRepository broadened & renamed
» Rules may contain groups & other rules (context)
» Priorities & decision strategies clarified
» Refinements in the use of PolicyRoles
» Compound conditions & actions (reusable)
» Transactional semantics for action execution
» Variables & values, for conditions & actions
» Packet filtering in policy conditions based on variables/values
Slide 27
Building PolicyConditions
• The PolicyConditionInPolicyRule association has properties that require special mapping
» PolicyRuleConditionAssociation represents the properties and is attached via DIT containment
» The conditions themselves are represented by the PolicyConditionAuxClass (and its subclasses) which are either
– attached directly to instances of the PolicyRuleConditionAssociation for rule-specific classes, or
– indirectly, using a DN pointer to refer to an instance of a PolicyConditionInstance class