
RE: [Policy] PCLS classes deprecated in PCELS



David,
 
PCLS recommends:
 "A policy rule may have its conditions attached to itself and its actions
attached to other entries, or it may have its actions attached to itself
and its conditions attached to other entries. However, it SHALL NOT have
either its conditions or its actions attached both to itself and to
other entries, with one exception:  a policy rule may reference its
validity periods with the pcimRuleValidityPeriodList attribute, but have
its other conditions attached to itself."
 
Which implies that if a pcimTPCAuxClass is attached to a pcimRule (because pcimTPCAuxClass is a subclass of pcimConditionAuxClass) then no other conditions shall be aggregated (referenced) by that rule except for other validity periods aggregated through pcimRuleValidityPeriodList references. I am not sure about the reasons behind this limitation introduced by PCLS, but in PCELS we have simply rephrased it to make it clear for implementers.

Regards,
Mircea.
 
 
Things I disagree with:
5.6 pcimPolicyRule "If a pcimPolicyRule instance has a pcimConditionAuxClass attached to it then the attribute pcimConditionList SHOULD NOT be present in the same entry for the purpose of associating other conditions to the rule. However, when such situations occur the referenced conditions MUST NOT be considered as associated to the rule."
 - this means that re-usable conditions are not easily used in conjunction with customized conditions, i.e., we use PCIM to specify rules for policy-based filtering. For instance, we may have a pre-defined condition that is linked through the pcimConditionList, but the individual user may update their policy so that the rule contains a TimePeriodCondition that specifies it only is valid between the hours of 9-5. With the above language, this sort of amalgamation of conditions is not valid. I believe the configuration SHOULD be correct, and the evaluation of the conditions is done on a priority-based level.
 
 
Regards,
d.
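
The attachment rule discussed in this thread, written as a check over directory entries. This is an added example, not part of either message and not code from PCLS or PCELS; it shows which condition sources an evaluator following the quoted PCELS 5.6 text would use, and flags the mixed case where a referenced condition is silently dropped. The dict layout of an entry, the DNs, and the function and constant names are assumptions; the class and attribute names are the ones quoted in the thread.

```python
# Added illustration. Entries are dicts of attribute -> list of values,
# as an LDAP search would return them. All DNs below are constructed.

# Auxiliary classes that attach a condition directly to the rule entry.
# The thread states pcimTPCAuxClass is a subclass of pcimConditionAuxClass.
CONDITION_AUX = {"pcimconditionauxclass", "pcimtpcauxclass"}

def check_rule(entry):
    """Return (sources, findings) for one rule entry.

    sources  : condition sources that remain associated with the rule
    findings : conflicts with the attachment rule quoted in the thread
    """
    # LDAP attribute and class names are case-insensitive.
    attrs = {k.lower(): v for k, v in entry.items()}
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    attached = sorted(classes & CONDITION_AUX)
    referenced = attrs.get("pcimconditionlist", [])
    validity = attrs.get("pcimrulevalidityperiodlist", [])

    # Validity-period references are the stated exception: they may
    # coexist with conditions attached to the rule itself.
    sources = [("validity-ref", dn) for dn in validity]
    findings = []
    if attached:
        sources += [("attached", c) for c in attached]
        if referenced:
            # PCELS 5.6 as quoted: SHOULD NOT be present; if it is, the
            # referenced conditions MUST NOT be considered associated.
            findings.append(
                "pcimConditionList ignored: rule has attached condition "
                + ", ".join(attached))
    else:
        sources += [("referenced", dn) for dn in referenced]
    return sources, findings

# Constructed sample: the mixed configuration described in the thread.
MIXED = {
    "objectClass": ["pcimRule", "pcimTPCAuxClass"],
    "pcimConditionList": ["cn=reusable-filter,ou=policy,dc=example,dc=com"],
}
# Constructed sample: every condition is reached by reference.
REFERENCED = {
    "objectClass": ["pcimRule"],
    "pcimConditionList": ["cn=reusable-filter,ou=policy,dc=example,dc=com"],
    "pcimRuleValidityPeriodList": ["cn=office-hours,ou=policy,dc=example,dc=com"],
}
```

For a filtering rule, a non-empty `findings` list means the rule is evaluated with fewer conditions than the entry appears to carry, which is worth surfacing when the directory is audited.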