idnits 2.17.1

draft-reyes-policy-core-ext-schema-07.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3667, Section 5.1 on line 21.

  -- Found old boilerplate from RFC 3978, Section 5.5 on line 4031.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 4008.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 4015.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 4021.

  ** The document seems to lack an RFC 3978 Section 5.1 IPR Disclosure
     Acknowledgement -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  ** This document has an original RFC 3978 Section 5.4 Copyright Line,
     instead of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead
     of the newer disclaimer which includes the IETF Trust according to
     RFC 4748.

  ** The document uses RFC 3667 boilerplate or RFC 3978-like boilerplate
     instead of verbatim RFC 3978 boilerplate.  After 6 May 2005, submission
     of drafts without verbatim RFC 3978 boilerplate is not accepted.

     The following non-3978 patterns matched text found in the document.
     That text should be removed or replaced:

       By submitting this Internet-Draft, I certify that any applicable
       patent or other IPR claims of which I am aware have been disclosed,
       or will be disclosed, and any of which I become aware will be
       disclosed, in accordance with RFC 3668.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The abstract seems to contain references ([PCIM], [PCLS]), which it
     shouldn't.  Please replace those with straight textual mentions of the
     documents in question.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == Line 83 has weird spacing: '...y Class pcels...'

     (Using the creation date from RFC3703, updated by this document, for
     RFC5378 checks: 1998-11-23)

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to
     grant the BCP78 rights to the IETF Trust, then this is fine, and you can
     ignore this comment.  If not, you may need to add the pre-RFC5378
     disclaimer.  (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (October 2004) is 7105 days in the past.  Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '' and '' lines.

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Possible downref: Non-RFC (?) normative reference: ref. 'CIM'

  ** Obsolete normative reference: RFC 3377 (ref. 'LDAP') (Obsoleted by
     RFC 4510)

  -- Obsolete informational reference (is this intentional?): RFC 3383
     (ref. 'LDAP-IANA') (Obsoleted by RFC 4520)

  Summary: 7 errors (**), 0 flaws (~~), 3 warnings (==), 10 comments (--).

  Run idnits with the --verbose option for more detailed information about
  the items above.

--------------------------------------------------------------------------------

Network Working Group                                Mircea Pana, Editor
INTERNET-DRAFT                                                  MetaSolv
Updates: 3703                                             Angelica Reyes
                                                  University Veracruzana
                                                            Antoni Barba
                                                             David Moron
                                       Technical University of Catalonia
                                                          Marcus Brunner
                                                                     NEC

                                                            October 2004

   Policy Core Extension Lightweight Directory Access Protocol Schema

Status of this Memo

   By submitting this Internet-Draft, we certify that any applicable
   patent or other IPR claims of which we are aware have been
   disclosed, or will be disclosed, and any of which we become aware
   will be disclosed, in accordance with RFC 3668.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Abstract

   This document defines a number of changes and extensions to the
   Policy Core Lightweight Directory Access Protocol (LDAP) Schema
   (RFC 3703) based on the model extensions defined by the Policy Core
   Information Model (PCIM) Extensions (RFC 3460).
   These changes and extensions consist of new LDAP object classes and
   attribute types. Some of the schema items defined in this document
   re-implement existing concepts in accordance with their new
   semantics introduced by RFC 3460. The other schema items implement
   new concepts, not covered by RFC 3703. This document updates
   RFC 3703.

Table of contents

   1. Introduction
   2. Relationship to other Policy Framework Documents
   3. Inheritance Hierarchy for PCELS
   4. General Discussion of Mapping the Policy Core Information
      Model Extensions to LDAP
      4.1 Summary of Class Mappings
      4.2 Summary of Association Mappings
      4.3 Summary of changes since PCLS
      4.4 Relationship to PCLS classes
      4.5 Impact on existing implementations
          of the Policy Core LDAP Schema
      4.6 The Association of PolicyVariable and PolicyValues
          to PolicySimpleCondition and PolicySimpleAction
      4.7 The Aggregation of PolicyRules and PolicyGroups in
          PolicySets
      4.8 The Aggregation of actions/conditions in PolicyRules and
          CompoundActions/CompoundConditions
   5. Class Definitions
      5.1  The Abstract Class pcelsPolicySet
      5.2  The Structural Class pcelsPolicySetAssociation
      5.3  The Three Policy Group Classes
      5.4  The Three Policy Rule Classes
      5.5  The Structural Class pcelsConditionAssociation
      5.6  The Structural Class pcelsActionAssociation
      5.7  The Auxiliary Class pcelsSimpleConditionAuxClass
      5.8  The Auxiliary Class pcelsCompoundConditionAuxClass
      5.9  The Auxiliary Class pcelsCompoundFilterConditionAuxClass
      5.10 The Auxiliary Class pcelsSimpleActionAuxClass
      5.11 The Auxiliary Class pcelsCompoundActionAuxClass
      5.12 The Abstract Class pcelsVariable
      5.13 The Auxiliary Class pcelsExplicitVariableAuxClass
      5.14 The Auxiliary Class pcelsImplicitVariableAuxClass
      5.15 The Subclasses of pcelsImplicitVariableAuxClass
      5.16 The Auxiliary Class pcelsValueAuxClass
      5.17 The Subclasses of pcelsValueAuxClass
      5.18 The Three Reusable Policy Container Classes
      5.19 The Structural Class pcelsRoleCollection
      5.20 The Abstract Class pcelsFilterEntryBase
      5.21 The Structural Class pcelsIPHeadersFilter
      5.22 The Structural Class pcels8021Filter
      5.23 The Auxiliary Class pcelsFilterListAuxClass
      5.24 The Auxiliary Class pcelsVendorVariableAuxClass
      5.25 The Auxiliary Class pcelsVendorValueAuxClass
   6. Security Considerations
   7. IANA Considerations
      7.1 Object Identifiers
      7.2 Object Identifier Descriptors
   8. Acknowledgments
   9. Normative References
   10. Informative References
   11. Authors' Addresses
   13. Intellectual Property Statement

PLEASE NOTE:

   OIDs for the schema elements specified herein are shown in symbolic
   form, for example IANA-ASSIGNED-OID.1.1, where IANA-ASSIGNED is a
   placeholder for the OID to be assigned to this document, by IANA.
   See section 7 ("IANA Considerations") for details.
   RFC-Editor, please see the note at the end of this document.

Specification of Requirements

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [KEYWORDS].

1. Introduction

   This document defines a number of changes and extensions to the
   Policy Core Lightweight Directory Access Protocol (LDAP) Schema
   [PCLS] based on the model extensions defined by the Policy Core
   Information Model (PCIM) Extensions [PCIM_EXT]. These changes and
   extensions consist of new LDAP object classes and attribute
   types [LDAP]. Some of the schema items defined in this document
   re-implement existing concepts in accordance with their new
   semantics introduced by [PCIM_EXT]. The other schema items
   implement new concepts, not covered by [PCLS].
   This document updates RFC 3703 [PCLS].

   In addition to the concepts defined by [PCIM_EXT], this document
   introduces two new classes: pcelsVendorVariableAuxClass and
   pcelsVendorValueAuxClass.
   These classes provide a standard extension mechanism for
   vendor-specific policy variables and policy values that have not
   been specifically modeled.

   Within the context of this document, the term 'PCELS' (Policy Core
   Extension LDAP Schema) is used to refer to the LDAP object class
   and attribute type definitions and the associated recommendations
   contained in this document.

2. Relationship to other Policy Framework Documents

   This document contains an LDAP schema mapping for the classes
   defined in the "Policy Core Information Model (PCIM) Extensions"
   [PCIM_EXT]. The LDAP schema defined in this document is an extension
   to the "Policy Core Lightweight Directory Access Protocol (LDAP)
   Schema" [PCLS], which defines the mapping of the "Policy Core
   Information Model -- Version 1 Specification" [PCIM] to an LDAP
   schema.

   These three documents ([PCIM], [PCIM_EXT] and [PCLS]) are a
   prerequisite for reading and understanding this document.

   Other documents may subsequently be produced, with mappings of the
   same model to other storage or transport technologies.

3. Inheritance Hierarchy for PCELS

   The object class and attribute type names defined in this document
   are prefixed 'pcels'.

   The following diagram illustrates the combined class hierarchy for
   the LDAP object classes defined in this document and other documents
   as follows:
   - The class names prefixed 'pcels' are defined in this document.
   - The class names prefixed 'pcim' are defined in [PCLS].
   - The class names prefixed 'dlm1' are defined in [CIM_LDAP].
   - The class named 'top' is defined in [LDAP_SCHEMA].

   All the new object classes except for pcelsVendorVariableAuxClass
   and pcelsVendorValueAuxClass, are mapped from concepts defined or
   modified by [PCIM_EXT]. The pcelsVendorVariableAuxClass and
   pcelsVendorValueAuxClass classes are not mapped from [PCIM_EXT].
   They represent concepts introduced in this document.

     top
      |
      +---dlm1ManagedElement (abstract)
      |   |
      |   +---pcimPolicy (abstract)
      |   |   |
      |   |   +---pcelsPolicySet (abstract new)
      |   |   |   |
      |   |   |   +---pcelsGroup (abstract new)
      |   |   |   |   |
      |   |   |   |   +---pcelsGroupAuxClass (auxiliary new)
      |   |   |   |   |
      |   |   |   |   +---pcelsGroupInstance (structural new)
      |   |   |   |
      |   |   |   +---pcelsRule (abstract new)
      |   |   |       |
      |   |   |       +---pcelsRuleAuxClass (auxiliary new)
      |   |   |       |
      |   |   |       +---pcelsRuleInstance (structural new)
      |   |   |
      |   |   +---pcimGroup (abstract)
      |   |   |   |
      |   |   |   +---pcimGroupAuxClass (auxiliary)
      |   |   |   |
      |   |   |   +---pcimGroupInstance (structural)
      |   |   |
      |   |   +---pcimRule (abstract)
      |   |   |   |
      |   |   |   +---pcimRuleAuxClass (auxiliary)
      |   |   |   |
      |   |   |   +---pcimRuleInstance (structural)
      |   |   |
      |   |   +---pcimRuleConditionAssociation (structural)
      |   |   |   |
      |   |   |   +---pcelsConditionAssociation (structural new)
      |   |   |
      |   |   +---pcimRuleValidityAssociation (structural)
      |   |   |
      |   |   +---pcimRuleActionAssociation (structural)
      |   |   |   |
      |   |   |   +---pcelsActionAssociation (structural new)
      |   |   |
      |   |   +---pcelsPolicySetAssociation (structural new)
      |   |   |
      |   |   +---pcimPolicyInstance (structural)
      |   |   |
      |   |   +---pcimElementAuxClass (auxiliary)
      |   |   |
      |   |   +---pcelsRoleCollection (structural new)
      |   |   |
      |   |   +---pcelsFilterEntryBase (abstract new)
      |   |       |
      |   |       +---pcelsIPHeadersFilter (structural new)
      |   |       |
      |   |       +---pcels8021Filter (structural new)
      |   |
      |   +---dlm1ManagedSystemElement (abstract)
      |       |
      |       +---dlm1LogicalElement (abstract)
      |           |
      |           +---dlm1System (abstract)
      |               |
      |               +---dlm1AdminDomain (abstract)
      |                   |
      |                   +---pcimRepository (abstract)
      |                       |
      |                       +---pcimRepositoryAuxClass (auxiliary)
      |                       |
      |                       +---pcimRepositoryInstance (structural)
      |                       |
      |                       +---pcelsReusableContainer (abstract new)
      |                           |
      |                           +---pcelsReusableContainerAuxClass
      |                           |     (auxiliary new)
      |                           |
      |                           +---pcelsReusableContainerInstance
      |                                 (structural new)
      |
      +---pcimConditionAuxClass (auxiliary)
      |   |
      |   +---pcimTPCAuxClass (auxiliary)
      |   |
      |   +---pcimConditionVendorAuxClass (auxiliary)
      |   |
      |   +---pcelsSimpleConditionAuxClass (auxiliary new)
      |   |
      |   +---pcelsCompoundConditionAuxClass (auxiliary new)
      |   |   |
      |   |   +---pcelsCompoundFilterConditionAuxClass (auxiliary new)
      |   |
      |   +---pcelsFilterListAuxClass (auxiliary new)
      |
      +---pcimActionAuxClass (auxiliary)
      |   |
      |   +---pcimActionVendorAuxClass (auxiliary)
      |   |
      |   +---pcelsSimpleActionAuxClass (auxiliary new)
      |   |
      |   +---pcelsCompoundActionAuxClass (auxiliary new)
      |
      +---pcelsVariable (abstract new)
      |   |
      |   +---pcelsVendorVariableAuxClass (auxiliary new)
      |   |
      |   +---pcelsExplicitVariableAuxClass (auxiliary new)
      |   |
      |   +---pcelsImplicitVariableAuxClass (auxiliary new)
      |       |
      |       +---pcelsSourceIPv4VariableAuxClass (auxiliary new)
      |       |
      |       +---pcelsSourceIPv6VariableAuxClass (auxiliary new)
      |       |
      |       +---pcelsDestinationIPv4VariableAuxClass (auxiliary new)
      |       |
      |       +---pcelsDestinationIPv6VariableAuxClass (auxiliary new)
      |       |
      |       +---pcelsSourcePortVariableAuxClass (auxiliary new)
      |       |
      |       +---pcelsDestinationPortVariableAuxClass (auxiliary new)
      |       |
      |       +---pcelsIPProtocolVariableAuxClass (auxiliary new)
      |       |
      |       +---pcelsIPVersionVariableAuxClass (auxiliary new)
      |       |
      |       +---pcelsIPToSVariableAuxClass (auxiliary new)
      |       |
      |       +---pcelsDSCPVariableAuxClass (auxiliary new)
      |       |
      |       +---pcelsFlowIdVariableAuxClass (auxiliary new)
      |       |
      |       +---pcelsSourceMACVariableAuxClass (auxiliary new)
      |       |
      |       +---pcelsDestinationMACVariableAuxClass (auxiliary new)
      |       |
      |       +---pcelsVLANVariableAuxClass (auxiliary new)
      |       |
      |       +---pcelsCoSVariableAuxClass (auxiliary new)
      |       |
      |       +---pcelsEthertypeVariableAuxClass (auxiliary new)
      |       |
      |       +---pcelsSourceSAPVariableAuxClass (auxiliary new)
      |       |
      |       +---pcelsDestinationSAPVariableAuxClass (auxiliary new)
      |       |
      |       +---pcelsSNAPOUIVariableAuxClass (auxiliary new)
      |       |
      |       +---pcelsSNAPTypeVariableAuxClass (auxiliary new)
      |       |
      |       +---pcelsFlowDirectionVariableAuxClass (auxiliary new)
      |
      +---pcelsValueAuxClass (auxiliary new)
      |   |
      |   +---pcelsVendorValueAuxClass (auxiliary new)
      |   |
      |   +---pcelsIPv4AddrValueAuxClass (auxiliary new)
      |   |
      |   +---pcelsIPv6AddrValueAuxClass (auxiliary new)
      |   |
      |   +---pcelsMACAddrValueAuxClass (auxiliary new)
      |   |
      |   +---pcelsStringValueAuxClass (auxiliary new)
      |   |
      |   +---pcelsBitStringValueAuxClass (auxiliary new)
      |   |
      |   +---pcelsIntegerValueAuxClass (auxiliary new)
      |   |
      |   +---pcelsBooleanValueAuxClass (auxiliary new)
      |
      +---pcimSubtreesPtrAuxClass (auxiliary)
      |
      +---pcimGroupContainmentAuxClass (auxiliary)
      |
      +---pcimRuleContainmentAuxClass (auxiliary)

   Figure 1. LDAP Class Inheritance Hierarchy for PCELS

4. General Discussion of Mapping the Policy Core Information Model
   Extensions to LDAP

   The object classes described in this document contain certain
   optimizations for a directory that uses LDAP as its access protocol.
   One example of this is the use of auxiliary class attachment to LDAP
   entries for the realization of some of the associations defined in
   the information model. For instance, the aggregation of a specific
   SimplePolicyCondition to a reusable PolicyRule [PCIM_EXT] may be
   realized by attaching a pcelsSimpleConditionAuxClass to a
   pcelsRuleInstance entry.

   Note that other data stores might need to implement the associations
   differently.
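
   An association realized by auxiliary class attachment is visible in
   the objectClass values of the rule entry itself. The following is an
   added example, not part of the draft: it classifies the condition
   and action classes attached to a rule entry by walking the
   superclass links of Figure 1. The entry dictionaries, DNs and
   function names are constructed for illustration.

```python
# Added example, not part of the draft.
# SUPERCLASS is an excerpt of Figure 1: class name -> direct superclass.
SUPERCLASS = {
    "dlm1ManagedElement": "top",
    "pcimPolicy": "dlm1ManagedElement",
    "pcelsPolicySet": "pcimPolicy",
    "pcelsRule": "pcelsPolicySet",
    "pcelsRuleAuxClass": "pcelsRule",
    "pcelsRuleInstance": "pcelsRule",
    "pcimConditionAuxClass": "top",
    "pcimTPCAuxClass": "pcimConditionAuxClass",
    "pcimConditionVendorAuxClass": "pcimConditionAuxClass",
    "pcelsSimpleConditionAuxClass": "pcimConditionAuxClass",
    "pcelsCompoundConditionAuxClass": "pcimConditionAuxClass",
    "pcelsCompoundFilterConditionAuxClass": "pcelsCompoundConditionAuxClass",
    "pcelsFilterListAuxClass": "pcimConditionAuxClass",
    "pcimActionAuxClass": "top",
    "pcimActionVendorAuxClass": "pcimActionAuxClass",
    "pcelsSimpleActionAuxClass": "pcimActionAuxClass",
    "pcelsCompoundActionAuxClass": "pcimActionAuxClass",
}

# LDAP object class names compare case-insensitively.
_CANONICAL = {name.lower(): name for name in [*SUPERCLASS, "top"]}


def canonical(name):
    """Return the Figure 1 spelling of a class name, or None if unknown."""
    return _CANONICAL.get(name.strip().lower())


def superclasses(name):
    """Superclass chain of a class, nearest first (empty if unknown)."""
    chain, current = [], canonical(name)
    while current in SUPERCLASS:
        current = SUPERCLASS[current]
        chain.append(current)
    return chain


def is_a(name, ancestor):
    """True if 'name' is 'ancestor' or one of its subclasses."""
    cls, anc = canonical(name), canonical(ancestor)
    if cls is None or anc is None:
        return False
    return cls == anc or anc in superclasses(cls)


def attached_components(entry):
    """Condition and action classes attached to an entry.

    An entry may list a class together with its superclasses; only the
    most specific class of each chain is reported.
    """
    known = []
    for value in entry.get("objectClass", []):
        cls = canonical(value)
        if cls and cls not in known:
            known.append(cls)
    implied = {sup for cls in known for sup in superclasses(cls)}
    leaves = [cls for cls in known if cls not in implied]
    return {
        "conditions": [c for c in leaves if is_a(c, "pcimConditionAuxClass")],
        "actions": [c for c in leaves if is_a(c, "pcimActionAuxClass")],
    }


def rule_components(entry):
    """attached_components() for rule entries, None for anything else."""
    if not any(is_a(v, "pcelsRule") for v in entry.get("objectClass", [])):
        return None
    return attached_components(entry)


# Constructed sample entries (DNs are made up for illustration).
RULE_WITH_ATTACHED_PARTS = {
    "dn": "cn=rule1,ou=policies,dc=example,dc=com",
    "objectClass": ["top", "pcelsRuleInstance",
                    "pcelsSimpleConditionAuxClass",
                    "pcelsSimpleActionAuxClass"],
}
RULE_WITH_FILTER_CONDITION = {
    "dn": "cn=rule2,ou=policies,dc=example,dc=com",
    "objectClass": ["pcelsRuleInstance", "pcimConditionAuxClass",
                    "pcelsCompoundConditionAuxClass",
                    "PCELSCOMPOUNDFILTERCONDITIONAUXCLASS"],
}
NOT_A_RULE = {
    "dn": "ou=policies,dc=example,dc=com",
    "objectClass": ["top", "organizationalUnit"],
}

if __name__ == "__main__":
    for sample in (RULE_WITH_ATTACHED_PARTS, RULE_WITH_FILTER_CONDITION,
                   NOT_A_RULE):
        print(sample["dn"], rule_components(sample))
```
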

4.1 Summary of Class Mappings

   The classes and their properties defined in the information model
   [PCIM_EXT] map directly to LDAP object classes and attribute types.

   The details of this mapping are discussed case by case in section 5.

+-------------------------------+--------------------------------------+
| Information Model (PCIM_EXT)  | LDAP Class(es)                       |
+-------------------------------+--------------------------------------+
| PolicySet                     | pcelsPolicySet                       |
+-------------------------------+--------------------------------------+
| PolicyGroup                   | pcelsGroup                           |
|                               | pcelsGroupAuxClass                   |
|                               | pcelsGroupInstance                   |
+-------------------------------+--------------------------------------+
| PolicyRule                    | pcelsRule                            |
|                               | pcelsRuleAuxClass                    |
|                               | pcelsRuleInstance                    |
+-------------------------------+--------------------------------------+
| SimplePolicyCondition         | pcelsSimpleConditionAuxClass         |
+-------------------------------+--------------------------------------+
| CompoundPolicyCondition       | pcelsCompoundConditionAuxClass       |
+-------------------------------+--------------------------------------+
| CompoundFilterCondition       | pcelsCompoundFilterConditionAuxClass |
+-------------------------------+--------------------------------------+
| SimplePolicyAction            | pcelsSimpleActionAuxClass            |
+-------------------------------+--------------------------------------+
| CompoundPolicyAction          | pcelsCompoundActionAuxClass          |
+-------------------------------+--------------------------------------+
| PolicyVariable                | pcelsVariable                        |
+-------------------------------+--------------------------------------+
| --------------                | pcelsVendorVariableAuxClass          |
+-------------------------------+--------------------------------------+
| PolicyExplicitVariable        | pcelsExplicitVariableAuxClass        |
+-------------------------------+--------------------------------------+
| PolicyImplicitVariable        | pcelsImplicitVariableAuxClass        |
+-------------------------------+--------------------------------------+
| PolicySourceIPv4Variable      | pcelsSourceIPv4VariableAuxClass      |
+-------------------------------+--------------------------------------+
| PolicySourceIPv6Variable      | pcelsSourceIPv6VariableAuxClass      |
+-------------------------------+--------------------------------------+
| PolicyDestinationIPv4Variable | pcelsDestinationIPv4VariableAuxClass |
+-------------------------------+--------------------------------------+
| PolicyDestinationIPv6Variable | pcelsDestinationIPv6VariableAuxClass |
+-------------------------------+--------------------------------------+
| PolicySourcePortVariable      | pcelsSourcePortVariableAuxClass      |
+-------------------------------+--------------------------------------+
| PolicyDestinationPortVariable | pcelsDestinationPortVariableAuxClass |
+-------------------------------+--------------------------------------+
| PolicyIPProtocolVariable      | pcelsIPProtocolVariableAuxClass      |
+-------------------------------+--------------------------------------+
| PolicyIPVersionVariable       | pcelsIPVersionVariableAuxClass       |
+-------------------------------+--------------------------------------+
| PolicyIPToSVariable           | pcelsIPToSVariableAuxClass           |
+-------------------------------+--------------------------------------+
| PolicyDSCPVariable            | pcelsDSCPVariableAuxClass            |
+-------------------------------+--------------------------------------+
| PolicyFlowIDVariable          | pcelsFlowIDVariableAuxClass          |
+-------------------------------+--------------------------------------+
| PolicySourceMACVariable       | pcelsSourceMACVariableAuxClass       |
+-------------------------------+--------------------------------------+
| PolicyDestinationMACVariable  | pcelsDestinationMACVariableAuxClass  |
+-------------------------------+--------------------------------------+
| PolicyVLANVariable            | pcelsVLANVariableAuxClass            |
+-------------------------------+--------------------------------------+
| PolicyCoSVariable             | pcelsCoSVariableAuxClass             |
+-------------------------------+--------------------------------------+
| PolicyEthertypeVariable       | pcelsEthertypeVariableAuxClass       |
+-------------------------------+--------------------------------------+
| PolicySourceSAPVariable       | pcelsSourceSAPVariableAuxClass       |
+-------------------------------+--------------------------------------+
| PolicyDestinationSAPVariable  | pcelsDestinationSAPVariableAuxClass  |
+-------------------------------+--------------------------------------+
| PolicySNAPOUIVariable         | pcelsSNAPOUIVariableAuxClass         |
+-------------------------------+--------------------------------------+
| PolicySNAPTypeVariable        | pcelsSNAPTypeVariableAuxClass        |
+-------------------------------+--------------------------------------+
| PolicyFlowDirectionVariable   | pcelsFlowDirectionVariableAuxClass   |
+-------------------------------+--------------------------------------+
| PolicyValue                   | pcelsValueAuxClass                   |
+-------------------------------+--------------------------------------+
| -------------                 | pcelsVendorValueAuxClass             |
+-------------------------------+--------------------------------------+
| PolicyIPv4AddrValue           | pcelsIPv4AddrValueAuxClass           |
+-------------------------------+--------------------------------------+
| PolicyIPv6AddrValue           | pcelsIPv6AddrValueAuxClass           |
+-------------------------------+--------------------------------------+
| PolicyMACAddrValue            | pcelsMACAddrValueAuxClass            |
+-------------------------------+--------------------------------------+
| PolicyStringValue             | pcelsStringValueAuxClass             |
+-------------------------------+--------------------------------------+
| PolicyBitStringValue          | pcelsBitStringValueAuxClass          |
+-------------------------------+--------------------------------------+
| PolicyIntegerValue            | pcelsIntegerValueAuxClass            |
+-------------------------------+--------------------------------------+
| PolicyBooleanValue            | pcelsBooleanValueAuxClass            |
+-------------------------------+--------------------------------------+
| PolicyRoleCollection          | pcelsRoleCollection                  |
+-------------------------------+--------------------------------------+
| ReusablePolicyContainer       | pcelsReusableContainer               |
|                               | pcelsReusableContainerAuxClass       |
|                               | pcelsReusableContainerInstance       |
+-------------------------------+--------------------------------------+
| FilterEntryBase               | pcelsFilterEntryBase                 |
+-------------------------------+--------------------------------------+
| IPHeadersFilter               | pcelsIPHeadersFilter                 |
+-------------------------------+--------------------------------------+
| 8021Filter                    | pcels8021Filter                      |
+-------------------------------+--------------------------------------+
| FilterList                    | pcelsFilterListAuxClass              |
+-------------------------------+--------------------------------------+

   Figure 2. Mapping of Information Model Extension Classes to LDAP

   The pcelsVendorVariableAuxClass and pcelsVendorValueAuxClass
   classes are not mapped from [PCIM_EXT]. These classes are introduced
   in this document as a new extension mechanism for vendor-specific
   policy variables and policy values that have not been specifically
   modeled. Just like for any other schema elements defined in this
   document or in [PCLS], a particular submodel schema will not, in
   general, need to use vendor specific variable and value classes.
   Submodel schemas SHOULD apply the recommendations of section 5.10 of
   [PCIM_EXT] with regards to the supported and unsupported elements.

4.2 Summary of Association Mappings

   The associations in the information model map to one or more of the
   following options:
   1. attributes that reference DNs (Distinguished Names)
   2. Directory Information Tree (DIT) containment
      (i.e., superior-subordinate relationships) in LDAP
   3. auxiliary class attachment
   4. association object classes and attributes that reference DNs

   The details of this mapping are discussed case by case in section 5.

+------------------------------------+---------------------------------+
| Information Model Association      | LDAP Attribute/Class            |
+------------------------------------+---------------------------------+
| PolicySetComponent                 | pcelsPolicySetComponentList in  |
|                                    | pcelsPolicySet and              |
|                                    | pcelsPolicySetDN in             |
|                                    | pcelsPolicySetAssociation       |
+------------------------------------+---------------------------------+
| PolicySetInSystem                  | DIT Containment and             |
|                                    | pcelsPolicySetDN in             |
|                                    | pcelsPolicySetAssociation       |
+------------------------------------+---------------------------------+
| PolicyGroupInSystem                | DIT Containment and             |
|                                    | pcelsPolicySetDN in             |
|                                    | pcelsPolicySetAssociation       |
+------------------------------------+---------------------------------+
| PolicyRuleInSystem                 | DIT Containment and             |
|                                    | pcelsPolicySetDN in             |
|                                    | pcelsPolicySetAssociation       |
+------------------------------------+---------------------------------+
| PolicyConditionStructure           | pcimConditionDN in              |
|                                    | pcelsConditionAssociation       |
+------------------------------------+---------------------------------+
| PolicyConditionInPolicyRule        | pcelsConditionList in           |
|                                    | pcelsRule and                   |
|                                    | pcimConditionDN in              |
|                                    | pcelsConditionAssociation       |
+------------------------------------+---------------------------------+
| PolicyConditionInPolicyCondition   | pcelsConditionList in           |
|                                    | pcelsCompoundConditionAuxClass  |
|                                    | and pcimConditionDN in          |
|                                    | pcelsConditionAssociation       |
+------------------------------------+---------------------------------+
| PolicyActionStructure              | pcimActionDN in                 |
|                                    | pcelsActionAssociation          |
+------------------------------------+---------------------------------+
| PolicyActionInPolicyRule           | pcelsActionList in              |
|                                    | pcelsRule and                   |
|                                    | pcimActionDN in                 |
|                                    | pcelsActionAssociation          |
+------------------------------------+---------------------------------+
| PolicyActionInPolicyAction         | pcelsActionList in              |
|                                    | pcelsCompoundActionAuxClass     |
|                                    | and pcimActionDN in             |
|                                    | pcelsActionAssociation          |
+------------------------------------+---------------------------------+
| PolicyVariableInSimplePolicy       | pcelsVariableDN in              |
| Condition                          | pcelsSimpleConditionAuxClass    |
+------------------------------------+---------------------------------+
| PolicyValueInSimplePolicy          | pcelsValueDN in                 |
| Condition                          | pcelsSimpleConditionAuxClass    |
+------------------------------------+---------------------------------+
| PolicyVariableInSimplePolicy       | pcelsVariableDN in              |
| Action                             | pcelsSimpleActionAuxClass       |
+------------------------------------+---------------------------------+
| PolicyValueInSimplePolicyAction    | pcelsValueDN in                 |
|                                    | pcelsSimpleActionAuxClass       |
+------------------------------------+---------------------------------+
| ReusablePolicy                     | DIT containment                 |
+------------------------------------+---------------------------------+
| ExpectedPolicyValuesForVariable    | pcelsExpectedValueList in       |
|                                    | pcelsVariable                   |
+------------------------------------+---------------------------------+
| ContainedDomain                    | DIT containment or              |
|                                    | pcelsReusableContainerList in   |
|                                    | pcelsReusableContainer          |
+------------------------------------+---------------------------------+
| EntriesInFilterList                | pcelsFilterEntryList in         |
|                                    | pcelsFilterListAuxClass         |
+------------------------------------+---------------------------------+
| ElementInPolicyRoleCollection      | DIT containment or              |
|                                    | pcelsElementList in             |
|                                    | pcelsRoleCollection             |
+------------------------------------+---------------------------------+
| PolicyRoleCollectionInSystem       | DIT Containment                 |
+------------------------------------+---------------------------------+

   Figure 3. Mapping of Information Model Extension Associations to LDAP

   Two [PCIM_EXT] associations are mapped to DIT containment:

   - PolicyRoleCollectionInSystem is a weak association and weak
     associations map well to DIT containment [CIM_LDAP] (without
     being limited to this mapping). In the absence of additional
     constraints, DIT containment is chosen here as the optimal
     association mapping.

   - ReusablePolicy is mapped to DIT containment for scalability
     reasons: it is expected that applications will associate a large
     number of policy instances to a ReusablePolicyContainer and DIT
     containment is a type of association that scales well.

4.3 Summary of changes since PCLS

   This section provides an overview of the changes relative to [PCLS]
   defined in this document:

   1. The concept of a set of policies is introduced by means of two
   new object classes: pcelsPolicySet and pcelsPolicySetAssociation.
   These classes enable the aggregation and relative prioritization of
   policies (rules and/or groups). The attribute pcelsPriority is used
   by pcelsPolicySetAssociation instances to indicate the priority of
   a policy relative to the other policies aggregated by the same set.
   Applications may use this attribute to apply appropriate ordering
   to the aggregated policies.
   This new policy aggregation mechanism
   provides an alternative to the aggregation mechanism defined by
   [PCLS] (that defines pcimRuleContainmentAuxClass and/or
   pcimGroupContainmentAuxClass for attaching components to a
   pcimGroup).

   2. The attribute pcimRoles defined by [PCLS] is used here by the
   pcelsPolicySet object class. Thus, the role based policy selection
   mechanism is extended to all the subclasses of pcelsPolicySet.

   3. A new attribute pcelsDecisionStrategy is added on the
   pcelsPolicySet class as a mapping from the decision mechanism.

   4. A new class pcelsGroup (with two subclasses) implements the
   modified semantics of the PolicyGroup in accordance with [PCIM_EXT].
   This new class inherits from its superclass pcelsPolicySet the
   ability to aggregate (with relative priority) other policy rules or
   groups.

   5. A new class pcelsRule (with two subclasses) implements the
   modified semantics of the PolicyRule in accordance with [PCIM_EXT].
   This new class does not include an absolute priority attribute but
   instances of non-abstract subclasses of pcelsRule can be prioritized
   relative to each other within a System (behavior inherited from its
   superclass: pcelsPolicySet). The pcelsRule class also inherits from
   pcelsPolicySet the ability to aggregate other policy rules or groups.
   This makes it possible to construct nested rule structures of
   arbitrary complexity.

   6. A new attribute pcelsExecutionStrategy is added to the
   pcelsRule and pcelsCompoundActionAuxClass classes to allow the
   specification of the expected behavior in case of multiple actions
   aggregated by a rule or by a compound action.

   7. Compound Conditions: The pcelsCompoundConditionAuxClass class is
   added in order to map the CompoundPolicyCondition class. A new class,
   pcelsConditionAssociation, is used to aggregate policy conditions in
   a pcelsCompoundConditionAuxClass.
   The same class is also used to
   aggregate policy conditions in a pcelsRule.

   8. Compound Actions: The pcelsCompoundActionAuxClass class is
   added in order to map the CompoundPolicyAction class. A new class,
   pcelsActionAssociation, is used to aggregate policy actions in
   a pcelsCompoundActionAuxClass. The same class is also used to
   aggregate policy actions in a pcelsRule.

   9. Simple Conditions, Simple Actions, Variables and Values: The
   simple condition, simple action, variable and value classes defined
   by [PCIM_EXT] are directly mapped to LDAP object classes. These are:
   pcelsSimpleConditionAuxClass, pcelsSimpleActionAuxClass,
   pcelsVariable and its subclasses, and pcelsValueAuxClass and its
   subclasses.

   10. A general extension mechanism is introduced for representing
   policy variables and values that have not been specifically modeled.
   The mechanism is intended for vendor-specific extensions.

   11. Reusable Policy Repository: A new class (with two subclasses),
   pcelsReusableContainer, is created as a subclass of pcimRepository.
   While maintaining compatibility with older [PCLS] implementations,
   the addition of this class acknowledges the intent of [PCIM_EXT] to
   avoid the potential for confusion with the Policy Framework component
   named Policy Repository. The new class enables many-to-many
   associations between reusable policy containers.

   12. The ReusablePolicy association defined in [PCIM_EXT] is realized
   through subordination to an instance of a non-abstract subclass of
   pcelsReusableContainer. Thus, reusable policy components (groups,
   rules, conditions, actions, variables and values) may be defined as
   stand-alone entries or stand-alone groups of related entries
   subordinated (DIT contained) to a pcelsReusableContainer.

   13. Device level filter classes are added to the schema.

   14. The pcelsRoleCollection class is added to the schema to allow
   the association of policy roles to resources represented as LDAP
   entries.

4.4 Relationship to PCLS classes

   Several [PCLS] classes are used in this document to derive other
   classes. If a PCELS application requires a functionality provided
   by any of the derived classes, then the [PCLS] class MUST also be
   supported by PCELS implementations. These classes are:
      pcimPolicy
      pcimRuleConditionAssociation
      pcimRuleActionAssociation
      pcimConditionAuxClass
      pcimActionAuxClass
      pcimRepository

   Other [PCLS] classes are neither used to derive classes defined in
   this document nor superseded by them. If a PCELS application
   requires a functionality provided by any of these classes, then the
   [PCLS] class SHOULD be used. These classes are:
      pcimRuleValidityAssociation
      pcimTPCAuxClass
      pcimConditionVendorAuxClass
      pcimActionVendorAuxClass
      pcimPolicyInstance
      pcimElementAuxClass
      pcimSubtreesPtrAuxClass

   Among the classes defined in this document some implement concepts
   that supersede the concepts implemented by similar [PCLS] classes.
   PCELS implementations MAY support such [PCLS] classes.
   These classes are:
      pcimGroup and its subclasses
      pcimRule and its subclasses
      pcimGroupContainmentAuxClass
      pcimRuleContainmentAuxClass
      the subclasses of pcimRepository

4.5 Impact on existing implementations of the Policy Core LDAP Schema

   In general, the intent of PCELS is to extend the functionality
   offered by the Policy Core LDAP Schema. For the most part, the
   compatibility with [PCLS] is preserved. The few cases where
   compatibility cannot be achieved due to fundamental changes imposed
   by [PCIM_EXT] are defined here as alternatives to the original
   implementation.

   PCELS does not obsolete nor deprecate the concepts implemented by
   [PCLS].
   The new LDAP schema items are defined in this document in a
   way that avoids, to the extent possible, interference with the normal
   operation of a reasonably well executed implementation of [PCLS].
   The intent is to permit at least a harmless coexistence of the two
   models in the same data repository.

   It should be noted, however, that PCELS introduces the following
   changes that may have an impact on some [PCLS] implementations:

   1. Some attributes originally used only by pcimRule or pcimGroup
   are now also used by classes unknown to [PCLS] implementations
   (pcelsPolicySet, pcelsRule and pcelsGroup). In particular the
   attribute pcimRoles is also used by pcelsPolicySet for role based
   policy selection.

   2. Condition and action association classes originally used only by
   pcimRule are now used (through subclasses) by pcelsRule as well.

   3. pcimRepository containers may include entries of types unknown to
   [PCLS] implementations.

   When the choice exists, PCELS implementations SHOULD support the
   new schema and MAY also support the one defined by [PCLS]. For
   example, if PolicyRule support is required, an implementation SHOULD
   be able to read or read-write (as applicable) pcelsRule entries. The
   same implementation MAY be able to read or read-write pcimRule.

4.6 The Association of PolicyVariable and PolicyValues
    to PolicySimpleCondition and PolicySimpleAction

   A PolicySimpleCondition as well as a PolicySimpleAction includes a
   single PolicyValue and a single PolicyVariable. Each of them can be
   attached or referenced by a DN.

   The attachment helps create compact PolicyCondition and PolicyAction
   definitions that can be efficiently provisioned and retrieved from
   the repository.
   On the other hand, referenced PolicyVariables and
   PolicyValues instances can be reused in the construction of multiple
   policies and permit an administrative partitioning of the data and
   policy definitions.

4.7 The Aggregation of PolicyRules and PolicyGroups in PolicySets

   In [PCIM_EXT], the two aggregations PolicyGroupInPolicyGroup and
   PolicyRuleInPolicyGroup are combined into a single aggregation
   PolicySetComponent. This aggregation and the capability of
   association between a policy and the ReusablePolicyContainer offer
   new possibilities of reusability. Furthermore, these aggregations
   introduce new semantics representing the execution of one PolicyRule
   within the scope of another PolicyRule.

   Since PolicySet is defined in [PCIM_EXT], it is mapped in this
   document to a new class pcelsPolicySet in order to provide an
   abstraction for a set of policy rules or groups. The aggregation
   class PolicySetComponent in [PCIM_EXT] is mapped to a multi-value
   attribute pcelsPolicySetList in the pcelsPolicySet class and the
   attribute pcelsPolicySetDN in the pcelsPolicySetAssociation. These
   attributes refer to the nested rules and groups.

   It is possible to store a rule/group nested in another rule/group
   in two ways. The first way is to define the nested rule/group as
   specific to the nesting rule/group. The second way is to define the
   nested rules/groups as reusable.

   First case: Specific nested sets (rules/groups).

      [Diagram not recoverable. Entries shown: Rule/Group, SA1+Set1,
      SA2+Set2.]

      LEGEND:
         *****  DIT containment
         +      auxiliary attachment
         ---->  DN reference

      #: Number.
      Set#: pcelsRuleAuxClass or pcelsGroupAuxClass auxiliary class.
      SA#: pcelsPolicySetAssociation structural class.

      Figure 4. Policy Set with Specific Components

   The nesting pcelsPolicySet refers to instances of
   pcelsPolicySetAssociation using the attribute pcelsPolicySetList.
   These structural association classes are subordinated (DIT contained)
   to an instance of a non-abstract subclass of pcelsPolicySet and
   represent the association between the PolicySet and its nested rules/
   groups. The nested instances of auxiliary subclasses of
   pcelsPolicySet are attached to the association entries.

   Second case: Reusable nested sets (rules/groups).

      [Diagram not recoverable. Entries shown: Rule/Group, ContainerX,
      SA1, SA2, S1+Set2, S2+Set3.]

      LEGEND:
         *****  DIT containment
         +      auxiliary attachment
         ---->  DN reference

      Set#: pcelsRuleAuxClass or pcelsGroupAuxClass auxiliary class.
      SA#: pcelsPolicySetAssociation structural class.
      S#: structural class.

      Figure 5. Policy Set with Reusable Components

   The nesting pcelsPolicySet refers to instances of
   pcelsPolicySetAssociation using the attribute pcelsPolicySetList.
   These structural association classes are subordinated (DIT contained)
   to an instance of a non-abstract subclass of pcelsPolicySet and
   represent the association between the PolicySet and its nested
   rules/groups. The reusable rules/groups are instantiated here as
   auxiliary classes and attached to pcimPolicyInstance entries in the
   reusable container.
   Another option is to use the structural
   subclasses for defining reusable rules/groups. The association
   classes belonging to a nesting policy set reference the reusable
   rules/groups using the attribute pcelsPolicySetDN.

   A combination of both specific and reusable components is also
   allowed for the same policy set.

4.8 The Aggregation of actions/conditions in PolicyRules and
    CompoundActions/CompoundConditions

   [PCIM_EXT] defines two new classes that offer the designer the
   capability of creating more complex conditions and actions.
   CompoundPolicyCondition and CompoundPolicyAction classes are mapped
   in this document to pcelsCompoundConditionAuxClass and
   pcelsCompoundActionAuxClass classes that are subclasses of
   pcimConditionAuxClass/pcimActionAuxClass. The compound
   conditions/actions defined in [PCIM_EXT] extend the capability of
   the rule to associate, group and evaluate conditions or execute
   actions. The conditions/actions are associated to compound
   conditions/actions in the same way as they are associated to the
   rules.

   In this section it is explained how to store instances of these
   classes in an LDAP Directory. As a general rule, specific
   conditions/actions are subordinated (DIT contained) to the rule or
   compound condition/action that aggregates them and are attached
   to association class instances. Reusable conditions/actions are
   subordinated to pcelsReusableContainer instances and attached to
   pcimPolicyInstance instances.

   The examples below illustrate the four possible cases combining
   specific/reusable compound/non-compound condition/action. The rule
   has two compound conditions, each of which has two different
   conditions. The schemes can be extended in order to store actions.

   The examples below are based on and extend those illustrated in
   section 4.4 of [PCLS].

   - First case: Specific compound condition/action with specific
     conditions/actions.

      [Diagram not recoverable. Entries shown: Rule, CA1+cc1, CA2+cc2,
      CA3+c1, CA4+c2, CA5+c3, CA6+c4.]

      LEGEND:
         *****  DIT containment
         +      auxiliary attachment
         ---->  DN reference

      #: Number.
      CA#: pcelsConditionAssociation structural class.
      cc#: pcelsCompoundConditionAuxClass auxiliary class.
      c#: subclass of pcimConditionAuxClass.

      Figure 6. Specific Compound Conditions with Specific Components

   Because the compound conditions/actions are specific to the Rule,
   they are auxiliary attachments to instances of the structural
   classes pcelsConditionAssociation or pcelsActionAssociation. These
   structural classes represent the association between the rule and
   the compound condition/action. The rule specific
   conditions/actions are therefore subordinated (DIT contained) to the
   rule entry.

   The conditions/actions are tied to the compound conditions/actions
   in the same way the compound conditions/actions are tied to rules.
   Association classes realize the association between the aggregating
   compound conditions/actions and the specific conditions/actions.

   - Second case: Rule specific compound conditions/actions with
     reusable conditions/actions.

      [Diagram not recoverable. Entries shown: Rule, ContainerX,
      CA1+cc1, CA2+cc2, CA3, CA4, CA5, CA6, S1+c4, S2+c3, S3+c2, S4+c1.]

      LEGEND:
         *****  DIT containment
         +      auxiliary attachment
         ---->  DN reference

      #: Number.
      CA#: pcelsConditionAssociation structural class.
      cc#: pcelsCompoundConditionAuxClass auxiliary class.
      c#: subclass of pcimConditionAuxClass.
      S#: structural class.

      Figure 7. Specific Compound Conditions with Reusable Components

   This case is similar to the first one. The conditions/actions are
   reusable so they are not attached to the association classes but they
   are attached to structural classes in the reusable container. The
   association classes tie the conditions/actions located in a
   reusable container to their aggregators using DN references.

   - Third case: Reusable compound condition/action with specific
     conditions/actions.

      [Diagram not recoverable. Entries shown: Rule, RepositoryX, CA1,
      CA2, S1+cc2, S2+cc1, CA3+c1, CA4+c2, CA5+c3, CA6+c4.]

      LEGEND:
         *****  DIT containment
         +      auxiliary attachment
         ---->  DN reference

      #: Number.
      CA#: pcelsConditionAssociation structural class.
      cc#: pcelsCompoundConditionAuxClass auxiliary class.
      c#: subclass of pcimConditionAuxClass.
      S#: structural class.

      Figure 8. Reusable Compound Conditions with Specific Components

   Reusable compound conditions/actions are attached to structural
   classes and stored in a reusable policy container. They are related
   to the rule through a DN reference attribute in the association
   classes.

   Specific conditions/actions are attached to association entries and
   subordinated (DIT contained) to the aggregating compound
   conditions/actions.

   - Fourth case: Reusable conditions/actions and compound
     conditions/actions.

      [Diagram not recoverable. Entries shown: Rule, ContainerX,
      ContainerY, CA1, CA2, CA3, CA4, CA5, CA6, S1+ca1, S2+cc1, S3+c4,
      S4+c3, S5+c2, S6+c1.]

      LEGEND:
         *****  DIT containment
         +      auxiliary attachment
         ---->  DN reference

      #: Number.
      CA#: pcelsConditionAssociation structural class.
      cc#: pcelsCompoundConditionAuxClass auxiliary class.
      c#: subclass of pcimConditionAuxClass.
      S#: structural class.

      Figure 9. Reusable Compound Conditions with Reusable Components

   All the conditions/actions are reusable so they are stored in
   reusable containers. The figure above illustrates two different
   reusable policy containers but the number of containers in the
   system is decided based on administrative reasons. The conditions,
   actions, etc. may be stored in the same container or in different
   containers with no impact on the policy definition semantics.

5. Class Definitions

   The semantics for the policy information classes that are to be
   mapped directly from the information model to an LDAP representation
   are detailed in [PCIM_EXT]. Consequently, this document presents only
   a brief reference to those semantics. The focus here is on the
   mapping from the information model (which is independent of
   repository type and access protocol) to a form that can be accessed
   using LDAP. For various reasons including LDAP specific optimization,
   this mapping is not always 1:1. Some new classes and attributes
   needed to be created (that were not part of [PCIM] or [PCIM_EXT]) to
   implement the LDAP mapping. These new LDAP-only classes are fully
   defined in this document.

   The following notes apply to this section in its entirety.

   Note 1: The formal language for specifying the classes, attributes,
   and DIT structure and content rules is that defined in [LDAP_SYNTAX].
   In the following definitions, the class and attribute definitions
   follow [LDAP_SYNTAX] but they are line-wrapped to enhance human
   readability.

   Note 2: Even though not explicitly noted in the following class and
   attribute definitions, implementations may define DIT structure and
   content rules where applicable and supported by the underlying LDAP
   infrastructure. In such cases, the DIT structure rule considerations
   discussed in section 5 of [PCLS] must be applied to PCELS
   implementations as well. The reasons and details are presented in
   [X.501].

   Note 3: Wherever possible, an equality, a substrings and an ordering
   matching rule are defined for a particular attribute. This provides
   additional implementation flexibility. However, in some cases, the
   LDAP matching semantics may not cover all the application needs. For
   instance, different values of pcelsIPv4AddrList may be semantically
   equivalent.
   The equality matching rule, caseIgnoreMatch, associated
   to this attribute type is not suitable for detecting this
   equivalence. Implementers should not rely solely on LDAP syntaxes
   and matching rules for being consistent with this specification.

   Note 4: The following attribute definitions use only LDAP matching
   rules and syntax definitions from [LDAP_SYNTAX], [LDAP_SCHEMA] and
   [LDAP_MATCH]. The corresponding X.500 matching rules are defined in
   [X.520].

   Note 5: Some of the following attribute types MUST conform to
   additional constraints on various data types (e.g. the only valid
   values for pcelsDecisionStrategy are 1 and 2). Just like
   the attribute semantics, the definition of the value structures,
   valid ranges, etc. is covered by [PCIM_EXT] for the corresponding
   properties while in this document such constraints are only briefly
   mentioned. In all cases, if a constraint is violated, the entry
   SHOULD be treated as invalid and the policy rules or groups that
   refer to it SHOULD be treated as being disabled, meaning that the
   execution of such policy rules or groups SHOULD be stopped.

   Note 6: Some of the object classes defined in this section cannot
   or should not be directly instantiated either because they are
   defined as abstract or because they do not implement stand-alone
   semantics (e.g. pcelsValueAuxClass). With regard to instances of
   objects that inherit from such classes, the text refers to
   "instances of " when in fact the strictly correct
   expression would be "instances of objects which belong to
   non-abstract subclasses of ". The omission is
   intentional: it makes the text easier to read.

5.1 The Abstract Class pcelsPolicySet

   The pcelsPolicySet class represents a set of policies with a common
   decision strategy and a common set of policy roles.
   This class
   together with the pcelsPolicySetAssociation class defined in a
   subsequent section of this document provide sufficient information
   to allow applications to apply appropriate ordering to a set of
   policies. The pcelsPolicySet is mapped from the PolicySet class
   [PCIM_EXT]. The pcelsPolicySet class is an abstract object class and
   it is derived from the pcimPolicy class [PCLS].

   The pcelsPolicySetList attribute of a pcelsPolicySet instance
   references subordinated pcelsPolicySetAssociation entries.
   The aggregated pcelsPolicySet instances are either attached to the
   pcelsPolicySetAssociation entries as auxiliary object classes or
   referenced by the pcelsPolicySetAssociation entries using the
   pcelsPolicySetDN attribute.

   The pcelsPolicySet class is defined as follows:

      ( IANA-ASSIGNED-OID.1.1
        NAME 'pcelsPolicySet'
        DESC 'Set of policies'
        SUP pcimPolicy
        ABSTRACT
        MAY ( pcelsPolicySetName
            $ pcelsDecisionStrategy
            $ pcimRoles
            $ pcelsPolicySetList )
      )

   One of the attributes of the pcelsPolicySet class, pcimRoles, is
   defined in section 5.3 of [PCLS]. In the pcelsPolicySet class
   the pcimRoles attribute preserves its syntax and semantics as defined
   by [PCLS] and [PCIM].

   The pcelsPolicySetName attribute type may be used as naming attribute
   for pcelsPolicySet entries. This attribute type is of syntax
   Directory String [LDAP_SYNTAX]. It has an equality matching rule of
   caseIgnoreMatch, an ordering matching rule of caseIgnoreOrderingMatch
   and a substrings matching rule of caseIgnoreSubstringsMatch
   [LDAP_SYNTAX]. Attributes of this type can only have a single value.

   This attribute type is defined as follows:

      ( IANA-ASSIGNED-OID.2.1
        NAME 'pcelsPolicySetName'
        DESC 'User-friendly name of a policy set'
        EQUALITY caseIgnoreMatch
        ORDERING caseIgnoreOrderingMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
        SINGLE-VALUE
      )

   The pcelsDecisionStrategy attribute type indicates the evaluation
   method for the policies aggregated in the policy set. It is mapped
   from the PolicySet.PolicyDecisionStrategy property [PCIM_EXT]. This
   attribute type is of syntax Integer [LDAP_SYNTAX]. It has an
   equality matching rule of integerMatch [LDAP_SYNTAX] and an ordering
   matching rule of integerOrderingMatch [LDAP_MATCH]. Attributes of
   this type can only have a single value. The only allowed values for
   attributes of this type are 1 (FirstMatching) and 2 (AllMatching).
   If this attribute is missing from a pcelsPolicySet instance,
   applications MUST assume a FirstMatching decision strategy for the
   policy set.

   This attribute type is defined as follows:

      ( IANA-ASSIGNED-OID.2.2
        NAME 'pcelsDecisionStrategy'
        DESC 'Evaluation method for the components of a pcelsPolicySet'
        EQUALITY integerMatch
        ORDERING integerOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE
      )

   The pcelsPolicySetList attribute type is used in the realization of
   the PolicySetComponent association [PCIM_EXT]. This attribute type
   is of syntax DN [LDAP_SYNTAX]. It has an equality matching rule of
   distinguishedNameMatch [LDAP_SYNTAX]. Attributes of this type can
   have multiple values. The only allowed values for pcelsPolicySetList
   attributes are DNs of pcelsPolicySetAssociation entries. In a
   pcelsPolicySet, the pcelsPolicySetList attribute represents the
   associations between this policy set and its components.

   This attribute type is defined as follows:

      ( IANA-ASSIGNED-OID.2.3
        NAME 'pcelsPolicySetList'
        DESC 'Unordered set of DNs of pcelsPolicySetAssociation entries'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
      )

   Note: A pcelsPolicySet instance aggregates other pcelsPolicySet
   instances using pcelsPolicySetAssociation entries (defined in the
   next section). Applications can sort the components of a
   pcelsPolicySet using attributes of the pcelsPolicySetAssociation
   entries. However, implementations should not expect the LDAP data
   store to provide a useful ordering of the pcelsPolicySetList values
   in a pcelsPolicySet instance or to return sets of matching
   pcelsPolicySetAssociation entries in a meaningful order. Instead,
   applications SHOULD implement their own means for post-retrieval
   ordering of policy rules/groups based on
   pcelsPolicySetAssociation.pcelsPriority values.

5.2 The Structural Class pcelsPolicySetAssociation

   The pcelsPolicySetAssociation class is used to associate PolicySet
   instances [PCIM_EXT] to other entries. pcelsPolicySetAssociation
   entries are always subordinated to the aggregating entry. When
   subordinated to an instance of pcelsPolicySet,
   pcelsPolicySetAssociation realizes a PolicySetComponent association
   [PCIM_EXT]. When subordinated to an instance of dlm1System
   [CIM_LDAP], pcelsPolicySetAssociation realizes a PolicySetInSystem
   association [PCIM_EXT].

   The pcelsPolicySetAssociation class is a structural object class and
   it is derived from the pcimPolicy class [PCLS].

   The aggregation of a reusable pcelsPolicySet instance is realized
   via the pcelsPolicySetDN attribute. A non-reusable pcelsPolicySet
   instance is attached (as auxiliary subclass of pcelsPolicySet)
   directly to the pcelsPolicySetAssociation entry.

   When reading a pcelsPolicySetAssociation instance that has a
   pcelsPolicySet attached, the attribute pcelsPolicySetDN MUST
   be ignored. Applications SHOULD remove the pcelsPolicySetDN value
   from a pcelsPolicySetAssociation upon attachment of a pcelsPolicySet
   to the entry.

   The pcelsPolicySetAssociation class is defined as follows:

      ( IANA-ASSIGNED-OID.1.2
        NAME 'pcelsPolicySetAssociation'
        DESC 'Associates a policy set to an aggregating entry'
        SUP pcimPolicy
        STRUCTURAL
        MUST ( pcelsPriority )
        MAY ( pcelsPolicySetName
            $ pcelsPolicySetDN )
      )

   The pcelsPriority attribute type indicates the priority of a policy
   set component. This attribute type is of syntax Integer
   [LDAP_SYNTAX]. It has an equality matching rule of integerMatch
   [LDAP_SYNTAX] and an ordering matching rule of integerOrderingMatch
   [LDAP_MATCH]. Attributes of this type can only have a single value.
   The only allowed values for attributes of this type are non-negative
   integers. Within the set of pcelsPolicySetAssociation entries
   directly subordinated to a pcelsPolicySet or a dlm1System [CIM_LDAP],
   the pcelsPriority values MUST be unique.

   This attribute type is defined as follows:

      ( IANA-ASSIGNED-OID.2.4
        NAME 'pcelsPriority'
        DESC 'Priority of a component'
        EQUALITY integerMatch
        ORDERING integerOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE
      )

   The pcelsPolicySetDN attribute type is used in the aggregation of
   PolicySet instances [PCIM_EXT]. This attribute type is of syntax DN
   [LDAP_SYNTAX]. It has an equality matching rule of
   distinguishedNameMatch [LDAP_SYNTAX]. Attributes of this type can
   only have a single value. The only allowed values for
   pcelsPolicySetDN attributes are DNs of pcelsPolicySet entries.

   This attribute type is defined as follows:

      ( IANA-ASSIGNED-OID.2.5
        NAME 'pcelsPolicySetDN'
        DESC 'DN of a pcelsPolicySet entry'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
        SINGLE-VALUE
      )

5.3 The Three Policy Group Classes

   The pcelsGroup class is the base class for representing a policy
   group. It is mapped from the modified PolicyGroup class [PCIM_EXT].
   The pcelsGroup class is derived from the pcelsPolicySet class. To
   maximize flexibility, the pcelsGroup class is defined as abstract. An
   auxiliary subclass pcelsGroupAuxClass enables the attachment of a
   policy group to an existing entry, while a structural subclass
   pcelsGroupInstance permits the representation of a policy group as a
   standalone entry.

   The pcelsGroup class is defined as follows:

      ( IANA-ASSIGNED-OID.1.3
        NAME 'pcelsGroup'
        DESC 'Base class for representing a policy group'
        SUP pcelsPolicySet
        ABSTRACT
        MAY ( pcimGroupName )
      )

   The pcelsGroupAuxClass class is defined as follows:

      ( IANA-ASSIGNED-OID.1.4
        NAME 'pcelsGroupAuxClass'
        DESC 'Auxiliary class for representing a policy group'
        SUP pcelsGroup
        AUXILIARY
      )

   The pcelsGroupInstance class is defined as follows:

      ( IANA-ASSIGNED-OID.1.5
        NAME 'pcelsGroupInstance'
        DESC 'Structural class for representing a policy group'
        SUP pcelsGroup
        STRUCTURAL
      )

   The pcimGroupName attribute type used by the pcelsGroup class is
   defined in section 5.2 of [PCLS]. In the pcelsGroup object
   class, this attribute preserves its syntax and semantics as defined
   by [PCLS] and [PCIM].

   Note: PCELS implementations SHOULD support pcelsGroup and its two
   subclasses and MAY also support pcimGroup and its two subclasses
   [PCLS].
   Applications that choose to support pcelsGroup and its two
   subclasses MUST use the aggregation mechanism provided by
   pcelsPolicySetAssociation for aggregating policy groups or policy
   rules in policy groups represented as instances of pcelsGroup.

5.4 The Three Policy Rule Classes

   The pcelsRule class is the base class for representing a policy
   rule. It is mapped from the modified PolicyRule class [PCIM_EXT].
   The pcelsRule class is derived from the pcelsPolicySet class. To
   maximize flexibility, the pcelsRule class is defined as abstract. An
   auxiliary subclass pcelsRuleAuxClass enables the attachment of a
   policy rule to an existing entry, while a structural subclass
   pcelsRuleInstance permits the representation of a policy rule as a
   standalone entry.

   When reading a pcelsRule instance that has a pcimConditionAuxClass
   attached, from the policy rule perspective the attribute
   pcelsConditionList MUST be ignored. I.e., if present, the attribute
   must not be considered as an association between this policy rule
   and a policy condition. Such situations may occur, for example, when
   a pcelsCompoundConditionAuxClass is attached to a pcelsRule
   instance.

   When reading a pcelsRule instance that has a pcimActionAuxClass
   attached, from the policy rule perspective the attribute
   pcelsActionList MUST be ignored. I.e., if present, the attribute
   must not be considered as an association between this policy rule
   and a policy action. Such situations may occur, for example, when
   a pcelsCompoundActionAuxClass is attached to a pcelsRule instance.

   The pcelsRule class is defined as follows:

     ( IANA-ASSIGNED-OID.1.6
       NAME 'pcelsRule'
       DESC 'Base class for representing a policy rule'
       SUP pcelsPolicySet
       ABSTRACT
       MAY ( pcimRuleName
           $ pcimRuleEnabled
           $ pcimRuleUsage
           $ pcimRuleMandatory
           $ pcelsRuleValidityPeriodList
           $ pcelsConditionListType
           $ pcelsConditionList
           $ pcelsActionList
           $ pcelsSequencedActions
           $ pcelsExecutionStrategy )
     )

   The pcelsRuleAuxClass class is defined as follows:

     ( IANA-ASSIGNED-OID.1.7
       NAME 'pcelsRuleAuxClass'
       DESC 'Auxiliary class for representing a policy rule'
       SUP pcelsRule
       AUXILIARY
     )

   The pcelsRuleInstance class is defined as follows:

     ( IANA-ASSIGNED-OID.1.8
       NAME 'pcelsRuleInstance'
       DESC 'Structural class for representing a policy rule'
       SUP pcelsRule
       STRUCTURAL
     )

   Four of the attributes used by the pcelsRule class are defined
   in section 5.3 of [PCLS]. These attributes are: pcimRuleName,
   pcimRuleEnabled, pcimRuleUsage and pcimRuleMandatory. In the
   pcelsRule object class, these attributes preserve their syntax and
   semantics as defined by [PCLS] and [PCIM].

   The attributes pcimRuleValidityPeriodList,
   pcimRuleConditionListType, pcimRuleConditionList, pcimRuleActionList
   and pcimRuleSequencedActions defined in [PCLS] are not used by
   pcelsRule. Instead, this class uses the new attributes
   pcelsRuleValidityPeriodList, pcelsConditionListType,
   pcelsConditionList, pcelsActionList and pcelsSequencedActions.
   Except for pcelsRuleValidityPeriodList, the new attributes are also
   used for a similar purpose by either pcelsCompoundConditionAuxClass or
   pcelsCompoundActionAuxClass.

   The pcelsRuleValidityPeriodList attribute type is used in the
   realization of the PolicyRuleValidityPeriod association ([PCIM_EXT]
   and [PCIM]). This attribute type is of syntax DN [LDAP_SYNTAX].
   It has an equality matching rule of distinguishedNameMatch
   [LDAP_SYNTAX]. Attributes of this type can have multiple values. The
   only allowed values for pcelsRuleValidityPeriodList attributes are
   DNs of pcimRuleValidityAssociation entries. In a pcelsRule, the
   pcelsRuleValidityPeriodList attribute represents the associations
   between this policy rule and its time period conditions.

   This attribute type is defined as follows:

     ( IANA-ASSIGNED-OID.2.62
       NAME 'pcelsRuleValidityPeriodList'
       DESC 'Unordered set of DNs of pcimRuleValidityAssociation entries'
       EQUALITY distinguishedNameMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
     )

   The pcelsConditionListType attribute type indicates whether the set
   of aggregated conditions is in disjunctive or in conjunctive normal
   form. It is mapped from the PolicyRule.ConditionListType property
   [PCIM] (identical to the CompoundPolicyCondition.ConditionListType
   property defined in [PCIM_EXT]). This attribute type is of syntax
   Integer [LDAP_SYNTAX]. It has an equality matching rule of
   integerMatch [LDAP_SYNTAX] and an ordering matching rule of
   integerOrderingMatch [LDAP_MATCH]. Attributes of this type can only
   have a single value. The only allowed values for attributes of this
   type are 1 (Disjunctive) and 2 (Conjunctive). If this attribute is
   missing from a pcelsRule instance, applications MUST assume that the
   set of aggregated conditions is in disjunctive normal form.

   This attribute type is defined as follows:

     ( IANA-ASSIGNED-OID.2.6
       NAME 'pcelsConditionListType'
       DESC 'Indicates the type of condition aggregation'
       EQUALITY integerMatch
       ORDERING integerOrderingMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
       SINGLE-VALUE
     )

   The pcelsConditionList attribute type is used in the realization of
   the PolicyConditionStructure association [PCIM_EXT].
   This attribute type is of syntax DN [LDAP_SYNTAX]. It has an
   equality matching rule of distinguishedNameMatch [LDAP_SYNTAX].
   Attributes of this type can have multiple values. The only allowed
   values for pcelsConditionList attributes are DNs of
   pcelsConditionAssociation entries. In a pcelsRule, the
   pcelsConditionList attribute represents the associations between
   this policy rule and its conditions.

   This attribute type is defined as follows:

     ( IANA-ASSIGNED-OID.2.7
       NAME 'pcelsConditionList'
       DESC 'Unordered set of DNs of pcelsConditionAssociation entries'
       EQUALITY distinguishedNameMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
     )

   The pcelsActionList attribute type is used in the realization of
   the PolicyActionStructure association [PCIM_EXT]. This attribute
   type is of syntax DN [LDAP_SYNTAX]. It has an equality matching rule
   of distinguishedNameMatch [LDAP_SYNTAX]. Attributes of this type can
   have multiple values. The only allowed values for pcelsActionList
   attributes are DNs of pcelsActionAssociation entries. In a
   pcelsRule, the pcelsActionList attribute represents the
   associations between this policy rule and its actions.

   This attribute type is defined as follows:

     ( IANA-ASSIGNED-OID.2.8
       NAME 'pcelsActionList'
       DESC 'Unordered set of DNs of pcelsActionAssociation entries'
       EQUALITY distinguishedNameMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
     )

   The pcelsSequencedActions attribute type indicates whether the
   ordered execution of actions in an aggregate is Mandatory,
   Recommended or DontCare. It is mapped from the
   PolicyRule.SequencedActions property [PCIM] (identical to the
   CompoundPolicyAction.SequencedActions property defined in
   [PCIM_EXT]). This attribute type is of syntax Integer [LDAP_SYNTAX].
   It has an equality matching rule of integerMatch [LDAP_SYNTAX] and
   an ordering matching rule of integerOrderingMatch [LDAP_MATCH].
   Attributes of this type can only have a single value. The only
   allowed values for attributes of this type are 1 (Mandatory), 2
   (Recommended) and 3 (DontCare). If this attribute is missing from a
   pcelsRule instance, applications MUST assume that the ordered
   execution of actions in this rule is not important (DontCare).

   This attribute type is defined as follows:

     ( IANA-ASSIGNED-OID.2.9
       NAME 'pcelsSequencedActions'
       DESC 'Indicates the importance of action sequencing'
       EQUALITY integerMatch
       ORDERING integerOrderingMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
       SINGLE-VALUE
     )

   The pcelsExecutionStrategy attribute type indicates whether the
   actions in an aggregate are to be executed until success, all
   (independent of their outcome) or until failure. It is mapped from
   the PolicyRule.ExecutionStrategy property [PCIM_EXT] (identical to
   the CompoundPolicyAction.ExecutionStrategy property). This attribute
   type is of syntax Integer [LDAP_SYNTAX]. It has an equality matching
   rule of integerMatch [LDAP_SYNTAX] and an ordering matching rule of
   integerOrderingMatch [LDAP_MATCH]. Attributes of this type can only
   have a single value. The only allowed values for attributes of this
   type are 1 (Do until success), 2 (Do all) and 3 (Do until failure).
   If this attribute is missing from a pcelsRule instance, applications
   MUST assume that all the actions are to be executed (Do all).

   This attribute type is defined as follows:

     ( IANA-ASSIGNED-OID.2.10
       NAME 'pcelsExecutionStrategy'
       DESC 'Indicates the action execution strategy'
       EQUALITY integerMatch
       ORDERING integerOrderingMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
       SINGLE-VALUE
     )

   Note 1: Rule validity periods for an instance of pcelsRule are
   realized using the attribute pcelsRuleValidityPeriodList and
   pcimRuleValidityAssociation [PCLS] entries subordinated to the rule.

   If DIT structure rules and name forms are written for a PCELS
   implementation (as suggested in section 5.5 of [PCLS]), they would
   require that an instance of the pcimRuleValidityAssociation class
   have as its superior an instance of the pcelsRule class or, if
   applicable, an instance of the pcimRule class. Any structure rules
   and name forms that require an instance of the
   pcimRuleValidityAssociation class to have as its superior only an
   instance of the pcimRule class, are in conflict and MUST be removed.

   Note 2: PCELS implementations SHOULD support pcelsRule and its two
   subclasses and MAY also support pcimRule and its two subclasses
   [PCLS]. Applications that choose to support pcelsRule and its two
   subclasses MUST use the aggregation mechanism provided by
   pcelsPolicySetAssociation for aggregating policy groups or policy
   rules in policy rules represented as instances of pcelsRule.

5.5 The Structural Class pcelsConditionAssociation

   The pcelsConditionAssociation class is used in the aggregation of
   PolicyCondition instances [PCIM]. pcelsConditionAssociation entries
   are always subordinated to the aggregating entry. When subordinated
   to an instance of pcelsRule, the pcelsConditionAssociation entry
   realizes the PolicyConditionInPolicyRule association [PCIM_EXT].
   When subordinated to an instance of pcelsCompoundConditionAuxClass,
   the pcelsConditionAssociation entry realizes the
   PolicyConditionInPolicyCondition association [PCIM_EXT].

   The pcelsConditionAssociation class is a structural object class and
   it is derived from the pcimRuleConditionAssociation class [PCLS].

   The aggregation of a reusable instance of pcimConditionAuxClass is
   realized via the pcimConditionDN attribute. A non-reusable
   instance of pcimConditionAuxClass is attached directly to the
   pcelsConditionAssociation entry.

   When reading a pcelsConditionAssociation entry that has a
   pcimConditionAuxClass instance attached, the attribute
   pcimConditionDN MUST be ignored. Applications SHOULD remove the
   pcimConditionDN value from a pcelsConditionAssociation upon
   attachment of a pcimConditionAuxClass to the entry.

   The pcelsConditionAssociation class is defined as follows:

     ( IANA-ASSIGNED-OID.1.9
       NAME 'pcelsConditionAssociation'
       DESC 'Associates a policy conditions to an aggregating entry'
       SUP pcimRuleConditionAssociation
       STRUCTURAL
     )

   This class extends the semantics of the pcimRuleConditionAssociation
   object class without using any new attributes. All its attributes are
   inherited from the pcimRuleConditionAssociation that is defined in
   section 5.4 of [PCLS].

5.6 The Structural Class pcelsActionAssociation

   The pcelsActionAssociation class is used in the aggregation of
   PolicyAction instances [PCIM]. pcelsActionAssociation entries are
   always subordinated to the aggregating entry. When subordinated to a
   pcelsRule instance, the pcelsActionAssociation entry realizes the
   PolicyActionInPolicyRule association [PCIM_EXT]. When subordinated
   to an instance of pcelsCompoundActionAuxClass, the
   pcelsActionAssociation entry realizes the PolicyActionInPolicyAction
   association [PCIM_EXT].

   The pcelsActionAssociation class is a structural object class and
   it is derived from the pcimRuleActionAssociation class [PCLS].

   The aggregation of a reusable instance of pcimActionAuxClass is
   realized via the pcimActionDN attribute. A non-reusable instance
   of pcimActionAuxClass is attached directly to the
   pcelsActionAssociation entry.

   When reading a pcelsActionAssociation entry that has a
   pcimActionAuxClass instance attached, the attribute pcimActionDN
   MUST be ignored. Applications SHOULD remove the pcimActionDN
   value from a pcelsActionAssociation upon attachment of a
   pcimActionAuxClass to the entry.

   The pcelsActionAssociation class is defined as follows:

     ( IANA-ASSIGNED-OID.1.10
       NAME 'pcelsActionAssociation'
       DESC 'Associates a policy conditions to an aggregating entry'
       SUP pcimRuleActionAssociation
       STRUCTURAL
     )

   This class extends the semantics of the pcimRuleActionAssociation
   object class without using any new attributes. All its attributes are
   inherited from the pcimRuleActionAssociation that is defined in
   section 5.6 of [PCLS].

5.7 The Auxiliary Class pcelsSimpleConditionAuxClass.

   The pcelsSimpleConditionAuxClass class implements a Value matching
   condition for a Variable. It is mapped from the
   SimplePolicyCondition class [PCIM_EXT]. The
   pcelsSimpleConditionAuxClass class is an auxiliary object class and
   it is derived from the pcimConditionAuxClass class [PCLS].

   A reusable variable/value is associated to a
   pcelsSimpleConditionAuxClass via the pcelsVariableDN/pcelsValueDN
   reference from the simple condition instance. A non-reusable
   variable/value is associated directly as auxiliary object class to
   the same entry as the pcelsSimpleConditionAuxClass instance.

   When reading a pcelsSimpleConditionAuxClass instance that has an
   instance of pcelsVariable attached, the attribute pcelsVariableDN
   MUST be ignored. Applications SHOULD remove the pcelsVariableDN
   value from a pcelsSimpleConditionAuxClass instance upon attachment
   of a pcelsVariable instance to the same entry.

   When reading a pcelsSimpleConditionAuxClass instance that has an
   instance of pcelsValue attached, the attribute pcelsValueDN MUST be
   ignored. Applications SHOULD remove the pcelsValueDN value from a
   pcelsSimpleConditionAuxClass instance upon attachment of a
   pcelsValue instance to the same entry.

   The pcelsSimpleConditionAuxClass class is defined as follows:

     ( IANA-ASSIGNED-OID.1.11
       NAME 'pcelsSimpleConditionAuxClass'
       DESC 'Value matching condition for a policy variable'
       SUP pcimConditionAuxClass
       AUXILIARY
       MAY ( pcelsVariableDN
           $ pcelsValueDN )
     )

   The pcelsVariableDN attribute type realizes the
   PolicyVariableInSimplePolicyCondition association [PCIM_EXT].
   This attribute type is of syntax DN [LDAP_SYNTAX]. It has an
   equality matching rule of distinguishedNameMatch [LDAP_SYNTAX].
   Attributes of this type can only have a single value. The only
   allowed values for pcelsVariableDN attributes are DNs of
   pcelsVariable entries. In a pcelsSimpleConditionAuxClass, the
   pcelsVariableDN attribute represents the association between this
   simple policy condition and its policy variable.

   This attribute type is defined as follows:

     ( IANA-ASSIGNED-OID.2.11
       NAME 'pcelsVariableDN'
       DESC 'DN of a pcelsVariable entry'
       EQUALITY distinguishedNameMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
       SINGLE-VALUE
     )

   The pcelsValueDN attribute type realizes the
   PolicyValueInSimplePolicyCondition association [PCIM_EXT].
   This attribute type is of syntax DN [LDAP_SYNTAX].
   It has an equality matching rule of distinguishedNameMatch
   [LDAP_SYNTAX]. Attributes of this type can only have a single
   value. The only allowed values for pcelsValueDN attributes are DNs
   of pcelsValueAuxClass entries. In a pcelsSimpleConditionAuxClass,
   the pcelsValueDN attribute represents the association between this
   simple policy condition and its policy value.

   This attribute type is defined as follows:

     ( IANA-ASSIGNED-OID.2.12
       NAME 'pcelsValueDN'
       DESC 'DN of a pcelsValueAuxClass entry'
       EQUALITY distinguishedNameMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
       SINGLE-VALUE
     )

   Note: An instance of pcelsSimpleActionAuxClass and an instance of
   pcelsSimpleConditionAuxClass MUST NOT be attached to the same
   entry. Because the two classes use the same mechanisms to
   associate Variables and Values, this restriction is necessary
   in order to avoid ambiguities.

5.8 The Auxiliary Class pcelsCompoundConditionAuxClass.

   The pcelsCompoundConditionAuxClass class represents a compound
   policy condition formed by the aggregation of other policy
   conditions. It is mapped from the CompoundPolicyCondition class
   [PCIM_EXT]. The pcelsCompoundConditionAuxClass class is an auxiliary
   object class and it is derived from the pcimConditionAuxClass class
   [PCLS].

   The pcelsCompoundConditionAuxClass class is defined as follows:

     ( IANA-ASSIGNED-OID.1.12
       NAME 'pcelsCompoundConditionAuxClass'
       DESC 'Boolean combination of simpler conditions'
       SUP pcimConditionAuxClass
       AUXILIARY
       MAY ( pcelsConditionListType
           $ pcelsConditionList )
     )

   If the pcelsConditionListType attribute is missing from a
   pcelsCompoundConditionAuxClass instance, applications MUST assume
   that the set of aggregated conditions is in disjunctive normal form.

   In a pcelsCompoundConditionAuxClass instance, the pcelsConditionList
   attribute represents the associations between this compound policy
   condition and the compounded conditions.

   These attribute types are defined in section 5.4.

   Like pcelsRule, instances of pcelsCompoundConditionAuxClass use
   pcelsConditionList values and subordinated pcelsConditionAssociation
   entries to aggregate policy conditions.

5.9 The Auxiliary Class pcelsCompoundFilterConditionAuxClass.

   The pcelsCompoundFilterConditionAuxClass class represents a
   domain-level filter. It is mapped from the CompoundFilterCondition
   class [PCIM_EXT]. The pcelsCompoundFilterConditionAuxClass class is
   an auxiliary object class and it is derived from the
   pcelsCompoundConditionAuxClass class.

   The pcelsCompoundFilterConditionAuxClass class is defined as follows:

     ( IANA-ASSIGNED-OID.1.13
       NAME 'pcelsCompoundFilterConditionAuxClass'
       DESC 'A compound condition with mirroring capabilities'
       SUP pcelsCompoundConditionAuxClass
       AUXILIARY
       MAY ( pcelsIsMirrored )
     )

   The pcelsIsMirrored attribute type indicates whether the traffic
   that mirrors the specified filter is to be treated as matching the
   filter. It is mapped from the CompoundFilterCondition.IsMirrored
   property [PCIM_EXT]. This attribute type is of syntax Boolean
   [LDAP_SYNTAX]. It has an equality matching rule of booleanMatch
   [LDAP_MATCH]. Attributes of this type can only have a single value.
   If this attribute is missing from a
   pcelsCompoundFilterConditionAuxClass instance, applications MUST
   assume that the filter is not mirrored.

   This attribute type is defined as follows:

     ( IANA-ASSIGNED-OID.2.13
       NAME 'pcelsIsMirrored'
       DESC 'Indicates whether the mirrored traffic matches'
       EQUALITY booleanMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
       SINGLE-VALUE
     )

5.10 The Auxiliary Class pcelsSimpleActionAuxClass.

   The pcelsSimpleActionAuxClass class implements the action of
   assigning a Value to a Variable. It is mapped from the
   SimplePolicyAction class [PCIM_EXT]. The
   pcelsSimpleActionAuxClass class is an auxiliary object class and it
   is derived from the pcimActionAuxClass class [PCLS].

   A reusable variable/value is associated to a
   pcelsSimpleActionAuxClass via the pcelsVariableDN/pcelsValueDN
   reference from the simple action instance. A non-reusable variable
   /value is associated directly as auxiliary object class to the
   same entry as the pcelsSimpleActionAuxClass instance.

   When reading a pcelsSimpleActionAuxClass instance that has an
   instance of pcelsVariable attached, the attribute pcelsVariableDN
   MUST be ignored. Applications SHOULD remove the pcelsVariableDN
   value from a pcelsSimpleActionAuxClass instance upon attachment
   of a pcelsVariable instance to the same entry.

   When reading a pcelsSimpleActionAuxClass instance that has an
   instance of pcelsValue attached, the attribute pcelsValueDN MUST be
   ignored. Applications SHOULD remove the pcelsValueDN value from a
   pcelsSimpleActionAuxClass instance upon attachment of a pcelsValue
   instance to the same entry.
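
   The reading rules of sections 5.7 and 5.10, as an added example that is not part of the draft: a reader that lets an attached variable or value override a leftover pcelsVariableDN/pcelsValueDN, so that two implementations never evaluate different variables for the same entry, and that rejects an entry carrying both simple classes. The directory contents, the DNs and the simplified DN matching are constructed assumptions.

```python
# Added example (not from the draft): resolving the variable and value of a
# simple condition or simple action. The directory is a dict of constructed
# entries keyed by DN; distinguishedNameMatch is simplified to lower-casing
# and trimming each RDN.

IMPLICIT = [
    "pcelsSourceIPv4VariableAuxClass", "pcelsSourceIPv6VariableAuxClass",
    "pcelsDestinationIPv4VariableAuxClass", "pcelsDestinationIPv6VariableAuxClass",
    "pcelsSourcePortVariableAuxClass", "pcelsDestinationPortVariableAuxClass",
    "pcelsIPProtocolVariableAuxClass", "pcelsIPVersionVariableAuxClass",
]
VARIABLE_CLASSES = {c.lower() for c in IMPLICIT + [
    "pcelsExplicitVariableAuxClass", "pcelsImplicitVariableAuxClass"]}
VALUE_CLASSES = {c.lower() for c in [
    "pcelsValueAuxClass", "pcelsIntegerValueAuxClass",
    "pcelsIPv4AddrValueAuxClass", "pcelsIPv6AddrValueAuxClass"]}


class PolicyError(ValueError):
    """The entry breaks a MUST of sections 5.7/5.10 or a reference cannot be followed."""


def norm_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))


def classes(entry):
    return {c.lower() for c in entry.get("objectClass", [])}


def _resolve(directory, dn, entry, attr, wanted):
    """Return (DN holding the instance, True if a DN value is left over)."""
    refs = entry.get(attr, [])
    if classes(entry) & wanted:
        # Attached (non-reusable) instance: the DN attribute MUST be ignored.
        return norm_dn(dn), bool(refs)
    if len(refs) != 1:
        raise PolicyError(f"{dn}: no attached instance and no single {attr} to follow")
    target = norm_dn(refs[0])
    if not classes(directory.get(target, {})) & wanted:
        raise PolicyError(f"{dn}: {attr} does not name an entry of the required class")
    return target, False


def resolve_simple(directory, dn):
    """Resolve one simple condition/action entry to its variable and value DNs."""
    entry = directory[norm_dn(dn)]
    cls = classes(entry)
    is_cond = "pcelssimpleconditionauxclass" in cls
    is_act = "pcelssimpleactionauxclass" in cls
    if is_cond and is_act:
        raise PolicyError(f"{dn}: simple condition and simple action on the same entry")
    if not (is_cond or is_act):
        raise PolicyError(f"{dn}: not a simple condition or simple action")
    var_dn, var_stale = _resolve(directory, dn, entry, "pcelsVariableDN", VARIABLE_CLASSES)
    val_dn, val_stale = _resolve(directory, dn, entry, "pcelsValueDN", VALUE_CLASSES)
    stale = [a for a, s in (("pcelsVariableDN", var_stale), ("pcelsValueDN", val_stale)) if s]
    # "remove" lists the attributes an application SHOULD clean up.
    return {"kind": "condition" if is_cond else "action",
            "variable": var_dn, "value": val_dn, "remove": stale}


# Constructed sample directory.
BASE = "ou=policy,dc=example,dc=com"
_RAW = {
    f"cn=src-port,ou=reusable,{BASE}": {"objectClass": ["pcelsSourcePortVariableAuxClass"]},
    f"cn=dst-port,ou=reusable,{BASE}": {"objectClass": ["pcelsDestinationPortVariableAuxClass"]},
    f"cn=web,ou=reusable,{BASE}": {"objectClass": ["pcelsIntegerValueAuxClass"]},
    # c1: reusable variable and value, both reached through DN references.
    f"cn=c1,cn=rule1,{BASE}": {
        "objectClass": ["pcelsSimpleConditionAuxClass"],
        "pcelsVariableDN": [f"CN=src-port, ou=reusable,{BASE}"],
        "pcelsValueDN": [f"cn=web,ou=reusable,{BASE}"]},
    # c2: variable attached to the entry, with a leftover DN pointing elsewhere.
    f"cn=c2,cn=rule1,{BASE}": {
        "objectClass": ["pcelsSimpleConditionAuxClass", "pcelsSourcePortVariableAuxClass"],
        "pcelsVariableDN": [f"cn=dst-port,ou=reusable,{BASE}"],
        "pcelsValueDN": [f"cn=web,ou=reusable,{BASE}"]},
    # c3: both simple classes on one entry, which the Note forbids.
    f"cn=c3,cn=rule1,{BASE}": {
        "objectClass": ["pcelsSimpleConditionAuxClass", "pcelsSimpleActionAuxClass"]},
}
DIRECTORY = {norm_dn(dn): entry for dn, entry in _RAW.items()}

if __name__ == "__main__":
    for name in ("c1", "c2"):
        print(name, resolve_simple(DIRECTORY, f"cn={name},cn=rule1,{BASE}"))
```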

   The pcelsSimpleActionAuxClass class is defined as follows:

     ( IANA-ASSIGNED-OID.1.14
       NAME 'pcelsSimpleActionAuxClass'
       DESC 'Value assignment action for a policy variable'
       SUP pcimActionAuxClass
       AUXILIARY
       MAY ( pcelsVariableDN
           $ pcelsValueDN )
     )

   In a pcelsSimpleActionAuxClass, the pcelsVariableDN attribute
   represents the association between this simple policy action and
   its policy variable. It realizes the
   PolicyVariableInSimplePolicyAction association [PCIM_EXT].

   In a pcelsSimpleActionAuxClass, the pcelsValueDN attribute
   represents the association between this simple policy action and
   its policy value. It realizes the PolicyValueInSimplePolicyAction
   association [PCIM_EXT].

   These attributes are defined in section 5.7.

   Note: An instance of pcelsSimpleActionAuxClass and an instance of
   pcelsSimpleConditionAuxClass MUST NOT be attached to the same entry.
   Because the two classes use the same mechanisms to associate
   Variables and Values, this restriction is necessary in order to
   avoid ambiguities.

5.11 The Auxiliary Class pcelsCompoundActionAuxClass.

   The pcelsCompoundActionAuxClass class represents a compound policy
   action formed by the aggregation of other policy actions. It is
   mapped from the CompoundPolicyCondition class [PCIM_EXT]. The
   pcelsCompoundActionAuxClass class is an auxiliary object class and
   it is derived from the pcimActionAuxClass class [PCLS].

   The pcelsCompoundActionAuxClass class is defined as follows:

     ( IANA-ASSIGNED-OID.1.15
       NAME 'pcelsCompoundActionAuxClass'
       DESC 'Sequence of actions with specific execution strategy'
       SUP pcimActionAuxClass
       AUXILIARY
       MAY ( pcelsActionList
           $ pcelsSequencedActions
           $ pcelsExecutionStrategy )
     )

   In a pcelsCompoundActionAuxClass instance, the pcelsActionList
   attribute represents the associations between this policy rule and
   its actions.

   If the pcelsSequencedActions attribute is missing from a
   pcelsCompoundActionAuxClass instance, applications MUST assume that
   the ordered execution of actions in this compound policy action is
   not important (DontCare).

   If the pcelsExecutionStrategy attribute is missing from a
   pcelsCompoundActionAuxClass instance, applications MUST assume that
   all the actions are to be executed (Do all).

   These attribute types are defined in section 5.4.

   Like pcelsRule, instances of pcelsCompoundActionAuxClass use
   pcelsActionList values and subordinated pcelsActionAssociation
   entries to aggregate policy actions.

5.12 The Abstract Class pcelsVariable.

   The pcelsVariable class is mapped from the PolicyVariable class
   [PCIM_EXT]. The pcelsVariable is an abstract object class and it is
   derived directly from the 'top' object class [LDAP_SCHEMA].

   A pcelsVariable instance may be associated to a set of
   pcelsValueAuxClass instances that represent its expected values.
   The expected values for a variable may be indicated by:
     (1) pcelsExpectedValueList references to reusable instances of
         pcelsValueAuxClass or by
     (2) pcelsExpectedValueList references to subordinated
         non-reusable instances of pcelsValueAuxClass

   The pcelsVariable class is defined as follows:

     ( IANA-ASSIGNED-OID.1.16
       NAME 'pcelsVariable'
       DESC 'Base class for representing a policy variable'
       SUP top
       ABSTRACT
       MAY ( pcelsVariableName
           $ pcelsExpectedValueList )
     )

   The pcelsVariableName attribute type may be used as naming attribute
   for pcelsVariable entries. This attribute type is of syntax
   Directory String [LDAP_SYNTAX]. It has an equality matching rule of
   caseIgnoreMatch, an ordering matching rule of caseIgnoreOrderingMatch
   and a substrings matching rule of caseIgnoreSubstringsMatch
   [LDAP_SYNTAX]. Attributes of this type can only have a single value.

   This attribute type is defined as follows:

     ( IANA-ASSIGNED-OID.2.14
       NAME 'pcelsVariableName'
       DESC 'The user-friendly name of a variable.'
       EQUALITY caseIgnoreMatch
       ORDERING caseIgnoreOrderingMatch
       SUBSTR caseIgnoreSubstringsMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
       SINGLE-VALUE
     )

   The pcelsExpectedValueList attribute type realizes the
   ExpectedPolicyValuesForVariable association [PCIM_EXT]. This
   attribute type is of syntax DN [LDAP_SYNTAX]. It has an equality
   matching rule of distinguishedNameMatch [LDAP_SYNTAX]. Attributes of
   this type can have multiple values. The only allowed values for
   pcelsExpectedValueList attributes are DNs of pcelsValueAuxClass
   entries. In a pcelsVariable, the pcelsExpectedValueList attribute
   represents the associations between this policy variable and its
   expected values.

   This attribute type is defined as follows:

     ( IANA-ASSIGNED-OID.2.15
       NAME 'pcelsExpectedValueList'
       DESC 'Unordered set of DNs of pcelsValueAuxClass entries
             representing expected values for a policy variable'
       EQUALITY distinguishedNameMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
     )

5.13 The Auxiliary Class pcelsExplicitVariableAuxClass

   The pcelsExplicitVariableAuxClass class is mapped from the
   PolicyExplicitVariable class [PCIM_EXT]. The
   pcelsExplicitVariableAuxClass is an auxiliary object class and it is
   derived from the pcelsVariable class.

   The pcelsExplicitVariableAuxClass class is defined as follows:

     ( IANA-ASSIGNED-OID.1.17
       NAME 'pcelsExplicitVariableAuxClass'
       DESC 'Explicitly defined policy variable'
       SUP pcelsVariable
       AUXILIARY
       MUST ( pcelsVariableModelClass
            $ pcelsVariableModelProperty )
     )

   The pcelsVariableModelClass attribute type identifies a [CIM] class
   whose property is evaluated or set as a variable. It is mapped from
   the PolicyExplicitVariable.ModelClass property [PCIM_EXT]. This
   attribute type is of syntax Directory String [LDAP_SYNTAX]. It has
   an equality matching rule of caseIgnoreMatch [LDAP_SYNTAX].
   Attributes of this type can only have a single value.

   This attribute type is defined as follows:

     ( IANA-ASSIGNED-OID.2.16
       NAME 'pcelsVariableModelClass'
       DESC 'Identifies a CIM class'
       EQUALITY caseIgnoreMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
       SINGLE-VALUE
     )

   The pcelsVariableModelProperty attribute type identifies the
   attribute of a [CIM] class which is evaluated or set as a variable.
   It is mapped from the PolicyExplicitVariable.ModelProperty property
   [PCIM_EXT]. This attribute type is of syntax Directory String
   [LDAP_SYNTAX]. It has an equality matching rule of caseIgnoreMatch
   [LDAP_SYNTAX]. Attributes of this type can only have a single value.

   This attribute type is defined as follows:

     ( IANA-ASSIGNED-OID.2.17
       NAME 'pcelsVariableModelProperty'
       DESC 'Identifies the property of a CIM class.'
       EQUALITY caseIgnoreMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
       SINGLE-VALUE
     )

5.14 The Auxiliary Class pcelsImplicitVariableAuxClass

   The pcelsImplicitVariableAuxClass class is mapped from the
   PolicyImplicitVariable class [PCIM_EXT]. The
   pcelsImplicitVariableAuxClass is an auxiliary object class and it is
   derived from the pcelsVariable class.

   The pcelsImplicitVariableAuxClass class does not represent actual
   variables: these are introduced by its subclasses.
   pcelsImplicitVariableAuxClass introduces the semantics of being an
   implicitly defined policy variable and these semantics are inherited
   by all its subclasses. Among these semantics are those inherited
   from pcelsVariable that include the possibility of representing
   either rule-specific or reusable policy variables.

   In order to preserve the ability to represent rule-specific or
   reusable variables, all the subclasses of
   pcelsImplicitVariableAuxClass MUST also be auxiliary classes.

   The pcelsImplicitVariableAuxClass class is defined as follows:

     ( IANA-ASSIGNED-OID.1.18
       NAME 'pcelsImplicitVariableAuxClass'
       DESC 'Implicitly defined policy variable'
       SUP pcelsVariable
       AUXILIARY
       MAY ( pcelsExpectedValueTypes )
     )

   The pcelsExpectedValueTypes attribute type represents the set of
   policy value types that may be used with this policy variable. It is
   mapped from the PolicyImplicitVariable.ValueTypes property
   [PCIM_EXT]. This attribute type is of syntax Directory String
   [LDAP_SYNTAX]. It has an equality matching rule of caseIgnoreMatch
   [LDAP_SYNTAX]. Attributes of this type can have multiple values.

   This attribute type is defined as follows:

     ( IANA-ASSIGNED-OID.2.18
       NAME 'pcelsExpectedValueTypes'
       DESC 'Identifies subclasses of pcelsValueAuxClass by name'
       EQUALITY caseIgnoreMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     )

5.15 The Subclasses of pcelsImplicitVariableAuxClass

   The following classes are derived from the
   pcelsImplicitVariableAuxClass class. They are mapped from the
   corresponding subclasses of the PolicyImplicitVariable class
   [PCIM_EXT]. All the classes defined below are auxiliary object
   classes.

   Each one of the classes defined in this section introduces specific
   restrictions for the values of the pcelsExpectedValueTypes
   attribute. If this attribute is missing, applications MUST assume
   that all the allowed value types are expected for the policy
   variable.

   Some of these classes have additional restrictions on the actual
   values of the associated policy value instances (e.g. only integers
   in the range 0..65535 must be used with a SourcePort variable). The
   association between a pcelsImplicitVariableAuxClass instance and a
   pcelsValueAuxClass instance that contains values outside the valid
   range or set for that variable SHOULD be considered invalid. The
   entry that realizes such association SHOULD be treated as invalid
   and the policy rules or groups that refer to it SHOULD be treated as
   being disabled, meaning that the execution of such policy rules or
   groups SHOULD be stopped.

   The pcelsSourceIPv4VariableAuxClass class is defined as follows:

     ( IANA-ASSIGNED-OID.1.19
       NAME 'pcelsSourceIPv4VariableAuxClass'
       DESC 'Source IP v4 address'
       SUP pcelsImplicitVariableAuxClass
       AUXILIARY
     )

   In a pcelsSourceIPv4VariableAuxClass instance, the only allowed
   value for the pcelsExpectedValueTypes attribute is
   'pcelsIPv4AddrValueAuxClass'.
2158    The pcelsSourceIPv6VariableAuxClass class is defined as follows:

2160      ( IANA-ASSIGNED-OID.1.20
2161        NAME 'pcelsSourceIPv6VariableAuxClass'
2162        DESC 'Source IP v6 address'
2163        SUP pcelsImplicitVariableAuxClass
2164        AUXILIARY
2165      )

2167    In a pcelsSourceIPv6VariableAuxClass instance, the only allowed
2168    value for the pcelsExpectedValueTypes attribute is
2169    'pcelsIPv6AddrValueAuxClass'.

2171    The pcelsDestinationIPv4VariableAuxClass class is defined as
2172    follows:

2174      ( IANA-ASSIGNED-OID.1.21
2175        NAME 'pcelsDestinationIPv4VariableAuxClass'
2176        DESC 'Destination IP v4 address'
2177        SUP pcelsImplicitVariableAuxClass
2178        AUXILIARY
2179      )

2181    In a pcelsDestinationIPv4VariableAuxClass instance, the only allowed
2182    value for the pcelsExpectedValueTypes attribute is
2183    'pcelsIPv4AddrValueAuxClass'.

2185    The pcelsDestinationIPv6VariableAuxClass class is defined as
2186    follows:

2188      ( IANA-ASSIGNED-OID.1.22
2189        NAME 'pcelsDestinationIPv6VariableAuxClass'
2190        DESC 'Destination IP v6 address'
2191        SUP pcelsImplicitVariableAuxClass
2192        AUXILIARY
2193      )

2195    In a pcelsDestinationIPv6VariableAuxClass instance, the only allowed
2196    value for the pcelsExpectedValueTypes attribute is
2197    'pcelsIPv6AddrValueAuxClass'.

2199    The pcelsSourcePortVariableAuxClass class is defined as follows:

2201      ( IANA-ASSIGNED-OID.1.23
2202        NAME 'pcelsSourcePortVariableAuxClass'
2203        DESC 'Source port'
2204        SUP pcelsImplicitVariableAuxClass
2205        AUXILIARY
2206      )

2207    In a pcelsSourcePortVariableAuxClass instance, the only allowed
2208    value for the pcelsExpectedValueTypes attribute is
2209    'pcelsIntegerValueAuxClass'. Additionally, only policy values
2210    that represent integers in the range 0..65535 (inclusive) SHOULD
2211    be used with pcelsSourcePortVariableAuxClass instances.

2213    The pcelsDestinationPortVariableAuxClass class is defined as
2214    follows:

2216      ( IANA-ASSIGNED-OID.1.24
2217        NAME 'pcelsDestinationPortVariableAuxClass'
2218        DESC 'Destination port'
2219        SUP pcelsImplicitVariableAuxClass
2220        AUXILIARY
2221      )

2223    In a pcelsDestinationPortVariableAuxClass instance, the only allowed
2224    value for the pcelsExpectedValueTypes attribute is
2225    'pcelsIntegerValueAuxClass'. Additionally, only policy values
2226    that represent integers in the range 0..65535 (inclusive) SHOULD be
2227    used with pcelsDestinationPortVariableAuxClass instances.

2229    The pcelsIPProtocolVariableAuxClass class is defined as follows:

2231      ( IANA-ASSIGNED-OID.1.25
2232        NAME 'pcelsIPProtocolVariableAuxClass'
2233        DESC 'IP protocol number'
2234        SUP pcelsImplicitVariableAuxClass
2235        AUXILIARY
2236      )

2238    In a pcelsIPProtocolVariableAuxClass instance, the only allowed
2239    value for the pcelsExpectedValueTypes attribute is
2240    'pcelsIntegerValueAuxClass'. Additionally, only policy values
2241    that represent integers in the range 0..255 (inclusive) SHOULD be
2242    used with pcelsIPProtocolVariableAuxClass instances.

2244    The pcelsIPVersionVariableAuxClass class is defined as follows:

2246      ( IANA-ASSIGNED-OID.1.26
2247        NAME 'pcelsIPVersionVariableAuxClass'
2248        DESC 'IP version number'
2249        SUP pcelsImplicitVariableAuxClass
2250        AUXILIARY
2251      )

2252    In a pcelsIPVersionVariableAuxClass instance, the only allowed
2253    value for the pcelsExpectedValueTypes attribute is
2254    'pcelsIntegerValueAuxClass'. Additionally, only policy values
2255    that represent integers in the range 0..15 (inclusive) SHOULD be
2256    used with pcelsIPVersionVariableAuxClass instances.

2258    The pcelsIPToSVariableAuxClass class is defined as follows:

2260      ( IANA-ASSIGNED-OID.1.27
2261        NAME 'pcelsIPToSVariableAuxClass'
2262        DESC 'IP ToS octet'
2263        SUP pcelsImplicitVariableAuxClass
2264        AUXILIARY
2265      )

2267    In a pcelsIPToSVariableAuxClass instance, the only allowed
2268    values for the pcelsExpectedValueTypes attribute are
2269    'pcelsIntegerValueAuxClass' and 'pcelsBitStringValueAuxClass'.
2270    Additionally, only policy values that represent integers in the
2271    range 0..255 (inclusive) or 8-bit bitStrings SHOULD be used with
2272    pcelsIPToSVariableAuxClass instances.

2274    The pcelsDSCPVariableAuxClass class is defined as follows:

2276      ( IANA-ASSIGNED-OID.1.28
2277        NAME 'pcelsDSCPVariableAuxClass'
2278        DESC 'DiffServ code point'
2279        SUP pcelsImplicitVariableAuxClass
2280        AUXILIARY
2281      )

2283    In a pcelsDSCPVariableAuxClass instance, the only allowed
2284    values for the pcelsExpectedValueTypes attribute are
2285    'pcelsIntegerValueAuxClass' and 'pcelsBitStringValueAuxClass'.
2286    Additionally, only policy values that represent integers in the
2287    range 0..63 (inclusive) or 6-bit bitStrings SHOULD be used with
2288    pcelsDSCPVariableAuxClass instances.

2290    The pcelsFlowIdVariableAuxClass class is defined as follows:

2292      ( IANA-ASSIGNED-OID.1.29
2293        NAME 'pcelsFlowIdVariableAuxClass'
2294        DESC 'Flow Identifier'
2295        SUP pcelsImplicitVariableAuxClass
2296        AUXILIARY
2297      )

2298    In a pcelsFlowIdVariableAuxClass instance, the only allowed
2299    values for the pcelsExpectedValueTypes attribute are
2300    'pcelsIntegerValueAuxClass' and 'pcelsBitStringValueAuxClass'.
2301    Additionally, only policy values that represent integers in the
2302    range 0..1048575 (inclusive) or 20-bit bitStrings SHOULD be used
2303    with pcelsFlowIdVariableAuxClass instances.

2305    The pcelsSourceMACVariableAuxClass class is defined as follows:

2307      ( IANA-ASSIGNED-OID.1.30
2308        NAME 'pcelsSourceMACVariableAuxClass'
2309        DESC 'Source MAC address'
2310        SUP pcelsImplicitVariableAuxClass
2311        AUXILIARY
2312      )

2314    In a pcelsSourceMACVariableAuxClass instance, the only allowed
2315    value for the pcelsExpectedValueTypes attribute is
2316    'pcelsMACAddrValueAuxClass'.

2318    The pcelsDestinationMACVariableAuxClass class is defined as follows:

2320      ( IANA-ASSIGNED-OID.1.31
2321        NAME 'pcelsDestinationMACVariableAuxClass'
2322        DESC 'Destination MAC address'
2323        SUP pcelsImplicitVariableAuxClass
2324        AUXILIARY
2325      )

2327    In a pcelsDestinationMACVariableAuxClass instance, the only allowed
2328    value for the pcelsExpectedValueTypes attribute is
2329    'pcelsMACAddrValueAuxClass'.

2331    The pcelsVLANVariableAuxClass class is defined as follows:

2333      ( IANA-ASSIGNED-OID.1.32
2334        NAME 'pcelsVLANVariableAuxClass'
2335        DESC 'VLAN'
2336        SUP pcelsImplicitVariableAuxClass
2337        AUXILIARY
2338      )

2340    In a pcelsVLANVariableAuxClass instance, the only allowed
2341    values for the pcelsExpectedValueTypes attribute are
2342    'pcelsIntegerValueAuxClass' and 'pcelsBitStringValueAuxClass'.
2343    Additionally, only policy values that represent integers in the
2344    range 0..4095 (inclusive) or 12-bit bitStrings SHOULD be used with
2345    pcelsVLANVariableAuxClass instances.

2347    The pcelsCoSVariableAuxClass class is defined as follows:

2349      ( IANA-ASSIGNED-OID.1.33
2350        NAME 'pcelsCoSVariableAuxClass'
2351        DESC 'Class of service'
2352        SUP pcelsImplicitVariableAuxClass
2353        AUXILIARY
2354      )

2356    In a pcelsCoSVariableAuxClass instance, the only allowed
2357    values for the pcelsExpectedValueTypes attribute are
2358    'pcelsIntegerValueAuxClass' and 'pcelsBitStringValueAuxClass'.
2359    Additionally, only policy values that represent integers in the
2360    range 0..7 (inclusive) or 3-bit bitStrings SHOULD be used with
2361    pcelsCoSVariableAuxClass instances.

2363    The pcelsEthertypeVariableAuxClass class is defined as follows:

2365      ( IANA-ASSIGNED-OID.1.34
2366        NAME 'pcelsEthertypeVariableAuxClass'
2367        DESC 'Ethertype'
2368        SUP pcelsImplicitVariableAuxClass
2369        AUXILIARY
2370      )

2372    In a pcelsEthertypeVariableAuxClass instance, the only allowed
2373    values for the pcelsExpectedValueTypes attribute are
2374    'pcelsIntegerValueAuxClass' and 'pcelsBitStringValueAuxClass'.
2375    Additionally, only policy values that represent integers in the
2376    range 0..65535 (inclusive) or 16-bit bitStrings SHOULD be used with
2377    pcelsEthertypeVariableAuxClass instances.

2379    The pcelsSourceSAPVariableAuxClass class is defined as follows:

2381      ( IANA-ASSIGNED-OID.1.35
2382        NAME 'pcelsSourceSAPVariableAuxClass'
2383        DESC 'Source SAP'
2384        SUP pcelsImplicitVariableAuxClass
2385        AUXILIARY
2386      )

2388    In a pcelsSourceSAPVariableAuxClass instance, the only allowed
2389    values for the pcelsExpectedValueTypes attribute are
2390    'pcelsIntegerValueAuxClass' and 'pcelsBitStringValueAuxClass'.
2391    Additionally, only policy values that represent integers in the
2392    range 0..255 (inclusive) or 8-bit bitStrings SHOULD be used with
2393    pcelsSourceSAPVariableAuxClass instances.

2395    The pcelsDestinationSAPVariableAuxClass class is defined as follows:

2397      ( IANA-ASSIGNED-OID.1.36
2398        NAME 'pcelsDestinationSAPVariableAuxClass'
2399        DESC 'Destination SAP'
2400        SUP pcelsImplicitVariableAuxClass
2401        AUXILIARY
2402      )

2404    In a pcelsDestinationSAPVariableAuxClass instance, the only allowed
2405    values for the pcelsExpectedValueTypes attribute are
2406    'pcelsIntegerValueAuxClass' and 'pcelsBitStringValueAuxClass'.
2407    Additionally, only policy values that represent integers in the
2408    range 0..255 (inclusive) or 8-bit bitStrings SHOULD be used with
2409    pcelsDestinationSAPVariableAuxClass instances.

2411    The pcelsSNAPOUIVariableAuxClass class is defined as follows:

2413      ( IANA-ASSIGNED-OID.1.37
2414        NAME 'pcelsSNAPOUIVariableAuxClass'
2415        DESC 'SNAP OUI'
2416        SUP pcelsImplicitVariableAuxClass
2417        AUXILIARY
2418      )

2420    In a pcelsSNAPOUIVariableAuxClass instance, the only allowed
2421    values for the pcelsExpectedValueTypes attribute are
2422    'pcelsIntegerValueAuxClass' and 'pcelsBitStringValueAuxClass'.
2423    Additionally, only policy values that represent integers in the
2424    range 0..16777215 (inclusive) or 24-bit bitStrings SHOULD be used
2425    with pcelsSNAPOUIVariableAuxClass instances.

2427    The pcelsSNAPTypeVariableAuxClass class is defined as follows:

2429      ( IANA-ASSIGNED-OID.1.38
2430        NAME 'pcelsSNAPTypeVariableAuxClass'
2431        DESC 'SNAP type'
2432        SUP pcelsImplicitVariableAuxClass
2433        AUXILIARY
2434      )

2436    In a pcelsSNAPTypeVariableAuxClass instance, the only allowed
2437    values for the pcelsExpectedValueTypes attribute are
2438    'pcelsIntegerValueAuxClass' and 'pcelsBitStringValueAuxClass'.
2439    Additionally, only policy values that represent integers in the
2440    range 0..65535 (inclusive) or 16-bit bitStrings SHOULD be used with
2441    pcelsSNAPTypeVariableAuxClass instances.

2443    The pcelsFlowDirectionVariableAuxClass class is defined as follows:

2445      ( IANA-ASSIGNED-OID.1.39
2446        NAME 'pcelsFlowDirectionVariableAuxClass'
2447        DESC 'Flow direction'
2448        SUP pcelsImplicitVariableAuxClass
2449        AUXILIARY
2450      )

2452    In a pcelsFlowDirectionVariableAuxClass instance, the only allowed
2453    value for the pcelsExpectedValueTypes attribute is
2454    'pcelsStringValueAuxClass'. Additionally, only policy values that
2455    represent the strings 'IN' and 'OUT' SHOULD be used with
2456    pcelsFlowDirectionVariableAuxClass instances.

2458 5.16 The Auxiliary Class pcelsValueAuxClass.

2460    The pcelsValueAuxClass class is the base class for representing a
2461    policy value. It is mapped from the PolicyValue class [PCIM_EXT].
2462    The pcelsValueAuxClass is an auxiliary object class and it is
2463    derived directly from the 'top' object class [LDAP_SCHEMA].

2465    The pcelsValueAuxClass class does not represent actual values: these
2466    are introduced by its subclasses. pcelsValueAuxClass introduces the
2467    semantics of being a policy value and these semantics are inherited
2468    by all its subclasses. Among these semantics are those of
2469    representing either rule-specific or reusable policy values.

2471    In order to preserve the ability to represent rule-specific or
2472    reusable values, all the subclasses of pcelsValueAuxClass MUST also
2473    be auxiliary classes.

2475    The pcelsValueAuxClass class is defined as follows:

2477      ( IANA-ASSIGNED-OID.1.40
2478        NAME 'pcelsValueAuxClass'
2479        DESC 'Base class for representing a policy value'
2480        SUP top
2481        AUXILIARY
2482        MAY ( pcelsValueName )
2483      )

2485    The pcelsValueName attribute type may be used as naming attribute
2486    for pcelsValueAuxClass entries. This attribute type is of syntax
2487    Directory String [LDAP_SYNTAX]. It has an equality matching rule of
2488    caseIgnoreMatch, an ordering matching rule of caseIgnoreOrderingMatch
2489    and a substrings matching rule of caseIgnoreSubstringsMatch
2490    [LDAP_SYNTAX]. Attributes of this type can only have a single value.

2492    This attribute type is defined as follows:

2494      ( IANA-ASSIGNED-OID.2.19
2495        NAME 'pcelsValueName'
2496        DESC 'The user-friendly name of a value'
2497        EQUALITY caseIgnoreMatch
2498        ORDERING caseIgnoreOrderingMatch
2499        SUBSTR caseIgnoreSubstringsMatch
2500        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
2501        SINGLE-VALUE
2502      )

2504 5.17 The Subclasses of pcelsValueAuxClass.

2506    The following classes are derived from the pcelsValueAuxClass class.
2507    They are mapped from the corresponding subclasses of the PolicyValue
2508    class [PCIM_EXT]. All the classes defined below are auxiliary object
2509    classes.

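The Section 5.15 restrictions can be enforced mechanically before a policy entry is accepted. The following Python sketch is an added example, not part of the draft: it checks a variable/value association against the allowed pcelsExpectedValueTypes and value ranges and lists the rules that SHOULD be treated as disabled. Entries are assumed to be dicts mapping attribute names to lists of strings, the function names are hypothetical, and the "n" / "n..m" item format for pcelsIntegerList is an assumption (the draft defers the format to [PCIM_EXT]).

```python
import re

IPV4, IPV6 = "pcelsIPv4AddrValueAuxClass", "pcelsIPv6AddrValueAuxClass"
MAC, STR = "pcelsMACAddrValueAuxClass", "pcelsStringValueAuxClass"
INT, BITS = "pcelsIntegerValueAuxClass", "pcelsBitStringValueAuxClass"
VALUE_CLASSES = {c.lower() for c in (IPV4, IPV6, MAC, STR, INT, BITS)}

def _rule(types, int_max=None, width=None, strings=None):
    return {"types": {t.lower() for t in types}, "int_max": int_max,
            "width": width, "strings": strings}

def _bits(width):
    # Integer-or-bit-string variables: the integer range is 0..2^width - 1.
    return _rule((INT, BITS), int_max=2 ** width - 1, width=width)

# Section 5.15 restrictions, keyed by lower-cased object class name.
RULES = {name.lower(): rule for name, rule in {
    "pcelsSourceIPv4VariableAuxClass": _rule((IPV4,)),
    "pcelsSourceIPv6VariableAuxClass": _rule((IPV6,)),
    "pcelsDestinationIPv4VariableAuxClass": _rule((IPV4,)),
    "pcelsDestinationIPv6VariableAuxClass": _rule((IPV6,)),
    "pcelsSourcePortVariableAuxClass": _rule((INT,), int_max=65535),
    "pcelsDestinationPortVariableAuxClass": _rule((INT,), int_max=65535),
    "pcelsIPProtocolVariableAuxClass": _rule((INT,), int_max=255),
    "pcelsIPVersionVariableAuxClass": _rule((INT,), int_max=15),
    "pcelsIPToSVariableAuxClass": _bits(8),
    "pcelsDSCPVariableAuxClass": _bits(6),
    "pcelsFlowIdVariableAuxClass": _bits(20),
    "pcelsSourceMACVariableAuxClass": _rule((MAC,)),
    "pcelsDestinationMACVariableAuxClass": _rule((MAC,)),
    "pcelsVLANVariableAuxClass": _bits(12),
    "pcelsCoSVariableAuxClass": _bits(3),
    "pcelsEthertypeVariableAuxClass": _bits(16),
    "pcelsSourceSAPVariableAuxClass": _bits(8),
    "pcelsDestinationSAPVariableAuxClass": _bits(8),
    "pcelsSNAPOUIVariableAuxClass": _bits(24),
    "pcelsSNAPTypeVariableAuxClass": _bits(16),
    "pcelsFlowDirectionVariableAuxClass": _rule((STR,), strings={"IN", "OUT"}),
}.items()}

# Assumed pcelsIntegerList item format: "n" or "n..m" (the draft defers to [PCIM_EXT]).
_INT_ITEM = re.compile(r"^(-?\d+)(?:\.\.(-?\d+))?$")

def _check_values(var_class, rule, used, value):
    problems = []
    if INT.lower() in used and rule["int_max"] is not None:
        for item in value.get("pcelsIntegerList", []):
            m = _INT_ITEM.match(item.strip())
            if not m:  # fail closed on anything that is not "n" or "n..m"
                problems.append(f"{var_class}: unparsable integer item {item!r}")
                continue
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
            if lo < 0 or lo > hi or hi > rule["int_max"]:
                problems.append(f"{var_class}: {item!r} outside 0..{rule['int_max']}")
    if BITS.lower() in used and rule["width"]:
        for item in value.get("pcelsBitStringList", []):
            # Only plain binary strings are checked; other [PCIM_EXT] formats are skipped.
            if re.fullmatch(r"[01]+", item) and len(item) != rule["width"]:
                problems.append(f"{var_class}: {item!r} is not {rule['width']} bits")
    if STR.lower() in used and rule["strings"]:
        for item in value.get("pcelsStringList", []):
            if item.upper() not in rule["strings"]:  # caseIgnoreMatch semantics
                problems.append(f"{var_class}: string {item!r} not allowed")
    return problems

def check_association(variable, value):
    """Return the list of problems; an empty list means the association is valid."""
    var_classes = [c.lower() for c in variable.get("objectClass", [])
                   if c.lower() in RULES]
    if not var_classes:
        return ["no known implicit variable class on the variable entry"]
    used = {c.lower() for c in value.get("objectClass", [])} & VALUE_CLASSES
    problems = []
    for var_class in var_classes:
        rule = RULES[var_class]
        declared = {v.lower() for v in variable.get("pcelsExpectedValueTypes", [])}
        for extra in sorted(declared - rule["types"]):
            problems.append(f"{var_class}: expected value type {extra} not allowed")
        # Attribute missing: all allowed value types are expected (MUST).
        expected = (declared & rule["types"]) if declared else rule["types"]
        if not used or not used <= expected:
            problems.append(f"{var_class}: value classes {sorted(used)} not expected")
            continue
        problems += _check_values(var_class, rule, used, value)
    return problems

def disabled_rules(rule_associations):
    """Names of rules referencing at least one invalid association (SHOULD be disabled)."""
    return sorted(name for name, pairs in rule_associations.items()
                  if any(check_association(var, val) for var, val in pairs))

# Constructed sample entries (attribute name -> list of values), not from the draft.
PORT_VAR = {"objectClass": ["pcelsSourcePortVariableAuxClass"]}
DSCP_VAR = {"objectClass": ["pcelsDSCPVariableAuxClass"],
            "pcelsExpectedValueTypes": ["pcelsBitStringValueAuxClass"]}
WEB_PORTS = {"objectClass": [INT], "pcelsIntegerList": ["80", "8000..8080"]}
BAD_PORTS = {"objectClass": [INT], "pcelsIntegerList": ["443", "70000"]}
EF_BITS = {"objectClass": [BITS], "pcelsBitStringList": ["101110"]}
EF_INT = {"objectClass": [INT], "pcelsIntegerList": ["46"]}
```

Because DSCP_VAR narrows pcelsExpectedValueTypes to bit strings, the integer value EF_INT is rejected even though the class itself permits integers in 0..63.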
2511    The pcelsIPv4AddrValueAuxClass class represents a policy value that
2512    provides an unordered set of IPv4 addresses, IPv4 address ranges or
2513    hosts. It is mapped from the PolicyIPv4AddrValue class [PCIM_EXT].

2515    The pcelsIPv4AddrValueAuxClass class is defined as follows:

2517      ( IANA-ASSIGNED-OID.1.41
2518        NAME 'pcelsIPv4AddrValueAuxClass'
2519        DESC 'Provides IPv4 addresses'
2520        SUP pcelsValueAuxClass
2521        AUXILIARY
2522        MUST ( pcelsIPv4AddrList )
2523      )

2525    The pcelsIPv4AddrList attribute type represents an unordered set of
2526    IPv4 addresses, IPv4 address ranges or hosts. It is mapped from the
2527    PolicyIPv4AddrValue.IPv4AddrList property [PCIM_EXT]. This attribute
2528    type is of syntax Directory String [LDAP_SYNTAX]. It has an equality
2529    matching rule of caseIgnoreMatch, an ordering matching rule of
2530    caseIgnoreOrderingMatch and a substrings matching rule of
2531    caseIgnoreSubstringsMatch [LDAP_SYNTAX]. Attributes of this type can
2532    have multiple values. The only allowed values for attributes of this
2533    type are strings conforming to any of the formats defined for the
2534    IPv4AddrList property [PCIM_EXT].

2536    This attribute type is defined as follows:

2538      ( IANA-ASSIGNED-OID.2.20
2539        NAME 'pcelsIPv4AddrList'
2540        DESC 'Unordered set of IPv4 addresses, IPv4 address ranges or
2541              hosts'
2542        EQUALITY caseIgnoreMatch
2543        ORDERING caseIgnoreOrderingMatch
2544        SUBSTR caseIgnoreSubstringsMatch
2545        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
2546      )

2548    The pcelsIPv6AddrValueAuxClass class represents a policy value that
2549    provides an unordered set of IPv6 addresses, IPv6 address ranges or
2550    hosts. It is mapped from the PolicyIPv6AddrValue class [PCIM_EXT].

2552    The pcelsIPv6AddrValueAuxClass class is defined as follows:

2554      ( IANA-ASSIGNED-OID.1.42
2555        NAME 'pcelsIPv6AddrValueAuxClass'
2556        DESC 'Provides IPv6 addresses'
2557        SUP pcelsValueAuxClass
2558        AUXILIARY
2559        MUST ( pcelsIPv6AddrList )
2560      )

2562    The pcelsIPv6AddrList attribute type represents an unordered set of
2563    IPv6 addresses, IPv6 address ranges or hosts. It is mapped from the
2564    PolicyIPv6AddrValue.IPv6AddrList property [PCIM_EXT]. This attribute
2565    type is of syntax Directory String [LDAP_SYNTAX]. It has an equality
2566    matching rule of caseIgnoreMatch, an ordering matching rule of
2567    caseIgnoreOrderingMatch and a substrings matching rule of
2568    caseIgnoreSubstringsMatch [LDAP_SYNTAX]. Attributes of this type can
2569    have multiple values. The only allowed values for attributes of this
2570    type are strings conforming to any of the formats defined for the
2571    IPv6AddrList property [PCIM_EXT].

2573    This attribute type is defined as follows:

2575      ( IANA-ASSIGNED-OID.2.21
2576        NAME 'pcelsIPv6AddrList'
2577        DESC 'Unordered set of IPv6 addresses, IPv6 address ranges or
2578              hosts'
2579        EQUALITY caseIgnoreMatch
2580        ORDERING caseIgnoreOrderingMatch
2581        SUBSTR caseIgnoreSubstringsMatch
2582        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
2583      )

2584    The pcelsMACAddrValueAuxClass class represents a policy value that
2585    provides an unordered set of MAC addresses or MAC address ranges. It
2586    is mapped from the PolicyMACAddrValue class [PCIM_EXT].

2588    The pcelsMACAddrValueAuxClass class is defined as follows:

2590      ( IANA-ASSIGNED-OID.1.43
2591        NAME 'pcelsMACAddrValueAuxClass'
2592        DESC 'Provides MAC addresses'
2593        SUP pcelsValueAuxClass
2594        AUXILIARY
2595        MUST ( pcelsMACAddrList )
2596      )

2598    The pcelsMACAddrList attribute type represents an unordered set of
2599    MAC addresses or MAC address ranges. It is mapped from the
2600    PolicyMACAddrValue.MACAddrList property [PCIM_EXT]. This attribute
2601    type is of syntax Directory String [LDAP_SYNTAX].
        It has an equality
2602    matching rule of caseIgnoreMatch, an ordering matching rule of
2603    caseIgnoreOrderingMatch and a substrings matching rule of
2604    caseIgnoreSubstringsMatch [LDAP_SYNTAX]. Attributes of this type can
2605    have multiple values. The only allowed values for attributes of this
2606    type are strings conforming to any of the formats defined for the
2607    MACAddrList property [PCIM_EXT].

2609    This attribute type is defined as follows:

2611      ( IANA-ASSIGNED-OID.2.22
2612        NAME 'pcelsMACAddrList'
2613        DESC 'Unordered set of MAC addresses or MAC address ranges'
2614        EQUALITY caseIgnoreMatch
2615        ORDERING caseIgnoreOrderingMatch
2616        SUBSTR caseIgnoreSubstringsMatch
2617        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
2618      )

2620    The pcelsStringValueAuxClass class represents a policy value that
2621    provides an unordered set of strings with wildcards. It is mapped
2622    from the PolicyStringValue class [PCIM_EXT].

2624    The pcelsStringValueAuxClass class is defined as follows:

2626      ( IANA-ASSIGNED-OID.1.44
2627        NAME 'pcelsStringValueAuxClass'
2628        DESC 'Provides string values'
2629        SUP pcelsValueAuxClass
2630        AUXILIARY
2631        MUST ( pcelsStringList )
2632      )

2633    The pcelsStringList attribute type represents an unordered set of
2634    strings with wildcards. It is mapped from the
2635    PolicyStringValue.StringList property [PCIM_EXT]. This attribute
2636    type is of syntax Directory String [LDAP_SYNTAX]. It has an equality
2637    matching rule of caseIgnoreMatch, an ordering matching rule of
2638    caseIgnoreOrderingMatch and a substrings matching rule of
2639    caseIgnoreSubstringsMatch [LDAP_SYNTAX]. Attributes of this type can
2640    have multiple values. The only allowed values for attributes of this
2641    type are strings conforming to the format defined for the StringList
2642    property [PCIM_EXT].

2644    This attribute type is defined as follows:

2646      ( IANA-ASSIGNED-OID.2.23
2647        NAME 'pcelsStringList'
2648        DESC 'Unordered set of strings with wildcards'
2649        EQUALITY caseIgnoreMatch
2650        ORDERING caseIgnoreOrderingMatch
2651        SUBSTR caseIgnoreSubstringsMatch
2652        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
2653      )

2655    The pcelsBitStringValueAuxClass class represents a policy value that
2656    provides an unordered set of bit strings or bit string ranges. It is
2657    mapped from the PolicyBitStringValue class [PCIM_EXT].

2659    The pcelsBitStringValueAuxClass class is defined as follows:

2661      ( IANA-ASSIGNED-OID.1.45
2662        NAME 'pcelsBitStringValueAuxClass'
2663        DESC 'Provides bit strings'
2664        SUP pcelsValueAuxClass
2665        AUXILIARY
2666        MUST ( pcelsBitStringList )
2667      )

2669    The pcelsBitStringList attribute type represents an unordered set of
2670    bit strings or bit string ranges. It is mapped from the
2671    PolicyBitStringValue.BitStringList property [PCIM_EXT]. This
2672    attribute type is of syntax Directory String [LDAP_SYNTAX]. It has
2673    an equality matching rule of caseIgnoreMatch, an ordering matching
2674    rule of caseIgnoreOrderingMatch and a substrings matching rule of
2675    caseIgnoreSubstringsMatch [LDAP_SYNTAX]. Attributes of this type can
2676    have multiple values. The only allowed values for attributes of this
2677    type are strings conforming to any of the formats defined for the
2678    BitStringList property [PCIM_EXT].

2680    This attribute type is defined as follows:

2682      ( IANA-ASSIGNED-OID.2.24
2683        NAME 'pcelsBitStringList'
2684        DESC 'Unordered set of bit strings or bit string ranges'
2685        EQUALITY caseIgnoreMatch
2686        ORDERING caseIgnoreOrderingMatch
2687        SUBSTR caseIgnoreSubstringsMatch
2688        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
2689      )

2691    The pcelsIntegerValueAuxClass class represents a policy value that
2692    provides an unordered set of integers or integer ranges. It is
2693    mapped from the PolicyIntegerValue class [PCIM_EXT].

2695    The pcelsIntegerValueAuxClass class is defined as follows:

2697      ( IANA-ASSIGNED-OID.1.46
2698        NAME 'pcelsIntegerValueAuxClass'
2699        DESC 'Provides integer values'
2700        SUP pcelsValueAuxClass
2701        AUXILIARY
2702        MUST ( pcelsIntegerList )
2703      )

2705    The pcelsIntegerList attribute type represents an unordered set of
2706    integers or integer ranges. It is mapped from the
2707    PolicyIntegerValue.IntegerList property [PCIM_EXT]. This
2708    attribute type is of syntax Directory String [LDAP_SYNTAX]. It has
2709    an equality matching rule of caseIgnoreMatch, an ordering matching
2710    rule of caseIgnoreOrderingMatch and a substrings matching rule of
2711    caseIgnoreSubstringsMatch [LDAP_SYNTAX]. Attributes of this type can
2712    have multiple values. The only allowed values for attributes of this
2713    type are strings conforming to the format defined for the
2714    IntegerList property [PCIM_EXT].

2716    This attribute type is defined as follows:

2718      ( IANA-ASSIGNED-OID.2.25
2719        NAME 'pcelsIntegerList'
2720        DESC 'Unordered set of integers or integer ranges'
2721        EQUALITY caseIgnoreMatch
2722        ORDERING caseIgnoreOrderingMatch
2723        SUBSTR caseIgnoreSubstringsMatch
2724        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
2725      )

2727    The pcelsBooleanValueAuxClass class represents a policy value that
2728    provides a boolean. It is mapped from the PolicyIntegerValue class
2729    [PCIM_EXT].

2731    The pcelsBooleanValueAuxClass class is defined as follows:

2733      ( IANA-ASSIGNED-OID.1.47
2734        NAME 'pcelsBooleanValueAuxClass'
2735        DESC 'Provides a boolean value.'
2736        SUP pcelsValueAuxClass
2737        AUXILIARY
2738        MUST ( pcelsBoolean )
2739      )

2741    The pcelsBoolean attribute type represents a boolean. It is mapped
2742    from the PolicyBooleanValue.BooleanValue property [PCIM_EXT]. This
2743    attribute type is of syntax Boolean [LDAP_SYNTAX]. It has an
2744    equality matching rule of booleanMatch [LDAP_MATCH]. Attributes of
2745    this type can only have a single value.

2747    This attribute type is defined as follows:

2749      ( IANA-ASSIGNED-OID.2.26
2750        NAME 'pcelsBoolean'
2751        DESC 'Boolean value'
2752        EQUALITY booleanMatch
2753        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
2754        SINGLE-VALUE
2755      )

2757 5.18 The Three Reusable Policy Container Classes

2759    The pcelsReusableContainer class represents a container of reusable
2760    policy elements. It is mapped from the ReusablePolicyContainer
2761    class [PCIM_EXT]. The pcelsReusableContainer class is derived from
2762    the pcimRepository class [PCLS]. To maximize flexibility, the
2763    pcelsReusableContainer class is defined as abstract. An auxiliary
2764    subclass pcelsReusableContainerAuxClass enables the attachment of a
2765    reusable policy container to an existing entry, while a structural
2766    subclass pcelsReusableContainerInstance permits the representation
2767    of a reusable policy container as a standalone entry.

2769    The elements contained in a reusable policy container are aggregated
2770    via subordination to a pcelsReusableContainer instance (DIT
2771    containment). A reusable policy container can include the elements
2772    of another reusable policy container by aggregating the container
2773    itself. This is realized by DIT containment when the policy
2774    containers are subordinated to one another, or by reference when
2775    the aggregating policy container references the aggregated one using
2776    the attribute pcelsReusableContainerList.

2778    The pcelsReusableContainer class is defined as follows:

2780      ( IANA-ASSIGNED-OID.1.48
2781        NAME 'pcelsReusableContainer'
2782        DESC 'Container for reusable policy information'
2783        SUP pcimRepository
2784        ABSTRACT
2785        MAY ( pcelsReusableContainerName
2786              $ pcelsReusableContainerList )
2787      )

2789    The pcelsReusableContainerAuxClass class is defined as follows:

2791      ( IANA-ASSIGNED-OID.1.49
2792        NAME 'pcelsReusableContainerAuxClass'
2793        DESC 'Container for reusable policy information'
2794        SUP pcelsReusableContainer
2795        AUXILIARY
2796      )

2798    The pcelsReusableContainerInstance class is defined as follows:

2800      ( IANA-ASSIGNED-OID.1.50
2801        NAME 'pcelsReusableContainerInstance'
2802        DESC 'Container for reusable policy information'
2803        SUP pcelsReusableContainer
2804        STRUCTURAL
2805      )

2807    The pcelsReusableContainerName attribute type may be used as naming
2808    attribute for pcelsReusableContainer entries. This attribute type is
2809    of syntax Directory String [LDAP_SYNTAX]. It has an equality
2810    matching rule of caseIgnoreMatch, an ordering matching rule of
2811    caseIgnoreOrderingMatch and a substrings matching rule of
2812    caseIgnoreSubstringsMatch [LDAP_SYNTAX]. Attributes of this type can
2813    only have a single value.

2815    This attribute type is defined as follows:

2817      ( IANA-ASSIGNED-OID.2.27
2818        NAME 'pcelsReusableContainerName'
2819        DESC 'User-friendly name of a reusable policy container'
2820        EQUALITY caseIgnoreMatch
2821        ORDERING caseIgnoreOrderingMatch
2822        SUBSTR caseIgnoreSubstringsMatch
2823        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
2824        SINGLE-VALUE
2825      )

2826    The pcelsReusableContainerList attribute type realizes the
2827    ContainedDomain association [PCIM_EXT]. This attribute type
2828    is of syntax DN [LDAP_SYNTAX]. It has an equality matching rule of
2829    distinguishedNameMatch [LDAP_SYNTAX]. Attributes of this type can
2830    have multiple values.
        The only allowed values for
2831    pcelsReusableContainerList attributes are DNs of
2832    pcelsReusableContainer entries. In a pcelsReusableContainer, the
2833    pcelsReusableContainerList attribute represents the associations
2834    between this reusable policy container and other reusable policy
2835    containers for the purpose of including them as nested containers.

2837    This attribute type is defined as follows:

2839      ( IANA-ASSIGNED-OID.2.28
2840        NAME 'pcelsReusableContainerList'
2841        DESC 'Unordered set of DNs of pcelsReusableContainer entries'
2842        EQUALITY distinguishedNameMatch
2843        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
2844      )

2846    Note: PCELS implementations SHOULD support pcelsReusableContainer
2847    and its two subclasses and MAY also support the two subclasses of
2848    pcimRepository [PCLS].

2850 5.19 The Structural Class pcelsRoleCollection.

2852    The pcelsRoleCollection class represents a collection of managed
2853    elements that share a common role. It is mapped from the
2854    PolicyRoleCollection class [PCIM_EXT]. The pcelsRoleCollection
2855    class is a structural object class and it is derived from the
2856    pcimPolicy class [PCLS].

2858    The pcelsRoleCollection class is defined as follows:

2860      ( IANA-ASSIGNED-OID.1.51
2861        NAME 'pcelsRoleCollection'
2862        DESC 'Collection of managed elements that share a common role'
2863        SUP pcimPolicy
2864        STRUCTURAL
2865        MUST ( pcelsRole )
2866        MAY ( pcelsRoleCollectionName
2867              $ pcelsElementList )
2868      )

2869    The pcelsRole attribute type represents the role associated with a
2870    collection of managed elements. It is mapped from the
2871    PolicyRoleCollection.PolicyRole property [PCIM_EXT]. This attribute
2872    type is of syntax Directory String [LDAP_SYNTAX]. It has an equality
2873    matching rule of caseIgnoreMatch, an ordering matching rule of
2874    caseIgnoreOrderingMatch and a substrings matching rule of
2875    caseIgnoreSubstringsMatch [LDAP_SYNTAX]. Attributes of this type can
2876    only have a single value.

2878    This attribute type is defined as follows:

2880      ( IANA-ASSIGNED-OID.2.29
2881        NAME 'pcelsRole'
2882        DESC 'String representing a role.'
2883        EQUALITY caseIgnoreMatch
2884        ORDERING caseIgnoreOrderingMatch
2885        SUBSTR caseIgnoreSubstringsMatch
2886        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
2887        SINGLE-VALUE
2888      )

2890    The pcelsRoleCollectionName attribute type may be used as naming
2891    attribute for pcelsRoleCollection entries. This attribute type is
2892    of syntax Directory String [LDAP_SYNTAX]. It has an equality
2893    matching rule of caseIgnoreMatch, an ordering matching rule of
2894    caseIgnoreOrderingMatch and a substrings matching rule of
2895    caseIgnoreSubstringsMatch [LDAP_SYNTAX]. Attributes of this type can
2896    only have a single value.

2898    This attribute type is defined as follows:

2900      ( IANA-ASSIGNED-OID.2.30
2901        NAME 'pcelsRoleCollectionName'
2902        DESC 'User-friendly name of a role collection'
2903        EQUALITY caseIgnoreMatch
2904        ORDERING caseIgnoreOrderingMatch
2905        SUBSTR caseIgnoreSubstringsMatch
2906        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
2907        SINGLE-VALUE
2908      )

2910    The pcelsElementList attribute type realizes the
2911    ElementInPolicyRoleCollection association [PCIM_EXT]. This attribute
2912    type is of syntax DN [LDAP_SYNTAX]. It has an equality matching rule
2913    of distinguishedNameMatch [LDAP_SYNTAX]. Attributes of this type can
2914    have multiple values. In a pcelsRoleCollection, the pcelsElementList
2915    attribute represents the associations between this role collection
2916    and its members.

2918    This attribute type is defined as follows:

2920      ( IANA-ASSIGNED-OID.2.31
2921        NAME 'pcelsElementList'
2922        DESC 'Unordered set of managed elements'
2923        EQUALITY distinguishedNameMatch
2924        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
2925      )

2927 5.20 The Abstract Class pcelsFilterEntryBase

2929    The pcelsFilterEntryBase class is the base class for defining
2930    message or packet filters. It is mapped from the FilterEntryBase
2931    class [PCIM_EXT].
        The pcelsFilterEntryBase class is an abstract
2932    object class and it is derived from the pcimPolicy class [PCLS].

2934    The pcelsFilterEntryBase class is defined as follows:

2936      ( IANA-ASSIGNED-OID.1.52
2937        NAME 'pcelsFilterEntryBase'
2938        DESC 'Base class for message or packet filters'
2939        SUP pcimPolicy
2940        ABSTRACT
2941        MAY ( pcelsFilterName
2942              $ pcelsFilterIsNegated )
2943      )

2945    The pcelsFilterName attribute type may be used as naming
2946    attribute for pcelsFilterEntryBase entries. This attribute type is
2947    of syntax Directory String [LDAP_SYNTAX]. It has an equality
2948    matching rule of caseIgnoreMatch, an ordering matching rule of
2949    caseIgnoreOrderingMatch and a substrings matching rule of
2950    caseIgnoreSubstringsMatch [LDAP_SYNTAX]. Attributes of this type can
2951    only have a single value.

2953    This attribute type is defined as follows:

2955      ( IANA-ASSIGNED-OID.2.32
2956        NAME 'pcelsFilterName'
2957        DESC 'User-friendly name of a filter entry'
2958        EQUALITY caseIgnoreMatch
2959        ORDERING caseIgnoreOrderingMatch
2960        SUBSTR caseIgnoreSubstringsMatch
2961        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
2962        SINGLE-VALUE
2963      )

2964    The pcelsFilterIsNegated attribute type indicates whether the match
2965    information specified in a pcelsFilterEntryBase is negated or not.
2966    It is mapped from the FilterEntryBase.IsNegated property [PCIM_EXT].
2967    This attribute type is of syntax Boolean [LDAP_SYNTAX]. It has an
2968    equality matching rule of booleanMatch [LDAP_MATCH]. Attributes of
2969    this type can only have a single value. If this attribute is missing
2970    from a pcelsFilterEntryBase instance, applications MUST assume that
2971    the filter is not negated.

2973    This attribute type is defined as follows:

2975      ( IANA-ASSIGNED-OID.2.33
2976        NAME 'pcelsFilterIsNegated'
2977        DESC 'Indicates whether the filter is negated'
2978        EQUALITY booleanMatch
2979        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
2980        SINGLE-VALUE
2981      )

2983 5.21 The Structural Class pcelsIPHeadersFilter

2985    The pcelsIPHeadersFilter class provides the most commonly required
2986    attributes for performing filtering on IP, TCP or UDP headers. It is
2987    mapped from the IpHeadersFilter class [PCIM_EXT]. The
2988    pcelsIPHeadersFilter class is a structural object class and it is
2989    derived from the pcelsFilterEntryBase class.

2991    The pcelsIPHeadersFilter class is defined as follows:

2993      ( IANA-ASSIGNED-OID.1.53
2994        NAME 'pcelsIPHeadersFilter'
2995        DESC 'IP header filter'
2996        SUP pcelsFilterEntryBase
2997        STRUCTURAL
2998        MAY ( pcelsIPHdrVersion
2999              $ pcelsIPHdrSourceAddress
3000              $ pcelsIPHdrSourceAddressEndOfRange
3001              $ pcelsIPHdrSourceMask
3002              $ pcelsIPHdrDestAddress
3003              $ pcelsIPHdrDestAddressEndOfRange
3004              $ pcelsIPHdrDestMask
3005              $ pcelsIPHdrProtocolID
3006              $ pcelsIPHdrSourcePortStart
3007              $ pcelsIPHdrSourcePortEnd
3008              $ pcelsIPHdrDestPortStart
3009              $ pcelsIPHdrDestPortEnd
3010              $ pcelsIPHdrDSCPList
3011              $ pcelsIPHdrFlowLabel )
3012      )

3014    Applications MUST assume 'all values' for optional (MAY) attributes
3015    not present in a pcelsIPHeadersFilter entry.

3017    [PCIM_EXT] defines several constraints for the IpHeadersFilter class
3018    and its properties. All these constraints (even those that, for
3019    brevity, are not reiterated in this document) apply to the
3020    pcelsIPHeadersFilter class and its attributes. A
3021    pcelsIPHeadersFilter entry that violates any of these constraints
3022    SHOULD be treated as invalid and the policy rules or groups
3023    associated to this entry SHOULD be treated as being disabled,
3024    meaning that the execution of such policy rules or groups SHOULD be
3025    stopped.

3027  The pcelsIPHdrVersion attribute type indicates the version of the IP
3028  addresses to be filtered on. It is mapped from the
3029  IpHeadersFilter.HdrIpVersion property [PCIM_EXT]. This attribute
3030  type is of syntax Integer [LDAP_SYNTAX]. It has an equality matching
3031  rule of integerMatch [LDAP_SYNTAX] and an ordering matching rule of
3032  integerOrderingMatch [LDAP_MATCH]. Attributes of this type can only
3033  have a single value. The only allowed values for attributes of this
3034  type are 4 and 6.

3036  In a pcelsIPHeadersFilter entry, the pcelsIPHdrVersion attribute type
3037  determines the size for the IP version dependent attribute values.
3038  These attributes are: pcelsIPHdrSourceAddress,
3039  pcelsIPHdrSourceAddressEndOfRange, pcelsIPHdrSourceMask,
3040  pcelsIPHdrDestAddress, pcelsIPHdrDestAddressEndOfRange and
3041  pcelsIPHdrDestMask. Their valid values are as follows:
3042    for IPv4: OctetStrings with a size of 4
3043    for IPv6: OctetStrings with a size of 16 or 20

3045  If the pcelsIPHdrVersion attribute is missing from a
3046  pcelsFilterEntryBase instance, then the filter does not consider IP
3047  version in selecting matching packets. In this case, IP version
3048  dependent attributes (listed above) must not be present in the
3049  filter entry.

3051  This attribute type is defined as follows:

3053    ( IANA-ASSIGNED-OID.2.34
3054      NAME 'pcelsIPHdrVersion'
3055      DESC 'IP version'
3056      EQUALITY integerMatch
3057      ORDERING integerOrderingMatch
3058      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
3059      SINGLE-VALUE
3060    )

3062  The pcelsIPHdrSourceAddress attribute type represents a source IP
3063  address. It is mapped from the IpHeadersFilter.HdrSrcAddress
3064  property [PCIM_EXT]. This attribute type is of syntax OctetString
3065  [LDAP_SYNTAX]. It has an equality matching rule of octetStringMatch
3066  [LDAP_SCHEMA] and an ordering matching rule of
3067  octetStringOrderingMatch [LDAP_MATCH]. Attributes of
3068  this type can only have a single value. The only allowed values for
3069  attributes of this type are octet strings with a size of 4, 16 or 20.

3071  This attribute type is defined as follows:

3073    ( IANA-ASSIGNED-OID.2.35
3074      NAME 'pcelsIPHdrSourceAddress'
3075      DESC 'Source IP address'
3076      EQUALITY octetStringMatch
3077      ORDERING octetStringOrderingMatch
3078      SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
3079      SINGLE-VALUE
3080    )

3081  The pcelsIPHdrSourceAddressEndOfRange attribute type represents the
3082  end of a range of source IP addresses. It is mapped from the
3083  IpHeadersFilter.HdrSrcAddressEndOfRange property [PCIM_EXT]. This
3084  attribute type is of syntax OctetString [LDAP_SYNTAX]. It has an
3085  equality matching rule of octetStringMatch [LDAP_SCHEMA] and an
3086  ordering matching rule of octetStringOrderingMatch [LDAP_MATCH].
3087  Attributes of this type can only have a single value. The only
3088  allowed values for attributes of this type are octet strings with a
3089  size of 4, 16 or 20.

3091  This attribute type is defined as follows:

3093    ( IANA-ASSIGNED-OID.2.36
3094      NAME 'pcelsIPHdrSourceAddressEndOfRange'
3095      DESC 'End of a range of source IP addresses'
3096      EQUALITY octetStringMatch
3097      ORDERING octetStringOrderingMatch
3098      SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
3099      SINGLE-VALUE
3100    )

3102  The pcelsIPHdrSourceMask attribute type represents
3103  a mask to be used in comparing the source IP address. It is mapped
3104  from the IpHeadersFilter.HdrSrcMask property [PCIM_EXT]. This
3105  attribute type is of syntax OctetString [LDAP_SYNTAX]. It has an
3106  equality matching rule of octetStringMatch [LDAP_SCHEMA] and an
3107  ordering matching rule of octetStringOrderingMatch [LDAP_MATCH].
3108  Attributes of this type can only have a single value. The only
3109  allowed values for attributes of this type are octet strings with a
3110  size of 4, 16 or 20.
3112  This attribute type is defined as follows:

3114    ( IANA-ASSIGNED-OID.2.37
3115      NAME 'pcelsIPHdrSourceMask'
3116      DESC 'Mask to be used in comparing the source IP address'
3117      EQUALITY octetStringMatch
3118      ORDERING octetStringOrderingMatch
3119      SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
3120      SINGLE-VALUE
3121    )

3122  The pcelsIPHdrDestAddress attribute type represents a destination IP
3123  address. It is mapped from the IpHeadersFilter.HdrDestAddress
3124  property [PCIM_EXT]. This attribute type is of syntax OctetString
3125  [LDAP_SYNTAX]. It has an equality matching rule of octetStringMatch
3126  [LDAP_SCHEMA] and an ordering matching rule of
3127  octetStringOrderingMatch [LDAP_MATCH]. Attributes of
3128  this type can only have a single value. The only allowed values for
3129  attributes of this type are octet strings with a size of 4, 16 or 20.

3131  This attribute type is defined as follows:

3133    ( IANA-ASSIGNED-OID.2.38
3134      NAME 'pcelsIPHdrDestAddress'
3135      DESC 'Destination IP address'
3136      EQUALITY octetStringMatch
3137      ORDERING octetStringOrderingMatch
3138      SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
3139      SINGLE-VALUE
3140    )

3142  The pcelsIPHdrDestAddressEndOfRange attribute type represents the
3143  end of a range of destination IP addresses. It is mapped from the
3144  IpHeadersFilter.HdrDestAddressEndOfRange property [PCIM_EXT]. This
3145  attribute type is of syntax OctetString [LDAP_SYNTAX]. It has an
3146  equality matching rule of octetStringMatch [LDAP_SCHEMA] and an
3147  ordering matching rule of octetStringOrderingMatch [LDAP_MATCH].
3148  Attributes of this type can only have a single value. The only
3149  allowed values for attributes of this type are octet strings with a
3150  size of 4, 16 or 20.
3152  This attribute type is defined as follows:

3154    ( IANA-ASSIGNED-OID.2.39
3155      NAME 'pcelsIPHdrDestAddressEndOfRange'
3156      DESC 'End of a range of destination IP addresses'
3157      EQUALITY octetStringMatch
3158      ORDERING octetStringOrderingMatch
3159      SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
3160      SINGLE-VALUE
3161    )

3163  The pcelsIPHdrDestMask attribute type represents a mask to be
3164  used in comparing the destination IP address. It is mapped from the
3165  IpHeadersFilter.HdrDestMask property [PCIM_EXT]. This attribute type
3166  is of syntax OctetString [LDAP_SYNTAX]. It has an equality matching
3167  rule of octetStringMatch [LDAP_SCHEMA] and an ordering matching rule
3168  of octetStringOrderingMatch [LDAP_MATCH]. Attributes of this type
3169  can only have a single value. The only allowed values for attributes
3170  of this type are octet strings with a size of 4, 16 or 20.

3172  This attribute type is defined as follows:

3174    ( IANA-ASSIGNED-OID.2.40
3175      NAME 'pcelsIPHdrDestMask'
3176      DESC 'Mask to be used in comparing the destination IP address'
3177      EQUALITY octetStringMatch
3178      ORDERING octetStringOrderingMatch
3179      SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
3180      SINGLE-VALUE
3181    )

3183  The pcelsIPHdrProtocolID attribute type indicates an IP protocol
3184  type. It is mapped from the IpHeadersFilter.HdrProtocolID property
3185  [PCIM_EXT]. This attribute type is of syntax Integer [LDAP_SYNTAX].
3186  It has an equality matching rule of integerMatch [LDAP_SYNTAX] and
3187  an ordering matching rule of integerOrderingMatch [LDAP_MATCH].
3188  Attributes of this type can only have a single value. The only
3189  allowed values for attributes of this type are integers in the range
3190  0..255 (inclusive).
3192  This attribute type is defined as follows:

3194    ( IANA-ASSIGNED-OID.2.41
3195      NAME 'pcelsIPHdrProtocolID'
3196      DESC 'IP protocol type'
3197      EQUALITY integerMatch
3198      ORDERING integerOrderingMatch
3199      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
3200      SINGLE-VALUE
3201    )

3203  The pcelsIPHdrSourcePortStart attribute type represents the lower
3204  end of a range of UDP or TCP source ports. It is mapped from the
3205  IpHeadersFilter.HdrSrcPortStart property [PCIM_EXT]. This attribute
3206  type is of syntax Integer [LDAP_SYNTAX]. It has an equality matching
3207  rule of integerMatch [LDAP_SYNTAX] and an ordering matching rule of
3208  integerOrderingMatch [LDAP_MATCH]. Attributes of this type can only
3209  have a single value. The only allowed values for attributes of this
3210  type are integers in the range 0..65535 (inclusive).

3212  This attribute type is defined as follows:

3214    ( IANA-ASSIGNED-OID.2.42
3215      NAME 'pcelsIPHdrSourcePortStart'
3216      DESC 'Lower end of a range of UDP or TCP source ports'
3217      EQUALITY integerMatch
3218      ORDERING integerOrderingMatch
3219      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
3220      SINGLE-VALUE
3221    )

3223  The pcelsIPHdrSourcePortEnd attribute type represents the upper
3224  end of a range of UDP or TCP source ports. It is mapped from the
3225  IpHeadersFilter.HdrSrcPortEnd property [PCIM_EXT]. This attribute
3226  type is of syntax Integer [LDAP_SYNTAX]. It has an equality matching
3227  rule of integerMatch [LDAP_SYNTAX] and an ordering matching rule of
3228  integerOrderingMatch [LDAP_MATCH]. Attributes of this type can only
3229  have a single value. The only allowed values for attributes of this
3230  type are integers in the range 0..65535 (inclusive).
3232  This attribute type is defined as follows:

3234    ( IANA-ASSIGNED-OID.2.43
3235      NAME 'pcelsIPHdrSourcePortEnd'
3236      DESC 'Upper end of a range of UDP or TCP source ports'
3237      EQUALITY integerMatch
3238      ORDERING integerOrderingMatch
3239      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
3240      SINGLE-VALUE
3241    )

3243  The pcelsIPHdrDestPortStart attribute type represents the lower
3244  end of a range of UDP or TCP destination ports. It is mapped from
3245  the IpHeadersFilter.HdrDestPortStart property [PCIM_EXT]. This
3246  attribute type is of syntax Integer [LDAP_SYNTAX]. It has an
3247  equality matching rule of integerMatch [LDAP_SYNTAX] and an ordering
3248  matching rule of integerOrderingMatch [LDAP_MATCH]. Attributes of
3249  this type can only have a single value. The only allowed values for
3250  attributes of this type are integers in the range 0..65535
3251  (inclusive).

3253  This attribute type is defined as follows:

3255    ( IANA-ASSIGNED-OID.2.44
3256      NAME 'pcelsIPHdrDestPortStart'
3257      DESC 'Lower end of a range of UDP or TCP destination ports'
3258      EQUALITY integerMatch
3259      ORDERING integerOrderingMatch
3260      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
3261      SINGLE-VALUE
3262    )

3263  The pcelsIPHdrDestPortEnd attribute type represents the upper
3264  end of a range of UDP or TCP destination ports. It is mapped from
3265  the IpHeadersFilter.HdrDestPortEnd property [PCIM_EXT]. This
3266  attribute type is of syntax Integer [LDAP_SYNTAX]. It has an
3267  equality matching rule of integerMatch [LDAP_SYNTAX] and an ordering
3268  matching rule of integerOrderingMatch [LDAP_MATCH]. Attributes of
3269  this type can only have a single value. The only allowed values for
3270  attributes of this type are integers in the range 0..65535
3271  (inclusive).
3273  This attribute type is defined as follows:

3275    ( IANA-ASSIGNED-OID.2.45
3276      NAME 'pcelsIPHdrDestPortEnd'
3277      DESC 'Upper end of a range of UDP or TCP destination ports'
3278      EQUALITY integerMatch
3279      ORDERING integerOrderingMatch
3280      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
3281      SINGLE-VALUE
3282    )

3284  The pcelsIPHdrDSCPList attribute type is mapped from the
3285  IpHeadersFilter.HdrDSCP property [PCIM_EXT]. This attribute type is
3286  of syntax Integer [LDAP_SYNTAX]. It has an equality matching rule of
3287  integerMatch [LDAP_SYNTAX] and an ordering matching rule of
3288  integerOrderingMatch [LDAP_MATCH]. Attributes of this type can have
3289  multiple values. The only allowed values for attributes of this type
3290  are integers in the range 0..63 (inclusive).

3292  This attribute type is defined as follows:

3294    ( IANA-ASSIGNED-OID.2.46
3295      NAME 'pcelsIPHdrDSCPList'
3296      DESC 'DSCP values'
3297      EQUALITY integerMatch
3298      ORDERING integerOrderingMatch
3299      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
3300    )

3302  The pcelsIPHdrFlowLabel attribute type is mapped from the
3303  IpHeadersFilter.HdrFlowLabel property [PCIM_EXT]. This attribute
3304  type is of syntax OctetString [LDAP_SYNTAX]. It has an equality
3305  matching rule of octetStringMatch [LDAP_SCHEMA] and an ordering
3306  matching rule of octetStringOrderingMatch [LDAP_MATCH]. Attributes
3307  of this type can only have a single value. The only allowed values
3308  for attributes of this type are octet strings of size 3 (that is, 24
3309  bits) that contain a Flow Label value in the rightmost 20 bits
3310  padded on the left with b'0000'.
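
Added example (not part of the draft): a Python check of a pcelsIPHeadersFilter entry against the value constraints restated in this section, reporting an invalid entry as disabled per the SHOULD above. The entry layout (attribute name mapped to a list of raw byte values, as an LDAP client returns them), the sample entries and all function names are assumptions; further [PCIM_EXT] constraints not restated here are not checked.

```python
import re

# LDAP Integer syntax (RFC 4517): "0", or an optionally negative number
# without leading zeros.
_LDAP_INTEGER = re.compile(rb"-?[1-9][0-9]*|0")

# Attributes whose size depends on pcelsIPHdrVersion, as listed in the text.
VERSION_DEPENDENT = (
    "pcelsIPHdrSourceAddress", "pcelsIPHdrSourceAddressEndOfRange",
    "pcelsIPHdrSourceMask", "pcelsIPHdrDestAddress",
    "pcelsIPHdrDestAddressEndOfRange", "pcelsIPHdrDestMask",
)
ADDRESS_SIZES = {4: (4,), 6: (16, 20)}

# Inclusive ranges for the Integer-syntax attributes of this class.
INTEGER_RANGES = {
    "pcelsIPHdrProtocolID": (0, 255),
    "pcelsIPHdrSourcePortStart": (0, 65535),
    "pcelsIPHdrSourcePortEnd": (0, 65535),
    "pcelsIPHdrDestPortStart": (0, 65535),
    "pcelsIPHdrDestPortEnd": (0, 65535),
    "pcelsIPHdrDSCPList": (0, 63),
}
MULTI_VALUED = {"pcelsIPHdrDSCPList"}


def _parse_integer(raw):
    """Return the int encoded by an LDAP Integer value, or None if malformed."""
    return int(raw.decode("ascii")) if _LDAP_INTEGER.fullmatch(raw) else None


def validate_ip_headers_filter(entry):
    """Return a list of (attribute, reason) violations; empty means valid."""
    problems = []

    # SINGLE-VALUE attributes must carry exactly one value when present.
    for attr, values in entry.items():
        if (attr.startswith("pcelsIPHdr") and attr not in MULTI_VALUED
                and len(values) != 1):
            problems.append((attr, "SINGLE-VALUE attribute with %d values" % len(values)))

    # pcelsIPHdrVersion: only 4 and 6 are allowed.
    has_version = bool(entry.get("pcelsIPHdrVersion"))
    version = _parse_integer(entry["pcelsIPHdrVersion"][0]) if has_version else None
    if has_version and version not in ADDRESS_SIZES:
        problems.append(("pcelsIPHdrVersion", "only 4 and 6 are allowed"))

    # Version-dependent attributes: forbidden without a version, otherwise
    # 4 octets for IPv4 and 16 or 20 octets for IPv6.
    for attr in VERSION_DEPENDENT:
        for value in entry.get(attr, []):
            if not has_version:
                problems.append((attr, "present without pcelsIPHdrVersion"))
            elif version in ADDRESS_SIZES and len(value) not in ADDRESS_SIZES[version]:
                problems.append((attr, "size %d invalid for IPv%d" % (len(value), version)))

    for attr, (low, high) in INTEGER_RANGES.items():
        for raw in entry.get(attr, []):
            number = _parse_integer(raw)
            if number is None or not low <= number <= high:
                problems.append((attr, "value %r outside %d..%d" % (raw, low, high)))

    # Flow label: 3 octets, 20-bit value padded on the left with b'0000'.
    for value in entry.get("pcelsIPHdrFlowLabel", []):
        if len(value) != 3 or value[0] & 0xF0:
            problems.append(("pcelsIPHdrFlowLabel", "must be 3 octets with the top 4 bits zero"))
    return problems


def is_negated(entry):
    """A missing pcelsFilterIsNegated means the filter is not negated."""
    values = entry.get("pcelsFilterIsNegated")
    return bool(values) and values[0] == b"TRUE"


def filter_state(entry):
    """An invalid filter disables the policy rules or groups that use it."""
    problems = validate_ip_headers_filter(entry)
    return ("disabled", problems) if problems else ("active", [])


# Constructed sample entries (documentation address ranges).
VALID_V4 = {
    "pcelsIPHdrVersion": [b"4"],
    "pcelsIPHdrSourceAddress": [bytes([192, 0, 2, 0])],
    "pcelsIPHdrSourceMask": [bytes([255, 255, 255, 0])],
    "pcelsIPHdrProtocolID": [b"6"],
    "pcelsIPHdrDestPortStart": [b"443"],
    "pcelsIPHdrDestPortEnd": [b"443"],
}
BROKEN = {
    # No pcelsIPHdrVersion, yet a version-dependent attribute is present.
    "pcelsIPHdrDestAddress": [bytes([198, 51, 100, 7])],
    "pcelsIPHdrDSCPList": [b"46", b"64"],        # 64 exceeds 0..63
    "pcelsIPHdrFlowLabel": [b"\x10\x00\x01"],    # top 4 bits not zero
    "pcelsIPHdrSourcePortStart": [b"080"],       # leading zero: not an LDAP Integer
}
V6_WITH_V4_ADDRESS = {
    "pcelsIPHdrVersion": [b"6"],
    "pcelsIPHdrSourceAddress": [bytes(4)],
}

if __name__ == "__main__":
    for name, entry in (("VALID_V4", VALID_V4), ("BROKEN", BROKEN),
                        ("V6_WITH_V4_ADDRESS", V6_WITH_V4_ADDRESS)):
        print(name, filter_state(entry))
```

Attributes absent from an entry are not flagged: per the text they mean 'all values', so an entry that loses an attribute still validates and matches more traffic than before.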
3312  This attribute type is defined as follows:

3314    ( IANA-ASSIGNED-OID.2.47
3315      NAME 'pcelsIPHdrFlowLabel'
3316      DESC 'IP flow label'
3317      EQUALITY octetStringMatch
3318      ORDERING octetStringOrderingMatch
3319      SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
3320      SINGLE-VALUE
3321    )

3323  5.22 The Structural Class pcels8021Filter

3325  The pcels8021Filter class provides 802.1 attributes for performing
3326  filtering on 802.1 headers. It is mapped from the 8021Filter class
3327  [PCIM_EXT]. The pcels8021Filter class is a structural object class
3328  and it is derived from the pcelsFilterEntryBase class.

3330  The pcels8021Filter class is defined as follows:

3332    ( IANA-ASSIGNED-OID.1.54
3333      NAME 'pcels8021Filter'
3334      DESC '802.1 header filter'
3335      SUP pcelsFilterEntryBase
3336      STRUCTURAL
3337      MAY ( pcels8021HdrSourceMACAddress
3338          $ pcels8021HdrSourceMACMask
3339          $ pcels8021HdrDestMACAddress
3340          $ pcels8021HdrDestMACMask
3341          $ pcels8021HdrProtocolID
3342          $ pcels8021HdrPriority
3343          $ pcels8021HdrVLANID )
3344    )

3346  Applications MUST assume 'all values' for optional (MAY) attributes
3347  not present in a pcels8021Filter entry.

3349  [PCIM_EXT] defines several constraints for the 8021Filter class
3350  and its properties. All these constraints (even those that, for
3351  brevity, are not reiterated in this document) apply to the
3352  pcels8021Filter class and its attributes. A pcels8021Filter entry
3353  that violates any of these constraints SHOULD be treated as invalid
3354  and the policy rules or groups associated to this entry SHOULD be
3355  treated as being disabled, meaning that the execution of such policy
3356  rules or groups SHOULD be stopped.

3358  The pcels8021HdrSourceMACAddress attribute type represents a source
3359  MAC address. It is mapped from the 8021Filter.8021HdrSrcMACAddr
3360  property [PCIM_EXT]. This attribute type is of syntax OctetString
3361  [LDAP_SYNTAX]. It has an equality matching rule of octetStringMatch
3362  [LDAP_SCHEMA] and an ordering matching rule of
3363  octetStringOrderingMatch [LDAP_MATCH]. Attributes of this type can
3364  only have a single value. The only allowed values for attributes of
3365  this type are octet strings with a size of 6.

3367  This attribute type is defined as follows:

3369    ( IANA-ASSIGNED-OID.2.48
3370      NAME 'pcels8021HdrSourceMACAddress'
3371      DESC 'Source MAC address'
3372      EQUALITY octetStringMatch
3373      ORDERING octetStringOrderingMatch
3374      SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
3375      SINGLE-VALUE
3376    )

3378  The pcels8021HdrSourceMACMask attribute type represents
3379  a mask to be used in comparing the source MAC address. It is mapped
3380  from the 8021Filter.8021HdrSrcMACMask property [PCIM_EXT]. This
3381  attribute type is of syntax OctetString [LDAP_SYNTAX]. It has an
3382  equality matching rule of octetStringMatch [LDAP_SCHEMA] and an
3383  ordering matching rule of octetStringOrderingMatch [LDAP_MATCH].
3384  Attributes of this type can only have a single value. The only
3385  allowed values for attributes of this type are octet strings with a
3386  size of 6.

3388  This attribute type is defined as follows:

3390    ( IANA-ASSIGNED-OID.2.49
3391      NAME 'pcels8021HdrSourceMACMask'
3392      DESC 'Source MAC address mask'
3393      EQUALITY octetStringMatch
3394      ORDERING octetStringOrderingMatch
3395      SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
3396      SINGLE-VALUE
3397    )

3399  The pcels8021HdrDestMACAddress attribute type represents a
3400  destination MAC address. It is mapped from the
3401  8021Filter.8021HdrDestMACAddr property [PCIM_EXT]. This attribute
3402  type is of syntax OctetString [LDAP_SYNTAX]. It has an equality
3403  matching rule of octetStringMatch [LDAP_SCHEMA] and an ordering
3404  matching rule of octetStringOrderingMatch [LDAP_MATCH]. Attributes
3405  of this type can only have a single value. The only allowed values
3406  for attributes of this type are octet strings with a size of 6.
3408  This attribute type is defined as follows:

3410    ( IANA-ASSIGNED-OID.2.50
3411      NAME 'pcels8021HdrDestMACAddress'
3412      DESC 'Destination MAC address'
3413      EQUALITY octetStringMatch
3414      ORDERING octetStringOrderingMatch
3415      SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
3416      SINGLE-VALUE
3417    )

3419  The pcels8021HdrDestMACMask attribute type represents a mask to
3420  be used in comparing the destination MAC address. It is mapped
3421  from the 8021Filter.8021HdrDestMACMask property [PCIM_EXT]. This
3422  attribute type is of syntax OctetString [LDAP_SYNTAX]. It has an
3423  equality matching rule of octetStringMatch [LDAP_SCHEMA] and an
3424  ordering matching rule of octetStringOrderingMatch [LDAP_MATCH].
3425  Attributes of this type can only have a single value. The only
3426  allowed values for attributes of this type are octet strings with a
3427  size of 6.

3429  This attribute type is defined as follows:

3431    ( IANA-ASSIGNED-OID.2.51
3432      NAME 'pcels8021HdrDestMACMask'
3433      DESC 'Destination MAC address mask'
3434      EQUALITY octetStringMatch
3435      ORDERING octetStringOrderingMatch
3436      SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
3437      SINGLE-VALUE
3438    )

3440  The pcels8021HdrProtocolID attribute type indicates an Ethernet
3441  protocol type. It is mapped from the 8021Filter.8021HdrProtocolID
3442  property [PCIM_EXT]. This attribute type is of syntax Integer
3443  [LDAP_SYNTAX]. It has an equality matching rule of integerMatch
3444  [LDAP_SYNTAX] and an ordering matching rule of integerOrderingMatch
3445  [LDAP_MATCH]. Attributes of this type can have multiple values. No
3446  order is implied. The only allowed values for attributes of this
3447  type are integers in the range 0..65535 (inclusive).
3449  This attribute type is defined as follows:

3451    ( IANA-ASSIGNED-OID.2.52
3452      NAME 'pcels8021HdrProtocolID'
3453      DESC 'Ethernet protocol ID'
3454      EQUALITY integerMatch
3455      ORDERING integerOrderingMatch
3456      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
3457    )

3459  The pcels8021HdrPriority attribute type indicates an 802.1Q
3460  priority. It is mapped from the 8021Filter.8021HdrPriorityValue
3461  property [PCIM_EXT]. This attribute type is of syntax Integer
3462  [LDAP_SYNTAX]. It has an equality matching rule of integerMatch
3463  [LDAP_SYNTAX] and an ordering matching rule of integerOrderingMatch
3464  [LDAP_MATCH]. Attributes of this type can have multiple values. No
3465  order is implied. The only allowed values for attributes of this
3466  type are integers in the range 0..7 (inclusive).

3468  This attribute type is defined as follows:

3470    ( IANA-ASSIGNED-OID.2.53
3471      NAME 'pcels8021HdrPriority'
3472      DESC '802.1Q priority'
3473      EQUALITY integerMatch
3474      ORDERING integerOrderingMatch
3475      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
3476    )

3478  The pcels8021HdrVLANID attribute type indicates an 802.1Q VLAN
3479  Identifier. It is mapped from the 8021Filter.8021HdrVLANID
3480  property [PCIM_EXT]. This attribute type is of syntax Integer
3481  [LDAP_SYNTAX]. It has an equality matching rule of integerMatch
3482  [LDAP_SYNTAX] and an ordering matching rule of integerOrderingMatch
3483  [LDAP_MATCH]. Attributes of this type can have multiple values. The
3484  only allowed values for attributes of this type are integers in the
3485  range 0..4095 (inclusive).

3487  This attribute type is defined as follows:

3489    ( IANA-ASSIGNED-OID.2.54
3490      NAME 'pcels8021HdrVLANID'
3491      DESC '802.1Q VLAN ID'
3492      EQUALITY integerMatch
3493      ORDERING integerOrderingMatch
3494      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
3495    )

3497  5.23 The Auxiliary Class pcelsFilterListAuxClass.

3499  The pcelsFilterListAuxClass class represents a collection of
3500  device-level filters aggregated in a policy condition. It is mapped
3501  from the FilterList class [PCIM_EXT]. pcelsFilterListAuxClass
3502  instances can be used as conditions in policy rules or as components
3503  in compound conditions. The pcelsFilterListAuxClass class is an
3504  auxiliary object class and it is derived from the
3505  pcimConditionAuxClass class [PCLS].

3507  The pcelsFilterListAuxClass class is defined as follows:

3509    ( IANA-ASSIGNED-OID.1.55
3510      NAME 'pcelsFilterListAuxClass'
3511      DESC 'Collection of pcelsFilterEntryBase filters'
3512      SUP pcimConditionAuxClass
3513      AUXILIARY
3514      MAY ( pcelsFilterListName
3515          $ pcelsFilterDirection
3516          $ pcelsFilterEntryList )
3517    )

3519  The pcelsFilterListName attribute type may be used as naming
3520  attribute for pcelsFilterListAuxClass entries. This attribute type
3521  is of syntax Directory String [LDAP_SYNTAX]. It has an equality
3522  matching rule of caseIgnoreMatch, an ordering matching rule of
3523  caseIgnoreOrderingMatch and a substrings matching rule of
3524  caseIgnoreSubstringsMatch [LDAP_SYNTAX]. Attributes of this type can
3525  only have a single value.

3527  This attribute type is defined as follows:

3529    ( IANA-ASSIGNED-OID.2.55
3530      NAME 'pcelsFilterListName'
3531      DESC 'User-friendly name of a FilterList'
3532      EQUALITY caseIgnoreMatch
3533      ORDERING caseIgnoreOrderingMatch
3534      SUBSTR caseIgnoreSubstringsMatch
3535      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
3536      SINGLE-VALUE
3537    )

3538  The pcelsFilterDirection attribute type indicates the direction
3539  of the packets or messages relative to the interface where the
3540  filter is applied. It is mapped from the FilterList.Direction
3541  property [PCIM_EXT]. This attribute type is of syntax Integer
3542  [LDAP_SYNTAX]. It has an equality matching rule of integerMatch
3543  [LDAP_SYNTAX] and an ordering matching rule of integerOrderingMatch
3544  [LDAP_MATCH]. Attributes of this type can only have a single value.
3545  The only allowed values for attributes of this type are 0
3546  (NotApplicable), 1 (Input), 2 (Output), 3 (Both) and 4 (Mirrored).
3547  If this attribute is missing from a pcelsFilterListAuxClass
3548  instance, applications MUST assume that a direction is not
3549  applicable.

3551  This attribute type is defined as follows:

3553    ( IANA-ASSIGNED-OID.2.56
3554      NAME 'pcelsFilterDirection'
3555      DESC 'Direction to which this filter is applied'
3556      EQUALITY integerMatch
3557      ORDERING integerOrderingMatch
3558      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
3559      SINGLE-VALUE
3560    )

3562  The pcelsFilterEntryList attribute type realizes the
3563  EntriesInFilterList association [PCIM_EXT]. This attribute type
3564  is of syntax DN [LDAP_SYNTAX]. It has an equality matching rule of
3565  distinguishedNameMatch [LDAP_SYNTAX]. Attributes of this type can
3566  have multiple values. The only allowed values for
3567  pcelsFilterEntryList attributes are DNs of pcelsFilterEntryBase
3568  entries. In a pcelsFilterListAuxClass, the pcelsFilterEntryList
3569  attribute represents the associations between this filter collection
3570  and its components.

3572  This attribute type is defined as follows:

3574    ( IANA-ASSIGNED-OID.2.57
3575      NAME 'pcelsFilterEntryList'
3576      DESC 'Unordered set of DNs of pcelsFilterEntryBase entries'
3577      EQUALITY distinguishedNameMatch
3578      SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
3579    )

3581  The EntrySequence property of the association EntriesInFilterList
3582  is restricted to a single value ('0') [PCIM_EXT]. This makes it
3583  redundant and, therefore, its mapping to an LDAP schema element
3584  is unnecessary.

3586  5.24 The Auxiliary Class pcelsVendorVariableAuxClass.

3588  The pcelsVendorVariableAuxClass class provides a general extension
3589  mechanism for representing policy variables that have not been
3590  specifically modeled. Instead, its two properties are used to define
3591  the content and format of the variable, as explained below. This
3592  class is intended for vendor-specific extensions that are not
3593  amenable to using pcelsVariable; standardized extensions SHOULD NOT
3594  use this class.

3596  The pcelsVendorVariableAuxClass class is an auxiliary object class
3597  and it is derived from the pcelsVariable class.

3599  The pcelsVendorVariableAuxClass class is defined as follows:

3601    ( IANA-ASSIGNED-OID.1.56
3602      NAME 'pcelsVendorVariableAuxClass'
3603      DESC 'Defines registered means to describe a policy variable'
3604      SUP pcelsVariable
3605      AUXILIARY
3606      MAY ( pcelsVendorVariableData $
3607            pcelsVendorVariableEncoding )
3608    )

3610  The pcelsVendorVariableData attribute provides a general mechanism
3611  for representing policy variables that have not been specifically
3612  modeled. This attribute type is of syntax OctetString [LDAP_SYNTAX].
3613  It has an equality matching rule of octetStringMatch [LDAP_SCHEMA]
3614  and an ordering matching rule of octetStringOrderingMatch
3615  [LDAP_MATCH]. Attributes of this type can have multiple values. In
3616  pcelsVendorVariableAuxClass instances, the format of the values for
3617  attributes of this type is identified by the OID stored in the
3618  pcelsVendorVariableEncoding attribute.

3620  This attribute type is defined as follows:

3622    ( IANA-ASSIGNED-OID.2.58
3623      NAME 'pcelsVendorVariableData'
3624      DESC 'Mechanism for representing variables that have not
3625            been specifically modeled'
3626      EQUALITY octetStringMatch
3627      ORDERING octetStringOrderingMatch
3628      SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
3629    )

3630  The pcelsVendorVariableEncoding attribute identifies the format for
3631  representing policy variables that have not been specifically
3632  modeled. This attribute type is of syntax OID [LDAP_SYNTAX]. It has
3633  an equality matching rule of objectIdentifierMatch [LDAP_SYNTAX].
3634  Attributes of this type can only have a single value. In
3635  pcelsVendorVariableAuxClass instances, the
3636  pcelsVendorVariableEncoding attribute is used to identify the
3637  format and semantics for the pcelsVendorVariableData attribute
3638  values.

3640  This attribute type is defined as follows:

3642    ( IANA-ASSIGNED-OID.2.59
3643      NAME 'pcelsVendorVariableEncoding'
3644      DESC 'Identifies the format and semantics for policy variables'
3645      EQUALITY objectIdentifierMatch
3646      SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
3647      SINGLE-VALUE
3648    )

3650  5.25 The Auxiliary Class pcelsVendorValueAuxClass.

3652  The pcelsVendorValueAuxClass class provides a general extension
3653  mechanism for representing policy values that have not been
3654  specifically modeled. Instead, its two properties are used to define
3655  the content and format of the policy value, as explained below. This
3656  class is intended for vendor-specific extensions that are not
3657  amenable to using pcelsValueAuxClass; standardized extensions SHOULD
3658  NOT use this class.

3660  The pcelsVendorValueAuxClass class is an auxiliary object class
3661  and it is derived from the pcelsValueAuxClass class.

3663  The pcelsVendorValueAuxClass class is defined as follows:

3665    ( IANA-ASSIGNED-OID.1.57
3666      NAME 'pcelsVendorValueAuxClass'
3667      DESC 'Defines registered means to describe a policy value'
3668      SUP pcelsValueAuxClass
3669      AUXILIARY
3670      MAY ( pcelsVendorValueData $
3671            pcelsVendorValueEncoding )
3672    )

3673  The pcelsVendorValueData attribute provides a general mechanism
3674  for representing policy values that have not been specifically
3675  modeled. This attribute type is of syntax OctetString [LDAP_SYNTAX].
3676  It has an equality matching rule of octetStringMatch [LDAP_SCHEMA]
3677  and an ordering matching rule of octetStringOrderingMatch
3678  [LDAP_MATCH]. Attributes of this type can have multiple values. In
3679  pcelsVendorValueAuxClass instances, the format of the values for
3680  attributes of this type is identified by the OID stored in the
3681  pcelsVendorValueEncoding attribute.

3683  This attribute type is defined as follows:

3685    ( IANA-ASSIGNED-OID.2.60
3686      NAME 'pcelsVendorValueData'
3687      DESC 'Mechanism for representing values that have not been
3688            specifically modeled'
3689      EQUALITY octetStringMatch
3690      ORDERING octetStringOrderingMatch
3691      SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
3692    )

3694  The pcelsVendorValueEncoding attribute identifies the format for
3695  representing policy values that have not been specifically
3696  modeled. This attribute type is of syntax OID [LDAP_SYNTAX]. It has
3697  an equality matching rule of objectIdentifierMatch [LDAP_SYNTAX].
3698  Attributes of this type can only have a single value. In
3699  pcelsVendorValueAuxClass instances, the pcelsVendorValueEncoding
3700  attribute is used to identify the format and semantics for the
3701  pcelsVendorValueData attribute values.

3703  This attribute type is defined as follows:

3705    ( IANA-ASSIGNED-OID.2.61
3706      NAME 'pcelsVendorValueEncoding'
3707      DESC 'Identifies the format and semantics for policy values'
3708      EQUALITY objectIdentifierMatch
3709      SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
3710      SINGLE-VALUE
3711    )

3713  6. Security Considerations

3715  The Policy Core LDAP Schema [PCLS] describes the general security
3716  considerations related to the general core policy schema. The
3717  extensions defined in this document do not introduce any additional
3718  considerations related to security.

3720  7. IANA Considerations

3722  Refer to RFC 3383, "Internet Assigned Numbers Authority (IANA)
3723  Considerations for the Lightweight Directory Access Protocol (LDAP)"
3724  [LDAP-IANA].

3726  PLEASE NOTE:

3728  The following specifications (sections 7.1 and 7.2) will be true
3729  after IANA has made the requested assignments.
3730  RFC-Editor, please see the note at the end of this document.
3732  7.1 Object Identifiers

3734  The IANA has registered an LDAP Object Identifier for use in this
3735  technical specification according to the following template:

3737    Subject: Request for LDAP OID Registration
3738    Person & e-mail address to contact for further information:
3739      Mircea Pana (mpana@metasolv.com)
3740    Specification: RFC xxxx
3741    Author/Change Controller: IESG
3742    Comments:
3743      The assigned OID is used as a base for identifying
3744      a number of schema elements defined in this document.

3746  IANA has assigned an OID of IANA-ASSIGNED-OID with the name of
3747  pcelsSchema to this registration as recorded in the following
3748  registry:

3750    http://www.iana.org/assignments/smi-numbers

3752  7.2 Object Identifier Descriptors

3754  The IANA has registered the LDAP Descriptors used in this technical
3755  specification as detailed in the following template:

3757    Subject: Request for LDAP Descriptor Registration Update
3758    Descriptor (short name): see comment
3759    Object Identifier: see comment
3760    Person & e-mail address to contact for further information:
3761      Mircea Pana (mpana@metasolv.com)
3762    Usage: see comment
3763    Specification: RFC xxxx
3764    Author/Change Controller: IESG
3765    Comments:

3767    The following descriptors have been added:

3769  NAME                                  Type  OID
3770  --------------                        ----  ------------
3771  pcelsPolicySet                        O     IANA-ASSIGNED-OID.1.1
3772  pcelsPolicySetAssociation             O     IANA-ASSIGNED-OID.1.2
3773  pcelsGroup                            O     IANA-ASSIGNED-OID.1.3
3774  pcelsGroupAuxClass                    O     IANA-ASSIGNED-OID.1.4
3775  pcelsGroupInstance                    O     IANA-ASSIGNED-OID.1.5
3776  pcelsRule                             O     IANA-ASSIGNED-OID.1.6
3777  pcelsRuleAuxClass                     O     IANA-ASSIGNED-OID.1.7
3778  pcelsRuleInstance                     O     IANA-ASSIGNED-OID.1.8
3779  pcelsConditionAssociation             O     IANA-ASSIGNED-OID.1.9
3780  pcelsActionAssociation                O     IANA-ASSIGNED-OID.1.10
3781  pcelsSimpleConditionAuxClass          O     IANA-ASSIGNED-OID.1.11
3782  pcelsCompoundConditionAuxClass        O     IANA-ASSIGNED-OID.1.12
3783  pcelsCompoundFilterConditionAuxClass  O     IANA-ASSIGNED-OID.1.13
3784  pcelsSimpleActionAuxClass             O     IANA-ASSIGNED-OID.1.14
3785  pcelsCompoundActionAuxClass           O     IANA-ASSIGNED-OID.1.15
3786  pcelsVariable                         O     IANA-ASSIGNED-OID.1.16
3787  pcelsExplicitVariableAuxClass         O     IANA-ASSIGNED-OID.1.17
3788  pcelsImplicitVariableAuxClass         O     IANA-ASSIGNED-OID.1.18
3789  pcelsSourceIPv4VariableAuxClass       O     IANA-ASSIGNED-OID.1.19
3790  pcelsSourceIPv6VariableAuxClass       O     IANA-ASSIGNED-OID.1.20
3791  pcelsDestinationIPv4VariableAuxClass  O     IANA-ASSIGNED-OID.1.21
3792  pcelsDestinationIPv6VariableAuxClass  O     IANA-ASSIGNED-OID.1.22
3793  pcelsSourcePortVariableAuxClass       O     IANA-ASSIGNED-OID.1.23
3794  pcelsDestinationPortVariableAuxClass  O     IANA-ASSIGNED-OID.1.24
3795  pcelsIPProtocolVariableAuxClass       O     IANA-ASSIGNED-OID.1.25
3796  pcelsIPVersionVariableAuxClass        O     IANA-ASSIGNED-OID.1.26
3797  pcelsIPToSVariableAuxClass            O     IANA-ASSIGNED-OID.1.27
3798  pcelsDSCPVariableAuxClass             O     IANA-ASSIGNED-OID.1.28
3799  pcelsFlowIdVariableAuxClass           O     IANA-ASSIGNED-OID.1.29
3800  pcelsSourceMACVariableAuxClass        O     IANA-ASSIGNED-OID.1.30
3801  pcelsDestinationMACVariableAuxClass   O     IANA-ASSIGNED-OID.1.31
3802  pcelsVLANVariableAuxClass             O     IANA-ASSIGNED-OID.1.32
3803  pcelsCoSVariableAuxClass              O     IANA-ASSIGNED-OID.1.33
3804  pcelsEthertypeVariableAuxClass        O     IANA-ASSIGNED-OID.1.34
3805  pcelsSourceSAPVariableAuxClass        O     IANA-ASSIGNED-OID.1.35
3806  pcelsDestinationSAPVariableAuxClass   O     IANA-ASSIGNED-OID.1.36
3807  pcelsSNAPOUIVariableAuxClass          O     IANA-ASSIGNED-OID.1.37
3808  pcelsSNAPTypeVariableAuxClass         O     IANA-ASSIGNED-OID.1.38
3809  pcelsFlowDirectionVariableAuxClass    O     IANA-ASSIGNED-OID.1.39
3810  pcelsValueAuxClass                    O     IANA-ASSIGNED-OID.1.40
3811  pcelsIPv4AddrValueAuxClass            O     IANA-ASSIGNED-OID.1.41
3812  pcelsIPv6AddrValueAuxClass            O     IANA-ASSIGNED-OID.1.42
3813  pcelsMACAddrValueAuxClass             O     IANA-ASSIGNED-OID.1.43
3814  pcelsStringValueAuxClass              O     IANA-ASSIGNED-OID.1.44
3815  pcelsBitStringValueAuxClass           O     IANA-ASSIGNED-OID.1.45
3816  pcelsIntegerValueAuxClass             O     IANA-ASSIGNED-OID.1.46
3817  pcelsBooleanValueAuxClass             O     IANA-ASSIGNED-OID.1.47
3818  pcelsReusableContainer                O     IANA-ASSIGNED-OID.1.48
3819  pcelsReusableContainerAuxClass        O     IANA-ASSIGNED-OID.1.49
3820  pcelsReusableContainerInstance        O     IANA-ASSIGNED-OID.1.50
3821  pcelsRoleCollection                   O     IANA-ASSIGNED-OID.1.51
3822  pcelsFilterEntryBase                  O     IANA-ASSIGNED-OID.1.52
3823  pcelsIPHeadersFilter                  O     IANA-ASSIGNED-OID.1.53
3824  pcels8021Filter                       O     IANA-ASSIGNED-OID.1.54
3825  pcelsFilterListAuxClass               O     IANA-ASSIGNED-OID.1.55
3826  pcelsVendorVariableAuxClass           O     IANA-ASSIGNED-OID.1.56
3827  pcelsVendorValueAuxClass              O     IANA-ASSIGNED-OID.1.57
3828  pcelsPolicySetName                    A     IANA-ASSIGNED-OID.2.1
3829  pcelsDecisionStrategy                 A     IANA-ASSIGNED-OID.2.2
3830  pcelsPolicySetList                    A     IANA-ASSIGNED-OID.2.3
3831  pcelsPriority                         A     IANA-ASSIGNED-OID.2.4
3832  pcelsPolicySetDN                      A     IANA-ASSIGNED-OID.2.5
3833  pcelsConditionListType                A     IANA-ASSIGNED-OID.2.6
3834  pcelsConditionList                    A     IANA-ASSIGNED-OID.2.7
3835  pcelsActionList                       A     IANA-ASSIGNED-OID.2.8
3836  pcelsSequencedActions                 A     IANA-ASSIGNED-OID.2.9
3837  pcelsExecutionStrategy                A     IANA-ASSIGNED-OID.2.10
3838  pcelsVariableDN                       A     IANA-ASSIGNED-OID.2.11
3839  pcelsValueDN                          A     IANA-ASSIGNED-OID.2.12
3840  pcelsIsMirrored                       A     IANA-ASSIGNED-OID.2.13
3841  pcelsVariableName                     A     IANA-ASSIGNED-OID.2.14
3842  pcelsExpectedValueList                A     IANA-ASSIGNED-OID.2.15
3843  pcelsVariableModelClass               A     IANA-ASSIGNED-OID.2.16
3844  pcelsVariableModelProperty            A     IANA-ASSIGNED-OID.2.17
3845  pcelsExpectedValueTypes               A     IANA-ASSIGNED-OID.2.18
3846  pcelsValueName                        A     IANA-ASSIGNED-OID.2.19
3847  pcelsIPv4AddrList                     A     IANA-ASSIGNED-OID.2.20
3848  pcelsIPv6AddrList                     A     IANA-ASSIGNED-OID.2.21
3849  pcelsMACAddrList                      A     IANA-ASSIGNED-OID.2.22
3850  pcelsStringList                       A     IANA-ASSIGNED-OID.2.23
3851  pcelsBitStringList                    A     IANA-ASSIGNED-OID.2.24
3852  pcelsIntegerList                      A     IANA-ASSIGNED-OID.2.25
3853  pcelsBoolean                          A     IANA-ASSIGNED-OID.2.26
3854  pcelsReusableContainerName            A     IANA-ASSIGNED-OID.2.27
3855  pcelsReusableContainerList            A     IANA-ASSIGNED-OID.2.28
3856  pcelsRole                             A     IANA-ASSIGNED-OID.2.29
3857  pcelsRoleCollectionName               A     IANA-ASSIGNED-OID.2.30
3858  pcelsElementList                      A     IANA-ASSIGNED-OID.2.31
3859  pcelsFilterName                       A     IANA-ASSIGNED-OID.2.32
3860  pcelsFilterIsNegated                  A     IANA-ASSIGNED-OID.2.33
3861  pcelsIPHdrVersion                     A     IANA-ASSIGNED-OID.2.34
3862  pcelsIPHdrSourceAddress               A     IANA-ASSIGNED-OID.2.35
3863  pcelsIPHdrSourceAddressEndOfRange     A     IANA-ASSIGNED-OID.2.36
3864  pcelsIPHdrSourceMask                  A     IANA-ASSIGNED-OID.2.37
3865  pcelsIPHdrDestAddress                 A     IANA-ASSIGNED-OID.2.38
3866  pcelsIPHdrDestAddressEndOfRange       A     IANA-ASSIGNED-OID.2.39
3867  pcelsIPHdrDestMask                    A     IANA-ASSIGNED-OID.2.40
3868  pcelsIPHdrProtocolID                  A     IANA-ASSIGNED-OID.2.41
3869  pcelsIPHdrSourcePortStart             A     IANA-ASSIGNED-OID.2.42
3870  pcelsIPHdrSourcePortEnd               A     IANA-ASSIGNED-OID.2.43
3871  pcelsIPHdrDestPortStart               A     IANA-ASSIGNED-OID.2.44
3872  pcelsIPHdrDestPortEnd                 A     IANA-ASSIGNED-OID.2.45
3873  pcelsIPHdrDSCPList                    A     IANA-ASSIGNED-OID.2.46
3874  pcelsIPHdrFlowLabel                   A     IANA-ASSIGNED-OID.2.47
3875  pcels8021HdrSourceMACAddress          A     IANA-ASSIGNED-OID.2.48
3876  pcels8021HdrSourceMACMask             A     IANA-ASSIGNED-OID.2.49
3877  pcels8021HdrDestMACAddress            A     IANA-ASSIGNED-OID.2.50
3878  pcels8021HdrDestMACMask               A     IANA-ASSIGNED-OID.2.51
3879  pcels8021HdrProtocolID                A     IANA-ASSIGNED-OID.2.52
3880  pcels8021HdrPriority                  A     IANA-ASSIGNED-OID.2.53
3881  pcels8021HdrVLANID                    A     IANA-ASSIGNED-OID.2.54
3882  pcelsFilterListName                   A     IANA-ASSIGNED-OID.2.55
3883  pcelsFilterDirection                  A     IANA-ASSIGNED-OID.2.56
3884  pcelsFilterEntryList                  A     IANA-ASSIGNED-OID.2.57
3885  pcelsVendorVariableData               A     IANA-ASSIGNED-OID.2.58
3886  pcelsVendorVariableEncoding           A     IANA-ASSIGNED-OID.2.59
3887  pcelsVendorValueData                  A     IANA-ASSIGNED-OID.2.60
3888  pcelsVendorValueEncoding              A     IANA-ASSIGNED-OID.2.61
3889  pcelsRuleValidityPeriodList           A     IANA-ASSIGNED-OID.2.62

3891  where Type A is Attribute, Type O is ObjectClass

3893  These assignments are recorded in the following registry:

3895    http://www.iana.org/assignments/ldap-parameters

3897  8.
Acknowledgments 3899 We would like to thank Kurt Zeilenga, Bert Wijnen, Ryan Moats, 3900 John Strassner, David McTavish, Larry Bartz and all the other 3901 members of the Policy Framework WG for doing a review of this 3902 document and for making many helpful suggestions and corrections. 3904 We would also like to thank Joel Halpern (co-chair of the Policy 3905 Framework WG) for his support, for bringing this document to the 3906 attention of the Policy Framework WG and for moderating the 3907 resulting interactions. 3909 9. Normative References 3911 [KEYWORDS] S. Bradner, "Key words for use in RFCs to Indicate 3912 Requirement Levels", BCP 14, RFC 2119, March 1997. 3914 [CIM] Distributed Management Task Force, Inc., "Common Information 3915 Model (CIM) Specification", Version 2.2, June 14, 1999. This 3916 document is available on the following DMTF web page: 3917 http://www.dmtf.org/standards/documents/CIM/DSP0004.pdf 3919 [CIM_LDAP] Distributed Management Task Force, Inc., "DMTF LDAP Schema 3920 for the CIM v2.5 Core Information Model", April 15, 2002. 3921 This document is available on the following DMTF web page: 3922 http://www.dmtf.org/standards/documents/DEN/DSP0123.pdf 3924 [PCIM] B. Moore, E. Ellesson, J. Strassner, "Policy Core Information 3925 Model -- Version 1 Specification", RFC 3060, May 2000. 3927 [PCIM_EXT] B. Moore et al., "Policy Core Information Model (PCIM) 3928 Extensions", RFC 3460, January 2003. 3930 [PCLS] J. Strassner, B. Moore, R. Moats, E. Ellesson, "Policy Core 3931 Lightweight Directory Access Protocol (LDAP) Schema", 3932 RFC 3703, February 2004. 3934 [LDAP] Hodges, J., and Morgan R., "Lightweight Directory Access 3935 Protocol (v3): Technical Specification", RFC 3377, 3936 September 2002. 3938 [LDAP_SYNTAX] M. Wahl, A. Coulbeck, T. Howes, S. Kille, "Lightweight 3939 Directory Access Protocol(v3): Attribute Syntax Definitions", 3940 RFC 2252, December 1997. 3942 [LDAP_SCHEMA] M. 
Wahl, "A Summary of the X.500(96) User Schema for use 3943 with LDAPv3", RFC 2256, December 1997. 3945 [LDAP_MATCH] Zeilenga, K., Ed., "Lightweight Directory Access Protocol 3946 (LDAP): Additional Matching Rules", RFC 3698, February 2004. 3948 [X.501] The Directory: Models. ITU-T Recommendation X.501, 2001. 3950 [X.520] The Directory: Selected Attribute Types. ITU-T Recommendation 3951 X.520, 2001. 3953 10. Informative References 3955 [LDAP-IANA] K. Zeilenga, "Internet Assigned Numbers Authority (IANA) 3956 Considerations for the Lightweight Directory Access Protocol 3957 (LDAP)", BCP 64, RFC 3383, September 2002. 3959 11. Authors' Addresses 3961 Mircea Pana 3962 MetaSolv Software Inc. 3963 360 Legget Drive 3964 Ottawa, Ontario, Canada 3965 K2K 3N1 3967 EMail: mpana@metasolv.com 3969 Angelica Reyes 3970 University Veracruzana 3971 Spain 3973 EMail: xalitta@yahoo.com 3975 Antoni Barba 3976 Technical University of Catalonia 3977 Jordi-Girona 1-3 3978 08034 Barcelona 3979 Spain 3981 EMail: telabm@mat.upc.es 3983 David Moron 3984 Technical University of Catalonia 3985 Jordi-Girona 1-3 3986 08034 Barcelona 3987 Spain 3989 EMail: dmor4477@hotmail.com 3991 Marcus Brunner 3992 NEC Europe Ltd. 3993 Kurfuersten Anlage 34 3994 D-69115 Heidelberg 3995 Germany 3997 EMail: brunner@ccrle.nec.de 3999 13. Intellectual Property Statement 4001 The IETF takes no position regarding the validity or scope of any 4002 Intellectual Property Rights or other rights that might be claimed to 4003 pertain to the implementation or use of the technology described in 4004 this document or the extent to which any license under such rights 4005 might or might not be available; nor does it represent that it has 4006 made any independent effort to identify any such rights. Information 4007 on the procedures with respect to rights in RFC documents can be 4008 found in BCP 78 and BCP 79. 
4010 Copies of IPR disclosures made to the IETF Secretariat and any 4011 assurances of licenses to be made available, or the result of an 4012 attempt made to obtain a general license or permission for the use of 4013 such proprietary rights by implementers or users of this 4014 specification can be obtained from the IETF on-line IPR repository at 4015 http://www.ietf.org/ipr. 4017 The IETF invites any interested party to bring to its attention any 4018 copyrights, patents or patent applications, or other proprietary 4019 rights that may cover technology that may be required to implement 4020 this standard. Please address the information to the IETF at 4021 ietf-ipr@ietf.org. 4023 Disclaimer of Validity 4025 This document and the information contained herein are provided on an 4026 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 4027 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 4028 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 4029 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 4030 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 4031 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 4033 Copyright Statement 4035 Copyright (C) The Internet Society (2004). This document is subject 4036 to the rights, licenses and restrictions contained in BCP 78, and 4037 except as set forth therein, the authors retain all their rights. 4039 Acknowledgment 4041 Funding for the RFC Editor function is currently provided by the 4042 Internet Society. 4044 RFC-Editor, please make the following changes before the publication 4045 of this document as an RFC: 4047 1. Replace every occurrence of the string "xxxx" throughout the 4048 entire document with the RFC number assigned to this document. 4049 2. Replace every occurrence the string "IANA-ASSIGNED-OID" throughout 4050 the entire document with the OID assigned by IANA. 4051 3. 
Remove the section "PLEASE NOTE:" that follows the "Table of 4052 contents" section upon OID assignment by IANA. 4053 4. Remove the subsection "PLEASE NOTE:" in section 7 ("IANA 4054 Considerations") upon OID assignment by IANA. 4055 5. Remove this note.