Purpose of the PCIM



TRANSCRIPT

Page 1: Purpose of the PCIM

Strassner, Policy Theory and Practice – IM2001

• Provide a set of classes and relationships that provide an extensible means for defining policy control of managed objects

» Represents the structure, not the contents, of a policy

» Content provided by subclassing classes to derive technology- and vendor-specific conditions, actions, and other elements

Page 2: PCIM Overview (1)

• Policy-based management assumes that the network is modeled as a state machine

• Classes and relationships are used to model:

» the state of an entity

» settings to be applied to an entity that either maintain the entity's current state or move the entity to a new state

» policies that control the application of settings

Page 3: PCIM Overview (2)

• Thus, policy is applied using a set of rules

» Each rule has a set of conditions that specify when the policy should be applied

– Conditions can be specified in CNF or DNF

» Each rule has a set of actions that are executed if the conditions are TRUE

– Execution order can be specified

» Rules may be prioritized and grouped together to model an administrative hierarchy

Page 4: Policy Core Model: Groups & Rules

Class diagram (reconstructed from the slide graphic as text):

Policy (ABSTRACT)

» CommonName: string

» PolicyKeywords: string[]

PolicyGroup (subclass of Policy)

» CreationClassName: string [key]

» PolicyGroupName: string [key]

PolicyRule (subclass of Policy)

» CreationClassName: string [key]

» PolicyRuleName: string [key]

» Enabled: uint16

» ConditionListType: uint16

» RuleUsage: string

» Priority: uint16

» Mandatory: boolean

» SequencedActions: uint16

» PolicyRoles: string[]

Other classes shown: ManagedElement, System, AdminDomain (a System) and PolicyRepository (a subclass of AdminDomain).

Aggregations and associations shown, with the cardinalities legible on the slide:

» PolicyComponent (* to *), the base aggregation, specialized as PolicyGroupInPolicyGroup, PolicyRuleInPolicyGroup and PolicyConditionInPolicyRule

» PolicyInSystem (0..1 System to * Policy), a Dependency, specialized as PolicyGroupInSystem and PolicyRuleInSystem (1 System to * PolicyGroups/PolicyRules, marked "w" for weak: the System's keys propagate into the PolicyGroup/PolicyRule), and as PolicyConditionInPolicyRepository and PolicyActionInPolicyRepository (0..1 PolicyRepository to * reusable conditions/actions)

» PolicyRepositoryInPolicyRepository, a SystemComponent (* to *), for nesting repositories

Page 5: Policy Class

• Policy Class (Abstract)

» Root of the policy tree

» Carries common attributes to all policy classes

– Caption, Description from CIM ManagedElement

– OrderedCIMKeys to represent the CIM hierarchy

– cn from X.520

– PolicyKeywords

» PolicyElementAuxClass is an aux class to represent this class and enables any object in the DIT to be identified as a policy class

Page 6: PolicyRule

• A PolicyRule consists of a set of conditions and a set of actions

» Boolean logic assumed

» If condition clause is TRUE, then action clause may execute

» Rule-specific and reusable policy rules are supported by using the PolicyConditionInPolicyRule and PolicyActionInPolicyRule aggregations

» Multiple time periods may be used to define a schedule for which this PolicyRule is active by using the PolicyRuleValidityPeriod aggregation

» Rules may be prioritized

Page 7: Types of PolicyRules

• Rule-specific PolicyRules are those whose components are embedded in the PolicyRule itself

» The terms making up the PolicyRule can NOT be reused by other PolicyRules

• Reusable PolicyRules share one or more components with other PolicyRules

» PolicyRule components are stored in a common PolicyRepository and referenced by the PolicyRules using them

• Each has implementation implications

Page 8: PolicyGroup

• PolicyRules may be aggregated into PolicyGroups, which may be nested

» Enables hierarchical representation of policy (per-user, per-domain, etc.)

• Special semantics defined in QoS information model to represent different administrative scopes and groupings of rules

Page 9: PolicyRepository

• Represents an administratively-defined container for holding REUSABLE policy conditions and actions

» May be extended to hold other types of reusable policy “building blocks”

» May be nested to provide more granular domain control

Page 10: PCIM: Conditions & Actions

Class diagram (reconstructed from the slide graphic as text):

PolicyCondition (ABSTRACT, subclass of Policy)

» SystemCreationClassName: string [key]

» SystemName: string [key]

» PolicyRuleCreationClassName: string [key]

» PolicyRuleName: string [key]

» CreationClassName: string [key]

» PolicyConditionName: string [key]

PolicyTimePeriodCondition (subclass of PolicyCondition)

» TimePeriod: string

» MonthOfYearMask: uint8[] [Octetstring]

» DayOfMonthMask: uint8[] [Octetstring]

» DayOfWeekMask: uint8[] [Octetstring]

» TimeOfDayMask: string

» LocalOrUtcTime: uint16

VendorPolicyCondition (subclass of PolicyCondition)

» Constraint: Octetstring[]

» ConstraintEncoding: string [OID]

PolicyAction (ABSTRACT, subclass of Policy)

» SystemCreationClassName: string [key]

» SystemName: string [key]

» PolicyRuleCreationClassName: string [key]

» PolicyRuleName: string [key]

» CreationClassName: string [key]

» PolicyActionName: string [key]

VendorPolicyAction (subclass of PolicyAction)

» ActionData: Octetstring[]

» ActionEncoding: string [OID]

PolicyRule and PolicyGroup carry the attributes listed on Page 4; PolicyRepository is a subclass of AdminDomain.

Aggregations (all PolicyComponent specializations, * to *): PolicyConditionInPolicyRule, PolicyActionInPolicyRule, PolicyRuleValidityPeriod (PolicyRule to PolicyTimePeriodCondition) and PolicyRuleInPolicyGroup. Associations to the repository (0..1 PolicyRepository to * reusable conditions/actions): PolicyConditionInPolicyRepository and PolicyActionInPolicyRepository.

Page 11: Policy Conditions

• Abstract base class for domain-specific conditions that will be defined by domain-specific models (e.g., QoS model, IPsec model)

• Boolean condition expressed in CNF or DNF

» Individual condition terms can be negated

• Only defines naming properties (7: the System's CreationClassName and Name, the PolicyRule's CreationClassName and Name, its own CreationClassName and PolicyConditionName, and a user-friendly name)

Page 12: Expressing Policy Conditions

• PolicyRule.ConditionListType defines how to interpret the condition (e.g., CNF or DNF)

• PolicyConditionInPolicyRule contains two additional properties:

» GroupNumber indicates the group to which the PolicyCondition belongs

» ConditionNegated is a boolean that, if TRUE, indicates that this condition is negated
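The following is an added example (not code from the slides or from the PCIM specification) of how a PDP would evaluate the condition clause just described: each term is evaluated, negated if ConditionNegated is set, placed in its GroupNumber bucket, and the buckets are combined according to PolicyRule.ConditionListType. The codes DNF = 1 and CNF = 2 are the RFC 3060 value map for ConditionListType; the class and function names, the three sample conditions and the request contexts are assumptions made for this example.

```python
"""Evaluate a PCIM PolicyRule condition list (CNF or DNF).

Added example: not code from the slides or from RFC 3060. It models the
two PolicyConditionInPolicyRule properties (GroupNumber, ConditionNegated)
and PolicyRule.ConditionListType and evaluates the boolean expression they
describe. DNF = 1 and CNF = 2 follow the RFC 3060 ConditionListType value
map; the class names, sample conditions and contexts are this example's own.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence

DNF = 1  # ConditionListType: terms in a group are ANDed, groups are ORed
CNF = 2  # ConditionListType: terms in a group are ORed, groups are ANDed


@dataclass(frozen=True)
class ConditionInRule:
    """One PolicyConditionInPolicyRule aggregation instance: the condition
    term plus the two association properties from the slide."""
    name: str
    term: Callable[[dict], bool]  # the domain-specific condition (assumed callable)
    group_number: int             # GroupNumber
    negated: bool = False         # ConditionNegated


def evaluate_condition_list(list_type: int,
                            conditions: Sequence[ConditionInRule],
                            context: dict) -> bool:
    """Return TRUE when the rule's condition clause holds for `context`.

    A rule with no conditions is treated as always applicable here; that is
    this example's choice, not something the slide states.
    """
    if list_type not in (DNF, CNF):
        raise ValueError(f"unknown ConditionListType {list_type}")
    groups: Dict[int, List[bool]] = {}
    for cond in conditions:
        value = bool(cond.term(context))
        if cond.negated:
            value = not value
        groups.setdefault(cond.group_number, []).append(value)
    if not groups:
        return True
    if list_type == DNF:
        return any(all(terms) for terms in groups.values())
    return all(any(terms) for terms in groups.values())


# Constructed sample: three condition terms bound to one rule.
SAMPLE_CONDITIONS = (
    ConditionInRule("src-in-corp-net", lambda c: c["src"].startswith("10."), group_number=1),
    ConditionInRule("dst-port-ssh", lambda c: c["dport"] == 22, group_number=1),
    ConditionInRule("dst-not-dmz", lambda c: c["zone"] == "dmz", group_number=2,
                    negated=True),
)


def rule_matches(list_type: int, context: dict) -> bool:
    """Evaluate the constructed rule above for one request context."""
    return evaluate_condition_list(list_type, SAMPLE_CONDITIONS, context)


if __name__ == "__main__":
    # Same terms, same GroupNumbers; only ConditionListType differs.
    ssh_from_corp_to_dmz = {"src": "10.1.2.3", "dport": 22, "zone": "dmz"}
    # DNF: (src-in-corp-net AND dst-port-ssh) OR (NOT dst-is-dmz)
    # CNF: (src-in-corp-net OR dst-port-ssh) AND (NOT dst-is-dmz)
    print("DNF:", rule_matches(DNF, ssh_from_corp_to_dmz))
    print("CNF:", rule_matches(CNF, ssh_from_corp_to_dmz))
```

The point of the sample is the failure mode: the same GroupNumber assignments read as two different policies under DNF and CNF. For SSH from the corporate network into the DMZ the DNF reading is TRUE and the CNF reading is FALSE, so a PDP that ignores ConditionListType and assumes DNF (the RFC 3060 default when the property is absent) applies the rule where the administrator who wrote it in CNF did not intend it to apply.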

Page 13: Reusable PolicyConditions

• Stored in a PolicyRepository and referenced using the association PolicyConditionInPolicyRepository

» Rule-specific PolicyConditions do NOT use this association; thus:

– Cardinality is 0 for rule-specific, 1 for reusable

» QPIM extends this so that different conditions can be stored in different portions of the repository

– Different portions implies different scopes and application

Page 14: PolicyTimePeriodCondition

• Subclass of PolicyCondition to represent the time when a PolicyRule is active

» If not specified, then the rule is always active

» PolicyRuleValidityPeriod is an aggregation that defines the set of time periods for a given PolicyRule

• Instances may have up to 5 properties that together specify the time period

» Property values are ANDed to determine the validity period; properties not present are treated as having their value always enabled
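The following is an added example (not code from the slides or from the PCIM specification) of evaluating the five properties against a timestamp, ANDing whichever are present. The property encodings follow RFC 3060 as this example reads it: TimePeriod is "yyyymmddThhmmss/yyyymmddThhmmss" (either side may be THISANDPRIOR or THISANDFUTURE); the three masks are octet strings read most-significant bit first (January = bit 0; day of month 1..31 = bits 0..30 and last day, second-last day, ... = bits 31..61; Sunday = bit 0); TimeOfDayMask is "Thhmmss/Thhmmss" and wraps past midnight when the end is earlier than the start; LocalOrUtcTime is 1 = local, 2 = UTC. Treating the end of TimePeriod and TimeOfDayMask as exclusive, the helper names and the two sample conditions are this example's own choices.

```python
"""Evaluate a PCIM PolicyTimePeriodCondition against a timestamp.

Added example, not code from the slides or RFC 3060. Encodings follow
RFC 3060 as read by this example (see the lead-in); exclusive end times,
the helper names and the sample conditions are this example's own choices.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Optional

LOCAL_TIME, UTC_TIME = 1, 2
STAMP = "%Y%m%dT%H%M%S"


def mask_from_bits(bits: Iterable[int], octets: int) -> bytes:
    """Octet-string mask with the given bit indexes set (bit 0 is the most
    significant bit of the first octet, as the PCIM masks are read here)."""
    value = bytearray(octets)
    for b in bits:
        value[b // 8] |= 0x80 >> (b % 8)
    return bytes(value)


def bit_set(mask: bytes, index: int) -> bool:
    return bool(mask[index // 8] & (0x80 >> (index % 8)))


@dataclass
class PolicyTimePeriodCondition:
    time_period: Optional[str] = None           # TimePeriod
    month_of_year_mask: Optional[bytes] = None  # 2 octets, 12 bits used
    day_of_month_mask: Optional[bytes] = None   # 8 octets, 62 bits used
    day_of_week_mask: Optional[bytes] = None    # 1 octet, 7 bits used
    time_of_day_mask: Optional[str] = None      # "Thhmmss/Thhmmss"
    local_or_utc_time: int = UTC_TIME           # LocalOrUtcTime

    def is_active(self, when: datetime) -> bool:
        """All present properties are ANDed; an absent property always passes."""
        if self.local_or_utc_time == UTC_TIME:
            t = when.astimezone(timezone.utc).replace(tzinfo=None)
        else:
            t = when.replace(tzinfo=None)  # caller supplies the PEP's local clock
        return (self._in_time_period(t) and self._month_ok(t)
                and self._day_of_month_ok(t) and self._day_of_week_ok(t)
                and self._time_of_day_ok(t))

    def _in_time_period(self, t: datetime) -> bool:
        if self.time_period is None:
            return True
        start, end = self.time_period.split("/")
        if start != "THISANDPRIOR" and t < datetime.strptime(start, STAMP):
            return False
        if end != "THISANDFUTURE" and t >= datetime.strptime(end, STAMP):
            return False
        return True

    def _month_ok(self, t: datetime) -> bool:
        return self.month_of_year_mask is None or bit_set(self.month_of_year_mask, t.month - 1)

    def _day_of_month_ok(self, t: datetime) -> bool:
        if self.day_of_month_mask is None:
            return True
        last = calendar.monthrange(t.year, t.month)[1]
        return (bit_set(self.day_of_month_mask, t.day - 1)               # counted from the start
                or bit_set(self.day_of_month_mask, 31 + (last - t.day)))  # counted from the end

    def _day_of_week_ok(self, t: datetime) -> bool:
        # datetime.weekday() has Monday = 0; the mask has Sunday = bit 0.
        return self.day_of_week_mask is None or bit_set(self.day_of_week_mask, (t.weekday() + 1) % 7)

    def _time_of_day_ok(self, t: datetime) -> bool:
        if self.time_of_day_mask is None:
            return True
        start_s, end_s = self.time_of_day_mask.split("/")
        start = datetime.strptime(start_s, "T%H%M%S").time()
        now = t.time()
        if end_s == "T240000":               # end of day
            return now >= start
        end = datetime.strptime(end_s, "T%H%M%S").time()
        if start <= end:
            return start <= now < end
        return now >= start or now < end     # window wraps past midnight


# Constructed samples.
BUSINESS_HOURS = PolicyTimePeriodCondition(
    time_period="20010101T000000/THISANDFUTURE",
    day_of_week_mask=mask_from_bits([1, 2, 3, 4, 5], 1),   # Monday..Friday
    time_of_day_mask="T080000/T180000",
)
MONTH_END_MAINTENANCE = PolicyTimePeriodCondition(
    day_of_month_mask=mask_from_bits([31], 8),             # last day of the month
    time_of_day_mask="T220000/T020000",                    # 22:00 to 02:00, wraps
)
```

The ANDing rule on the slide has a consequence worth checking in a real deployment: because each property is tested independently against the same timestamp, a TimeOfDayMask that wraps past midnight only matches the part of the window that falls on a day the other masks allow. The month-end sample above is active at 23:00 on the last day of June but not at 01:00 on 1 July, even though the administrator probably meant one four-hour window.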

Page 15: Policy Actions

• Abstract base class for domain-specific actions that will be defined by domain-specific models

» Deployed actions are bound to a System; reusable actions exist in a PolicyRepository

» Only defines naming properties (7: the System's CreationClassName and Name, the PolicyRule's CreationClassName and Name, its own CreationClassName and PolicyActionName, and a user-friendly name)

• Reusable actions are stored in a PolicyRepository and referenced using the PolicyActionInPolicyRepository association

» Rule-specific PolicyActions do NOT use this association; thus, cardinality is 0 for rule-specific, 1 for reusable

Page 16: Policy Actions (2)

• The PolicyActionInPolicyRule aggregation contains the set of action clauses for a given PolicyRule

» The ActionOrder property indicates the relative position of an action in the sequence of actions associated with a PolicyRule

– If n is a positive integer, it defines the order, with smaller integers being ordered first

– 0 is a special value that indicates "don't care"

– Two or more actions with the same ActionOrder value can be executed in any order, as long as they are executed at the correct position in the overall sequence
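The following is an added example (not code from the slides or from the PCIM specification) that turns a rule's PolicyActionInPolicyRule links into an execution plan using exactly the ActionOrder semantics above, and refuses the whole rule when ordering matters but the enforcement point cannot honour it. The PolicyRule.SequencedActions codes (1 = mandatory, 2 = recommended, 3 = dontCare) follow RFC 3060; the function name, the PEP capability flag and the sample actions are this example's own.

```python
"""Build an execution plan from a PolicyRule's ActionOrder values.

Added example, not code from the slides or RFC 3060. ActionOrder is read
as the slide states it: positive integers run smallest first, 0 means
"don't care", equal values may run in any order. SequencedActions codes
(1 = mandatory, 2 = recommended, 3 = dontCare) follow RFC 3060; the
function name, the `pep_can_order` flag and the sample are assumptions.
"""
from typing import Dict, List, Optional, Sequence, Tuple

MANDATORY, RECOMMENDED, DONT_CARE = 1, 2, 3


def plan_actions(actions: Sequence[Tuple[str, int]],
                 sequenced_actions: int = DONT_CARE,
                 pep_can_order: bool = True) -> Optional[List[List[str]]]:
    """Return the actions as ordered batches, or None if the rule must not run.

    `actions` are (action name, ActionOrder) pairs. Actions inside one batch
    may execute in any order; batches execute in the order returned. Actions
    with ActionOrder 0 form a final batch, since any position satisfies
    "don't care". If the PEP cannot honour ordering, more than one distinct
    order value is present and SequencedActions is mandatory, the rule is
    refused as a whole rather than executed partially or out of order.
    """
    ordered: Dict[int, List[str]] = {}
    dont_care: List[str] = []
    for name, order in actions:
        if order < 0:
            raise ValueError(f"ActionOrder must be >= 0, got {order} for {name}")
        (dont_care if order == 0 else ordered.setdefault(order, [])).append(name)
    if not pep_can_order and len(ordered) > 1 and sequenced_actions == MANDATORY:
        return None
    batches = [ordered[k] for k in sorted(ordered)]
    if dont_care:
        batches.append(dont_care)
    return batches


# Constructed sample: a QoS-style rule where shaping must precede marking.
SAMPLE_ACTIONS = (("log-hit", 0), ("mark-dscp", 2), ("shape", 1), ("count", 2))
```

Refusing the rule (returning None) rather than running the batches the PEP can manage is the fail-closed choice; the model as presented here says nothing about what happens if a later batch fails after an earlier one has been applied, which is the gap the transactional action semantics listed under PCIM Extensions later in this deck are meant to close.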

Page 17: Rule-Specific Policy Structure

• PolicyRule is a container that holds PolicyConditions and PolicyActions

» QPIM extends this so that a condition is treated as a container

• To do this attachment

» PolicyRule is a structural class

» PolicyCondition and PolicyAction are both auxiliary classes

Page 18: Rule-Specific Example

Figure (reconstructed from the slide diagram): Rule 1 (structural) contains, by DIT containment, two structural entries: Condition 1, which represents the association between Rule 1 and Condition 1, and Action 1, which represents the association between Rule 1 and Action 1. The condition itself and the action itself are auxiliary classes attached directly to those entries (Condition 1, aux attached; Action 1, aux attached). The DN pointer attributes on the two association entries are not used in the rule-specific case.

Page 19: Reusable Components

• Policy components can be specific to a rule or reusable among many rules

» Rule-specific information is attached to the rule itself

» Reusable information is stored in a container that is referenced by the rule

• The only difference between a reusable and a rule-specific component is in the intent of the administrator

» No difference in functionality

Page 20: Reusable Components (2)

• PCIM defines a policy repository to store reusable information. This causes some subtle differences, including:

» access control can be specified per rule for rule-specific conditions and actions, but not for reusable ones, which are shared by every rule that references them

» referential integrity should be enforced for rule-specific elements; it is harder to do in the reusable case, where a rule holds only a DN pointer into the repository

» mapping to a data model is more difficult

Page 21: Reusable Rule Example

Figure (reconstructed from the slide diagram): Rule 1 (structural) contains, by DIT containment, the structural entries Condition 1 and Action 1, which represent the associations between Rule 1 and its condition and action. Each of these holds a DN pointer to an instance stored under PolicyRepository (structural) by DIT containment: ConditionInstance (structural) with Condition 1 Aux attached, representing the condition itself, and ActionInstance (structural) with Action 1 Aux attached, representing the action itself.

Page 22: PolicyInstance

• Uses DIT content rules to allow a PolicyConditionAuxClass or a PolicyActionAuxClass to be attached to it

• Uses DIT structure rules to enable it to be named using either PolicyInstanceName, cn, or OrderedCIMKeys

Page 23: PolicySubtreesPtrAuxClass

• This aux class provides a single multi-valued attribute to point to the root of a set of subtrees that contain policy information

» Attaching this attribute to other class instances enables the administrator to define entry points to related policy information

– Can be used to define the order of visiting information in the policy tree (e.g., for a PDP)

– Can be used to tie different subtrees together

Page 24: PolicyElementAuxClass

• This class is the aux equivalent of the Policy class

» Enables tagging of selected instances that are outside of the policy class hierarchy, but are nevertheless policy-related

» This works through searching on oc=policy

» Note that some directories don’t support this, so in these cases, policy-related entries must be tagged with the keyword Policy and searched on using an attribute search

Page 25: Aux Containment Classes

• PolicyGroupContainmentAuxClass and PolicyRuleContainmentAuxClass

» Each contains a single multi-valued attribute that points to a set of PolicyGroups and PolicyRules, respectively

» Enables the administrator to bind PolicyGroups/PolicyRules to a container

Page 26: PCIM Extensions

• New draft to simplify and encourage use of PCIM

» PolicyRepository broadened & renamed

» Rules may contain groups & other rules (context)

» Priorities & decision strategies clarified

» Refinements in the use of PolicyRoles

» Compound conditions & actions (reusable)

» Transactional semantics for action execution

» Variables & values, for conditions & actions

» Packet filtering in policy conditions based on variables/values

Page 27: Building PolicyConditions

• The PolicyConditionInPolicyRule association has properties that require special mapping

» PolicyRuleConditionAssociation represents the properties and is attached via DIT containment

» The conditions themselves are represented by the PolicyConditionAuxClass (and its subclasses), which are either

– attached directly to instances of the PolicyRuleConditionAssociation for rule-specific conditions, or

– attached indirectly, using a DN pointer to refer to an instance of the PolicyConditionInstance class

Page 28: PolicyRuleConditionAssociation (1)

• Contains properties characterizing the relationship between a rule and a condition

» PolicyConditionGroupNumber - used to group conditions according to CNF or DNF

» PolicyConditionNegated - flag defining if a condition is negated or not

» PolicyConditionDN - pointer to a reusable PolicyCondition (should be NULL if rule-specific)

Page 29: PolicyRuleConditionAssociation (2)

• Semantics defined using DIT structure and content rules

» PolicyConditionAuxClass subclasses are attached using DIT content rules

» Structure rules define naming, scoped by a PolicyRule, using either the OrderedCIMKeys, cn, or PolicyConditionName

Page 30: PolicyConditionAuxClass

• Used to bind conditions to rules

» Rule-specific conditions are defined by attaching this aux class to either an instance of the PolicyRuleConditionAssociation or the PolicyRule classes

» Reusable conditions are defined by attaching this aux class to an instance of the PolicyConditionInstance class

» Note: this class is derived from Top because it attaches to classes already derived from Policy

– otherwise we have a property conflict!
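The following is an added example (not code from the slides or from the PCIM LDAP mapping) of the resolution step a PDP must perform after reading the directory: walk the PolicyRuleConditionAssociation entries under a rule, bind each to its condition either directly (an aux class attached to the association entry, rule-specific) or through PolicyConditionDN into a PolicyRepository (reusable), and record every failure instead of silently dropping the condition. It uses the class and attribute names from these slides as LDAP object class and attribute names; the DNs, the Constraint value syntax and the LDIF entries are constructed for this example, and the LDIF parser understands only the plain "attr: value" form (no base64 values, no continuation lines).

```python
"""Resolve a PolicyRule's conditions from their LDAP representation.

Added example, not code from the slides or RFC 3703. Object class and
attribute names are the ones the slides use; DNs, the Constraint syntax
and the LDIF are constructed. parse_ldif handles "attr: value" lines only.
"""
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Auxiliary classes whose presence on an entry means a condition is attached.
CONDITION_AUX_CLASSES = {"policyconditionauxclass",
                         "vendorpolicyconditionauxclass",
                         "policytimeperiodconditionauxclass"}

SAMPLE_LDIF = """\
dn: cn=Rule1,ou=Policy,o=Example
objectClass: PolicyRule
ConditionListType: 1

dn: cn=Cond1,cn=Rule1,ou=Policy,o=Example
objectClass: PolicyRuleConditionAssociation
objectClass: VendorPolicyConditionAuxClass
PolicyConditionGroupNumber: 1
PolicyConditionNegated: FALSE
Constraint: src=10.0.0.0/8

dn: cn=Cond2,cn=Rule1,ou=Policy,o=Example
objectClass: PolicyRuleConditionAssociation
PolicyConditionGroupNumber: 1
PolicyConditionNegated: TRUE
PolicyConditionDN: cn=DmzHosts,cn=Repo,ou=Policy,o=Example

dn: cn=Cond3,cn=Rule1,ou=Policy,o=Example
objectClass: PolicyRuleConditionAssociation
PolicyConditionGroupNumber: 2
PolicyConditionDN: cn=Retired,cn=Repo,ou=Policy,o=Example

dn: cn=Repo,ou=Policy,o=Example
objectClass: PolicyRepository

dn: cn=DmzHosts,cn=Repo,ou=Policy,o=Example
objectClass: PolicyConditionInstance
objectClass: VendorPolicyConditionAuxClass
Constraint: dst=192.0.2.0/24
"""


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Return {lower-cased dn: {lower-cased attribute: [values]}}."""
    entries: Dict[str, Entry] = {}
    current: Entry = {}
    for raw in text.splitlines() + [""]:
        line = raw.strip()
        if not line:                      # a blank line ends an entry
            if current:
                entries[current["dn"][0].lower()] = current
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def has_class(entry: Entry, names) -> bool:
    classes = {c.lower() for c in entry.get("objectclass", [])}
    wanted = {names.lower()} if isinstance(names, str) else set(names)
    return bool(classes & wanted)


def resolve_rule_conditions(entries: Dict[str, Entry], rule_dn: str) -> List[dict]:
    """Bind each association entry under `rule_dn` to its condition."""
    suffix = "," + rule_dn.lower()
    found = []
    for dn, entry in entries.items():
        if not dn.endswith(suffix) or not has_class(entry, "PolicyRuleConditionAssociation"):
            continue
        item = {"association": entry["dn"][0],
                "group": int(entry.get("policyconditiongroupnumber", ["1"])[0]),
                "negated": entry.get("policyconditionnegated", ["FALSE"])[0].upper() == "TRUE",
                "source": None, "condition": None, "error": None}
        pointer: Optional[str] = entry.get("policyconditiondn", [None])[0]
        attached = has_class(entry, CONDITION_AUX_CLASSES)
        if attached and pointer:
            item["error"] = "ambiguous: condition attached and PolicyConditionDN set"
        elif attached:                                  # rule-specific
            item["source"], item["condition"] = "rule-specific", entry
        elif pointer:                                   # reusable, via DN pointer
            target = entries.get(pointer.lower())
            if target is None:
                item["error"] = f"dangling PolicyConditionDN {pointer}"
            elif not (has_class(target, "PolicyConditionInstance")
                      and has_class(target, CONDITION_AUX_CLASSES)):
                item["error"] = f"{pointer} is not a PolicyConditionInstance with a condition"
            else:
                item["source"], item["condition"] = "reusable", target
        else:
            item["error"] = "no condition attached or referenced"
        found.append(item)
    return sorted(found, key=lambda r: r["association"].lower())


def rule_is_evaluable(resolved: List[dict]) -> bool:
    """Fail closed: a rule with any unresolved condition must not be evaluated."""
    return bool(resolved) and all(r["error"] is None for r in resolved)
```

The constructed directory deliberately contains the referential-integrity problem raised under Reusable Components (2): Cond3 points at a repository entry that no longer exists. A PDP that skipped the unresolved condition would evaluate Rule1 with one fewer term and, under DNF, could match traffic the full rule excludes; `rule_is_evaluable` therefore reports the rule as unusable until the pointer is repaired.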

Page 31: Building PolicyActions

• The PolicyActionInPolicyRule association has properties that require special mapping

» PolicyRuleActionAssociation represents the properties and is attached via DIT containment

» The actions themselves are represented by the PolicyActionAuxClass (and its subclasses), which are either

– attached directly to instances of the PolicyRuleActionAssociation for rule-specific actions, or

– attached indirectly, using a DN pointer to refer to an instance of the PolicyActionInstance class

Page 32: PolicyRuleActionAssociation

• Two properties

» PolicyActionOrder determines the order of executing actions associated with a policy rule

» PolicyActionDN - pointer to a reusable PolicyAction (should be NULL if rule-specific)

• Semantics

» PolicyActionAuxClass subclasses are attached using DIT content rules

» Structure rules define naming, scoped by a PolicyRule, using either the OrderedCIMKeys, cn, or PolicyActionName

Page 33: PolicyActionAuxClass

• Used to bind actions to rules

» Rule-specific actions are defined by attaching this aux class to either an instance of the PolicyRuleActionAssociation or the PolicyRule classes

» Reusable actions are defined by attaching this aux class to an instance of the PolicyActionInstance class

» Note: this class is derived from Top because it attaches to classes already derived from Policy

– otherwise we have a property conflict!

Page 34: PolicyTimePeriodConditionAuxClass

• Built as an aux class so it can be attached directly to a policy rule

» Represents periods of time that define when a condition is valid

– time period, plus month, day of month and week, and time of day masks

Page 35: Structure of a Rule-Specific Policy

• PolicyRule is a container that holds PolicyConditions and PolicyActions

» QPIM extends this so that a condition is treated as a container

• To do this attachment

» PolicyRule is a structural class

» PolicyCondition and PolicyAction are both auxiliary classes

Page 36: Attachment

• The information model defines PolicyRule relationships

» PolicyConditionInPolicyRule attaches conditions to a PolicyRule

» PolicyActionInPolicyRule attaches actions to a PolicyRule

» PolicyRuleInPolicyGroup groups PolicyRules

» PolicyRuleInSystem associates a PolicyRule with a System (e.g., a router or server)

• There can be as many attached conditions and actions as required

Page 37: Example

Figure (reconstructed from the slide diagram; same structure as the rule-specific example on Page 18): Rule 1 (structural) contains, by DIT containment, the structural entries Condition 1 and Action 1, which represent the associations between Rule 1 and its condition and action. The condition itself and the action itself are auxiliary classes attached directly to those entries (Condition 1, aux attached; Action 1, aux attached). The DN pointer attributes on the association entries are not used in the rule-specific case.

Page 38: Defining Reusable Elements

• Reusable elements are always stored in a special part of the DIT

» Modeled using the PolicyRepository class

» Attached (indirectly) to a rule using DN pointers

• Since conditions and actions are aux classes, they need something to attach to

» Rule-specific: the PolicyRule itself

» Reusable: the PolicyInstance class, whose instances are stored in the PolicyRepository

Page 39: PolicyInstance

• Uses DIT content rules to allow a PolicyConditionAuxClass or a PolicyActionAuxClass to be attached to it

• Uses DIT structure rules to enable it to be named using either PolicyInstanceName, cn, or OrderedCIMKeys

Page 40: PolicyInstance Subclasses

• Two subclasses, PolicyConditionInstance and PolicyActionInstance, are defined

» Defines additional naming attributes (PolicyConditionName and PolicyActionName)

» DIT content rules enable condition and action aux classes to be attached to it

» DIT structure rules enable it to be named under an instance of PolicyRepository using any of its four attributes

Page 41: PolicyRepository

• This is a container for holding reusable policy elements

» DIT structure rules enable it to be named under an instance of PolicyRepository using any of its four attributes

Page 42: PolicySubtreesPtrAuxClass

• This aux class provides a single multi-valued attribute to point to the root of a set of subtrees that contain policy information

» Attaching this attribute to other class instances enables the administrator to define entry points to related policy information

– Can be used to define the order of visiting information in the policy tree (e.g., for a PDP)

– Can be used to tie different subtrees together

Page 43: Aux Containment Classes

• PolicyGroupContainmentAuxClass and PolicyRuleContainmentAuxClass

» Each contains a single multi-valued attribute that points to a set of PolicyGroups and PolicyRules, respectively

» Enables the administrator to bind PolicyGroups/PolicyRules to a container

Page 44: PolicyElementAuxClass

• This class is the aux equivalent of the Policy class

» Enables tagging of selected instances that are outside of the policy class hierarchy, but are nevertheless policy-related

» This works through searching on oc=policy

» Note that some directories don’t support this, so in these cases, policy-related entries must be tagged with the keyword Policy and searched on using an attribute search

Page 45: Example

Figure (reconstructed from the slide diagram; same structure as the reusable example on Page 21): Rule 1 (structural) contains, by DIT containment, the structural entries Condition 1 and Action 1, which represent the associations between Rule 1 and its condition and action. Each holds a DN pointer to an instance stored under PolicyRepository (structural) by DIT containment: ConditionInstance (structural) with Condition 1 Aux attached, representing the condition itself, and ActionInstance (structural) with Action 1 Aux attached, representing the action itself.

Page 46: PolicyRepository

• Used to define a “repository within a repository” for storing reusable data

» DIT structure rules enable it to be named under an instance of PolicyRepository using any of its three attributes