tech-invite   World Map     

IETF     RFCs     Groups     SIP     ABNFs    |    3GPP     Specs     Glossaries     Architecture     IMS     UICC    |    search

RFC 4104

 
 
 

Policy Core Extension Lightweight Directory Access Protocol Schema (PCELS)

Part 2 of 4, p. 8 to 30
Prev RFC Part       Next RFC Part

 


prevText      Top      Up      ToC       Page 8 
4.  General Discussion of Mapping the Policy Core Information Model
    Extensions to LDAP

   The object classes described in this document contain certain
   optimizations for a directory that uses LDAP as its access protocol.
   An example is the use of auxiliary class attachment to LDAP entries
   for the realization of some of the associations defined in the
   information model.  For instance, the aggregation of a specific
   SimplePolicyCondition to a reusable PolicyRule [PCIM_EXT] may be
   realized by attaching a pcelsSimpleConditionAuxClass to a
   pcelsRuleInstance entry.

   Note that other data stores might need to implement the associations
   differently.

4.1.  Summary of Class Mappings

   The classes and their properties defined in the information model
   [PCIM_EXT] map directly to LDAP object classes and attribute types.

   The details of this mapping are discussed case by case in section 5.

+----------------------------------------------------------------------+
| Information Model (PCIM_EXT)  | LDAP Class(es)                       |
+----------------------------------------------------------------------+
| PolicySet                     | pcelsPolicySet                       |
+----------------------------------------------------------------------+
| PolicyGroup                   | pcelsGroup                           |
|                               | pcelsGroupAuxClass                   |
|                               | pcelsGroupInstance                   |
+----------------------------------------------------------------------+
| PolicyRule                    | pcelsRule                            |
|                               | pcelsRuleAuxClass                    |
|                               | pcelsRuleInstance                    |
+----------------------------------------------------------------------+
| SimplePolicyCondition         | pcelsSimpleConditionAuxClass         |
+----------------------------------------------------------------------+
| CompoundPolicyCondition       | pcelsCompoundConditionAuxClass       |
+----------------------------------------------------------------------+

Top      Up      ToC       Page 9 
| CompoundFilterCondition       | pcelsCompoundFilterConditionAuxClass |
+----------------------------------------------------------------------+
| SimplePolicyAction            | pcelsSimpleActionAuxClass            |
+----------------------------------------------------------------------+
| CompoundPolicyAction          | pcelsCompoundActionAuxClass          |
+----------------------------------------------------------------------+
| PolicyVariable                | pcelsVariable                        |
+----------------------------------------------------------------------+
| --------------                | pcelsVendorVariableAuxClass          |
+-------------------------------+--------------------------------------+
| PolicyExplicitVariable        | pcelsExplicitVariableAuxClass        |
+----------------------------------------------------------------------+
| PolicyImplicitVariable        | pcelsImplicitVariableAuxClass        |
+----------------------------------------------------------------------+
| PolicySourceIPv4Variable      | pcelsSourceIPv4VariableAuxClass      |
+----------------------------------------------------------------------+
| PolicySourceIPv6Variable      | pcelsSourceIPv6VariableAuxClass      |
+----------------------------------------------------------------------+
| PolicyDestinationIPv4Variable | pcelsDestinationIPv4VariableAuxClass |
+----------------------------------------------------------------------+
| PolicyDestinationIPv6Variable | pcelsDestinationIPv6VariableAuxClass |
+----------------------------------------------------------------------+
| PolicySourcePortVariable      | pcelsSourcePortVariableAuxClass      |
+----------------------------------------------------------------------+
| PolicyDestinationPortVariable | pcelsDestinationPortVariableAuxClass |
+----------------------------------------------------------------------+
| PolicyIPProtocolVariable      | pcelsIPProtocolVariableAuxClass      |
+----------------------------------------------------------------------+
| PolicyIPVersionVariable       | pcelsIPVersionVariableAuxClass       |
+----------------------------------------------------------------------+
| PolicyIPToSVariable           | pcelsIPToSVariableAuxClass           |
+----------------------------------------------------------------------+
| PolicyDSCPVariable            | pcelsDSCPVariableAuxClass            |
+----------------------------------------------------------------------+
| PolicyFlowIDVariable          | pcelsFlowIDVariableAuxClass          |
+----------------------------------------------------------------------+
| PolicySourceMACVariable       | pcelsSourceMACVariableAuxClass       |
+----------------------------------------------------------------------+
| PolicyDestinationMACVariable  | pcelsDestinationMACVariableAuxClass  |
+----------------------------------------------------------------------+
| PolicyVLANVariable            | pcelsVLANVariableAuxClass            |
+----------------------------------------------------------------------+
| PolicyCoSVariable             | pcelsCoSVariableAuxClass             |
+----------------------------------------------------------------------+
| PolicyEthertypeVariable       | pcelsEthertypeVariableAuxClass       |
+----------------------------------------------------------------------+
| PolicySourceSAPVariable       | pcelsSourceSAPVariableAuxClass       |
+----------------------------------------------------------------------+

Top      Up      ToC       Page 10 
| PolicyDestinationSAPVariable  | pcelsDestinationSAPVariableAuxClass  |
+----------------------------------------------------------------------+
| PolicySNAPOUIVariable         | pcelsSNAPOUIVariableAuxClass         |
+----------------------------------------------------------------------+
| PolicySNAPTypeVariable        | pcelsSNAPTypeVariableAuxClass        |
+----------------------------------------------------------------------+
| PolicyFlowDirectionVariable   | pcelsFlowDirectionVariableAuxClass   |
+----------------------------------------------------------------------+
| PolicyValue                   | pcelsValueAuxClass                   |
+----------------------------------------------------------------------+
| -------------                 | pcelsVendorValueAuxClass             |
+-------------------------------+--------------------------------------+
| PolicyIPv4AddrValue           | pcelsIPv4AddrValueAuxClass           |
+----------------------------------------------------------------------+
| PolicyIPv6AddrValue           | pcelsIPv6AddrValueAuxClass           |
+----------------------------------------------------------------------+
| PolicyMACAddrValue            | pcelsMACAddrValueAuxClass            |
+----------------------------------------------------------------------+
| PolicyStringValue             | pcelsStringValueAuxClass             |
+----------------------------------------------------------------------+
| PolicyBitStringValue          | pcelsBitStringValueAuxClass          |
+----------------------------------------------------------------------+
| PolicyIntegerValue            | pcelsIntegerValueAuxClass            |
+----------------------------------------------------------------------+
| PolicyBooleanValue            | pcelsBooleanValueAuxClass            |
+----------------------------------------------------------------------+
| PolicyRoleCollection          | pcelsRoleCollection                  |
+----------------------------------------------------------------------+
| ReusablePolicyContainer       | pcelsReusableContainer               |
|                               | pcelsReusableContainerAuxClass       |
|                               | pcelsReusableContainerInstance       |
+----------------------------------------------------------------------+
| FilterEntryBase               | pcelsFilterEntryBase                 |
+----------------------------------------------------------------------+
| IPHeadersFilter               | pcelsIPHeadersFilter                 |
+----------------------------------------------------------------------+
| 8021Filter                    | pcels8021Filter                      |
+----------------------------------------------------------------------+
| FilterList                    | pcelsFilterListAuxClass              |
+----------------------------------------------------------------------+

     Figure 2.  Mapping of Information Model Extension Classes to LDAP

   The pcelsVendorVariableAuxClass and pcelsVendorValueAuxClass classes
   are not mapped from [PCIM_EXT].  These classes are introduced in this
   document as a new extension mechanism for vendor-specific policy
   variables and values that have not been specifically modeled.  Just
   like for any other schema elements defined in this document or in

Top      Up      ToC       Page 11 
   [PCLS], a particular submodel schema generally will not need to use
   vendor specific variable and value classes.   Submodel schemas SHOULD
   apply the recommendations of section 5.10 of [PCIM_EXT] with regards
   to the supported and unsupported elements.

4.2.  Summary of Association Mappings

   The associations in the information model map to one or more of the
   following options:

      1.  Attributes that reference DNs (Distinguished Names)
      2.  Directory Information Tree (DIT) containment
          (i.e., superior-subordinate relationships) in LDAP
      3.  Auxiliary class attachment
      4.  Association object classes and attributes that reference DNs

   The details of this mapping are discussed case by case in section 5.

+----------------------------------------------------------------------+
| Information Model Association    | LDAP Attribute/Class              |
+----------------------------------------------------------------------+
| PolicySetComponent               | pcelsPolicySetComponentList in    |
|                                  | pcelsPolicySet and                |
|                                  | pcelsPolicySetDN in               |
|                                  | pcelsPolicySetAsociation          |
+----------------------------------------------------------------------+
| PolicySetInSystem                | DIT Containment and               |
|                                  | pcelsPolicySetDN in               |
|                                  | pcelsPolicySetAsociation          |
+----------------------------------------------------------------------+
| PolicyGroupInSystem              | DIT Containment and               |
|                                  | pcelsPolicySetDN in               |
|                                  | pcelsPolicySetAsociation          |
+----------------------------------------------------------------------+
| PolicyRuleInSystem               | DIT Containment and               |
|                                  | pcelsPolicySetDN in               |
|                                  | pcelsPolicySetAsociation          |
+----------------------------------------------------------------------+
| PolicyConditionStructure         | pcimConditionDN in                |
|                                  | pcelsConditionAssociation         |
+----------------------------------------------------------------------+
| PolicyConditionInPolicyRule      | pcelsConditionList in             |
|                                  | pcelsRule and                     |
|                                  | pcimConditionDN in                |
|                                  | pcelsConditionAssociation         |
+----------------------------------------------------------------------+
| PolicyConditionInPolicyCondition | pcelsConditionList in             |
|                                  | pcelsCompoundConditionAuxClass    |

Top      Up      ToC       Page 12 
|                                  | and pcimConditionDN in            |
|                                  | pcelsConditionAssociation         |
+----------------------------------------------------------------------+
| PolicyActionStructure            | pcimActionDN in                   |
|                                  | pcelsActionAssociation            |
+----------------------------------------------------------------------+
| PolicyActionInPolicyRule         | pcelsActionList in                |
|                                  | pcelsRule and                     |
|                                  | pcimActionDN in                   |
|                                  | pcelsActionAssociation            |
+----------------------------------------------------------------------+
| PolicyActionInPolicyAction       | pcelsActionList in                |
|                                  | pcelsCompoundActionAuxClass       |
|                                  | and pcimActionDN in               |
|                                  | pcelsActionAssociation            |
+----------------------------------------------------------------------+
| PolicyVariableInSimplePolicy     | pcelsVariableDN in                |
| Condition                        | pcelsSimpleConditionAuxClass      |
+----------------------------------------------------------------------+
| PolicyValueInSimplePolicy        | pcelsValueDN in                   |
| Condition                        | pcelsSimpleConditionAuxClass      |
+----------------------------------------------------------------------+
| PolicyVariableInSimplePolicy     | pcelsVariableDN in                |
| Action                           | pcelsSimpleActionAuxClass         |
+----------------------------------------------------------------------+
| PolicyValueInSimplePolicyAction  | pcelsValueDN in                   |
|                                  | pcelsSimpleActionAuxClass         |
+----------------------------------------------------------------------+
| ReusablePolicy                   | DIT containment                   |
+----------------------------------------------------------------------+
| ExpectedPolicyValuesForVariable  | pcelsExpectedValueList in         |
|                                  | pcelsVariable                     |
+----------------------------------------------------------------------+
| ContainedDomain                  | DIT containment or                |
|                                  | pcelsReusableContainerList in     |
|                                  | pcelsReusableContainer            |
+----------------------------------------------------------------------+
| EntriesInFilterList              | pcelsFilterEntryList in           |
|                                  | pcelsFilterListAuxClass           |
+----------------------------------------------------------------------+
| ElementInPolicyRoleCollection    | DIT containment or                |
|                                  | pcelsElementList in               |
|                                  | pcelsRoleCollection               |
+----------------------------------------------------------------------+
| PolicyRoleCollectionInSystem     | DIT Containment                   |
+----------------------------------------------------------------------+

 Figure 3.  Mapping of Information Model Extension Associations to LDAP

Top      Up      ToC       Page 13 
   Two [PCIM_EXT] associations are mapped to DIT containment:

      - PolicyRoleCollectionInSystem is a weak association and weak
        associations map well to DIT containment [CIM_LDAP] (without
        being limited to this mapping).  In the absence of additional
        constraints, DIT containment is chosen here as the optimal
        association mapping.

      - ReusablePolicy is mapped to DIT containment for scalability
        reasons.  It is expected that applications will associate a
        large number of policy instances to a ReusablePolicyContainer
        and DIT containment is a type of association that scales well.

4.3.  Summary of Changes since PCLS

   This section provides an overview of the changes relative to [PCLS]
   defined in this document:

   1.  The concept of a set of policies is introduced by two new object
       classes: pcelsPolicySet and pcelsPolicySetAssociation.  These
       classes enable the aggregation and relative prioritization of
       policies (rules and/or groups).  The attribute pcelsPriority is
       used by pcelsPolicySetAssociation instances to indicate the
       priority of a policy relative to the other policies aggregated by
       the same set.  Applications may use this attribute to apply
       appropriate ordering to the aggregated policies.  This new policy
       aggregation mechanism provides an alternative to the aggregation
       mechanism defined by [PCLS] (that defines
       pcimRuleContainmentAuxClass and/or pcimGroupContainmentAuxClass
       for attaching components to a pcimGroup).

   2.  The attribute pcimRoles defined by [PCLS] is used here by the
       pcelsPolicySet object class.  Thus, the role based policy
       selection mechanism is extended to all the subclasses of
       pcelsPolicySet.

   3.  A new attribute pcelsDecisionStrategy is added on the
       pcelsPolicySet class as a mapping from the decision mechanism.

   4.  A new class pcelsGroup (with two subclasses), implements the
       modified semantics of the PolicyGroup in accordance with
       [PCIM_EXT].  This new class inherits from its superclass
       pcelsPolicySet the ability to aggregate (with relative priority)
       other policy rules or groups.

   5.  A new class pcelsRule (with two subclasses), implements the
       modified semantics of the PolicyRule in accordance with
       [PCIM_EXT].  It does not include an absolute priority attribute,

Top      Up      ToC       Page 14 
       but instances of non-abstract subclasses of pcelsRule can be
       prioritized relative to each other within a System (behavior
       inherited from its superclass: pcelsPolicySet).  The pcelsRule
       class also inherits from pcelsPolicySet the ability to aggregate
       other policy rules or groups, and thus, the ability to construct
       nested rule structures of arbitrary complexity.

   6.  A new attribute pcelsExecutionStrategy is added to the pcelsRule
       and pcelsCompoundActionAuxClass classes to allow the
       specification of the expected behavior in case of multiple
       actions aggregated by a rule or by a compound action.

   7.  Compound Conditions: The pcelsCompoundConditionAuxClass class is
       added in order to map the CompoundPolicyCondition class.  A new
       class, pcelsConditionAssociation is used to aggregate policy
       conditions in a pcelsCompoundConditionAuxClass.  The same class
       is also used to aggregate policy conditions in a pcelsRule.

   8.  Compound Actions: The pcelsCompoundActionAuxClass class is added
       in order to map the CompoundPolicyAction class.  A new class,
       pcelsActionAssociation is used to aggregate policy actions in a
       pcelsCompoundActionAuxClass.  The same class is also used to
       aggregate policy actions in a pcelsRule.

   9.  Simple Conditions, Simple Actions, Variables and Values: The
       simple condition, simple action, variable and value classes
       defined by [PCIM_EXT] are directly mapped to LDAP object classes.
       These are:  pcelsSimpleConditionAuxClass,
       pcelsSimpleActionAuxClass, pcelsVariable and its subclasses, and
       pcelsValueAuxClass and its subclasses.

   10.  A general extension mechanism is introduced for representing
        policy variables and values that have not been specifically
        modeled.  The mechanism is intended for vendor-specific
        extensions.

   11.  Reusable Policy Repository: A new class (with two subclasses),
        pcelsReusableContainer is created as a subclass of
        pcimRepository.  While maintaining compatibility with older
        [PCLS] implementations, the addition of this class acknowledges
        the intent of [PCIM_EXT] to avoid the potential for confusion
        with the Policy Framework component named Policy Repository.
        The new class enables many-to-many associations between reusable
        policy containers.

   12.  The ReusablePolicy association defined in [PCIM_EXT] is realized
        through subordination to an instance of a non-abstract subclass
        of pcelsReusableContainer.  Thus, reusable policy components

Top      Up      ToC       Page 15 
        (groups, rules, conditions, actions, variables and values) may
        be defined as stand-alone entries or stand-alone groups of
        related entries subordinated (DIT contained) to a
        pcelsReusableContainer.

   13.  Device level filter classes are added to the schema.

   14.  The pcelsRoleCollection class is added to the schema to allow
        the association of policy roles to resources represented as LDAP
        entries.

4.4.  Relationship to PCLS Classes

   Several [PCLS] classes are used in this document to derive other
   classes.  If a PCELS application requires a functionality provided by
   any of derived classes, then the [PCLS] class MUST also be supported
   by PCELS implementations.  These classes are:

    pcimPolicy
    pcimRuleConditionAssociation
    pcimRuleActionAssociation
    pcimConditionAuxClass
    pcimActionAuxClass
    pcimRepository

   Other [PCLS] classes are neither derived to nor superseded by classes
   defined in this document.  If a PCELS application requires a
   functionality provided by any of these classes, then the [PCLS] class
   SHOULD be used.  These classes are:

    pcimRuleValidityAssociation
    pcimTPCAuxClass
    pcimConditionVendorAuxClass
    pcimActionVendorAuxClass
    pcimPolicyInstance
    pcimElementAuxClass
    pcimSubtreesPtrAuxClass

   Among the classes defined in this document some implement concepts
   that supersede the concepts implemented by similar [PCLS] classes.
   PCELS implementations MAY support such [PCLS] classes.  These classes
   are:

    pcimGroup and its subclasses
    pcimRule and its subclasses
    pcimGroupContainmentAuxClass
    pcimRuleContainmentAuxClass
    the subclasses of pcimRepository

Top      Up      ToC       Page 16 
4.5.  Impact on Existing Implementations of the Policy Core LDAP Schema

    In general, the intent of PCELS is to extend the functionality
    offered by the Policy Core LDAP Schema.  For the most part, the
    compatibility with [PCLS] is preserved.  The few cases in which
    compatibility cannot be achieved due to fundamental changes imposed
    by [PCIM_EXT], are defined here as alternatives to the original
    implementation.

    PCELS does not obsolete nor deprecate the concepts implemented by
    [PCLS].  The new LDAP schema items are defined in this document in a
    way that avoids, to the extent possible, interference with the
    normal operation of a reasonably well-executed implementation of
    [PCLS].  The intent is to permit at least a harmless coexistence of
    the two models in the same data repository.

    However, it should be noted that the PCELS introduces the following
    changes that may have an impact on some [PCLS] implementations:

   1.  Some attributes originally used only by pcimRule or pcimGroup are
       now also used by classes unknown to [PCLS] implementations
       (pcelsPolicySet, pcelsRule and pcelsGroup).  In particular, the
       attribute pcimRoles is also used by pcelsPolicySet for role based
       policy selection.

   2.  Condition and action association classes originally used by only
       pcimRule are now used (through subclasses) by pcelsRule as well.

   3.  pcimRepository containers may include entries of types unknown to
       [PCLS] implementations.

   When the choice exists, PCELS implementations SHOULD support the new
   schema and MAY also support the one defined by [PCLS].  For example,
   if PolicyRule support is required, an implementation SHOULD be able
   to read or read-write (as applicable) pcelsRule entries.  The same
   implementation MAY be able to read or read-write pcimRule.

4.6.  The Association of PolicyVariable and PolicyValues
      to PolicySimpleCondition and PolicySimpleAction

   A PolicySimpleCondition, as well as a PolicySimpleAction, includes a
   single PolicyValue and a single PolicyVariable.  Each of them can be
   attached or referenced by a DN.

Top      Up      ToC       Page 17 
   The attachment helps create compact PolicyCondition and PolicyAction
   definitions that can be efficiently provisioned and retrieved from
   the repository.  On the other hand, referenced PolicyVariables and
   PolicyValues instances can be reused in the construction of multiple
   policies and permit an administrative partitioning of the data and
   policy definitions.

4.7.  The Aggregation of PolicyRules and PolicyGroups in PolicySets

   In [PCIM_EXT], the two aggregations PolicyGroupInPolicyGroup and
   PolicyRuleInPolicyGroup, are combined into a single aggregation
   PolicySetComponent.  This aggregation and the capability of
   association between a policy and the ReusablePolicyContainer offer
   new possibilities of reusability.  Furthermore, these aggregations
   introduce new semantics representing the execution of one PolicyRule
   within the scope of another PolicyRule.

   Since PolicySet is defined in [PCIM_EXT], it is mapped in this
   document to a new class pcelsPolicySet in order to provide an
   abstraction for a set of policy rules or groups.  The aggregation
   class PolicySetComponent in [PCIM_EXT] is mapped to a multi-value
   attribute pcelsPolicySetList in the pcelsPolicySet class and the
   attribute pcelsPolicySetDN in the pcelsPolicySetAssociation.  These
   attributes refer to the nested rules and groups.

   It is possible to store a rule/group nested in another rule/group in
   two ways.  The first way is to define the nested rule/group as
   specific to the nesting rule/group.  The second way is to define the
   nested rules/groups as reusable.

Top      Up      ToC       Page 18 
   First case: Specific nested sets (rules/groups).

                       +----------+
                       |Rule/Group|
                       |          |
                 +-----|-        -|-----+
                 |     +----------+     |
                 |       *      *       |
                 |       *      *       |
                 |    ****      ****    |
                 |    *            *    |
                 v    *            *    v
               +-----------+   +-----------+
               | SA1+Set1  |   | SA2+Set2  |
               +-----------+   +-----------+

              +------------------------------+
              |LEGEND:                       |
              |  ***** DIT containment       |
              |    +   auxiliary attachment  |
              |  ----> DN reference          |
              +------------------------------+

   #: Number.
   Set#: pcelsRuleAuxClass or pcelsGroupAuxClass auxiliary class.
   SA#: pcelsPolicySetAssocation structural class.

   Figure 4.  Policy Set with Specific Components

   The nesting pcelsPolicySet refers to instances of
   pcelsPolicySetAssociation using the attribute pcelsPolicySetList.
   These structural association classes are subordinated (DIT contained)
   to an instance of a non-abstract subclass of pcelsPolicySet and
   represent the association between the PolicySet and its nested
   rules/groups.  The nested instances of auxiliary subclasses of
   pcelsPolicySet are attached to the association entries.

Top      Up      ToC       Page 19 
   Second case: Reusable nested sets (rules/groups).

             +----------+             +-------------+
             |Rule/Group|             | ContainerX  |
           +-|-        -|--+          |             |
           | +----------+  |          +-------------+
           |   *      *    |             *        *
           | ***      **** |             *        *
           | *           * v             *        *
           | *          +---+            *        *
           | *          |SA2|         +-------+   *
           v *          |  -|-------->|S1+Set2|   *
          +---+         +---+         +-------+   *
          |SA1|                               +-------+
          |  -|------------------------------>|S2+Set3|
          +---+                               +-------+

                 +------------------------------+
                 |LEGEND:                       |
                 |  ***** DIT containment       |
                 |    +   auxiliary attachment  |
                 |  ----> DN reference          |
                 +------------------------------+

   Set#: pcelsRuleAuxClass or pcelsGroupAuxClass auxiliary class.
   SA#: PolicySetAssocation structural class.
   S#: structural class.

   Figure 5.  Policy Set with Reusable Components

   The nesting pcelsPolicySet refers to instances of
   pcelsPolicySetAssociation using the attribute pcelsPolicySetList.
   These structural association classes are subordinated (DIT contained)
   to an instance of a non-abstract subclass of pcelsPolicySet and
   represent the association between the PolicySet and its nested
   rules/groups.  The reusable rules/groups are instantiated here as
   auxiliary classes and attached to pcimPolicyInstance entries in the
   reusable container.  Another option is to use the structural
   subclasses for defining reusable rules/groups.  The association
   classes belonging to a nesting policy set are reference the reusable
   rules/groups using the attribute pcelsPolicySetDN.

   A combination of both specific and reusable components is also
   allowed for the same policy set.

Top      Up      ToC       Page 20 
4.8.  The Aggregation of Actions/Conditions in PolicyRules and
      CompoundActions/CompoundConditions

   [PCIM_EXT] defines two new classes that allow the designer to create
   more complex conditions and actions.  CompoundPolicyCondition and
   CompoundPolicyAction classes are mapped in this document to
   pcelsCompoundConditionAuxClass and pcelsCompoundActionAuxClass
   classes that are subclasses of
   pcimConditionAuxClass/pcimActionAuxClass.  The compound
   conditions/actions defined in [PCIM_EXT] extend the capability of the
   rule to associate, group and evaluate conditions or execute actions.
   The conditions/actions are associated to compounds conditions/actions
   in the same way as they are associated to the rules.

   In this section, how to store instances of these classes in an LDAP
   Directory is explained.  As a general rule, specific
   conditions/actions are subordinated (DIT contained) to the rule or
   compound condition/action that aggregates them and are attached to
   association class instances.  Reusable conditions/actions are
   subordinated to pcelsReusableContainer instances and attached to
   pcimPolicyInstance instances.

   The examples below illustrate the four possible cases combining
   specific/reusable compound/non-compound condition/action.  The rule
   has two compound conditions, each one has two different conditions.
   The schemes can be extended in order to store actions.

   The examples below are based on and extend those illustrated in the
   section 4.4 of [PCLS].

Top      Up      ToC       Page 21 
   First case: Specific compound condition/action with specific
               conditions/actions.

                          +--------------+
                   +------|     Rule     |------+
                   |      +--------------+      |
                   |           *    *           |
                   |   *********    *********   |
                   v   *                    *   v
                  +---------+          +---------+
                +-| CA1+cc1 |-+      +-| CA2+cc2 |-+
                | +---------+ |      | +---------+ |
                |     * *     |      |     * *     |
                |  **** ****  |      |  **** ****  |
                v  *       *  v      v  *       *  v
               +------+ +------+    +------+ +------+
               |CA3+c1| |CA4+c2|    |CA5+c3| |CA6+c4|
               +------+ +------+    +------+ +------+

                  +------------------------------+
                  |LEGEND:                       |
                  |  ***** DIT containment       |
                  |    +   auxiliary attachment  |
                  |  ----> DN reference          |
                  +------------------------------+

   #: Number.
   CA#: pcelsConditionAssociation structural class.
   cc#: pcelsCompoundConditionAuxClass auxiliary class.
   c#: subclass of pcimConditionAuxClass.

   Figure 6.  Specific Compound Conditions with Specific Components

   Because the compound conditions/actions are specific to the Rule,
   They are auxiliary attachments to instances of the structural classes
   pcelsConditionAssociation or pcelsActionAssociation.  These
   structural classes represent the association between the rule and the
   compound condition/action.  The rule specific conditions/actions are
   therefore subordinated (DIT contained) to the rule entry.

   The conditions/actions are tied to the compound conditions/actions in
   the same way the compound conditions/actions are tied to rules.
   Association classes realize the association between the aggregating
   compound conditions/actions and the specific conditions/actions.

Top      Up      ToC       Page 22 
   Second case: Rule specific compound conditions/actions with
                reusable conditions/actions.

           +-------------+                   +---------------+
    +------|     Rule    |-----+             |  ContainerX   |
    |      +-------------+     |             +---------------+
    |           *    *         |              *    *    *   *
    |           *    *         |           ****    *    *   *
    |   *********    ********  |           *       *    *   ********
    |   *                   *  v           *       *    *          *
    |   *               +---------+        *       *    ****       *
    |   *             +-| CA2+cc2 |-+      *       *       *       *
    |   *             | +---------+ |      *       *       *       *
    v   *             |    *  *     |      *       *       *       *
   +---------+        | ****  ****  |      *       *       *       *
 +-| CA1+cc1 |-+      | *        *  v      *       *       *       *
 | +---------+ |      | *     +------+  +-----+    *       *       *
 |    *  *     |      v *     |  CA6 |->|S1+c4|    *       *       *
 | ****  ****  |     +------+ +------+  +-----+ +-----+    *       *
 | *        *  v     |  CA5 |------------------>|S2+c3|    *       *
 | *      +------+   +------+                   +-----+ +-----+    *
 v *      |  CA4 |------------------------------------->|S3+c2|    *
 +------+ +------+                                      +-----+ +-----+
 |  CA3 |------------------------------------------------------>|S4+c1|
 +------+                                                       +-----+

                    +------------------------------+
                    |LEGEND:                       |
                    |  ***** DIT containment       |
                    |    +   auxiliary attachment  |
                    |  ----> DN reference          |
                    +------------------------------+

      #: Number.
      CA#: pcelsConditionAssociation structural class.
      cc#: pcelsCompoundConditionAuxClass auxiliary class.
      c#: subclass of pcimConditionAuxClass.
      S#: structural class

      Figure 7.  Specific Compound Conditions with Reusable Components

   This case is similar to the first one.  The conditions/actions are
   reusable and are therefore not attached to the association classes,
   but rather to structural classes in the reusable container.  The
   association classes tie the conditions/actions in located in a
   reusable container to their aggregators using DN references.

Top      Up      ToC       Page 23 
   Third case: Reusable compound condition/action with specific
               conditions/actions.

        +--------------+                  +--------------+
        |     Rule     |                  |  RepositoryX |
    +---+--------------+----+             +--------------+
    |        *     *        |                  *    *
    |  *******     *******  |           ********    ********
    |  *                 *  v           *                  *
    |  *            +----------+    +---------+            *
    |  *            |   CA2    |--->| S1+cc2  |            *
    |  *            +----------+  +-+---------+-+          *
    |  *                          |     * *     |          *
    |  *                          |  **** ****  |          *
    |  *                          v  *       *  v          *
    |  *                         +------+ +------+         *
    |  *                         |CA5+c3| |CA6+c4|         *
    v  *                         +------+ +------+         *
  +----------+                                          +---------+
  |   CA1    |----------------------------------------->| S2+cc1  |
  +----------+                                        +-+---------+-+
                                                      |     * *     |
                                                      |  **** ****  |
                                                      v  *       *  v
                                                     +------+ +------+
                                                     |CA3+c1| |CA4+c2|
                                                     +------+ +------+

                    +------------------------------+
                    |LEGEND:                       |
                    |  ***** DIT containment       |
                    |    +   auxiliary attachment  |
                    |  ----> DN reference          |
                    +------------------------------+

      #: Number.
      CA#: pcelsConditionAssociation structural class.
      cc#: pcelsCompoundConditionAuxClass auxiliary class.
      c#: subclass of pcimConditionAuxClass.
      S#: structural class

      Figure 8.  Reusable Compound Conditions with Specific Components

   Re-usable compound conditions/actions are attached to structural
   classes and stored in a reusable policy container.  They are related
   to the rule through a DN reference attribute in the association
   classes.

Top      Up      ToC       Page 24 
   Specific conditions/actions are attached to association entries and
   subordinated (DIT contained) to the aggregating compound
   conditions/actions.

   Fourth case: Reusable conditions/actions and compound
                conditions/actions.

          +------+          +---------------+    +---------------+
    +-----| Rule |-----+    |  ContainerX   |    |  ContainerY   |
    |     +------+     |    +---------------+    +---------------+
    |      *    *      |         *     *           *   *   *   *
    | ******    ****** |       ***     ***       ***   *   *   *****
    | *              * v       *         *       *     *   *       *
    | *          +-------+  +------+     *       *     *   ***     *
    | *          |  CA2  |->|S1+ca1|     *       *     *     *     *
    | *          +-------+  +------+     *       *     *     *     *
    | *                    /  *  *  \    *       *     *     *     *
    | *                    |**   ** |    *       *     *     *     *
    | *                    |*     * v    *       *     *     *     *
    | *                    |*   +---+    *    +-----+  *     *     *
    | *                    |*   |CA6|----*--->|S3+c4|  *     *     *
    | *                    v*   +---+    *    +-----+  *     *     *
    | *                  +---+           *          +-----+  *     *
    | *                  |CA5|-----------*--------->|S4+c3|  *     *
    v *                  +---+           *          +-----+  *     *
  +-------+                           +------+               *     *
  |  CA1  |-------------------------->|S2+cc1|               *     *
  +-------+                           +------+               *     *
                                     /  *  *  \              *     *
                                     | **  ** |              *     *
                                     | *    * v              *     *
                                     | *  +---+           +-----+  *
                                     | *  |CA4|---------->|S5+c2|  *
                                     v *  +---+           +-----+  *
                                    +---+                      +-----+
                                    |CA3|--------------------->|S6+c1|
                                    +---+                      +-----+

                    +------------------------------+
                    |LEGEND:                       |
                    |  ***** DIT containment       |
                    |    +   auxiliary attachment  |
                    |  ----> DN reference          |
                    +------------------------------+

      #: Number.
      CA#: pcelsConditionAssociation structural class.
      cc#: pcelsCompoundConditionAuxClass auxiliary class.

Top      Up      ToC       Page 25 
      c#: subclass of pcimConditionAuxClass.
      S#: structural class

      Figure 9.  Reusable Compound Conditions with Reusable Components

   All the conditions/actions are reusable so they are stored in
   reusable containers.  The figure above illustrates two different
   reusable policy containers, but the number of containers in the
   system is decided based on administrative reasons.  The conditions,
   actions, etc. may be stored in the same or different containers with
   no impact on the policy definition semantics.

5.  Class Definitions

   The semantics for the policy information classes that are to be
   mapped directly from the information model to an LDAP representation
   are detailed in [PCIM_EXT].  Consequently, this document presents
   only a brief reference to those semantics.  The focus here is on the
   mapping from the information model (which is independent of
   repository type and access protocol) to a form that can be accessed
   using LDAP.  For various reasons including LDAP specific
   optimization, this mapping is not always 1:1.  Some new classes and
   attributes (that were not part of [PCIM] or [PCIM_EXT]) needed to be
   created in order to implement the LDAP mapping.  These new LDAP-only
   classes are fully defined in this document.

   The following notes apply to this section in its entirety.

   Note 1: The formal language for specifying the classes, attributes,
   and DIT structure and content rules is that defined in [LDAP_SYNTAX].
   In the following definitions, the class and attribute definitions
   follow [LDAP_SYNTAX] but they are line-wrapped to enhance human
   readability.

   Note 2: Even though not explicitly noted in the following class and
   attribute definitions, implementations may define DIT structure and
   content rules where applicable and supported by the underlying LDAP
   infrastructure.  In such cases, the DIT structure rule considerations
   discussed in section 5 of [PCLS] must be applied to PCELS
   implementations as well.  The reasons and details are presented in
   [X.501].

   Note 3: Wherever possible, an equality, a substrings and an ordering
   matching rule are defined for a particular attribute.  This provides
   additional implementation flexibility.  However, in some cases, the
   LDAP matching semantics may not cover all the application needs.  For
   instance, different values of pcelsIPv4AddrList may be semantically
   equivalent.  The equality matching rule, caseIgnoreMatch, associated

Top      Up      ToC       Page 26 
   to this attribute type is not suitable for detecting this
   equivalence.  Implementers should not rely solely on LDAP syntaxes
   and matching rules for being consistent with this specification.

   Note 4: The following attribute definitions use only LDAP matching
   rules and syntax definitions from [LDAP_SYNTAX], [LDAP_SCHEMA] and
   [LDAP_MATCH].  The corresponding X.500 matching rules are defined in
   [X.520].

   Note 5: Some of the following attribute types MUST conform to
   additional constraints on various data types (e.g., the only valid
   values for pcelsDecisionStrategy are 1 and 2).  Just like the
   attribute semantics, the definition of the value structures, valid
   ranges, etc. is covered by [PCIM_EXT] for the corresponding
   properties while such constraints are only briefly mentioned in this
   document.  In all cases, if a constraint is violated, the entry
   SHOULD be treated as invalid and the policy rules or groups that
   refer to it SHOULD be treated as being disabled, meaning that the
   execution of such policy rules or groups SHOULD be stopped.

   Note 6: Some of the object classes defined in this section cannot or
   should not be directly instantiated because they are either defined
   as abstract or do not implement stand-alone semantics (e.g.,
   pcelsValueAuxClass).  Regarding instances of objects that inherit
   from such classes, the text refers to "instances of <class_name>"
   when in fact the strictly correct expression would be "instances of
   objects that belong to non-abstract subclasses of <class_name>".  The
   omission is intentional; it makes the text easier to read.

5.1.  The Abstract Class pcelsPolicySet

   The pcelsPolicySet class represents a set of policies with a common
   decision strategy and a common set of policy roles.  This class
   together with the pcelsPolicySetAssociation class defined in a
   subsequent section of this document provide sufficient information to
   allow applications to apply appropriate ordering to a set of
   policies.  The pcelsPolicySet is mapped from the PolicySet class
   [PCIM_EXT].  The pcelsPolicySet class is an abstract object class and
   it is derived from the pcimPolicy class [PCLS].

   The pcelsPolicySetList attribute of a pcelsPolicySet instance
   references subordinated pcelsPolicySetAssociation entries.  The
   aggregated pcelsPolicySet instances are either attached to the
   pcelsPolicySetAssociation entries as auxiliary object classes or
   referenced by the pcelsPolicySetAssociation entries using the
   pcelsPolicySetDN attribute.

Top      Up      ToC       Page 27 
   The pcelsPolicySet class is defined as follows:

   ( 1.3.6.1.1.9.1.1
     NAME 'pcelsPolicySet'
     DESC 'Set of policies'
     SUP pcimPolicy
     ABSTRACT
     MAY ( pcelsPolicySetName
         $ pcelsDecisionStrategy
         $ pcimRoles
         $ pcelsPolicySetList )
   )

   One of the attributes of the pcelsPolicySet class, pcimRoles is
   defined in the section 5.3 of [PCLS].  In the pcelsPolicySet class
   the pcimRole attribute preserves its syntax and semantics as defined
   by [PCLS] and [PCIM].

   The pcelsPolicySetName attribute type may be used as naming attribute
   for pcelsPolicySet entries.  This attribute type is of syntax
   Directory String [LDAP_SYNTAX].  It has an equality matching rule of
   caseIgnoreMatch, an ordering matching rule of caseIgnoreOrderingMatch
   and a substrings matching rule of caseIgnoreSubstringsMatch
   [LDAP_SYNTAX].  Attributes of this type can only have a single value.

   This attribute type is defined as follows:

   ( 1.3.6.1.1.9.2.1
     NAME 'pcelsPolicySetName'
     DESC 'User-friendly name of a policy set'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )

   The pcelsDecisionStrategy attribute type indicates the evaluation
   method for the policies aggregated in the policy set.  It is mapped
   from the PolicySet.PolicyDecisionStrategy property [PCIM_EXT].  This
   attribute type is of syntax Integer [LDAP_SYNTAX].  It has an
   equality matching rule of integerMatch [LDAP_SYNTAX] and an ordering
   matching rule of integerOrderingMatch [LDAP_MATCH].  Attributes of
   this type can only have a single value.  The only allowed values for
   attributes of this type are 1 (FirstMatching) and 2 (AllMatching).
   If this attribute is missing from a pcelsPolicySet instance,
   applications MUST assume a FirstMatching decision strategy for the
   policy set.

Top      Up      ToC       Page 28 
   This attribute type is defined as follows:

   ( 1.3.6.1.1.9.2.2
     NAME 'pcelsDecisionStrategy'
     DESC 'Evaluation method for the components of a pcelsPolicySet'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   The pcelsPolicySetList attribute type is used in the realization of
   the PolicySetComponent association [PCIM_EXT].  This attribute type
   is of syntax DN [LDAP_SYNTAX].  It has an equality matching rule of
   distinguishedNameMatch [LDAP_SYNTAX].  Attributes of this type can
   have multiple values.  The only allowed values for pcelsPolicySetList
   attributes are DNs of pcelsPolicySetAssociation entries.  In a
   pcelsPolicySet, the pcelsPolicySetList attribute represents the
   associations between this policy set and its components.

   This attribute type is defined as follows:

   ( 1.3.6.1.1.9.2.3
     NAME 'pcelsPolicySetList'
     DESC 'Unordered set of DNs of pcelsPolicySetAssociation entries'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )

   Note: A pcelsPolicySet instance aggregates other pcelsPolicySet
   instances using pcelsPolicySetAssociation entries (defined in the
   next section).  Applications can sort the components of a
   pcelsPolicySet using attributes of the pcelsPolicySetAssociation
   entries.  However, implementations should not expect the LDAP data
   store to provide a useful ordering of the pcelsPolicySetList values
   in a pcelsPolicySet instance or to return sets of matching
   pcelsPolicySetAssociation entries in a meaningful order.  Instead,
   applications SHOULD implement their own means for post-retrieval
   ordering of policy rules/groups based on
   pcelsPolicySetAssociation.pcelsPriority values.

Top      Up      ToC       Page 29 
5.2.  The Structural Class pcelsPolicySetAssociation

   The pcelsPolicySetAssociation class is used to associate PolicySet
   instances [PCIM_EXT] to other entries.  pcelsPolicySetAssociation
   entries are always subordinated to the aggregating entry.  When
   subordinated to an instance of pcelsPolicySet,
   pcelsPolicySetAssociation realizes a PolicySetComponent association
   [PCIM_EXT].  When subordinated to an instance of dlm1System
   [CIM_LDAP], pcelsPolicySetAssociation realizes a PolicySetInSystem
   association [PCIM_EXT].

   The pcelsPolicySetAssociation class is a structural object class and
   it is derived from the pcimPolicy class [PCLS].

   The aggregation of a reusable pcelsPolicySet instance is realized via
   the pcelsPolicySetDN attribute.  A non-reusable pcelsPolicySet
   instance is attached (as auxiliary subclass of pcelsPolicySet)
   directly to the pcelsPolicySetAssociation entry.

   When reading a pcelsPolicySetAssociation instance that has a
   pcelsPolicySet attached, the attribute pcelsPolicySetDN MUST be
   ignored.  Applications SHOULD remove the pcelsPolicySetDN value from
   a pcelsPolicySetAssociation upon attachment of a pcelsPolicySet to
   the entry.

   The pcelsPolicySetAssociation class is defined as follows:

   ( 1.3.6.1.1.9.1.2
     NAME 'pcelsPolicySetAssociation'
     DESC 'Associates a policy set to an aggregating entry'
     SUP pcimPolicy
     STRUCTURAL
     MUST ( pcelsPriority )
     MAY ( pcelsPolicySetName
         $ pcelsPolicySetDN )
   )

   The pcelsPriority attribute type indicates the priority of a policy
   set component.  This attribute type is of syntax Integer
   [LDAP_SYNTAX].  It has an equality matching rule of integerMatch
   [LDAP_SYNTAX] and an ordering matching rule of integerOrderingMatch
   [LDAP_MATCH].  Attributes of this type can only have single values.
   The only allowed values for attributes of this type are non-negative
   integers.  Within the set of pcelsPolicySetAssociation entries
   directly subordinated to a pcelsPolicySet or a dlm1System [CIM_LDAP],
   the pcelsPriority values MUST be unique.

Top      Up      ToC       Page 30 
   This attribute type is defined as follows:

   ( 1.3.6.1.1.9.2.4
     NAME 'pcelsPriority'
     DESC 'Priority of a component'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   The pcelsPolicySetDN attribute type is used in the aggregation of
   PolicySet instances [PCIM_EXT].  This attribute type is of syntax DN
   [LDAP_SYNTAX].  It has an equality matching rule of
   distinguishedNameMatch [LDAP_SYNTAX].  Attributes of this type can
   only have single values.  The only allowed values for
   pcelsPolicySetDN attributes are DNs of pcelsPolicySet entries.

   This attribute type is defined as follows:

   ( 1.3.6.1.1.9.2.5
     NAME 'pcelsPolicySetDN'
     DESC 'DN of a pcelsPolicySet entry'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
     SINGLE-VALUE
   )



(page 30 continued on part 3)

Next RFC Part