- Slides: 46
Purpose of the PCIM
• Provide a set of classes and relationships that provide an extensible means for defining policy control of managed objects
  » Represents the structure, not the contents, of a policy
  » Content provided by subclassing classes to derive technology- and vendor-specific conditions, actions, and other elements
Strassner-Policy Theory and Practice – IM 2001

PCIM Overview (1)
• Policy-based management assumes that the network is modeled as a state machine
• Classes and relationships are used to model:
  » the state of an entity
  » settings to be applied to an entity that either maintain an entity’s state or move the entity to a new state
  » policies that control the application of settings

PCIM Overview (2)
• Thus, policy is applied using a set of rules
  » Each rule has a set of conditions that specify when the policy should be applied
    – Conditions can be specified in CNF or DNF
  » Each rule has a set of actions that are executed if the conditions are TRUE
    – Execution order can be specified
  » Rules may be prioritized and grouped together to model an administrative hierarchy

Policy Core Model: Groups & Rules

Policy Class
• Policy Class (Abstract)
  » Root of the policy tree
  » Carries common attributes to all policy classes
    – Caption, Description from CIM ME
    – OrderedCIMKeys to represent CIM hierarchy
    – cn from X.520
    – PolicyKeywords
  » PolicyElementAuxClass is an aux class to represent this class and enables any object in the DIT to be identified as a policy class

PolicyRule
• A PolicyRule consists of a set of conditions and a set of actions
  » Boolean logic assumed
  » If condition clause is TRUE, then action clause may execute
  » Rule-specific and reusable policy rules are supported by using the PolicyConditionInPolicyRule and PolicyActionInPolicyRule aggregations
  » Multiple time periods may be used to define a schedule for which this PolicyRule is active by using the PolicyRuleValidityPeriod aggregation
  » Rules may be prioritized

Types of PolicyRules
• Rule-specific PolicyRules are those whose components are embedded in the PolicyRule itself.
  » The terms making up the PolicyRule can NOT be reused by other PolicyRules
• Reusable PolicyRules share one or more components with other PolicyRules
  » PolicyRule components are stored in a common Policy Repository and referenced by the PolicyRules using them
• Each has implementation implications

PolicyGroup
• PolicyRules may be aggregated into PolicyGroups, which may be nested
  » Enables hierarchical representation of policy (per-user, per-domain, etc.)
• Special semantics defined in QoS information model to represent different administrative scopes and groupings of rules

PolicyRepository
• Represents an administratively-defined container for holding REUSABLE policy conditions and actions
  » May be extended to hold other types of reusable policy “building blocks”
  » May be nested to provide more granular domain control

PCIM: Conditions & Actions

Policy Conditions
• Abstract base class for domain-specific conditions that will be defined by domain-specific models (e.g., QoS model, IPSec model)
• Boolean condition expressed in CNF or DNF
  » Individual condition terms can be negated
• Only defines keys (7 - System, PolicyRule, and its own CCN, Name, and a user-friendly name)

Expressing Policy Conditions
• PolicyRuleConditionListType defines how to interpret the condition (e.g., CNF or DNF)
• PolicyConditionInPolicyRule contains two additional properties:
  » GroupNumber indicates the group to which the PolicyCondition belongs
  » ConditionNegated is a boolean that, if TRUE, indicates that this condition is negated

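An added example (not from the slides) of how a policy decision point could evaluate a rule's condition clause from GroupNumber, ConditionNegated and the list type. The class and function names, the sample conditions, and the choice to treat a rule with no conditions as not matching are assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass

DNF, CNF = "DNF", "CNF"  # the two interpretations the slide names


@dataclass(frozen=True)
class ConditionLink:
    """One PolicyConditionInPolicyRule link (hypothetical Python stand-in)."""
    condition: str                   # name of the referenced condition
    group_number: int                # GroupNumber: group the term belongs to
    condition_negated: bool = False  # ConditionNegated: invert the term


def rule_matches(list_type, links, results):
    """Evaluate a rule's condition clause.

    results maps condition name -> bool (outcome of each single condition).
    DNF: OR over groups, AND inside a group.
    CNF: AND over groups, OR inside a group.
    """
    if list_type not in (DNF, CNF):
        raise ValueError(f"unknown condition list type: {list_type!r}")
    groups = defaultdict(list)
    for link in links:
        if link.condition not in results:
            raise KeyError(f"no result for condition {link.condition!r}")
        # XOR with the flag applies ConditionNegated to the term.
        term = results[link.condition] != link.condition_negated
        groups[link.group_number].append(term)
    if not groups:
        return False  # assumption of this example: no conditions, no match
    if list_type == DNF:
        return any(all(terms) for terms in groups.values())
    return all(any(terms) for terms in groups.values())


# Constructed sample rule: three terms in group 1, one term in group 2.
SAMPLE_LINKS = [
    ConditionLink("src_in_finance_subnet", 1),
    ConditionLink("business_hours", 1),
    ConditionLink("dst_on_blocklist", 1, condition_negated=True),
    ConditionLink("user_is_admin", 2),
]
# Constructed per-condition results for one request.
SAMPLE_RESULTS = {
    "src_in_finance_subnet": True,
    "business_hours": True,
    "dst_on_blocklist": False,
    "user_is_admin": False,
}

if __name__ == "__main__":
    for list_type in (DNF, CNF):
        print(list_type, rule_matches(list_type, SAMPLE_LINKS, SAMPLE_RESULTS))
```

The same links and results give different outcomes under DNF and CNF, so the list type must be stored and read with the rule rather than assumed by the evaluator.
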
Reusable PolicyConditions
• Stored in a PolicyRepository and referenced using the association PolicyConditionInPolicyRepository
  » Rule-specific PolicyConditions do NOT use this association; thus:
    – Cardinality is 0 for rule-specific, 1 for reusable
  » QPIM extends this so that different conditions can be stored in different portions of the repository
    – Different portions imply different scopes and application

PolicyTimePeriodCondition
• Subclass of PolicyCondition to represent time when PolicyRule is active
  » If not specified, then rule is always active
  » PolicyRuleValidityPeriod is an aggregation that defines the set of time periods for a given PolicyRule
• Instances may have up to 5 properties that together specify the time period
  » Property values are ANDed to determine the validity period; properties not present are treated as having their value always enabled

Policy Actions
• Abstract base class for domain-specific actions that will be defined by domain-specific models
  » Deployed actions are bound to a System; reusable actions exist in a PolicyRepository
  » Only defines keys (7 - System, PolicyRule, and its own CCN and Name, and a user-friendly name)
• Stored in a PolicyRepository and referenced using PolicyActionInPolicyRepository association
  » Rule-specific PolicyConditions do NOT use this association; thus, cardinality is 0 for rule-specific, 1 for reusable

Policy Actions (2)
• PolicyActionInPolicyRule aggregation contains the set of action clauses for a given PolicyRule
  » ActionOrder property indicates relative position of an action in the sequence of actions associated with a PolicyRule
    – If n is a positive integer, it defines the order, with smaller integers being ordered first
    – 0 is a special value that indicates “don’t care”
    – Two or more properties with the same value can be executed in any order, as long as they are executed in the correct overall order in the sequence

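An added example (not from the slides) that audits an observed execution sequence against the ActionOrder semantics above: positive values must run in ascending order, equal values may run in any order, and 0 carries no ordering constraint. The function names and sample action names are hypothetical; placing the "don't care" actions last when building a sequence is a choice made by this example.

```python
def order_violations(action_order, executed):
    """Return (earlier, later) pairs in `executed` that break ActionOrder.

    action_order maps action name -> ActionOrder value (0 = "don't care").
    executed lists the action names in the order they actually ran.
    """
    for name, n in action_order.items():
        if not isinstance(n, int) or n < 0:
            raise ValueError(f"invalid ActionOrder for {name!r}: {n!r}")
    if sorted(executed) != sorted(action_order):
        raise ValueError("executed actions do not match the rule's action set")
    violations = []
    for i, earlier in enumerate(executed):
        for later in executed[i + 1:]:
            a, b = action_order[earlier], action_order[later]
            # Only two positive, different values constrain each other.
            if a > 0 and b > 0 and a > b:
                violations.append((earlier, later))
    return violations


def one_acceptable_sequence(action_order):
    """Build one acceptable sequence: positive orders ascending, then the 0s."""
    ordered = sorted((n, name) for name, n in action_order.items() if n > 0)
    dont_care = [name for name, n in action_order.items() if n == 0]
    return [name for _, name in ordered] + dont_care


# Constructed sample: ActionOrder values for the actions of one rule.
SAMPLE_ORDER = {"A": 0, "B": 2, "C": 3, "D": 3}

if __name__ == "__main__":
    print(one_acceptable_sequence(SAMPLE_ORDER))
    print(order_violations(SAMPLE_ORDER, ["C", "B", "D", "A"]))
```
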
Rule-Specific Policy Structure
• PolicyRule is a container that holds PolicyConditions and PolicyActions
  » QPIM extends this so that a condition is treated as a container
• To do this attachment
  » PolicyRule is a structural class
  » PolicyCondition and PolicyAction are both auxiliary classes

Rule-Specific Example
[Figure: diagram of Rule 1 (structural) with Condition 1 and Action 1 (aux attached). Link labels: DN Pointer; DIT Containment. Annotations: “Represents association between Rule 1 and Condition 1”; “Represents association between Rule 1 and Action 1”; “Represents the condition itself”; “Represents the action itself”.]

Reusable Components
• Policy components can be specific to a rule or reusable among many rules
  » Rule-specific information is attached to the rule itself
  » Reusable information is stored in a container that is referenced by the rule
• The only difference between a reusable and a rule-specific component is in the intent of the administrator
  » No difference in functionality

Reusable Components (2)
• PCIM defines a policy repository to store reusable information. This causes some subtle differences, including:
  » access control can be specified for rule-specific conditions and actions, but not for reusable ones
  » referential integrity should be enforced for rule-specific elements; harder to do in the reusable case
  » mapping to a data model is more difficult

Reusable Rule Example
[Figure: DIT diagram. Elements: Rule 1 (structural); Condition 1 and Action 1 (structural); Condition 1 Aux and Action 1 Aux (aux attachment); ConditionInstance and ActionInstance (structural); PolicyRepository (structural). Link labels: DIT Containment; DN Pointer. Annotations: “Represents association between Rule 1 and Condition 1”; “Represents association between Rule 1 and Action 1”; “Represents the condition itself”; “Represents the action itself”.]

PolicyInstance
• Uses DIT content rules to allow a PolicyConditionAuxClass or a PolicyActionAuxClass to be attached to it
• Uses DIT structure rules to enable it to be named using either PolicyInstanceName, cn, or OrderedCIMKeys

PolicySubtreesPtrAuxClass
• This aux class provides a single multivalued attribute to point to the root of a set of subtrees that contain policy information
  » Attaching this attribute to other class instances enables the administrator to define entry points to related policy information
    – Can be used to define the order of visiting information in the policy tree (e.g., for a PDP)
    – Can be used to tie different subtrees together

PolicyElementAuxClass
• This class is the aux equivalent of the Policy class
  » Enables tagging of selected instances that are outside of the policy class hierarchy, but are nevertheless policy-related
  » This works through searching on oc=policy
  » Note that some directories don’t support this, so in these cases, policy-related entries must be tagged with the keyword Policy and searched on using an attribute search

Aux Containment Classes
• PolicyGroupContainmentAuxClass and PolicyRuleContainmentAuxClass
  » Each contains a single multi-valued attribute that points to a set of PolicyGroups and PolicyRules, respectively
  » Enables the administrator to bind PolicyGroups/PolicyRules to a container

PCIM Extensions
• New draft to simplify and encourage use of PCIM
  » PolicyRepository broadened & renamed
  » Rules may contain groups & other rules (context)
  » Priorities & decision strategies clarified
  » Refinements in the use of PolicyRoles
  » Compound conditions & actions (reusable)
  » Transactional semantics for action execution
  » Variables & values, for conditions & actions
  » Packet filtering in policy conditions based on variables/values

Building PolicyConditions
• The PolicyConditionInPolicyRule association has properties that require special mapping
  » PolicyRuleConditionAssociation represents the properties and is attached via DIT containment
  » The conditions themselves are represented by the PolicyConditionAuxClass (and its subclasses) which are either
    – attached directly to instances of the PolicyRuleConditionAssociation for rule-specific classes, or
    – indirectly, using a DN pointer to refer to an instance of a PolicyConditionInstance class

PolicyRuleConditionAssociation (1)
• Contains properties characterizing the relationship between a rule and a condition
  » PolicyConditionGroupNumber - used to group conditions according to CNF or DNF
  » PolicyConditionNegated - flag defining if a condition is negated or not
  » PolicyConditionDN - pointer to a reusable PolicyCondition (should be NULL if rule-specific)

PolicyRuleConditionAssociation (2)
• Semantics defined using DIT structure and content rules
  » PolicyConditionAuxClass subclasses are attached using DIT content rules
  » Structure rules define naming, scoped by a PolicyRule, using either the OrderedCIMKeys, cn, or PolicyConditionName

PolicyConditionAuxClass
• Used to bind conditions to rules
  » Rule-specific conditions defined by attaching this aux class to either an instance of the PolicyRuleConditionAssociation or the PolicyRule classes
  » Reusable conditions defined by attaching this aux class to an instance of the PolicyConditionInstance class
  » Note: this class is derived from Top because it attaches to classes already derived from Policy – otherwise we have property conflict!

Building PolicyActions
• The PolicyConditionInPolicyRule association has properties that require special mapping
  » PolicyRuleActionAssociation represents the property and is attached via DIT containment
  » The actions themselves are represented by the PolicyActionAuxClass (and its subclasses) which are either
    – attached directly to instances of the PolicyRuleActionAssociation for rule-specific classes, or
    – indirectly, using a DN pointer to refer to an instance of a PolicyActionInstance class

PolicyRuleActionAssociation
• Two properties
  » PolicyActionOrder determines the order of executing actions associated with a policy rule
  » PolicyActionDN - pointer to a reusable PolicyAction (should be NULL if rule-specific)
• Semantics
  » PolicyActionAuxClass subclasses are attached using DIT content rules
  » Structure rules define naming, scoped by a PolicyRule, using either the OrderedCIMKeys, cn, or PolicyActionName

PolicyActionAuxClass
• Used to bind actions to rules
  » Rule-specific conditions defined by attaching this aux class to either an instance of the PolicyRuleActionAssociation or the PolicyRule classes
  » Reusable conditions defined by attaching this aux class to an instance of the PolicyActionInstance class
  » Note: this class is derived from Top because it attaches to classes already derived from Policy – otherwise we have property conflict!

PolicyTimePeriodConditionAuxClass
• Built as an aux class so it can be attached directly to a policy rule
  » Represents periods of time that define when a condition is valid
    – time period, plus month, day of month and week, and time of day masks

Structure of a Rule-Specific Policy
• PolicyRule is a container that holds PolicyConditions and PolicyActions
  » QPIM extends this so that a condition is treated as a container
• To do this attachment
  » PolicyRule is a structural class
  » PolicyCondition and PolicyAction are both auxiliary classes

Attachment
• Info model defines PolicyRule relationships
  » PolicyConditionInPolicyRule attaches conditions to a PolicyRule
  » PolicyActionInPolicyRule attaches actions to a PolicyRule
  » PolicyRuleInPolicyGroup groups PolicyRules
  » PolicyRuleInSystem associates a PolicyRule with a System (e.g., a router or server)
• There can be as many attached conditions and actions as required

Example
[Figure: diagram of Rule 1 (structural) with Condition 1 and Action 1 (aux attached). Link labels: DN Pointer; DIT Containment. Annotations: “Represents association between Rule 1 and Condition 1”; “Represents association between Rule 1 and Action 1”; “Represents the condition itself”; “Represents the action itself”.]

Defining Reusable Elements
• Reusable elements are always stored in a special part of the DIT
  » Modeled using the PolicyRepository class
  » Attached (indirectly) using DN pointers to a rule
• Since conditions and actions are aux classes, they need something to attach to
  » Rule-specific uses the PolicyRule itself
  » Reusable uses this class, which is stored in the PolicyRepository

PolicyInstance
• Uses DIT content rules to allow a PolicyConditionAuxClass or a PolicyActionAuxClass to be attached to it
• Uses DIT structure rules to enable it to be named using either PolicyInstanceName, cn, or OrderedCIMKeys

PolicyInstance Subclasses
• Two subclasses, PolicyConditionInstance and PolicyActionInstance, are defined
  » Defines additional naming attributes (PolicyConditionName and PolicyActionName)
  » DIT content rules enable condition and action aux classes to be attached to it
  » DIT structure rules enable it to be named under an instance of PolicyRepository using any of its four attributes

PolicyRepository
• This is a container for holding reusable policy elements
  » DIT structure rules enable it to be named under an instance of PolicyRepository using any of its four attributes

PolicySubtreesPtrAuxClass
• This aux class provides a single multivalued attribute to point to the root of a set of subtrees that contain policy information
  » Attaching this attribute to other class instances enables the administrator to define entry points to related policy information
    – Can be used to define the order of visiting information in the policy tree (e.g., for a PDP)
    – Can be used to tie different subtrees together

Aux Containment Classes
• PolicyGroupContainmentAuxClass and PolicyRuleContainmentAuxClass
  » Each contains a single multi-valued attribute that points to a set of PolicyGroups and PolicyRules, respectively
  » Enables the administrator to bind PolicyGroups/PolicyRules to a container

PolicyElementAuxClass
• This class is the aux equivalent of the Policy class
  » Enables tagging of selected instances that are outside of the policy class hierarchy, but are nevertheless policy-related
  » This works through searching on oc=policy
  » Note that some directories don’t support this, so in these cases, policy-related entries must be tagged with the keyword Policy and searched on using an attribute search

Example
[Figure: DIT diagram. Elements: Rule 1 (structural); Condition 1 and Action 1 (structural); Condition 1 Aux and Action 1 Aux (aux attachment); ConditionInstance and ActionInstance (structural); PolicyRepository (structural). Link labels: DIT Containment; DN Pointer. Annotations: “Represents association between Rule 1 and Condition 1”; “Represents association between Rule 1 and Action 1”; “Represents the condition itself”; “Represents the action itself”.]

PolicyRepository
• Used to define a “repository within a repository” for storing reusable data
  » DIT structure rules enable it to be named under an instance of PolicyRepository using any of its three attributes