Network Working Group                                           B. Moore
Request for Comments: 3060                                           IBM
Category: Standards Track                                    E. Ellesson
                                                         LongBoard, Inc.
                                                            J. Strassner
                                                           A. Westerinen
                                                           Cisco Systems
                                                           February 2001
        

Policy Core Information Model -- Version 1 Specification

Status of this Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2001). All Rights Reserved.

Abstract

This document presents the object-oriented information model for representing policy information developed jointly in the IETF Policy Framework WG and as extensions to the Common Information Model (CIM) activity in the Distributed Management Task Force (DMTF). This model defines two hierarchies of object classes: structural classes representing policy information and control of policies, and association classes that indicate how instances of the structural classes are related to each other. Subsequent documents will define mappings of this information model to various concrete implementations, for example, to a directory that uses LDAPv3 as its access protocol.

Table of Contents

   1. Introduction
   2. Modeling Policies
      2.1. Policy Scope
      2.2. Declarative versus Procedural Model
   3. Overview of the Policy Core Information Model
   4. Inheritance Hierarchies for the Policy Core Information Model
      4.1. Implications of CIM Inheritance
   5. Details of the Model
      5.1. Reusable versus Rule-Specific Conditions and Actions
      5.2. Roles
      5.2.1. Roles and Role Combinations
      5.2.2. The PolicyRoles Property
      5.3. Local Time and UTC Time in PolicyTimePeriodConditions
      5.4. CIM Data Types
      5.5. Comparison between CIM and LDAP Class Specifications
   6. Class Definitions
      6.1. The Abstract Class "Policy"
      6.1.1. The Property "CommonName (CN)"
      6.1.2. The Multi-valued Property "PolicyKeywords"
      6.1.3. The Property "Caption" (Inherited from ManagedElement)
      6.1.4. The Property "Description" (Inherited from ManagedElement)
      6.2. The Class "PolicyGroup"
      6.3. The Class "PolicyRule"
      6.3.1. The Property "Enabled"
      6.3.2. The Property "ConditionListType"
      6.3.3. The Property "RuleUsage"
      6.3.4. The Property "Priority"
      6.3.5. The Property "Mandatory"
      6.3.6. The Property "SequencedActions"
      6.3.7. The Multi-valued Property "PolicyRoles"
      6.4. The Abstract Class "PolicyCondition"
      6.5. The Class "PolicyTimePeriodCondition"
      6.5.1. The Property "TimePeriod"
      6.5.2. The Property "MonthOfYearMask"
      6.5.3. The Property "DayOfMonthMask"
      6.5.4. The Property "DayOfWeekMask"
      6.5.5. The Property "TimeOfDayMask"
      6.5.6. The Property "LocalOrUtcTime"
      6.6. The Class "VendorPolicyCondition"
      6.6.1. The Multi-valued Property "Constraint"
      6.6.2. The Property "ConstraintEncoding"
      6.7. The Abstract Class "PolicyAction"
      6.8. The Class "VendorPolicyAction"
      6.8.1. The Multi-valued Property "ActionData"
      6.8.2. The Property "ActionEncoding"
      6.9. The Class "PolicyRepository"
   7. Association and Aggregation Definitions
      7.1. Associations
      7.2. Aggregations
      7.3. The Abstract Aggregation "PolicyComponent"
      7.4. The Aggregation "PolicyGroupInPolicyGroup"
      7.4.1. The Reference "GroupComponent"
      7.4.2. The Reference "PartComponent"
      7.5. The Aggregation "PolicyRuleInPolicyGroup"
      7.5.1. The Reference "GroupComponent"
      7.5.2. The Reference "PartComponent"
      7.6. The Aggregation "PolicyConditionInPolicyRule"
      7.6.1. The Reference "GroupComponent"
      7.6.2. The Reference "PartComponent"
      7.6.3. The Property "GroupNumber"
      7.6.4. The Property "ConditionNegated"
      7.7. The Aggregation "PolicyRuleValidityPeriod"
      7.7.1. The Reference "GroupComponent"
      7.7.2. The Reference "PartComponent"
      7.8. The Aggregation "PolicyActionInPolicyRule"
      7.8.1. The Reference "GroupComponent"
      7.8.2. The Reference "PartComponent"
      7.8.3. The Property "ActionOrder"
      7.9. The Abstract Association "PolicyInSystem"
      7.10. The Weak Association "PolicyGroupInSystem"
      7.10.1. The Reference "Antecedent"
      7.10.2. The Reference "Dependent"
      7.11. The Weak Association "PolicyRuleInSystem"
      7.11.1. The Reference "Antecedent"
      7.11.2. The Reference "Dependent"
      7.12. The Association "PolicyConditionInPolicyRepository"
      7.12.1. The Reference "Antecedent"
      7.12.2. The Reference "Dependent"
      7.13. The Association "PolicyActionInPolicyRepository"
      7.13.1. The Reference "Antecedent"
      7.13.2. The Reference "Dependent"
      7.14. The Aggregation "PolicyRepositoryInPolicyRepository"
      7.14.1. The Reference "GroupComponent"
      7.14.2. The Reference "PartComponent"
   8. Intellectual Property
   9. Acknowledgements
   10. Security Considerations
   11. References
   12. Authors' Addresses
   13. Appendix A:  Class Identification in a Native CIM Implementation
      13.1. Naming Instances of PolicyGroup and PolicyRule
      13.1.1. PolicyGroup's CIM Keys
      13.1.2. PolicyRule's CIM Keys
      13.2. Naming Instances of PolicyCondition and Its Subclasses
      13.2.1. PolicyCondition's CIM Keys
      13.3. Naming Instances of PolicyAction and Its Subclasses
      13.4. Naming Instances of PolicyRepository
      13.5. Role of the CreationClassName Property in Naming
      13.6. Object References
   14. Appendix B:  The Core Policy MOF
   15. Full Copyright Statement

1. Introduction

This document presents the object-oriented information model for representing policy information currently under joint development in the IETF Policy Framework WG and as extensions to the Common Information Model (CIM) activity in the Distributed Management Task Force (DMTF). This model defines two hierarchies of object classes: structural classes representing policy information and control of policies, and association classes that indicate how instances of the structural classes are related to each other. Subsequent documents will define mappings of this information model to various concrete implementations, for example, to a directory that uses LDAPv3 as its access protocol. The components of the CIM schema are available via the following URL: http://www.dmtf.org/spec/cims.html [1].

The policy classes and associations defined in this model are sufficiently generic to allow them to represent policies related to anything. However, it is expected that their initial application in the IETF will be for representing policies related to QoS (DiffServ and IntServ) and to IPSec. Policy models for application-specific areas such as these may extend the Core Model in several ways. The preferred way is to use the PolicyGroup, PolicyRule, and PolicyTimePeriodCondition classes directly, as a foundation for representing and communicating policy information. Then, specific subclasses derived from PolicyCondition and PolicyAction can capture application-specific definitions of conditions and actions of policies.

Two subclasses, VendorPolicyCondition and VendorPolicyAction, are also included in this document, to provide a standard extension mechanism for vendor-specific extensions to the Policy Core Information Model.

This document fits into the overall framework for representing, deploying, and managing policies being developed by the Policy Framework Working Group. It traces its origins to work that was originally done for the Directory-enabled Networks (DEN) specification, reference [5]. Work on the DEN specification by the DEN Ad-Hoc Working Group itself has been completed. Further work to standardize the models contained in it will be the responsibility of selected working groups of the CIM effort in the Distributed Management Task Force (DMTF). DMTF standardization of the core policy model is the responsibility of the SLA Policy working group in the DMTF.

This document is organized in the following manner:

o Section 2 provides a general overview of policies and how they are modeled.

o Section 3 presents a high-level overview of the classes and associations comprising the Policy Core Information Model.

o The remainder of the document presents the detailed specifications for each of the classes and associations.

o Appendix A overviews naming for native CIM implementations. Other mappings, such as LDAPv3, will have their own naming mechanisms.

o Appendix B reproduces the DMTF's Core Policy MOF specification.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119, reference [3].

2. Modeling Policies

The classes comprising the Policy Core Information Model are intended to serve as an extensible class hierarchy (through specialization) for defining policy objects that enable application developers, network administrators, and policy administrators to represent policies of different types.

One way to think of a policy-controlled network is to first model the network as a state machine and then use policy to control which state a policy-controlled device should be in or is allowed to be in at any given time. Given this approach, policy is applied using a set of policy rules. Each policy rule consists of a set of conditions and a set of actions. Policy rules may be aggregated into policy groups. These groups may be nested, to represent a hierarchy of policies.

The set of conditions associated with a policy rule specifies when the policy rule is applicable. The set of conditions can be expressed as either an ORed set of ANDed sets of condition statements or an ANDed set of ORed sets of statements. Individual condition statements can also be negated. These combinations are termed, respectively, Disjunctive Normal Form (DNF) and Conjunctive Normal Form (CNF) for the conditions.

If the set of conditions associated with a policy rule evaluates to TRUE, then a set of actions that either maintain the current state of the object or transition the object to a new state may be executed.

For the set of actions associated with a policy rule, it is possible to specify an order of execution, as well as an indication of whether the order is required or merely recommended. It is also possible to indicate that the order in which the actions are executed does not matter.

Policy rules themselves can be prioritized. One common reason for doing this is to express an overall policy that has a general case with a few specific exceptions.

For example, a general QoS policy rule might specify that traffic originating from members of the engineering group is to get Bronze Service. A second policy rule might express an exception: traffic originating from John, a specific member of the engineering group, is to get Gold Service. Since traffic originating from John satisfies the conditions of both policy rules, and since the actions associated with the two rules are incompatible, a priority needs to be established. By giving the second rule (the exception) a higher priority than the first rule (the general case), a policy administrator can get the desired effect: traffic originating from John gets Gold Service, and traffic originating from all the other members of the engineering group gets Bronze Service.
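The condition and priority semantics described above, worked through as an added example (not part of the RFC or of any DMTF code). ConditionListType, GroupNumber, ConditionNegated, Priority and Enabled are property names from this document; the packet dictionary, the service names, the assumption that a larger Priority value wins, and the choice to treat a rule with no conditions as not applicable are assumptions of this sketch.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Packet = Dict[str, str]  # constructed stand-in for the traffic being classified


@dataclass
class ConditionRef:
    """A condition as aggregated into a rule, with its GroupNumber and negation flag."""
    test: Callable[[Packet], bool]
    group_number: int = 1
    negated: bool = False          # ConditionNegated

    def holds(self, pkt: Packet) -> bool:
        result = bool(self.test(pkt))
        return (not result) if self.negated else result


@dataclass
class PolicyRule:
    name: str
    conditions: List[ConditionRef]
    actions: List[str]
    condition_list_type: str = "DNF"   # "DNF" or "CNF"
    priority: int = 0                  # assumption: larger value = higher priority
    enabled: bool = True

    def applies(self, pkt: Packet) -> bool:
        if not self.enabled or not self.conditions:
            return False               # assumption: fail closed on empty condition list
        groups: Dict[int, List[bool]] = {}
        for cond in self.conditions:
            groups.setdefault(cond.group_number, []).append(cond.holds(pkt))
        if self.condition_list_type == "DNF":
            # ORed set of ANDed groups
            return any(all(g) for g in groups.values())
        if self.condition_list_type == "CNF":
            # ANDed set of ORed groups
            return all(any(g) for g in groups.values())
        raise ValueError(f"unknown ConditionListType {self.condition_list_type!r}")


def select_rule(rules: List[PolicyRule], pkt: Packet) -> Optional[PolicyRule]:
    """Return the highest-priority applicable rule, or None if no rule applies."""
    matching = [r for r in rules if r.applies(pkt)]
    if not matching:
        return None
    top = max(r.priority for r in matching)
    winners = [r for r in matching if r.priority == top]
    if len({tuple(r.actions) for r in winners}) > 1:
        # Incompatible actions at the same priority: the policy is ambiguous.
        names = ", ".join(r.name for r in winners)
        raise ValueError(f"unresolved conflict between rules: {names}")
    return winners[0]


def in_engineering(pkt: Packet) -> bool:
    return pkt.get("group") == "engineering"


def is_john(pkt: Packet) -> bool:
    return pkt.get("user") == "john"


# The general case and its exception from the text (constructed values).
RULES = [
    PolicyRule("engineering-bronze", [ConditionRef(in_engineering)],
               ["BronzeService"], priority=1),
    PolicyRule("john-gold",
               [ConditionRef(in_engineering, group_number=1),
                ConditionRef(is_john, group_number=1)],
               ["GoldService"], priority=2),
]


def decide(pkt: Packet, rules: Optional[List[PolicyRule]] = None) -> List[str]:
    """Actions of the winning rule, or an empty list when nothing applies."""
    rule = select_rule(RULES if rules is None else rules, pkt)
    return list(rule.actions) if rule else []


def same_conditions_both_forms(pkt: Packet) -> Dict[str, bool]:
    """Evaluate one grouped condition set as DNF and as CNF to show they differ."""
    conds = [
        ConditionRef(in_engineering, group_number=1),
        ConditionRef(is_john, group_number=1),
        ConditionRef(lambda p: p.get("site") == "hq", group_number=2, negated=True),
    ]
    return {form: PolicyRule("probe", conds, [], condition_list_type=form).applies(pkt)
            for form in ("DNF", "CNF")}


if __name__ == "__main__":
    print(decide({"user": "john", "group": "engineering"}))
    print(decide({"user": "alice", "group": "engineering"}))
    print(same_conditions_both_forms({"user": "john", "group": "engineering", "site": "hq"}))
```

Swapping the two Priority values makes John's traffic fall under the general rule, which is the misconfiguration to look for when an exception rule appears to have no effect.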

Policies can either be used in a stand-alone fashion or aggregated into policy groups to perform more elaborate functions. Stand-alone policies are called policy rules. Policy groups are aggregations of policy rules, or aggregations of policy groups, but not both. Policy groups can model intricate interactions between objects that have complex interdependencies. Examples of this include a sophisticated user logon policy that sets up application access, security, and reconfigures network connections based on a combination of user identity, network location, logon method and time of day. A policy group represents a unit of reusability and manageability in that its management is handled by an identifiable group of administrators and its policy rules would be consistently applied.

Stand-alone policies are those that can be expressed in a simple statement. They can be represented effectively in schemata or MIBs. Examples of this are VLAN assignments, simple YES/NO QoS requests, and IP address allocations. A specific design goal of this model is to support both stand-alone and aggregated policies.

Policy groups and rules can be classified by their purpose and intent. This classification is useful in querying or grouping policy rules. It indicates whether the policy is used to motivate when or how an action occurs, or to characterize services (that can then be used, for example, to bind clients to network services). Describing each of these concepts in more detail,

o Motivational Policies are solely targeted at whether or how a policy's goal is accomplished. Configuration and Usage Policies are specific kinds of Motivational Policies. Another example is the scheduling of file backup based on disk write activity from 8am to 3pm, M-F.

o Configuration Policies define the default (or generic) setup of a managed entity (for example, a network service). Examples of Configuration Policies are the setup of a network forwarding service or a network-hosted print queue.

o Installation Policies define what can and cannot be put on a system or component, as well as the configuration of the mechanisms that perform the install. Installation policies typically represent specific administrative permissions, and can also represent dependencies between different components (e.g., to complete the installation of component A, components B and C must be previously successfully installed or uninstalled).

o Error and Event Policies. For example, if a device fails between 8am and 9pm, call the system administrator, otherwise call the Help Desk.

o Usage Policies control the selection and configuration of entities based on specific "usage" data. Configuration Policies can be modified or simply re-applied by Usage Policies. Examples of Usage Policies include upgrading network forwarding services after a user is verified to be a member of a "gold" service group, or reconfiguring a printer to be able to handle the next job in its queue.

o Security Policies deal with verifying that the client is actually who the client purports to be, permitting or denying access to resources, selecting and applying appropriate authentication mechanisms, and performing accounting and auditing of resources.

o Service Policies characterize network and other services (not use them). For example, all wide-area backbone interfaces shall use a specific type of queuing.

Service policies describe services available in the network. Usage policies describe the particular binding of a client of the network to services available in the network.

These categories are represented in the Policy Core Information Model by special values defined for the PolicyKeywords property of the abstract class Policy.

2.1. Policy Scope

Policies represent business goals and objectives. A translation must be made between these goals and objectives and their realization in the network. An example of this could be a Service Level Agreement (SLA), and its objectives and metrics (Service Level Objectives, or SLOs), that are used to specify services that the network will provide for a given client. The SLA will usually be written in high-level business terminology. SLOs address more specific metrics in support of the SLA. These high-level descriptions of network services and metrics must be translated into lower-level, but also vendor- and device-independent specifications. The Policy Core Information Model classes are intended to serve as the foundation for these lower-level, vendor- and device-independent specifications.

It is envisioned that the definition of the Policy Core Information Model in this document is generic in nature and is applicable to Quality of Service (QoS), to non-QoS networking applications (e.g., DHCP and IPSec), and to non-networking applications (e.g., backup policies, auditing access, etc.).

2.2. Declarative versus Procedural Model

The design of the Policy Core Information Model is influenced by a declarative, not procedural, approach. More formally, a declarative language is used to describe relational and functional languages. Declarative languages describe relationships between variables in terms of functions or inference rules, to which the interpreter or compiler can apply a fixed algorithm in order to produce a result. An imperative (or procedural) language specifies an explicit sequence of steps to follow in order to produce a result.

It is important to note that this information model does not rule out the use of procedural languages. Rather, it recognizes that both declarative as well as procedural languages can be used to implement policy. This information model is better viewed as being declarative because the sequence of steps for doing the processing of declarative statements tends to be left to the implementer. However, we have provided the option of expressing the desired order of action execution in this policy information model, and for expressing whether the order is mandatory or not. In addition, rather than trying to define algorithms or sets of instructions or steps that must be followed by a policy rule, we instead define a set of modular building blocks and relationships that can be used in a declarative or procedural fashion to define policies.

Compare this to a strictly procedural model. Taking such an approach would require that we specify the condition testing sequence, and the action execution sequence, in the policy repository itself. This would, indeed, constrain the implementer. This is why the policy model is characterized as a declarative one. That is, the information model defines a set of attributes, and a set of entities that contain these attributes. However, it does NOT define either the algorithm to produce a result using the attributes or an explicit sequence of steps to produce a result.

There are several design considerations and trade-offs to make in this respect.

1. On the one hand, we would like a policy definition language to be reasonably human-friendly for ease of definitions and diagnostics. On the other hand, given the diversity of devices (in terms of their processing capabilities) which could act as policy decision points, we would like to keep the language somewhat machine-friendly. That is, it should be relatively simple to automate the parsing and processing of the language in network elements. The approach taken is to provide a set of classes and attributes that can be combined in either a declarative or procedural approach to express policies that manage network elements and services. The key point is to avoid trying to standardize rules or sets of steps to be followed in defining a policy. These must be left up to an implementation. Interoperability is achieved by standardizing the building blocks that are used to represent policy data and information.

2. An important decision to make is the semantic style of the representation of the information.

The declarative approach that we are describing falls short of being a "true" declarative model. Such a model would also specify the algorithms used to combine the information and policy rules to achieve particular behavior. We avoid specifying algorithms for the same reason that we avoid specifying sets of steps to be followed in a policy rule. However, the design of the information model more closely follows that of a declarative language, and may be easier to understand if such a conceptual model is used. This leads to our third point, acknowledging a lack of "completeness" and instead relying on presenting information that the policy processing entity will work with.

3. It is important to control the complexity of the specification, trading off richness of expression of data in the core information model for ease of implementation and use. It is important to acknowledge the collective lack of experience in the field regarding policies to control and manage network services and hence avoid the temptation of aiming for "completeness". We should instead strive to facilitate definition of a set of common policies that customers require today (e.g., VPN and QoS) and allow migration paths towards supporting complex policies as customer needs and our understanding of these policies evolve with experience. Specifically, in the context of the declarative style language discussed above, it is important to avoid having full-blown predicate calculus as the language, as it would render many important problems such as consistency checking and policy decision point algorithms intractable. It is useful to consider a reasonably constrained language from these perspectives.

The Policy Core Information Model strikes a balance between complexity and lack of power by using the well understood logical concepts of Disjunctive Normal Form and Conjunctive Normal Form for combining simple policy conditions into more complex ones.

3. Overview of the Policy Core Information Model

The following diagram provides an overview of the five central classes comprising the Policy Core Information Model, their associations to each other, and their associations to other classes in the overall CIM model. Note that the abstract class Policy and the two extension classes VendorPolicyCondition and VendorPolicyAction are not shown.

NOTE: For cardinalities, "*" is an abbreviation for "0..n".

                               +-----------+
                               |  System   |
            .....              +--^-----^--+       .....
            .   .                1.    1.          .   .
           *.(a).*                .(b)  .(c)      *.(d).*
         +--v---v---------+       .     .        +-v---v------------+
         |  PolicyGroup   <........     .        | PolicyRepository |
         |                | w *         .        |                  |
         +------^---------+             .        +-----^---------^--+
               *.                       .         0..1 .    0..1 .
                .(e)                    .              .(f)      .(g)
               *.                       .              .         .
         +------v------+ w *            .              .         .
         |             <.................              .         .
         | PolicyRule  |                               .         .
         |             |                               .         .
         |             |                               .         .
         |             <........................       .         .
         |             |*      (h)             .       .         .
         |             |                       .       .         .
         |             |                       .       .         .
         |             |                       .       .         .
         |             |                       .       .         .
         |             |                       .       .         .
         |             |                       .       .         .
         |             |                       .*      .*        .
         |             |             +---------v-------v--+      .
         |             |             |  PolicyCondition   |      .
         |             |            *+--------------------+      .
         |             |       (i)             ^                 .
         |             <..............         I                 .
         |             |*            .         I                 .
         |             |             .*        ^                 .
         |             |        +----v----------------------+    .
         |             |        | PolicyTimePeriodCondition |    .
         |             |        +---------------------------+    .
         |             |       (j)                               .
         |             <.........................                .
         |             |*                       .                .
         |             |                        .*               .
         |             |             +----------v---------+*     .
         |             |             | PolicyAction       <.......
         +-------------+             +--------------------+
        

Figure 1. Overview of the Core Policy Classes and Relationships

In this figure the boxes represent the classes, and the dotted arrows represent the associations. The following associations appear:

      (a) PolicyGroupInPolicyGroup
      (b) PolicyGroupInSystem
      (c) PolicyRuleInSystem
      (d) PolicyRepositoryInPolicyRepository
      (e) PolicyRuleInPolicyGroup
      (f) PolicyConditionInPolicyRepository
      (g) PolicyActionInPolicyRepository
      (h) PolicyConditionInPolicyRule
      (i) PolicyRuleValidityPeriod
      (j) PolicyActionInPolicyRule

An association always connects two classes. The "two" classes may, however, be the same class, as is the case with the PolicyGroupInPolicyGroup association, which represents the recursive containment of PolicyGroups in other PolicyGroups. The PolicyRepositoryInPolicyRepository association is recursive in the same way.

An association includes cardinalities for each of the related classes. These cardinalities indicate how many instances of each class may be related to an instance of the other class. For example, the PolicyRuleInPolicyGroup association has the cardinality range "*" (that is, "0..n") for both the PolicyGroup and PolicyRule classes. These ranges are interpreted as follows:

o The "*" written next to PolicyGroup indicates that a PolicyRule may be related to no PolicyGroups, to one PolicyGroup, or to more than one PolicyGroup via the PolicyRuleInPolicyGroup association. In other words, a PolicyRule may be contained in no PolicyGroups, in one PolicyGroup, or in more than one PolicyGroup.

o The "*" written next to PolicyRule indicates that a PolicyGroup may be related to no PolicyRules, to one PolicyRule, or to more than one PolicyRule via the PolicyRuleInPolicyGroup association. In other words, a PolicyGroup may contain no PolicyRules, one PolicyRule, or more than one PolicyRule.

The "w" written next to the PolicyGroupInSystem and PolicyRuleInSystem indicates that these are what CIM terms "aggregations with weak references", or more briefly, "weak aggregations". A weak aggregation is simply an indication of a naming scope. Thus these two aggregations indicate that an instance of a PolicyGroup or PolicyRule is named within the scope of a System object. A weak aggregation implicitly has the cardinality 1..1 at the end opposite the 'w'.

The associations shown in Figure 1 are discussed in more detail in Section 7.

4. Inheritance Hierarchies for the Policy Core Information Model

The following diagram illustrates the inheritance hierarchy for the core policy classes:

      ManagedElement (abstract)
       |
       +--Policy (abstract)
       |  |
       |  +---PolicyGroup
       |  |
       |  +---PolicyRule
       |  |
       |  +---PolicyCondition (abstract)
       |  |          |
       |  |          +---PolicyTimePeriodCondition
       |  |          |
       |  |          +---VendorPolicyCondition
       |  |
       |  +---PolicyAction (abstract)
       |             |
       |             +---VendorPolicyAction
       |
       +--ManagedSystemElement (abstract)
          |
          +--LogicalElement (abstract)
             |
             +--System (abstract)
                |
                +--AdminDomain (abstract)
                   |
                   +---PolicyRepository
        

Figure 2. Inheritance Hierarchy for the Core Policy Classes

ManagedElement, ManagedSystemElement, LogicalElement, System, and AdminDomain are defined in the CIM schema [1]. These classes are not discussed in detail in this document.

In CIM, associations are also modeled as classes. For the Policy Core Information Model, the inheritance hierarchy for the associations is as follows:

      [unrooted]
       |
       +---PolicyComponent (abstract)
       |   |
       |   +---PolicyGroupInPolicyGroup
       |   |
       |   +---PolicyRuleInPolicyGroup
       |   |
       |   +---PolicyConditionInPolicyRule
       |   |
       |   +---PolicyRuleValidityPeriod
       |   |
       |   +---PolicyActionInPolicyRule
       |
       +---Dependency (abstract)
       |   |
       |   +---PolicyInSystem (abstract)
       |       |
       |       +---PolicyGroupInSystem
       |       |
       |       +---PolicyRuleInSystem
       |       |
       |       +---PolicyConditionInPolicyRepository
       |       |
       |       +---PolicyActionInPolicyRepository
       |
       +---Component (abstract)
           |
           +---SystemComponent
               |
               +---PolicyRepositoryInPolicyRepository
        

Figure 3. Inheritance Hierarchy for the Core Policy Associations

The Dependency, Component, and SystemComponent associations are defined in the CIM schema [1], and are not discussed further in this document.

4.1. Implications of CIM Inheritance

From the CIM schema, both properties and associations are inherited by the Policy classes. For example, the class ManagedElement is referenced in the associations Dependency, Statistics and MemberOfCollection. And, the Dependency association is in turn referenced in the DependencyContext association. At this very abstract and high level in the inheritance hierarchy, the number of these associations is very small and their semantics are quite general.

Many of these inherited associations convey additional semantics that are not needed in understanding the Policy Core Information Model. In fact, they are defined as OPTIONAL in the CIM Schema - since their cardinality is "0..n" on all references. The PCIM document specifically discusses what is necessary to support and instantiate. For example, through subclassing of the Dependency association, the exact Dependency semantics in PCIM are described.

So, one may wonder what to do with these other inherited associations. The answer is "ignore them unless you need them". You would need them to describe additional information and semantics for policy data. For example, it may be necessary to capture statistical data for a PolicyRule (either for the rule in a repository or for when it is executing in a policy system). Some examples of statistical data for a rule are the number of times it was downloaded, the number of times its conditions were evaluated, and the number of times its actions were executed. (These types of data would be described in a subclass of CIM_StatisticalInformation.) In these cases, the Statistics association inherited from ManagedElement to PolicyRule may be used to describe the tie between an instance of a PolicyRule and the set of statistics for it.

5. Details of the Model

The following subsections discuss several specific issues related to the Policy Core Information Model.

5.1. Reusable versus Rule-Specific Conditions and Actions

Policy conditions and policy actions can be partitioned into two groups: ones associated with a single policy rule, and ones that are reusable, in the sense that they may be associated with more than one policy rule. Conditions and actions in the first group are termed "rule-specific" conditions and actions; those in the second group are characterized as "reusable".

It is important to understand that the difference between a rule-specific condition or action and a reusable one is based on the intent of the policy administrator for the condition or action, rather than on the current associations in which the condition or action participates. Thus a reusable condition or action (that is, one that a policy administrator has created to be reusable) may at some point in time be associated with exactly one policy rule, without thereby becoming rule-specific.

There is no inherent difference between a rule-specific condition or action and a reusable one. There are, however, differences in how they are treated in a policy repository. For example, it's natural to make the access permissions for a rule-specific condition or action identical to those for the rule itself. It's also natural for a rule-specific condition or action to be removed from the policy repository at the same time the rule is. With reusable conditions and actions, on the other hand, access permissions and existence criteria must be expressible without reference to a policy rule.

The preceding paragraph does not contain an exhaustive list of the ways in which reusable and rule-specific conditions should be treated differently. Its purpose is merely to justify making a semantic distinction between rule-specific and reusable, and then reflecting this distinction in the policy model itself.

An issue is highlighted by reusable and rule-specific policy conditions and policy actions: the lack of a programmatic capability for expressing complex constraints involving multiple associations. Taking PolicyCondition as an example, there are two aggregations to look at. PolicyConditionInPolicyRule has the cardinality * at both ends, and PolicyConditionInPolicyRepository has the cardinality * at the PolicyCondition end, and [0..1] at the PolicyRepository end.

Globally, these cardinalities are correct. However, there's more to the story, which only becomes clear if we examine the cardinalities separately for the two cases of a rule-specific PolicyCondition and a reusable one.

For a rule-specific PolicyCondition, the cardinality of PolicyConditionInPolicyRule at the PolicyRule end is [1..1], rather than [0..n] (recall that * is an abbreviation for [0..n]), since the condition is unique to one policy rule. And the cardinality of PolicyConditionInPolicyRepository at the PolicyRepository end is [0..0], since the condition is not in the "re-usable" repository. This is OK, since these are both subsets of the specified cardinalities.

For a reusable PolicyCondition, however, the cardinality of PolicyConditionInPolicyRepository at the PolicyRepository end is [1..1], since the condition must be in the repository. And, the cardinality of PolicyConditionInPolicyRule at the PolicyRule end is [0..n]. This last point is important: a reusable PolicyCondition may be associated with 0, 1, or more than 1 PolicyRules, via exactly the same association PolicyConditionInPolicyRule that binds a rule-specific condition to its PolicyRule.

Currently the only way to document constraints of this type is textually. More formal methods for documenting complex constraints are needed.
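
The split cardinalities described above can be checked mechanically once the administrator's intent is recorded. The following is an added example, not part of the RFC: the Condition class, its "reusable" flag and the sample instance names are assumptions made for illustration, since the model itself defines no such flag.

```python
from dataclasses import dataclass, field


@dataclass
class Condition:
    """One PolicyCondition instance plus the associations it participates in."""
    name: str
    reusable: bool  # administrator's intent (hypothetical flag, not a PCIM property)
    rules: set = field(default_factory=set)         # PolicyConditionInPolicyRule
    repositories: set = field(default_factory=set)  # PolicyConditionInPolicyRepository


def violations(cond):
    """Return the constraints from Section 5.1 that this instance breaks."""
    problems = []
    n_rules, n_repos = len(cond.rules), len(cond.repositories)
    if n_repos > 1:
        # Global cardinality at the PolicyRepository end is 0..1.
        problems.append("associated with more than one PolicyRepository")
    elif cond.reusable:
        # Reusable: [1..1] at the repository end, [0..n] at the rule end.
        if n_repos != 1:
            problems.append("reusable condition is not in a PolicyRepository")
    else:
        # Rule-specific: [1..1] at the rule end, [0..0] at the repository end.
        if n_rules != 1:
            problems.append("rule-specific condition must belong to exactly one PolicyRule")
        if n_repos != 0:
            problems.append("rule-specific condition must not be in a PolicyRepository")
    return problems


def audit(conditions):
    """Map condition name -> list of violations, omitting clean instances."""
    report = {}
    for cond in conditions:
        found = violations(cond)
        if found:
            report[cond.name] = found
    return report


# Constructed sample instances (names are illustrative only).
SAMPLE = [
    Condition("business-hours", reusable=True, rules={"r1", "r2"}, repositories={"repo"}),
    Condition("unused-template", reusable=True, repositories={"repo"}),
    Condition("single-use", reusable=True, rules={"r1"}, repositories={"repo"}),
    Condition("inline-ok", reusable=False, rules={"r3"}),
    Condition("inline-shared", reusable=False, rules={"r3", "r4"}),
    Condition("inline-in-repo", reusable=False, rules={"r5"}, repositories={"repo"}),
    Condition("orphan-reusable", reusable=True, rules={"r6"}),
]

if __name__ == "__main__":
    for name, found in audit(SAMPLE).items():
        print(name, "->", "; ".join(found))
```

A reusable condition bound to exactly one rule ("single-use") passes, matching the statement that such a condition does not thereby become rule-specific.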

5.2. Roles
5.2.1. Roles and Role Combinations

The concept of role is central to the design of the entire Policy Framework. The idea behind roles is a simple one. Rather than configuring, and then later having to update the configuration of, hundreds or thousands (or more) of resources in a network, a policy administrator assigns each resource to one or more roles, and then specifies the policies for each of these roles. The Policy Framework is then responsible for configuring each of the resources associated with a role in such a way that it behaves according to the policies specified for that role. When network behavior must be changed, the policy administrator can perform a single update to the policy for a role, and the Policy Framework will ensure that the necessary configuration updates are performed on all the resources playing that role.

A more formal definition of a role is as follows:

A role is a type of attribute that is used to select one or more policies for a set of entities and/or components from among a much larger set of available policies.

Roles can be combined together. Here is a formal definition of a "role-combination":

A role-combination is a set of attributes that are used to select one or more policies for a set of entities and/or components from among a much larger set of available policies. As the examples below illustrate, the selection process for a role combination chooses policies associated with the combination itself, policies associated with each of its sub-combinations, and policies associated with each of the individual roles in the role-combination.

It is important to note that a role is more than an attribute. A role defines a particular function of an entity or component that can be used to identify particular behavior associated with that entity or component. This difference is critical, and is most easily understood by thinking of a role as a selector. When used in this manner, one role (or role-combination) selects a different set of policies than a different role (or role-combination) does.

Roles and role-combinations are especially useful in selecting which policies are applicable to a particular set of entities or components when the policy repository can store thousands or hundreds of thousands of policies. This use emphasizes the ability of the role (or role-combination) to select the small subset of policies that are applicable from a huge set of policies that are available.

An example will illustrate how role-combinations actually work. Suppose an installation has three roles defined for interfaces: "Ethernet", "Campus", and "WAN". In the Policy Repository, some policy rules could be associated with the role "Ethernet"; these rules would apply to all Ethernet interfaces, regardless of whether they were on the campus side or the WAN side. Other rules could be associated with the role-combination "Campus"+"Ethernet"; these rules would apply to the campus-side Ethernet interfaces, but not to those on the WAN side. Finally, a third set of rules could be associated with the role-combination "Ethernet"+"WAN"; these rules would apply to the WAN-side Ethernet interfaces, but not to those on the campus side. (The roles in a role-combination appear in alphabetical order in these examples, because that is how they appear in the information model.)

If we have a specific interface A that's associated with the role-combination "Ethernet"+"WAN", we see that it should have three categories of policy rules applied to it: those for the "Ethernet" role, those for the "WAN" role, and those for the role-combination "Ethernet"+"WAN". Going one step further, if interface B is associated with the role-combination "branch-office"+"Ethernet"+"WAN", then B should have seven categories of policy rules applied to it - those associated with the following role-combinations:

      o "branch-office"
      o "Ethernet"
      o "WAN"
      o "branch-office"+"Ethernet"
      o "branch-office"+"WAN"
      o "Ethernet"+"WAN"
      o "branch-office"+"Ethernet"+"WAN".
        
        

In order to get all of the right policy rules for a resource like interface B, a PDP must expand the single role-combination it receives for B into this list of seven role-combinations, and then retrieve from the Policy Repository the corresponding seven sets of policy rules. Of course this example is unusually complicated: the normal case will involve expanding a two-role combination into three values identifying three sets of policy rules.

Role-combinations also help to simplify somewhat the problem of identifying conflicts between policy rules. With role-combinations, it is possible for a policy administrator to specify one set of policy rules for campus-side Ethernet interfaces, and a second set of policy rules for WAN-side Ethernet interfaces, without having to worry about conflicts between the two sets of rules. The policy administrator simply "turns off" conflict detection for these two sets of rules, by telling the policy management system that the roles "Campus" and "WAN" are incompatible with each other. This indicates that the role combination will never occur, and therefore conflicts will never occur. In some cases the technology itself might identify incompatible roles: "Ethernet" and "FrameRelay", for example. But for less precise terms like "Campus" and "WAN", the policy administrator must say whether they identify incompatible roles.

When the policy administrator does this, there are three effects:

1. If an interface has assigned to it a role-combination involving both "Campus" and "WAN", then the policy management system can flag it as an error.

2. If a policy rule is associated with a role-combination involving both "Campus" and "WAN", then the policy management system can flag it as an error.

3. If the policy management system sees two policy rules, where one is tied to the role "Campus" (or to a role-combination that includes the role "Campus") and the other is tied to the role "WAN" (or to a role-combination that includes the role "WAN"), then the system does not need to look for conflicts between the two policy rules: because of the incompatible roles, the two rules cannot possibly conflict.

                        +-------------------+
                        | Policy Repository |
                        +-------------------+
                                  V
                                  V retrieval of policy
                                  V
                             +---------+
                             | PDP/PEP |
                             +---------+
                                  v
                                  v application of policy
                                  v
                          +----------------+
                          | Network Entity |
                          +----------------+
        
        

Figure 4. Retrieval and Application of a Policy

Figure 4, which is introduced only as an example of how the Policy Framework might be implemented by a collection of network components, illustrates how roles operate within the Policy Framework. Because the distinction between them is not important to this discussion, the PDP and the PEP are combined in one box. The points illustrated here apply equally well, though, to an environment where the PDP and the PEP are implemented separately.

A role represents a functional characteristic or capability of a resource to which policies are applied. Examples of roles include Backbone interface, Frame Relay interface, BGP-capable router, web server, firewall, etc. The multiple roles assigned to a single resource are combined to form that resource's role combination. Role combinations are represented in the PCIM by values of the PolicyRoles property in the PolicyRule class. A PDP uses policy roles as follows to identify the policies it needs to be aware of:

1. The PDP learns in some way the list of roles that its PEPs play. This information might be configured at the PDP, the PEPs might supply it to the PDP, or the PDP might retrieve it from a repository.

2. Using repository-specific means, the PDP determines where to look for policy rules that might apply to it.

3. Using the roles and role-combinations it received from its PEPs as indicated in the examples above, the PDP is able to locate and retrieve the policy rules that are relevant to it.

5.2.2. The PolicyRoles Property

As indicated earlier, PolicyRoles is a property associated with a policy rule. It is an array holding "role combinations" for the policy rule, and correlates with the roles defined for a network resource. Using the PolicyRoles property, it is possible to mark a policy rule as applying, for example, to a Frame Relay interface or to a backbone ATM interface. The PolicyRoles property takes strings of the form:

      <RoleName>[&&<RoleName>]*
        
        

Each value of this property represents a role combination, including the special case of a "combination" containing only one role. As the format indicates, the role names in a role combination are ANDed together to form a single selector. The multiple values of the PolicyRoles property are logically ORed, to make it possible for a policy rule to have multiple selectors.

The individual role names in a role combination must appear in alphabetical order (according to the collating sequence for UCS-2 characters), to make the string matches work correctly. The role names used in an environment are specified by the policy administrator.
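
The role-combination expansion of Section 5.2.1 and the PolicyRoles string matching described here, as an added example that is not part of the RFC. It assumes case-insensitive alphabetical ordering (which reproduces the ordering of the examples in the text); the rule names, the RULES table and the helper names are constructed for illustration.

```python
from itertools import combinations

SEP = "&&"  # separator in the PolicyRoles format <RoleName>[&&<RoleName>]*


def _order(roles):
    # Assumption: case-insensitive alphabetical order, which reproduces the
    # examples in the text ("branch-office" sorts before "Ethernet").
    return sorted(set(roles), key=lambda r: (r.casefold(), r))


def canonical(roles):
    """Build the PolicyRoles string for a collection of role names."""
    names = _order(roles)
    if not names or any(not n or SEP in n for n in names):
        raise ValueError("role names must be non-empty and must not contain '&&'")
    return SEP.join(names)


def expand(role_combination):
    """Every selector a PDP must look up for one resource (2**n - 1 values)."""
    names = canonical(role_combination.split(SEP)).split(SEP)
    return [SEP.join(subset)
            for size in range(1, len(names) + 1)
            for subset in combinations(names, size)]


def incompatible_pairs(role_combination, incompatible):
    """Declared-incompatible pairs that occur together (effects 1 and 2)."""
    roles = set(role_combination.split(SEP))
    return [pair for pair in incompatible if set(pair) <= roles]


def select_rules(resource_combination, rules):
    """Names of the rules that apply to a resource.

    `rules` maps a rule name to its PolicyRoles values, which are ORed.
    Matching is an exact string comparison, so a value whose role names are
    not in canonical order is silently never selected.
    """
    wanted = set(expand(resource_combination))
    return sorted(name for name, selectors in rules.items()
                  if wanted.intersection(selectors))


def needs_conflict_check(selectors_a, selectors_b, incompatible):
    """Effect 3: skip conflict detection when the two rules can never meet.

    Two rules can only apply to the same resource if at least one pairing of
    their selectors contains no incompatible roles.
    """
    for a in selectors_a:
        for b in selectors_b:
            combined = canonical(a.split(SEP) + b.split(SEP))
            if not incompatible_pairs(combined, incompatible):
                return True
    return False


# Constructed sample repository content and administrator declaration.
RULES = {
    "all-ethernet": ["Ethernet"],
    "campus-ethernet": ["Campus&&Ethernet"],
    "wan-ethernet": ["Ethernet&&WAN"],
    "branch-wan": ["branch-office&&WAN", "FrameRelay"],
    "misordered": ["WAN&&Ethernet"],  # not in canonical order: never matched
}
INCOMPATIBLE = [("Campus", "WAN")]

if __name__ == "__main__":
    interface_b = canonical(["WAN", "branch-office", "Ethernet"])
    for selector in expand(interface_b):
        print(selector)
    print(select_rules(interface_b, RULES))
    print(incompatible_pairs("Campus&&Ethernet&&WAN", INCOMPATIBLE))
```

The "misordered" rule shows why the ordering requirement matters: a selector stored out of order is not an error the repository reports, it is a rule that is never retrieved.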

5.3. Local Time and UTC Time in PolicyTimePeriodConditions

An instance of PolicyTimePeriodCondition has up to five properties that represent times: TimePeriod, MonthOfYearMask, DayOfMonthMask, DayOfWeekMask, and TimeOfDayMask. All of the time-related properties in an instance of PolicyTimePeriodCondition represent one of two types of times: local time at the place where a policy rule is applied, or UTC time. The property LocalOrUtcTime indicates which time representation applies to an instance of PolicyTimePeriodCondition.

Since the PCIM provides only for local time and UTC time, a Policy Management Tool that provides for other time representations (for example, a fixed time at a particular location) will need to map from these other representations to either local time or UTC time. An example will illustrate the nature of this mapping.

Suppose a policy rule is tied to the hours of operation for a Help Desk: 0800 to 2000 Monday through Friday [US] Eastern Time. In order to express these times in PolicyTimePeriodCondition, a management tool must convert them to UTC times. (They are not local times, because they refer to a single time interval worldwide, not to intervals tied to the local clocks at the locations where the PolicyRule is being applied.) As reference [10] points out, mapping from [US] Eastern Time to UTC time is not simply a matter of applying an offset: the offset between [US] Eastern Time and UTC time switches between -0500 and -0400 depending on whether Daylight Savings Time is in effect in the US.

Suppose the policy administrator's goal is to have a policy rule be valid from 0800 until 1200 [US] Eastern Time on every Monday, within the overall time period from the beginning of 2000 until the end of 2001. The Policy Management Tool could either be configured with the definition of what [US] Eastern Time means, or it could be configured with knowledge of where to go to get this information. Reference [10] contains further discussion of time zone definitions and where they might reside.

Armed with knowledge about [US] Eastern Time, the Policy Management Tool would create however many instances of PolicyTimePeriodCondition it needed to represent the desired intervals. Note that while there is an increased number of PolicyTimePeriodCondition instances, there is still just one PolicyRule, which is tied to all the PolicyTimePeriodCondition instances via the aggregation PolicyRuleValidityPeriod. Here are the first two of these instances:

   1. TimePeriod:      20000101T050000/20000402T070000
      DayOfWeekMask:   { Monday }
      TimeOfDayMask:   T130000/T170000
      LocalOrUtcTime:  UTC

   2. TimePeriod:      20000402T070000/20001029T070000
      DayOfWeekMask:   { Monday }
      TimeOfDayMask:   T120000/T160000
      LocalOrUtcTime:  UTC

There would be three more similar instances, for winter 2000-2001, summer 2001, and winter 2001 up through December 31.

Had the example been chosen differently, there could have been even more instances of PolicyTimePeriodCondition. If, for example, the time interval had been from 0800 - 2200 [US] Eastern Time on Mondays, instance 1 above would have split into two instances: one with a UTC time interval of T130000/T240000 on Mondays, and another with a UTC time interval of T000000/T030000 on Tuesdays. So the end result would have been ten instances of PolicyTimePeriodCondition, not five.

By restricting PolicyTimePeriodCondition to local time and UTC time, the PCIM places the difficult and expensive task of mapping from "human" time representations to machine-friendly ones in the Policy Management Tool. Another approach would have been to place in PolicyTimePeriodCondition a means of representing a named time zone, such as [US] Eastern Time. This, however, would have passed the difficult mapping responsibility down to the PDPs and PEPs. It is better to have a mapping such as the one described above done once in a Policy Management Tool, rather than having it done over and over in each of the PDPs (and possibly PEPs) that need to apply a PolicyRule.
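
The mapping a Policy Management Tool performs, as an added example that is not part of the RFC: a weekly local-time window is converted into UTC PolicyTimePeriodCondition instances, one per offset segment, and split in two when the UTC window runs past midnight. The SEGMENTS table reuses the two TimePeriod values shown above; the function names and the dictionary layout are assumptions made for illustration.

```python
DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday",
        "Friday", "Saturday", "Sunday"]
MINUTES_PER_DAY = 24 * 60

# TimePeriod values taken from the two instances shown in the text, each
# paired with the UTC offset (in hours) in force during that period. This
# pairing is the "knowledge about [US] Eastern Time" given to the tool.
SEGMENTS = [
    ("20000101T050000/20000402T070000", -5),
    ("20000402T070000/20001029T070000", -4),
]


def _minutes(hhmm):
    """'0800' -> 480 minutes after midnight."""
    return int(hhmm[:2]) * 60 + int(hhmm[2:])


def _mask(minutes):
    """480 -> 'T080000'; 1440 is written T240000, as in the text."""
    return "T%02d%02d00" % divmod(minutes, 60)


def _condition(period, day_index, start, end):
    return {
        "TimePeriod": period,
        "DayOfWeekMask": [DAYS[day_index % 7]],
        "TimeOfDayMask": _mask(start) + "/" + _mask(end),
        "LocalOrUtcTime": "UTC",
    }


def utc_conditions(segments, day, start_local, end_local):
    """Convert one weekly local-time window into UTC condition instances.

    segments: list of (TimePeriod string, UTC offset in hours).
    day, start_local, end_local: e.g. "Monday", "0800", "1200"; the window
    must lie within a single local day.
    """
    start_l, end_l = _minutes(start_local), _minutes(end_local)
    if not 0 <= start_l < end_l <= MINUTES_PER_DAY:
        raise ValueError("window must satisfy 0000 <= start < end <= 2400")

    out = []
    for period, offset_hours in segments:
        # UTC = local - offset; the result may fall outside 0..1440.
        start = start_l - offset_hours * 60
        end = end_l - offset_hours * 60
        # Move the start back into one day and carry the day shift.
        day_shift, start = divmod(start, MINUTES_PER_DAY)
        end -= day_shift * MINUTES_PER_DAY
        day_index = DAYS.index(day) + day_shift
        if end <= MINUTES_PER_DAY:
            out.append(_condition(period, day_index, start, end))
        else:
            # The window crosses UTC midnight: one instance up to T240000
            # and a second one on the following day of the week.
            out.append(_condition(period, day_index, start, MINUTES_PER_DAY))
            out.append(_condition(period, day_index + 1, 0,
                                  end - MINUTES_PER_DAY))
    return out


if __name__ == "__main__":
    for cond in utc_conditions(SEGMENTS, "Monday", "0800", "2200"):
        print(cond)
```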

5.4. CIM Data Types

Since PCIM extends the CIM Schema, a correspondence between data types used in both CIM and PCIM is needed. The following CIM data types are used in the class definitions that follow in Sections 6 and 7:

      o uint8              unsigned 8-bit integer
      o uint16             unsigned 16-bit integer
      o boolean            Boolean
      o string             UCS-2 string.

Strings in CIM are stored as UCS-2 characters, where each character is encoded in two octets. Thus string values may need to be converted when moving between a CIM environment and one that uses a different string encoding. For example, in an LDAP-accessible directory, attributes of type DirectoryString are stored in UTF-8 format. RFC 2279 [7] explains how to convert between these two formats.

When it is applied to a CIM string, a MaxLen value refers to the maximum number of characters in the string, rather than to the maximum number of octets.

In addition to the CIM data types listed above, the association classes in Section 7 use the following type:

      o <classname> ref    strongly typed reference.

There is one obvious omission from this list of CIM data types: octet strings. This is because CIM treats octet strings as a derived data type. There are two forms of octet strings in CIM - an ordered uint8 array for single-valued strings, and a string array for multi-valued properties. Both are described by adding an "OctetString" qualifier (meta-data) to the property. This qualifier functions exactly like an SMIv2 (SNMP) Textual Convention, refining the syntax and semantics of the existing CIM data type.

The first four numeric elements of both of the "OctetString" representations are a length field. (The reason that the "numeric" adjective is added to the previous sentence is that the string property also includes '0' and 'x', as its first characters.) In both cases, these 4 numeric elements (octets) are included in calculating the length. For example, a single-valued octet string property having the value X'7C' would be represented by the uint8 array, X'00 00 00 05 7C'.

The strings representing the individual values of a multi-valued property qualified with the "OctetString" qualifier are constructed similarly:

1. Take a value to be encoded as an octet string (we'll use X'7C' as above), and prepend to it a four-octet length. The result is the same, X'00 00 00 05 7C'.

2. Convert this to a character string by introducing '0' and 'x' at the front, and removing all white space. Thus we have the 12-character string "0x000000057C". This string is the value of one of the array elements in the CIM string array. Since CIM uses the UCS-2 character set, it will require 24 octets to encode this 12-character string.

Mappings of the PCIM to particular data models are not required to follow this CIM technique of representing multi-valued octet strings as length-prefixed character strings. In an LDAP mapping, for example, it would be much more natural to simply use the Octet String syntax, and omit the prepended length octets.
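
The two "OctetString" representations described above, with a decoder that rejects a length field that does not match the data, as an added example that is not part of the RFC. The function names are assumptions, as is the big-endian length field, which is what the X'00 00 00 05 7C' example in the text implies.

```python
import re

LENGTH_OCTETS = 4  # the length field, which counts itself

# "0x" followed by whole octets in hex, with no white space.
_ELEMENT = re.compile(r"0x(?:[0-9A-Fa-f]{2})+")


def encode_uint8_array(value: bytes) -> bytes:
    """Single-valued form: four-octet length (including itself) + value."""
    total = len(value) + LENGTH_OCTETS
    if total > 0xFFFFFFFF:
        raise ValueError("value too long for a four-octet length field")
    return total.to_bytes(LENGTH_OCTETS, "big") + value


def encode_string_element(value: bytes) -> str:
    """Multi-valued form: one element of the CIM string array."""
    return "0x" + encode_uint8_array(value).hex().upper()


def decode_uint8_array(data: bytes) -> bytes:
    """Return the value, checking the length field against the data."""
    if len(data) < LENGTH_OCTETS:
        raise ValueError("shorter than the length field itself")
    declared = int.from_bytes(data[:LENGTH_OCTETS], "big")
    if declared != len(data):
        raise ValueError(
            "length field says %d octets, got %d" % (declared, len(data)))
    return data[LENGTH_OCTETS:]


def decode_string_element(text: str) -> bytes:
    """Parse one string-array element back into the original value."""
    if not _ELEMENT.fullmatch(text):
        raise ValueError("expected '0x' followed by an even number of hex digits")
    return decode_uint8_array(bytes.fromhex(text[2:]))


def ucs2_octets(text: str) -> int:
    """Octets needed to store the string as UCS-2 (two per character).

    The element contains only ASCII characters, for which UTF-16 and UCS-2
    produce the same encoding.
    """
    return len(text.encode("utf-16-be"))


if __name__ == "__main__":
    element = encode_string_element(b"\x7c")
    print(encode_uint8_array(b"\x7c").hex(" ").upper())
    print(element, len(element), ucs2_octets(element))
    print(decode_string_element(element))
```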

5.5. Comparison between CIM and LDAP Class Specifications

There are a number of differences between CIM and LDAP class specifications. The ones that are relevant to the abbreviated class specifications in this document are listed below. These items are included here to help introduce the IETF community, which is already familiar with LDAP, to CIM modeling, and by extension, to information modeling in general.

o Instead of LDAP's three class types (abstract, auxiliary, structural), CIM has only two: abstract and instantiable. The type of a CIM class is indicated by the Boolean qualifier ABSTRACT.

o CIM uses the term "property" for what LDAP terms an "attribute".

o CIM uses the array notation "[ ]" to indicate that a property is multi-valued. CIM defines three types of arrays: bags (contents are unordered, duplicates allowed), ordered bags (contents are ordered but duplicates are allowed) and indexed arrays (contents are ordered and no duplicates are allowed).

o CIM classes and properties are identified by name, not by OID.

o CIM classes use a different naming scheme for native implementations than LDAP. The CIM naming scheme is documented in Appendix A since it is not critical to understanding the information model, and only applies when communicating with a native CIM implementation.

o In LDAP, attribute definitions are global, and the same attribute may appear in multiple classes. In CIM, a property is defined within the scope of a single class definition. The property may be inherited into subclasses of the class in which it is defined, but otherwise it cannot appear in other classes. One side effect of this difference is that CIM property names tend to be much shorter than LDAP attribute names, since they are implicitly scoped by the name of the class in which they are defined.

There is also a notational convention that this document follows, to improve readability. In CIM, all class and property names are prefixed with the characters "CIM_". These prefixes have been omitted throughout this document, with one exception regarding naming, documented in Appendix A.

For the complete definition of the CIM specification language, see reference [2].

6. Class Definitions

The following sections contain the definitions of the PCIM classes.

6.1. The Abstract Class "Policy"

The abstract class Policy collects several properties that may be included in instances of any of the Core Policy classes (or their subclasses). For convenience, the two properties that Policy inherits from ManagedElement in the CIM schema are shown here as well.

The class definition is as follows:

      NAME             Policy
      DESCRIPTION      An abstract class with four properties for
                       describing a policy-related instance.
      DERIVED FROM     ManagedElement
      ABSTRACT         TRUE
      PROPERTIES       CommonName (CN)
                       PolicyKeywords[ ]
                       // Caption (inherited)
                       // Description (inherited)

6.1.1. The Property "CommonName (CN)"

The CN, or CommonName, property corresponds to the X.500 attribute commonName (cn). In X.500 this property specifies one or more user-friendly names (typically only one name) by which an object is commonly known, names that conform to the naming conventions of the country or culture with which the object is associated. In the CIM model, however, the CommonName property is single-valued.

      NAME             CN
      DESCRIPTION      A user-friendly name of a policy-related object.
      SYNTAX           string

6.1.2. The Multi-valued Property "PolicyKeywords"

This property provides a set of one or more keywords that a policy administrator may use to assist in characterizing or categorizing a policy object. Keywords are of one of two types:

o Keywords defined in this document, or in documents that define subclasses of the classes defined in this document. These keywords provide a vendor-independent, installation-independent way of characterizing policy objects.

o Installation-dependent keywords for characterizing policy objects. Examples include "Engineering", "Billing", and "Review in December 2000".

This document defines the following keywords: "UNKNOWN", "CONFIGURATION", "USAGE", "SECURITY", "SERVICE", "MOTIVATIONAL", "INSTALLATION", and "EVENT". These concepts were defined earlier in Section 2.

One additional keyword is defined: "POLICY". The role of this keyword is to identify policy-related instances that would not otherwise be identifiable as being related to policy. It may be needed in some repository implementations.

Documents that define subclasses of the Policy Core Information Model classes SHOULD define additional keywords to characterize instances of these subclasses. By convention, keywords defined in conjunction with class definitions are in uppercase. Installation-defined keywords can be in any case.

The property definition is as follows:

      NAME             PolicyKeywords
      DESCRIPTION      A set of keywords for characterizing/categorizing
                       policy objects.
      SYNTAX           string

6.1.3. The Property "Caption" (Inherited from ManagedElement)

This property provides a one-line description of a policy-related object.

      NAME             Caption
      DESCRIPTION      A one-line description of this policy-related
                       object.
      SYNTAX           string

6.1.4. The Property "Description" (Inherited from ManagedElement)

This property provides a longer description than that provided by the caption property.

      NAME             Description
      DESCRIPTION      A long description of this policy-related object.
      SYNTAX           string

6.2. The Class "PolicyGroup"

This class is a generalized aggregation container. It enables either PolicyRules or PolicyGroups to be aggregated in a single container. Loops, including the degenerate case of a PolicyGroup that contains itself, are not allowed when PolicyGroups contain other PolicyGroups.

PolicyGroups and their nesting capabilities are shown in Figure 5 below. Note that a PolicyGroup can nest other PolicyGroups, and there is no restriction on the depth of the nesting in sibling PolicyGroups.

         +---------------------------------------------------+
         |                    PolicyGroup                    |
         |                                                   |
         | +--------------------+       +-----------------+  |
         | |    PolicyGroup A   |       |  PolicyGroup X  |  |
         | |                    |       |                 |  |
         | | +----------------+ |  ooo  |                 |  |
         | | | PolicyGroup A1 | |       |                 |  |
         | | +----------------+ |       |                 |  |
         | +--------------------+       +-----------------+  |
         +---------------------------------------------------+
        
        

Figure 5. Overview of the PolicyGroup class

As a simple example, think of the highest level PolicyGroup shown in Figure 5 above as a logon policy for US employees of a company. This PolicyGroup may be called USEmployeeLogonPolicy, and may aggregate several PolicyGroups that provide specialized rules per location. Hence, PolicyGroup A in Figure 5 above may define logon rules for employees on the West Coast, while another PolicyGroup might define logon rules for the Midwest (e.g., PolicyGroup X), and so forth.

Note also that the depth of each PolicyGroup does not need to be the same. Thus, the WestCoast PolicyGroup might have several additional layers of PolicyGroups defined for any of several reasons (different locales, number of subnets, etc.). The PolicyRules are therefore contained at n levels from the USEmployeeLogonPolicyGroup. Compare this to the Midwest PolicyGroup (PolicyGroup X), which might directly contain PolicyRules.

The class definition for PolicyGroup is as follows:

      NAME             PolicyGroup
      DESCRIPTION      A container for either a set of related
                       PolicyRules or a set of related PolicyGroups.
      DERIVED FROM     Policy
      ABSTRACT         FALSE
      PROPERTIES       NONE

No properties are defined for this class since it inherits all its properties from Policy. The class exists to aggregate PolicyRules or other PolicyGroups. It is directly instantiable. In an implementation, various key/identification properties MUST be defined. The keys for a native CIM implementation are defined in Appendix A, Section 13.1.1. Keys for an LDAP implementation will be defined in the LDAP mapping of this information model [11].

6.3. The Class "PolicyRule"

This class represents the "If Condition then Action" semantics associated with a policy. A PolicyRule condition, in the most general sense, is represented as either an ORed set of ANDed conditions (Disjunctive Normal Form, or DNF) or an ANDed set of ORed conditions (Conjunctive Normal Form, or CNF). Individual conditions may either be negated (NOT C) or unnegated (C). The actions specified by a PolicyRule are to be performed if and only if the PolicyRule condition (whether it is represented in DNF or CNF) evaluates to TRUE.

The conditions and actions associated with a policy rule are modeled, respectively, with subclasses of the classes PolicyCondition and PolicyAction. These condition and action objects are tied to instances of PolicyRule by the PolicyConditionInPolicyRule and PolicyActionInPolicyRule aggregations.

As illustrated above in Section 3, a policy rule may also be associated with one or more policy time periods, indicating the schedule according to which the policy rule is active and inactive. In this case it is the PolicyRuleValidityPeriod aggregation that provides the linkage.

A policy rule is illustrated conceptually in Figure 6 below.

            +------------------------------------------------+
            |                    PolicyRule                  |
            |                                                |
            | +--------------------+     +-----------------+ |
            | | PolicyCondition(s) |     | PolicyAction(s) | |
            | +--------------------+     +-----------------+ |
            |                                                |
            |        +------------------------------+        |
            |        | PolicyTimePeriodCondition(s) |        |
            |        +------------------------------+        |
            +------------------------------------------------+
        
        

Figure 6. Overview of the PolicyRule Class

The PolicyRule class uses the property ConditionListType to indicate whether the conditions for the rule are in DNF or CNF. The PolicyConditionInPolicyRule aggregation contains two additional properties to complete the representation of the rule's conditional expression. The first of these properties is an integer to partition the referenced conditions into one or more groups, and the second is a Boolean to indicate whether a referenced condition is negated. An example shows how ConditionListType and these two additional properties provide a unique representation of a set of conditions in either DNF or CNF.

Suppose we have a PolicyRule that aggregates five PolicyConditions C1 through C5, with the following values in the properties of the five PolicyConditionInPolicyRule associations:

      C1:  GroupNumber = 1, ConditionNegated = FALSE
      C2:  GroupNumber = 1, ConditionNegated = TRUE
      C3:  GroupNumber = 1, ConditionNegated = FALSE
      C4:  GroupNumber = 2, ConditionNegated = FALSE
      C5:  GroupNumber = 2, ConditionNegated = FALSE
        
If ConditionListType = DNF, then the overall condition for the PolicyRule is:

(C1 AND (NOT C2) AND C3) OR (C4 AND C5)

On the other hand, if ConditionListType = CNF, then the overall condition for the PolicyRule is:

(C1 OR (NOT C2) OR C3) AND (C4 OR C5)

In both cases, there is an unambiguous specification of the overall condition that is tested to determine whether to perform the actions associated with the PolicyRule.

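The C1 through C5 example above, carried through as an added Python sketch (not part of the RFC): it builds the overall condition from GroupNumber, ConditionNegated and ConditionListType, renders it, and evaluates it. The names `ConditionLink`, `render` and `evaluate` are illustrative, and raising an error for a rule with no conditions is a choice made for this example only.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple

DNF, CNF = 1, 2  # ConditionListType values: DNF(1), CNF(2)


class ConditionLink(NamedTuple):
    """One PolicyConditionInPolicyRule association (class name is illustrative)."""
    condition: str      # label of the referenced PolicyCondition
    group_number: int   # GroupNumber property
    negated: bool       # ConditionNegated property


# The five associations from the example above.
LINKS = [
    ConditionLink("C1", 1, False),
    ConditionLink("C2", 1, True),
    ConditionLink("C3", 1, False),
    ConditionLink("C4", 2, False),
    ConditionLink("C5", 2, False),
]


def group_links(links: List[ConditionLink]) -> List[List[ConditionLink]]:
    """Partition the associations by GroupNumber, lowest group first."""
    if not links:
        # Choice made for this example: refuse to produce a result for a rule
        # with no conditions, so an empty CNF list cannot pass as TRUE.
        raise ValueError("rule aggregates no conditions")
    groups = defaultdict(list)
    for link in links:
        groups[link.group_number].append(link)
    return [groups[number] for number in sorted(groups)]


def check_list_type(list_type: int) -> None:
    """Accept only the two enumerated ConditionListType values."""
    if list_type not in (DNF, CNF):
        raise ValueError(f"unknown ConditionListType {list_type!r}")


def render(links: List[ConditionLink], list_type: int = DNF) -> str:
    """Write the overall condition the way the text above does."""
    check_list_type(list_type)
    inner, outer = (" AND ", " OR ") if list_type == DNF else (" OR ", " AND ")
    rendered = []
    for group in group_links(links):
        terms = [f"(NOT {l.condition})" if l.negated else l.condition
                 for l in group]
        rendered.append("(" + inner.join(terms) + ")")
    return outer.join(rendered)


def evaluate(links: List[ConditionLink], truth: Dict[str, bool],
             list_type: int = DNF) -> bool:
    """Evaluate the overall condition for one set of condition results."""
    check_list_type(list_type)

    def term(link: ConditionLink) -> bool:
        # A condition with no recorded result raises KeyError instead of
        # silently counting as TRUE or FALSE.
        return truth[link.condition] != link.negated

    groups = group_links(links)
    if list_type == DNF:
        # OR of AND lists
        return any(all(term(l) for l in g) for g in groups)
    # AND of OR lists
    return all(any(term(l) for l in g) for g in groups)


if __name__ == "__main__":
    sample = {"C1": True, "C2": False, "C3": True, "C4": False, "C5": False}
    for list_type in (DNF, CNF):
        print(render(LINKS, list_type), "->", evaluate(LINKS, sample, list_type))
```

The same five associations and the same condition results give TRUE under DNF and FALSE under CNF, which is why a change of ConditionListType alone changes what a rule permits.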

The class definition is as follows:

      NAME             PolicyRule
      DESCRIPTION      The central class for representing the "If Condition
                       then Action" semantics associated with a policy rule.
      DERIVED FROM     Policy
      ABSTRACT         FALSE
      PROPERTIES       Enabled
                       ConditionListType
                       RuleUsage
                       Priority
                       Mandatory
                       SequencedActions
                       PolicyRoles

The PolicyRule class is directly instantiable. In an implementation, various key/identification properties MUST be defined. The keys for a native CIM implementation are defined in Appendix A, Section 13.1.2. Keys for an LDAP implementation will be defined in the LDAP mapping of this information model [11].

6.3.1. The Property "Enabled"

This property indicates whether a policy rule is currently enabled, from an administrative point of view. Its purpose is to allow a policy administrator to enable or disable a policy rule without having to add it to, or remove it from, the policy repository.

The property also supports the value 'enabledForDebug'. When the property has this value, the entity evaluating the policy condition(s) is being told to evaluate the conditions for the policy rule, but not to perform the actions if the conditions evaluate to TRUE. This value serves as a debug vehicle when attempting to determine what policies would execute in a particular scenario, without taking any actions to change state during the debugging.

The property definition is as follows:

      NAME             Enabled
      DESCRIPTION      An enumeration indicating whether a policy rule is
                       administratively enabled, administratively disabled,
                       or enabled for debug mode.
      SYNTAX           uint16
      VALUES           enabled(1), disabled(2), enabledForDebug(3)
      DEFAULT VALUE    enabled(1)

6.3.2. The Property "ConditionListType"

This property is used to specify whether the list of policy conditions associated with this policy rule is in disjunctive normal form (DNF) or conjunctive normal form (CNF). If this property is not present, the list type defaults to DNF. The property definition is as follows:

      NAME             ConditionListType
      DESCRIPTION      Indicates whether the list of policy conditions
                       associated with this policy rule is in disjunctive
                       normal form (DNF) or conjunctive normal form (CNF).
      SYNTAX           uint16
      VALUES           DNF(1), CNF(2)
      DEFAULT VALUE    DNF(1)

6.3.3. The Property "RuleUsage"

This property is a free-form string that recommends how this policy should be used. The property definition is as follows:

      NAME             RuleUsage
      DESCRIPTION      This property is used to provide guidelines on how
                       this policy should be used.
      SYNTAX           string

6.3.4. The Property "Priority"

This property provides a non-negative integer for prioritizing policy rules relative to each other. Larger integer values indicate higher priority. Since one purpose of this property is to allow specific, ad hoc policy rules to temporarily override established policy rules, an instance that has this property set has a higher priority than all instances that use or set the default value of zero.

Prioritization among policy rules provides a basic mechanism for resolving policy conflicts.

The property definition is as follows:

      NAME             Priority
      DESCRIPTION      A non-negative integer for prioritizing this
                       PolicyRule relative to other PolicyRules.  A larger
                       value indicates a higher priority.
      SYNTAX           uint16
      DEFAULT VALUE    0

6.3.5. The Property "Mandatory"

This property indicates whether evaluation (and possibly action execution) of a PolicyRule is mandatory or not. Its concept is similar to the ability to mark packets for delivery or possible discard, based on network traffic and device load.

The evaluation of a PolicyRule MUST be attempted if the Mandatory property value is TRUE. If the Mandatory property value of a PolicyRule is FALSE, then the evaluation of the rule is "best effort" and MAY be ignored.

The property definition is as follows:

      NAME             Mandatory
      DESCRIPTION      A flag indicating that the evaluation of the
                       PolicyConditions and execution of PolicyActions (if
                       the condition list evaluates to TRUE) is required.
      SYNTAX           boolean
      DEFAULT VALUE    TRUE

6.3.6. The Property "SequencedActions"

This property gives a policy administrator a way of specifying how the ordering of the policy actions associated with this PolicyRule is to be interpreted. Three values are supported:

o mandatory(1): Do the actions in the indicated order, or don't do them at all.

o recommended(2): Do the actions in the indicated order if you can, but if you can't do them in this order, do them in another order if you can.

o dontCare(3): Do them -- I don't care about the order.

When error / event reporting is addressed for the Policy Framework, suitable codes will be defined for reporting that a set of actions could not be performed in an order specified as mandatory (and thus were not performed at all), that a set of actions could not be performed in a recommended order (and moreover could not be performed in any order), or that a set of actions could not be performed in a recommended order (but were performed in a different order). The property definition is as follows:

      NAME             SequencedActions
      DESCRIPTION      An enumeration indicating how to interpret the action
                       ordering indicated via the PolicyActionInPolicyRule
                       aggregation.
      SYNTAX           uint16
      VALUES           mandatory(1), recommended(2), dontCare(3)
      DEFAULT VALUE    dontCare(3)

6.3.7. The Multi-valued Property "PolicyRoles"

This property represents the roles and role combinations associated with a policy rule. Each value represents one role combination. Since this is a multi-valued property, more than one role combination can be associated with a single policy rule. Each value is a string of the form

      <RoleName>[&&<RoleName>]*

where the individual role names appear in alphabetical order (according to the collating sequence for UCS-2). The property definition is as follows:

      NAME             PolicyRoles
      DESCRIPTION      A set of strings representing the roles and role
                       combinations associated with a policy rule.  Each
                       value represents one role combination.
      SYNTAX           string

6.4. The Abstract Class "PolicyCondition"

The purpose of a policy condition is to determine whether the set of actions (aggregated in the PolicyRule that the condition applies to) should be executed. For the purposes of the Policy Core Information Model, all that matters about an individual PolicyCondition is that it evaluates to TRUE or FALSE. (The individual PolicyConditions associated with a PolicyRule are combined to form a compound expression in either DNF or CNF, but this is accomplished via the ConditionListType property, discussed above, and by the properties of the PolicyConditionInPolicyRule aggregation, introduced above and discussed further in Section 7.6 below.) A logical structure within an individual PolicyCondition may also be introduced, but this would have to be done in a subclass of PolicyCondition.

Because it is general, the PolicyCondition class does not itself contain any "real" conditions. These will be represented by properties of the domain-specific subclasses of PolicyCondition.

      +---------------------------------------------------------------+
      |                    Policy Conditions in DNF                   |
      | +-------------------------+         +-----------------------+ |
      | |       AND list          |         |      AND list         | |
      | |  +-------------------+  |         |  +-----------------+  | |
      | |  |  PolicyCondition  |  |         |  | PolicyCondition |  | |
      | |  +-------------------+  |         |  +-----------------+  | |
      | |  +-------------------+  |         |  +-----------------+  | |
      | |  |  PolicyCondition  |  |   ...   |  | PolicyCondition |  | |
      | |  +-------------------+  |   ORed  |  +-----------------+  | |
      | |          ...            |         |         ...           | |
      | |         ANDed           |         |        ANDed          | |
      | |  +-------------------+  |         |  +-----------------+  | |
      | |  |  PolicyCondition  |  |         |  | PolicyCondition |  | |
      | |  +-------------------+  |         |  +-----------------+  | |
      | +-------------------------+         +-----------------------+ |
      +---------------------------------------------------------------+
        
Figure 7. Overview of Policy Conditions in DNF

This figure illustrates that when policy conditions are in DNF, there are one or more sets of conditions that are ANDed together to form AND lists. An AND list evaluates to TRUE if and only if all of its constituent conditions evaluate to TRUE. The overall condition then evaluates to TRUE if and only if at least one of its constituent AND lists evaluates to TRUE.

      +---------------------------------------------------------------+
      |                    Policy Conditions in CNF                   |
      | +-------------------------+         +-----------------------+ |
      | |        OR list          |         |       OR list         | |
      | |  +-------------------+  |         |  +-----------------+  | |
      | |  |  PolicyCondition  |  |         |  | PolicyCondition |  | |
      | |  +-------------------+  |         |  +-----------------+  | |
      | |  +-------------------+  |         |  +-----------------+  | |
      | |  |  PolicyCondition  |  |   ...   |  | PolicyCondition |  | |
      | |  +-------------------+  |  ANDed  |  +-----------------+  | |
      | |          ...            |         |         ...           | |
      | |         ORed            |         |         ORed          | |
      | |  +-------------------+  |         |  +-----------------+  | |
      | |  |  PolicyCondition  |  |         |  | PolicyCondition |  | |
      | |  +-------------------+  |         |  +-----------------+  | |
      | +-------------------------+         +-----------------------+ |
      +---------------------------------------------------------------+
        
Figure 8. Overview of Policy Conditions in CNF

In this figure, the policy conditions are in CNF. Consequently, there are one or more OR lists, each of which evaluates to TRUE if and only if at least one of its constituent conditions evaluates to TRUE. The overall condition then evaluates to TRUE if and only if ALL of its constituent OR lists evaluate to TRUE.

The class definition of PolicyCondition is as follows:

      NAME             PolicyCondition
      DESCRIPTION      A class representing a rule-specific or reusable
                       policy condition to be evaluated in conjunction with
                       a policy rule.
      DERIVED FROM     Policy
      ABSTRACT         TRUE
      PROPERTIES       NONE

No properties are defined for this class since it inherits all its properties from Policy. The class exists as an abstract superclass for domain-specific policy conditions, defined in subclasses. In an implementation, various key/identification properties MUST be defined for the class or its instantiable subclasses. The keys for a native CIM implementation are defined in Appendix A, Section 13.2. Keys for an LDAP implementation will be defined in the LDAP mapping of this information model [11].

When identifying and using the PolicyCondition class, it is necessary to remember that a condition can be rule-specific or reusable. This was discussed above in Section 5.1. The distinction between the two types of policy conditions lies in the associations in which an instance can participate, and in how the different instances are named. Conceptually, a reusable policy condition resides in a policy repository, and is named within the scope of that repository. On the other hand, a rule-specific policy condition is, as the name suggests, named within the scope of the single policy rule to which it is related.

The distinction between rule-specific and reusable PolicyConditions affects the CIM naming, defined in Appendix A, and the LDAP mapping [11].

6.5. The Class "PolicyTimePeriodCondition"

This class provides a means of representing the time periods during which a policy rule is valid, i.e., active. At all times that fall outside these time periods, the policy rule has no effect. A policy rule is treated as valid at all times if it does not specify a PolicyTimePeriodCondition.

In some cases a PDP may need to perform certain setup / cleanup actions when a policy rule becomes active / inactive. For example, sessions that were established while a policy rule was active might need to be taken down when the rule becomes inactive. In other cases, however, such sessions might be left up: in this case, the effect of deactivating the policy rule would just be to prevent the establishment of new sessions. Setup / cleanup behaviors on validity period transitions are not currently addressed by the PCIM, and must be specified in 'guideline' documents, or via subclasses of PolicyRule, PolicyTimePeriodCondition or other concrete subclasses of Policy. If such behaviors need to be under the control of the policy administrator, then a mechanism to allow this control must also be specified in the subclass.

PolicyTimePeriodCondition is defined as a subclass of PolicyCondition. This is to allow the inclusion of time-based criteria in the AND/OR condition definitions for a PolicyRule.

Instances of this class may have up to five properties identifying time periods at different levels. The values of all the properties present in an instance are ANDed together to determine the validity period(s) for the instance. For example, an instance with an overall validity range of January 1, 2000 through December 31, 2000; a month mask that selects March and April; a day-of-the-week mask that selects Fridays; and a time of day range of 0800 through 1600 would represent the following time periods:

      Friday, March  5, 2000, from 0800 through 1600;
      Friday, March 12, 2000, from 0800 through 1600;
      Friday, March 19, 2000, from 0800 through 1600;
      Friday, March 26, 2000, from 0800 through 1600;
      Friday, April  2, 2000, from 0800 through 1600;
      Friday, April  9, 2000, from 0800 through 1600;
      Friday, April 16, 2000, from 0800 through 1600;
      Friday, April 23, 2000, from 0800 through 1600;
      Friday, April 30, 2000, from 0800 through 1600.
        
Properties not present in an instance of PolicyTimePeriodCondition are implicitly treated as having their value "always enabled". Thus, in the example above, the day-of-the-month mask is not present, and so the validity period for the instance implicitly includes a day-of-the-month mask that selects all days of the month. If we apply this "missing property" rule to its fullest, we see that there is a second way to indicate that a policy rule is always enabled: have it point to an instance of PolicyTimePeriodCondition whose only properties are its naming properties.

The property LocalOrUtcTime indicates whether the times represented in the other five time-related properties of an instance of PolicyTimePeriodCondition are to be interpreted as local times for the location where a policy rule is being applied, or as UTC times.

The class definition is as follows.

      NAME             PolicyTimePeriodCondition
      DESCRIPTION      A class that provides the capability of enabling /
                       disabling a policy rule according to a
                       pre-determined schedule.
      DERIVED FROM     PolicyCondition
      ABSTRACT         FALSE
      PROPERTIES       TimePeriod
                       MonthOfYearMask
                       DayOfMonthMask
                       DayOfWeekMask
                       TimeOfDayMask
                       LocalOrUtcTime

6.5.1. The Property "TimePeriod"

This property identifies an overall range of calendar dates and times over which a policy rule is valid. It reuses the format for an explicit time period defined in RFC 2445 (reference [10]): a string representing a starting date and time, in which the character 'T' indicates the beginning of the time portion, followed by the solidus character '/', followed by a similar string representing an end date and time. The first date indicates the beginning of the range, while the second date indicates the end. Thus, the second date and time must be later than the first. Date/times are expressed as substrings of the form "yyyymmddThhmmss". For example:

      20000101T080000/20000131T120000

         January 1, 2000, 0800 through January 31, 2000, noon

There are also two special cases in which one of the date/time strings is replaced with a special string defined in RFC 2445.

o If the first date/time is replaced with the string "THISANDPRIOR", then the property indicates that a policy rule is valid [from now] until the date/time that appears after the '/'.

o If the second date/time is replaced with the string "THISANDFUTURE", then the property indicates that a policy rule becomes valid on the date/time that appears before the '/', and remains valid from that point on.

Note that RFC 2445 does not use these two strings in connection with explicit time periods. Thus the PCIM is combining two elements from RFC 2445 that are not combined in the RFC itself.

The property definition is as follows:

      NAME             TimePeriod
      DESCRIPTION      The range of calendar dates on which a policy rule is
                       valid.
      SYNTAX           string
      FORMAT           yyyymmddThhmmss/yyyymmddThhmmss, where the first
                       date/time may be replaced with the string
                       "THISANDPRIOR" or the second date/time may be
                       replaced with the string "THISANDFUTURE"

6.5.2. The Property "MonthOfYearMask"

The purpose of this property is to refine the definition of the valid time period that is defined by the TimePeriod property, by explicitly specifying the months when the policy is valid. These properties work together, with the TimePeriod used to specify the overall time period during which the policy might be valid, and the MonthOfYearMask used to pick out the specific months within that time period when the policy is valid.

This property is formatted as an octet string of size 2, consisting of 12 bits identifying the 12 months of the year, beginning with January and ending with December, followed by 4 bits that are always set to '0'. For each month, the value '1' indicates that the policy is valid for that month, and the value '0' indicates that it is not valid. The value X'08 30', for example, indicates that a policy rule is valid only in the months May, November, and December.

See section 5.4 for details of how CIM represents a single-valued octet string property such as this one. (Basically, CIM prepends a 4-octet length to the octet string.)

If this property is omitted, then the policy rule is treated as valid for all twelve months. The property definition is as follows:

      NAME             MonthOfYearMask
      DESCRIPTION      A mask identifying the months of the year in which a
                       policy rule is valid.
      SYNTAX           octet string
      FORMAT           X'hh h0'

6.5.3. The Property "DayOfMonthMask"

The purpose of this property is to refine the definition of the valid time period that is defined by the TimePeriod property, by explicitly specifying the days of the month when the policy is valid. These properties work together, with the TimePeriod used to specify the overall time period during which the policy might be valid, and the DayOfMonthMask used to pick out the specific days of the month within that time period when the policy is valid.

This property is formatted as an octet string of size 8, consisting of 31 bits identifying the days of the month counting from the beginning, followed by 31 more bits identifying the days of the month counting from the end, followed by 2 bits that are always set to '0'. For each day, the value '1' indicates that the policy is valid for that day, and the value '0' indicates that it is not valid.

The value X'80 00 00 01 00 00 00 00', for example, indicates that a policy rule is valid on the first and last days of the month.

For months with fewer than 31 days, the digits corresponding to days that the months do not have (counting in both directions) are ignored.

The encoding of the 62 significant bits in the octet string matches that used for the schedDay object in the DISMAN-SCHEDULE-MIB. See reference [8] for more details on this object.

See section 5.4 for details of how CIM represents a single-valued octet string property such as this one. (Basically, CIM prepends a 4-octet length to the octet string.)

The property definition is as follows:

      NAME             DayOfMonthMask
      DESCRIPTION      A mask identifying the days of the month on which a
                       policy rule is valid.
      SYNTAX           octet string
      FORMAT           X'hh hh hh hh hh hh hh hh'

6.5.4. The Property "DayOfWeekMask"

The purpose of this property is to refine the definition of the valid time period that is defined by the TimePeriod property by explicitly specifying the days of the week when the policy is valid. These properties work together, with the TimePeriod used to specify the overall time period when the policy might be valid, and the DayOfWeekMask used to pick out the specific days of the week in that time period when the policy is valid.

This property is formatted as an octet string of size 1, consisting of 7 bits identifying the 7 days of the week, beginning with Sunday and ending with Saturday, followed by 1 bit that is always set to '0'. For each day of the week, the value '1' indicates that the policy is valid for that day, and the value '0' indicates that it is not valid.

The value X'7C', for example, indicates that a policy rule is valid Monday through Friday.

See section 5.4 for details of how CIM represents a single-valued octet string property such as this one. (Basically, CIM prepends a 4-octet length to the octet string.)

The property definition is as follows:

      NAME          DayOfWeekMask
      DESCRIPTION   A mask identifying the days of the week on which a
                    policy rule is valid.
      SYNTAX        octet string
      FORMAT        B'bbbb bbb0'

6.5.5. The Property "TimeOfDayMask"

The purpose of this property is to refine the definition of the valid time period that is defined by the TimePeriod property by explicitly specifying a range of times in a day the policy is valid for. These properties work together, with the TimePeriod used to specify the overall time period that the policy is valid for, and the TimeOfDayMask used to pick out which range of time periods in a given day of that time period the policy is valid for.

This property is formatted in the style of RFC 2445 [10]: a time string beginning with the character 'T', followed by the solidus character '/', followed by a second time string. The first time indicates the beginning of the range, while the second time indicates the end. Times are expressed as substrings of the form "Thhmmss".

The second substring always identifies a later time than the first substring. To allow for ranges that span midnight, however, the value of the second string may be smaller than the value of the first substring. Thus, "T080000/T210000" identifies the range from 0800 until 2100, while "T210000/T080000" identifies the range from 2100 until 0800 of the following day.

When a range spans midnight, it by definition includes parts of two successive days. When one of these days is also selected by either the MonthOfYearMask, DayOfMonthMask, and/or DayOfWeekMask, but the other day is not, then the policy is active only during the portion of the range that falls on the selected day. For example, if the range extends from 2100 until 0800, and the day of week mask selects Monday and Tuesday, then the policy is active during the following three intervals:

      From midnight Sunday until 0800 Monday;
      From 2100 Monday until 0800 Tuesday;
      From 2100 Tuesday until 23:59:59 Tuesday.

The property definition is as follows:

      NAME          TimeOfDayMask
      DESCRIPTION   The range of times at which a policy rule is valid.  If
                    the second time is earlier than the first, then the
                    interval spans midnight.
      SYNTAX        string
      FORMAT        Thhmmss/Thhmmss
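
The three mask formats described above (DayOfMonthMask, DayOfWeekMask and TimeOfDayMask) can be checked against a given instant as follows. This is an added example, not code from the RFC: the function names, the inclusive range ends, and treating an absent mask as "no restriction" are assumptions, and the masks are the raw octets without the 4-octet CIM length prefix.

```python
import calendar
import re
from datetime import datetime, time

TIME_RANGE = re.compile(r"T([0-9]{2})([0-9]{2})([0-9]{2})/T([0-9]{2})([0-9]{2})([0-9]{2})")


def day_of_month_selected(mask: bytes, when: datetime) -> bool:
    """DayOfMonthMask: 31 bits counted from the start of the month, 31 bits
    counted from the end, then 2 bits that are always 0 (8 octets in all)."""
    if len(mask) != 8:
        raise ValueError("DayOfMonthMask must be 8 octets")
    bits = int.from_bytes(mask, "big")
    if bits & 0b11:
        raise ValueError("the last 2 bits of DayOfMonthMask must be 0")
    days_in_month = calendar.monthrange(when.year, when.month)[1]
    from_start = when.day - 1             # 0 = first day of the month
    from_end = days_in_month - when.day   # 0 = last day of the month
    # Bit 0 is the most significant bit of the first octet. Bits for days the
    # month does not have are never indexed, so they are ignored.
    forward = (bits >> (63 - from_start)) & 1
    backward = (bits >> (63 - 31 - from_end)) & 1
    return bool(forward or backward)


def day_of_week_selected(mask: bytes, when: datetime) -> bool:
    """DayOfWeekMask: 7 bits, Sunday first, then 1 bit that is always 0."""
    if len(mask) != 1:
        raise ValueError("DayOfWeekMask must be 1 octet")
    if mask[0] & 1:
        raise ValueError("the last bit of DayOfWeekMask must be 0")
    sunday_first = (when.weekday() + 1) % 7   # Python counts Monday as 0
    return bool((mask[0] >> (7 - sunday_first)) & 1)


def time_of_day_selected(mask: str, when: datetime) -> bool:
    """TimeOfDayMask: 'Thhmmss/Thhmmss'; end earlier than start spans midnight."""
    match = TIME_RANGE.fullmatch(mask)
    if match is None:
        raise ValueError("TimeOfDayMask must look like Thhmmss/Thhmmss")
    h1, m1, s1, h2, m2, s2 = (int(g) for g in match.groups())
    start, end = time(h1, m1, s1), time(h2, m2, s2)  # rejects e.g. hour 24
    now = when.time().replace(microsecond=0)
    if start <= end:
        return start <= now <= end        # assumption: both ends inclusive
    # Range spans midnight: late part of one day, early part of the next.
    return now >= start or now <= end


def time_period_active(when: datetime, day_of_month_mask=None,
                       day_of_week_mask=None, time_of_day_mask=None) -> bool:
    """Evaluate the masks for one instant. 'when' must already be expressed in
    the zone that LocalOrUtcTime selects. A mask given as None is treated as
    'no restriction' (assumption made for this example).

    The day masks are tested against the calendar day of 'when' itself, so a
    range that spans midnight is active only on the part that falls on a
    selected day."""
    if day_of_month_mask is not None and not day_of_month_selected(day_of_month_mask, when):
        return False
    if day_of_week_mask is not None and not day_of_week_selected(day_of_week_mask, when):
        return False
    if time_of_day_mask is not None and not time_of_day_selected(time_of_day_mask, when):
        return False
    return True
```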

6.5.6. The Property "LocalOrUtcTime"

This property indicates whether the times represented in the TimePeriod property and in the various Mask properties represent local times or UTC times. There is no provision for mixing of local times and UTC times: the value of this property applies to all of the other time-related properties.

The property definition is as follows:

      NAME          LocalOrUtcTime
      DESCRIPTION   An indication of whether the other times in this
                    instance represent local times or UTC times.
      SYNTAX        uint16
      VALUES        localTime(1), utcTime(2)
      DEFAULT VALUE utcTime(2)

6.6. The Class "VendorPolicyCondition"

The purpose of this class is to provide a general extension mechanism for representing policy conditions that have not been modeled with specific properties. Instead, the two properties Constraint and ConstraintEncoding are used to define the content and format of the condition, as explained below.

As its name suggests, this class is intended for vendor-specific extensions to the Policy Core Information Model. Standardized extensions are not expected to use this class.

The class definition is as follows:

      NAME          VendorPolicyCondition
      DESCRIPTION   A class that defines a registered means to describe a
                    policy condition.
      DERIVED FROM  PolicyCondition
      ABSTRACT      FALSE
      PROPERTIES    Constraint[ ]
                    ConstraintEncoding

6.6.1. The Multi-valued Property "Constraint"

This property provides a general extension mechanism for representing policy conditions that have not been modeled with specific properties. The format of the octet strings in the array is left unspecified in this definition. It is determined by the OID value stored in the property ConstraintEncoding. Since ConstraintEncoding is single-valued, all the values of Constraint share the same format and semantics.

See Section 5.4 for a description of how CIM encodes an array of octet strings like this one.

A policy decision point can readily determine whether it supports the values stored in an instance of Constraint by checking the OID value from ConstraintEncoding against the set of OIDs it recognizes. The action for the policy decision point to take in case it does not recognize the format of this data could itself be modeled as a policy rule, governing the behavior of the policy decision point.

The property is defined as follows:

      NAME          Constraint
      DESCRIPTION   Extension mechanism for representing constraints that
                    have not been modeled as specific properties.  The
                    format of the values is identified by the OID stored in
                    the property ConstraintEncoding.
      SYNTAX        octet string

6.6.2. The Property "ConstraintEncoding"

This property identifies the encoding and semantics of the Constraint property values in this instance. The value of this property is a single string, representing a single OID.

The property is defined as follows:

      NAME          ConstraintEncoding
      DESCRIPTION   An OID encoded as a string, identifying the format and
                    semantics for this instance's Constraint property.  The
                    value is a dotted sequence of decimal digits (for
                    example, "1.2.100.200") representing the arcs of the
                    OID.  The characters in the string are the UCS-2
                    characters corresponding to the US ASCII encodings of
                    the numeric characters and the period.
      SYNTAX        string

6.7. The Abstract Class "PolicyAction"

The purpose of a policy action is to execute one or more operations that will affect network traffic and/or systems, devices, etc., in order to achieve a desired state. This (new) state provides one or more (new) behaviors. A policy action ordinarily changes the configuration of one or more elements.

A PolicyRule contains one or more policy actions. A policy administrator can assign an order to the actions associated with a PolicyRule, complete with an indication of whether the indicated order is mandatory, recommended, or of no significance. Ordering of the actions associated with a PolicyRule is accomplished via a property in the PolicyActionInPolicyRule aggregation.

The actions associated with a PolicyRule are executed if and only if the overall condition(s) of the PolicyRule evaluates to TRUE.

The class definition of PolicyAction is as follows:

      NAME          PolicyAction
      DESCRIPTION   A class representing a rule-specific or reusable policy
                    action to be performed if the condition for a policy
                    rule evaluates to TRUE.
      DERIVED FROM  Policy
      ABSTRACT      TRUE
      PROPERTIES    NONE

No properties are defined for this class since it inherits all its properties from Policy. The class exists as an abstract superclass for domain-specific policy actions, defined in subclasses. In an implementation, various key/identification properties MUST be defined for the class or its instantiable subclasses. The keys for a native CIM implementation are defined in Appendix A, Section 13.3. Keys for an LDAP implementation will be defined in the LDAP mapping of this information model [11].

When identifying and using the PolicyAction class, it is necessary to remember that an action can be rule-specific or reusable. This was discussed above in Section 5.1. The distinction between the two types of policy actions lies in the associations in which an instance can participate, and in how the different instances are named. Conceptually, a reusable policy action resides in a policy repository, and is named within the scope of that repository. On the other hand, a rule-specific policy action is named within the scope of the single policy rule to which it is related.

The distinction between rule-specific and reusable PolicyActions affects the CIM naming, defined in Appendix A, and the LDAP mapping [11].

6.8. The Class "VendorPolicyAction"

The purpose of this class is to provide a general extension mechanism for representing policy actions that have not been modeled with specific properties. Instead, the two properties ActionData and ActionEncoding are used to define the content and format of the action, as explained below.

As its name suggests, this class is intended for vendor-specific extensions to the Policy Core Information Model. Standardized extensions are not expected to use this class.

The class definition is as follows:

      NAME          VendorPolicyAction
      DESCRIPTION   A class that defines a registered means to describe a
                    policy action.
      DERIVED FROM  PolicyAction
      ABSTRACT      FALSE
      PROPERTIES    ActionData[ ]
                    ActionEncoding

6.8.1. The Multi-valued Property "ActionData"

This property provides a general extension mechanism for representing policy actions that have not been modeled with specific properties. The format of the octet strings in the array is left unspecified in this definition. It is determined by the OID value stored in the property ActionEncoding. Since ActionEncoding is single-valued, all the values of ActionData share the same format and semantics. See Section 5.4 for a discussion of how CIM encodes an array of octet strings like this one.

A policy decision point can readily determine whether it supports the values stored in an instance of ActionData by checking the OID value from ActionEncoding against the set of OIDs it recognizes. The action for the policy decision point to take in case it does not recognize the format of this data could itself be modeled as a policy rule, governing the behavior of the policy decision point.

The property is defined as follows:

      NAME          ActionData
      DESCRIPTION   Extension mechanism for representing actions that have
                    not been modeled as specific properties.  The format of
                    the values is identified by the OID stored in the
                    property ActionEncoding.
      SYNTAX        octet string

6.8.2. The Property "ActionEncoding"

This property identifies the encoding and semantics of the ActionData property values in this instance. The value of this property is a single string, representing a single OID.

The property is defined as follows:

      NAME          ActionEncoding
      DESCRIPTION   An OID encoded as a string, identifying the format and
                    semantics for this instance's ActionData property.  The
                    value is a dotted sequence of decimal digits (for
                    example, "1.2.100.200") representing the arcs of the
                    OID.  The characters in the string are the UCS-2
                    characters corresponding to the US ASCII encodings of
                    the numeric characters and the period.
      SYNTAX        string
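
The OID check that sections 6.6.1 and 6.8.1 describe for a policy decision point, applied to both ConstraintEncoding and ActionEncoding, can be sketched as follows. This is an added example, not code from the RFC: the class and function names, the constructed 2-octet vendor format, and comparing OIDs by their numeric arcs are assumptions; "1.2.100.200" is the sample OID from the property description.

```python
import re

# "A dotted sequence of decimal digits": ASCII digits only, at least two arcs
# (the two-arc minimum is an assumption of this example).
OID_SYNTAX = re.compile(r"[0-9]+(?:\.[0-9]+)+")


def parse_oid(text: str) -> tuple:
    """Validate the string form of an OID and return its arcs as integers."""
    if not OID_SYNTAX.fullmatch(text):
        raise ValueError(f"not a dotted-decimal OID: {text!r}")
    return tuple(int(arc) for arc in text.split("."))


class VendorEncodings:
    """The set of OIDs a policy decision point recognizes, each with the
    decoder for the octet strings carried in Constraint or ActionData."""

    def __init__(self):
        self._decoders = {}

    def register(self, oid: str, decoder) -> None:
        # Keyed by arcs, so two spellings of one OID cannot be told apart.
        self._decoders[parse_oid(oid)] = decoder

    def supports(self, encoding: str) -> bool:
        return parse_oid(encoding) in self._decoders

    def decode(self, encoding: str, values):
        """Decode every value with the single format named by 'encoding'.

        Returns None when the OID is not recognized, so the caller has to
        apply its own rule for unsupported data instead of guessing a format.
        A value that does not fit the format raises ValueError, and no
        partial result is returned."""
        decoder = self._decoders.get(parse_oid(encoding))
        if decoder is None:
            return None
        return [decoder(bytes(value)) for value in values]


def decode_threshold(raw: bytes) -> int:
    """Constructed vendor format: one 2-octet big-endian unsigned integer."""
    if len(raw) != 2:
        raise ValueError("expected exactly 2 octets")
    return int.from_bytes(raw, "big")


def example_registry() -> VendorEncodings:
    registry = VendorEncodings()
    registry.register("1.2.100.200", decode_threshold)
    return registry
```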

6.9. The Class "PolicyRepository"

The class definition of PolicyRepository is as follows:

      NAME          PolicyRepository
      DESCRIPTION   A class representing an administratively defined
                    container for reusable policy-related information.
                    This class does not introduce any additional properties
                    beyond those in its superclass AdminDomain.  It does,
                    however, participate in a number of unique associations.
      DERIVED FROM  AdminDomain
      ABSTRACT      FALSE

7. Association and Aggregation Definitions

The first two subsections of this section introduce associations and aggregations as they are used in CIM. The remaining subsections present the class definitions for the associations and aggregations that are part of the Policy Core Information Model.

7.1. Associations

An association is a CIM construct representing a relationship between two (or theoretically more) objects. It is modeled as a class containing typically two object references. Associations can be defined between classes without affecting any of the related classes. That is, addition of an association does not affect the interface of the related classes.

7.2. Aggregations

An aggregation is a strong form of an association, which usually represents a "whole-part" or a "collection" relationship. For example, CIM uses an aggregation to represent the containment relationship between a system and the components that make up the system. Aggregation as a "whole-part" relationship often implies, but does not require, that the aggregated objects have mutual dependencies.

7.3. The Abstract Aggregation "PolicyComponent"

This abstract aggregation defines two object references that will be overridden in each of five subclasses, to become references to the concrete policy classes PolicyGroup, PolicyRule, PolicyCondition, PolicyAction, and PolicyTimePeriodCondition. The value of the abstract superclass is to convey that all five subclasses have the same "whole-part" semantics, and for ease of query to locate all "components" of a PolicyGroup or PolicyRule.

The class definition for the aggregation is as follows:

      NAME          PolicyComponent
      DESCRIPTION   A generic aggregation used to establish 'part of'
                    relationships between the subclasses of Policy.  For
                    example, the PolicyConditionInPolicyRule aggregation
                    defines that PolicyConditions are part of a PolicyRule.
      ABSTRACT      TRUE
      PROPERTIES    GroupComponent[ref Policy[0..n]]
                    PartComponent[ref Policy[0..n]]

7.4. The Aggregation "PolicyGroupInPolicyGroup"

The PolicyGroupInPolicyGroup aggregation enables policy groups to be nested. This is critical for scalability and manageability, as it enables complex policies to be constructed from multiple simpler policies for administrative convenience. For example, a policy group representing policies for the US might have nested within it policy groups for the Eastern and Western US.

A PolicyGroup may aggregate other PolicyGroups via this aggregation, or it may aggregate PolicyRules via the PolicyRuleInPolicyGroup aggregation. Note that it is assumed that this aggregation is used to form directed acyclic graphs and NOT ring structures.

The class definition for the aggregation is as follows:

      NAME          PolicyGroupInPolicyGroup
      DESCRIPTION   A class representing the aggregation of PolicyGroups by
                    a higher-level PolicyGroup.
      DERIVED FROM  PolicyComponent
      ABSTRACT      FALSE
      PROPERTIES    GroupComponent[ref PolicyGroup[0..n]]
                    PartComponent[ref PolicyGroup[0..n]]

7.4.1. The Reference "GroupComponent"

This property is inherited from PolicyComponent, and overridden to become an object reference to a PolicyGroup that contains one or more other PolicyGroups. Note that for any single instance of the aggregation class PolicyGroupInPolicyGroup, this property (like all Reference properties) is single-valued. The [0..n] cardinality indicates that there may be 0, 1, or more than one PolicyGroups that contain any given PolicyGroup.

7.4.2. The Reference "PartComponent"

This property is inherited from PolicyComponent, and overridden to become an object reference to a PolicyGroup contained by one or more other PolicyGroups. Note that for any single instance of the aggregation class PolicyGroupInPolicyGroup, this property (like all Reference properties) is single-valued. The [0..n] cardinality indicates that a given PolicyGroup may contain 0, 1, or more than one other PolicyGroups.
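
Section 7.4 assumes that PolicyGroupInPolicyGroup instances form directed acyclic graphs and not ring structures, and a repository can verify that before evaluating nested groups. The check below is an added example, not code from the RFC: the function name and the representation of each aggregation instance as a (GroupComponent, PartComponent) pair of group names are assumptions.

```python
def find_group_cycle(links):
    """Return one ring of nested PolicyGroups, or None if the graph is acyclic.

    'links' is an iterable of (GroupComponent, PartComponent) pairs, one pair
    per PolicyGroupInPolicyGroup instance. A ring is returned as a list of
    group names whose first and last entries are the same group.
    """
    children = {}
    for group, part in links:
        children.setdefault(group, []).append(part)
        children.setdefault(part, [])

    UNVISITED, IN_PROGRESS, DONE = 0, 1, 2
    state = dict.fromkeys(children, UNVISITED)

    for root in children:
        if state[root] != UNVISITED:
            continue
        # Iterative depth-first search, so deep nesting cannot exhaust the
        # interpreter's recursion limit.
        path = [root]
        pending = [iter(children[root])]
        state[root] = IN_PROGRESS
        while pending:
            for part in pending[-1]:
                if state[part] == IN_PROGRESS:
                    # 'part' is an ancestor on the current path: a ring.
                    return path[path.index(part):] + [part]
                if state[part] == UNVISITED:
                    state[part] = IN_PROGRESS
                    path.append(part)
                    pending.append(iter(children[part]))
                    break
            else:
                # Every contained group has been explored without a ring.
                state[path.pop()] = DONE
                pending.pop()
    return None


# Constructed sample data: a group may be contained by several groups
# (cardinality [0..n]), which is still acyclic.
SAMPLE_DAG = [
    ("Global", "US"),
    ("US", "EasternUS"),
    ("US", "WesternUS"),
    ("Global", "EasternUS"),
]
# The same data with one extra instance that closes a ring.
SAMPLE_RING = SAMPLE_DAG + [("WesternUS", "Global")]
```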

7.5. The Aggregation "PolicyRuleInPolicyGroup"

A policy group may aggregate one or more policy rules, via the PolicyRuleInPolicyGroup aggregation. Grouping of policy rules into a policy group is again for administrative convenience; a policy rule may also be used by itself, without belonging to a policy group.

A PolicyGroup may aggregate PolicyRules via this aggregation, or it may aggregate other PolicyGroups via the PolicyGroupInPolicyGroup aggregation.

The class definition for the aggregation is as follows:

      NAME          PolicyRuleInPolicyGroup
      DESCRIPTION   A class representing the aggregation of PolicyRules by
                    a PolicyGroup.
      DERIVED FROM  PolicyComponent
      ABSTRACT      FALSE
      PROPERTIES    GroupComponent[ref PolicyGroup[0..n]]
                    PartComponent[ref PolicyRule[0..n]]

7.5.1. The Reference "GroupComponent"

This property is inherited from PolicyComponent, and overridden to become an object reference to a PolicyGroup that contains one or more PolicyRules. Note that for any single instance of the aggregation class PolicyRuleInPolicyGroup, this property (like all Reference properties) is single-valued. The [0..n] cardinality indicates that there may be 0, 1, or more than one PolicyGroups that contain any given PolicyRule.

7.5.2. The Reference "PartComponent"

This property is inherited from PolicyComponent, and overridden to become an object reference to a PolicyRule contained by one or more PolicyGroups. Note that for any single instance of the aggregation class PolicyRuleInPolicyGroup, this property (like all Reference properties) is single-valued. The [0..n] cardinality indicates that a given PolicyGroup may contain 0, 1, or more than one PolicyRules.

7.6. The Aggregation "PolicyConditionInPolicyRule"

A policy rule aggregates zero or more instances of the PolicyCondition class, via the PolicyConditionInPolicyRule association. A policy rule that aggregates zero policy conditions must indicate in its class definition what "triggers" the performance of its actions. In short, it must describe its implicit PolicyConditions, since none are explicitly associated. For example, there might be a subclass of PolicyRule named "HttpPolicyRule", where the class definition assumes that the condition, "If HTTP traffic," is true before the rule's actions would be performed. There is no need to formalize and instantiate this condition, since it is obvious in the semantics of the PolicyRule.

The conditions aggregated by a policy rule are grouped into two levels of lists: either an ORed set of ANDed sets of conditions (DNF, the default) or an ANDed set of ORed sets of conditions (CNF). Individual conditions in these lists may be negated. The property ConditionListType (in PolicyRule) specifies which of these two grouping schemes applies to a particular PolicyRule. The conditions are used to determine whether to perform the actions associated with the PolicyRule.

One or more policy time periods may be among the conditions associated with a policy rule via the PolicyConditionInPolicyRule association. In this case, the time periods are simply additional conditions to be evaluated along with any other conditions specified for the rule.

The class definition for the aggregation is as follows:

      NAME          PolicyConditionInPolicyRule
      DESCRIPTION   A class representing the aggregation of
                    PolicyConditions by a PolicyRule.
      DERIVED FROM  PolicyComponent
      ABSTRACT      FALSE
      PROPERTIES    GroupComponent[ref PolicyRule[0..n]]
                    PartComponent[ref PolicyCondition[0..n]]
                    GroupNumber
                    ConditionNegated

7.6.1. The Reference "GroupComponent"

This property is inherited from PolicyComponent, and overridden to become an object reference to a PolicyRule that contains one or more PolicyConditions. Note that for any single instance of the aggregation class PolicyConditionInPolicyRule, this property (like all Reference properties) is single-valued. The [0..n] cardinality indicates that there may be 0, 1, or more than one PolicyRules that contain any given PolicyCondition.

7.6.2. The Reference "PartComponent"

This property is inherited from PolicyComponent, and overridden to become an object reference to a PolicyCondition contained by one or more PolicyRules. Note that for any single instance of the aggregation class PolicyConditionInPolicyRule, this property (like all Reference properties) is single-valued. The [0..n] cardinality indicates that a given PolicyRule may contain 0, 1, or more than one PolicyConditions.

7.6.3. The Property "GroupNumber"

This property contains an integer identifying the group to which the condition referenced by the PartComponent property is assigned in forming the overall conditional expression for the policy rule identified by the GroupComponent reference.

The property is defined as follows:

      NAME          GroupNumber
      DESCRIPTION   Unsigned integer indicating the group to which the
                    condition identified by the PartComponent property is
                    to be assigned.
      SYNTAX        uint16
      DEFAULT       0

7.6.4. The Property "ConditionNegated"

This property is a boolean, indicating whether the condition referenced by the PartComponent property is negated in forming the overall conditional expression for the policy rule identified by the GroupComponent reference.

The property is defined as follows:

      NAME          ConditionNegated
      DESCRIPTION   Indication of whether the condition identified by the
                    PartComponent property is negated.  (TRUE indicates
                    that the condition is negated, FALSE indicates that it
                    is not negated.)
      SYNTAX        boolean
      DEFAULT       FALSE
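
How GroupNumber and ConditionNegated combine into the overall conditional expression of section 7.6, under either grouping scheme, is shown below. This is an added example, not code from the RFC: the names ConditionInRule, evaluate_rule_conditions, DNF and CNF are assumptions, each referenced condition is taken to be already evaluated to a boolean, and returning None for a rule with zero aggregated conditions is this example's way of leaving the implicit condition to the PolicyRule subclass.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional

# Labels for the two schemes selected by PolicyRule.ConditionListType
# (the constant names are assumptions of this example).
DNF = "DNF"   # ORed set of ANDed groups (the default)
CNF = "CNF"   # ANDed set of ORed groups


@dataclass(frozen=True)
class ConditionInRule:
    """One PolicyConditionInPolicyRule instance for a given PolicyRule."""
    result: bool                      # outcome of the PartComponent condition
    group_number: int = 0             # GroupNumber, uint16, DEFAULT 0
    condition_negated: bool = False   # ConditionNegated, DEFAULT FALSE


def evaluate_rule_conditions(links: Iterable[ConditionInRule],
                             list_type: str = DNF) -> Optional[bool]:
    """Combine the aggregated conditions of one PolicyRule.

    Returns None when the rule aggregates zero conditions: in that case the
    trigger is implicit in the PolicyRule subclass and cannot be derived
    from the aggregation instances.
    """
    if list_type not in (DNF, CNF):
        raise ValueError(f"unknown condition list type: {list_type!r}")
    groups = defaultdict(list)
    for link in links:
        if not 0 <= link.group_number <= 0xFFFF:
            raise ValueError("GroupNumber must fit in a uint16")
        # Negation is applied to the single condition before grouping.
        groups[link.group_number].append(link.result != link.condition_negated)
    if not groups:
        return None
    if list_type == DNF:
        return any(all(terms) for terms in groups.values())
    return all(any(terms) for terms in groups.values())


def sample_rule(c1: bool, c2: bool, c3: bool):
    """Constructed sample: C1 and NOT C2 in group 1, C3 in group 2.
    DNF reads (C1 AND NOT C2) OR C3; CNF reads (C1 OR NOT C2) AND C3."""
    return [
        ConditionInRule(c1, group_number=1),
        ConditionInRule(c2, group_number=1, condition_negated=True),
        ConditionInRule(c3, group_number=2),
    ]
```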

7.7. The Aggregation "PolicyRuleValidityPeriod"

A different relationship between a policy rule and a policy time period (than PolicyConditionInPolicyRule) is represented by the PolicyRuleValidityPeriod aggregation. The latter describes scheduled activation and deactivation of the policy rule.

If a policy rule is associated with multiple policy time periods via this association, then the rule is active if at least one of the time periods indicates that it is active. (In other words, the time periods are ORed to determine whether the rule is active.) A policy time period may be aggregated by multiple policy rules. A rule that does not point to a policy time period via this aggregation is, from the point of view of scheduling, always active. It may, however, be inactive for other reasons.

Time periods are a general concept that can be used in other applications. However, they are mentioned explicitly here in this specification since they are frequently used in policy applications.

The class definition for the aggregation is as follows:

      NAME          PolicyRuleValidityPeriod
      DESCRIPTION   A class representing the aggregation of
                    PolicyTimePeriodConditions by a PolicyRule.
      DERIVED FROM  PolicyComponent
      ABSTRACT      FALSE
      PROPERTIES    GroupComponent[ref PolicyRule[0..n]]
                    PartComponent[ref PolicyTimePeriodCondition[0..n]]

7.7.1. The Reference "GroupComponent"

This property is inherited from PolicyComponent, and overridden to become an object reference to a PolicyRule that contains one or more PolicyTimePeriodConditions. Note that for any single instance of the aggregation class PolicyRuleValidityPeriod, this property (like all Reference properties) is single-valued. The [0..n] cardinality indicates that there may be 0, 1, or more than one PolicyRules that contain any given PolicyTimePeriodCondition.

7.7.2. The Reference "PartComponent"

This property is inherited from PolicyComponent, and overridden to become an object reference to a PolicyTimePeriodCondition contained by one or more PolicyRules. Note that for any single instance of the aggregation class PolicyRuleValidityPeriod, this property (like all Reference properties) is single-valued. The [0..n] cardinality indicates that a given PolicyRule may contain 0, 1, or more than one PolicyTimePeriodConditions.

7.8. The Aggregation "PolicyActionInPolicyRule"

A policy rule may aggregate zero or more policy actions. A policy rule that aggregates zero policy actions must indicate in its class definition what actions are taken when the rule's conditions evaluate to TRUE. In short, it must describe its implicit PolicyActions, since none are explicitly associated. For example, there might be a subclass of PolicyRule representing a Diffserv absolute dropper, where the subclass itself indicates the action to be taken. There is no need to formalize and instantiate this action, since it is obvious in the semantics of the PolicyRule.

The actions associated with a PolicyRule may be given a required order, a recommended order, or no order at all. For actions represented as separate objects, the PolicyActionInPolicyRule aggregation can be used to express an order.

This aggregation does not indicate whether a specified action order is required, recommended, or of no significance; the property SequencedActions in the aggregating instance of PolicyRule provides this indication.

The class definition for the aggregation is as follows:

      NAME             PolicyActionInPolicyRule
      DESCRIPTION      A class representing the aggregation of PolicyActions
                       by a PolicyCondition.
      DERIVED FROM     PolicyComponent
      ABSTRACT         FALSE
      PROPERTIES       GroupComponent[ref PolicyRule[0..n]]
                       PartComponent[ref PolicyAction[0..n]]
                       ActionOrder

7.8.1. The Reference "GroupComponent"

This property is inherited from PolicyComponent, and overridden to become an object reference to a PolicyRule that contains one or more PolicyActions. Note that for any single instance of the aggregation class PolicyActionInPolicyRule, this property (like all Reference properties) is single-valued. The [0..n] cardinality indicates that there may be 0, 1, or more than one PolicyRules that contain any given PolicyAction.

7.8.2. The Reference "PartComponent"

This property is inherited from PolicyComponent, and overridden to become an object reference to a PolicyAction contained by one or more PolicyRules. Note that for any single instance of the aggregation class PolicyActionInPolicyRule, this property (like all Reference properties) is single-valued. The [0..n] cardinality indicates that a given PolicyRule may contain 0, 1, or more than one PolicyActions.

7.8.3. The Property "ActionOrder"

This property provides an unsigned integer 'n' that indicates the relative position of an action in the sequence of actions associated with a policy rule. When 'n' is a positive integer, it indicates a place in the sequence of actions to be performed, with smaller integers indicating earlier positions in the sequence. The special value '0' indicates "don't care". If two or more actions have the same non-zero sequence number, they may be performed in any order, but they must all be performed at the appropriate place in the overall action sequence.

A series of examples will make ordering of actions clearer:

o If all actions have the same sequence number, regardless of whether it is '0' or non-zero, any order is acceptable.

o The values

         1:ACTION A
         2:ACTION B
         1:ACTION C
         3:ACTION D

indicate two acceptable orders: A,C,B,D or C,A,B,D, since A and C can be performed in either order, but only at the '1' position.

o The values

         0:ACTION A
         2:ACTION B
         3:ACTION C
         3:ACTION D

require that B,C, and D occur either as B,C,D or as B,D,C. Action A may appear at any point relative to B,C, and D. Thus the complete set of acceptable orders is: A,B,C,D; B,A,C,D; B,C,A,D; B,C,D,A; A,B,D,C; B,A,D,C; B,D,A,C; B,D,C,A.

Note that the non-zero sequence numbers need not start with '1', and they need not be consecutive. All that matters is their relative magnitude.

The property is defined as follows:

      NAME             ActionOrder
      DESCRIPTION      Unsigned integer indicating the relative position of an
                       action in the sequence of actions aggregated by a
                       policy rule.
      SYNTAX           uint16

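The ActionOrder rule of Section 7.8.3, as an added Python example that is not part of the RFC: it checks whether a proposed execution sequence is permitted and enumerates every permitted sequence for the two sample value sets given in the text. The function and constant names are this example's own; only the ordering semantics and the uint16 range come from the specification.

```python
from itertools import permutations

UINT16_MAX = 0xFFFF  # ActionOrder has SYNTAX uint16


def check_action_orders(orders):
    """Reject ActionOrder values that do not fit the uint16 syntax."""
    for action, n in orders.items():
        if isinstance(n, bool) or not isinstance(n, int) or not 0 <= n <= UINT16_MAX:
            raise ValueError(f"ActionOrder for {action!r} is not a uint16: {n!r}")


def is_acceptable(sequence, orders):
    """True if `sequence` performs every action exactly once in a permitted order."""
    check_action_orders(orders)
    if sorted(sequence) != sorted(orders):
        return False  # an action is missing, repeated or unknown
    # 0 means "don't care": such actions constrain nothing and are skipped.
    ranked = [orders[a] for a in sequence if orders[a] != 0]
    # Equal numbers may run in any order; a smaller number may never
    # follow a larger one. Only relative magnitude matters.
    return all(earlier <= later for earlier, later in zip(ranked, ranked[1:]))


def acceptable_orders(orders):
    """Enumerate every permitted sequence (factorial cost: small action sets only)."""
    return [p for p in permutations(sorted(orders)) if is_acceptable(p, orders)]


def execution_order(orders):
    """Pick one permitted sequence deterministically, without enumerating.

    Ordered actions run by ascending ActionOrder (ties broken by name);
    "don't care" actions are appended, which is one of their legal positions.
    """
    check_action_orders(orders)
    ranked = sorted((a for a in orders if orders[a] != 0),
                    key=lambda a: (orders[a], a))
    dont_care = sorted(a for a in orders if orders[a] == 0)
    return ranked + dont_care


# The two sample value sets from the text above.
EXAMPLE_TWO_ORDERS = {"A": 1, "B": 2, "C": 1, "D": 3}
EXAMPLE_EIGHT_ORDERS = {"A": 0, "B": 2, "C": 3, "D": 3}

if __name__ == "__main__":
    for label, orders in (("first", EXAMPLE_TWO_ORDERS),
                          ("second", EXAMPLE_EIGHT_ORDERS)):
        found = acceptable_orders(orders)
        print(label, "example:", len(found), "acceptable orders")
        for seq in found:
            print("   ", ",".join(seq))
        print("    chosen:", ",".join(execution_order(orders)))
```

A policy consumer that applies actions in whatever order its repository returns them can use `is_acceptable` as a check before enforcement, so that an action meant to run last is never applied first.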

7.9. The Abstract Association "PolicyInSystem"

This abstract association inherits two object references from a higher-level CIM association class, Dependency. It overrides these object references to make them references to instances of the classes System and Policy. Subclasses of PolicyInSystem then override these object references again, to make them references to concrete policy classes.

The value of the abstract superclass is to convey that all subclasses have the same "dependency" semantics, and for ease of query to locate all policy "dependencies" on a System. These dependencies are related to scoping or hosting of the Policy.

The class definition for the association is as follows:

      NAME             PolicyInSystem
      DESCRIPTION      A generic association used to establish dependency
                       relationships between Policies and the Systems that
                       host them.
      DERIVED FROM     Dependency
      ABSTRACT         TRUE
      PROPERTIES       Antecedent[ref System[0..1]]
                       Dependent[ref Policy[0..n]]

7.10. The Weak Association "PolicyGroupInSystem"

This association links a PolicyGroup to the System in whose scope the PolicyGroup is defined.

The class definition for the association is as follows:

      NAME             PolicyGroupInSystem
      DESCRIPTION      A class representing the fact that a PolicyGroup is
                       defined within the scope of a System.
      DERIVED FROM     PolicyInSystem
      ABSTRACT         FALSE
      PROPERTIES       Antecedent[ref System[1..1]]
                       Dependent[ref PolicyGroup[weak]]

7.10.1. The Reference "Antecedent"

This property is inherited from PolicyInSystem, and overridden to restrict its cardinality to [1..1]. It serves as an object reference to a System that provides a scope for one or more PolicyGroups. Since this is a weak association, the cardinality for this object reference is always 1, that is, a PolicyGroup is always defined within the scope of exactly one System.

7.10.2. The Reference "Dependent"

This property is inherited from PolicyInSystem, and overridden to become an object reference to a PolicyGroup defined within the scope of a System. Note that for any single instance of the association class PolicyGroupInSystem, this property (like all Reference properties) is single-valued. The [0..n] cardinality indicates that a given System may have 0, 1, or more than one PolicyGroups defined within its scope.

7.11. The Weak Association "PolicyRuleInSystem"

Regardless of whether it belongs to a PolicyGroup (or to multiple PolicyGroups), a PolicyRule is itself defined within the scope of a System. This association links a PolicyRule to the System in whose scope the PolicyRule is defined.

The class definition for the association is as follows:

      NAME             PolicyRuleInSystem
      DESCRIPTION      A class representing the fact that a PolicyRule is
                       defined within the scope of a System.
      DERIVED FROM     PolicyInSystem
      ABSTRACT         FALSE
      PROPERTIES       Antecedent[ref System[1..1]]
                       Dependent[ref PolicyRule[weak]]

7.11.1. The Reference "Antecedent"

This property is inherited from PolicyInSystem, and overridden to restrict its cardinality to [1..1]. It serves as an object reference to a System that provides a scope for one or more PolicyRules. Since this is a weak association, the cardinality for this object reference is always 1, that is, a PolicyRule is always defined within the scope of exactly one System.

7.11.2. The Reference "Dependent"

This property is inherited from PolicyInSystem, and overridden to become an object reference to a PolicyRule defined within the scope of a System. Note that for any single instance of the association class PolicyRuleInSystem, this property (like all Reference properties) is single-valued. The [0..n] cardinality indicates that a given System may have 0, 1, or more than one PolicyRules defined within its scope.

7.12. The Association "PolicyConditionInPolicyRepository"

A reusable policy condition is always related to a single PolicyRepository, via the PolicyConditionInPolicyRepository association. This is not true for all PolicyConditions, however. An instance of PolicyCondition that represents a rule-specific condition is not related to any policy repository via this association.

The class definition for the association is as follows:

      NAME             PolicyConditionInPolicyRepository
      DESCRIPTION      A class representing the inclusion of a reusable
                       PolicyCondition in a PolicyRepository.
      DERIVED FROM     PolicyInSystem
      ABSTRACT         FALSE
      PROPERTIES       Antecedent[ref PolicyRepository[0..1]]
                       Dependent[ref PolicyCondition[0..n]]

7.12.1. The Reference "Antecedent"

This property is inherited from PolicyInSystem, and overridden to become an object reference to a PolicyRepository containing one or more PolicyConditions. A reusable PolicyCondition is always related to exactly one PolicyRepository via the PolicyConditionInPolicyRepository association. The [0..1] cardinality for this property covers the two types of PolicyConditions: 0 for a rule-specific PolicyCondition, 1 for a reusable one.

7.12.2. The Reference "Dependent"

This property is inherited from PolicyInSystem, and overridden to become an object reference to a PolicyCondition included in a PolicyRepository. Note that for any single instance of the association class PolicyConditionInPolicyRepository, this property (like all Reference properties) is single-valued. The [0..n] cardinality indicates that a given PolicyRepository may contain 0, 1, or more than one PolicyConditions.

7.13. The Association "PolicyActionInPolicyRepository"

A reusable policy action is always related to a single PolicyRepository, via the PolicyActionInPolicyRepository association. This is not true for all PolicyActions, however. An instance of PolicyAction that represents a rule-specific action is not related to any policy repository via this association.

The class definition for the association is as follows:

      NAME             PolicyActionInPolicyRepository
      DESCRIPTION      A class representing the inclusion of a reusable
                       PolicyAction in a PolicyRepository.
      DERIVED FROM     PolicyInSystem
      ABSTRACT         FALSE
      PROPERTIES       Antecedent[ref PolicyRepository[0..1]]
                       Dependent[ref PolicyAction[0..n]]

7.13.1. The Reference "Antecedent"

This property is inherited from PolicyInSystem, and overridden to become an object reference to a PolicyRepository containing one or more PolicyActions. A reusable PolicyAction is always related to exactly one PolicyRepository via the PolicyActionInPolicyRepository association. The [0..1] cardinality for this property covers the two types of PolicyActions: 0 for a rule-specific PolicyAction, 1 for a reusable one.

7.13.2. The Reference "Dependent"

This property is inherited from PolicyInSystem, and overridden to become an object reference to a PolicyAction included in a PolicyRepository. Note that for any single instance of the association class PolicyActionInPolicyRepository, this property (like all Reference properties) is single-valued. The [0..n] cardinality indicates that a given PolicyRepository may contain 0, 1, or more than one PolicyActions.

7.14. The Aggregation "PolicyRepositoryInPolicyRepository"

The PolicyRepositoryInPolicyRepository aggregation enables policy repositories to be nested. This derives from the higher level CIM association, CIM_SystemComponent, describing that Systems contain other ManagedSystemElements. This superclass could not be used for the other Policy aggregations, since Policies are not ManagedSystemElements, but ManagedElements. Note that it is assumed that this aggregation is used to form directed acyclic graphs and NOT ring structures.

The class definition for the aggregation is as follows:

      NAME             PolicyRepositoryInPolicyRepository
      DESCRIPTION      A class representing the aggregation of
                       PolicyRepositories by a higher-level PolicyRepository.
      DERIVED FROM     SystemComponent
      ABSTRACT         FALSE
      PROPERTIES       GroupComponent[ref PolicyRepository[0..n]]
                       PartComponent[ref PolicyRepository[0..n]]

7.14.1. The Reference "GroupComponent"

This property is inherited from the CIM class SystemComponent, and overridden to become an object reference to a PolicyRepository that contains one or more other PolicyRepositories. Note that for any single instance of the aggregation class PolicyRepositoryInPolicyRepository, this property (like all Reference properties) is single-valued. The [0..n] cardinality indicates that there may be 0, 1, or more than one PolicyRepositories that contain any given PolicyRepository.

7.14.2. The Reference "PartComponent"

This property is inherited from the CIM class SystemComponent, and overridden to become an object reference to a PolicyRepository contained by one or more other PolicyRepositories. Note that for any single instance of the aggregation class PolicyRepositoryInPolicyRepository, this property (like all Reference properties) is single-valued. The [0..n] cardinality indicates that a given PolicyRepository may contain 0, 1, or more than one other PolicyRepositories.

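Section 7.14 assumes that PolicyRepositoryInPolicyRepository instances form a directed acyclic graph, but the [0..n] cardinality on both references does not enforce it. The following added Python example, which is not part of the RFC, checks a set of aggregation instances for a ring before a consumer walks the nesting; the repository names are constructed sample data and the function names are this example's own.

```python
def find_ring(aggregations):
    """Return a list of repository names forming a ring (first == last), or None.

    `aggregations` is an iterable of (GroupComponent, PartComponent) pairs,
    one per PolicyRepositoryInPolicyRepository instance.
    """
    children = {}
    for group, part in aggregations:
        children.setdefault(group, []).append(part)
        children.setdefault(part, [])

    WHITE, GREY, BLACK = 0, 1, 2  # unvisited, on the current path, finished
    colour = dict.fromkeys(children, WHITE)
    for root in sorted(children):
        if colour[root] != WHITE:
            continue
        # Iterative depth-first search; `path` is the chain of containers
        # leading from `root` to the repository being examined.
        path, iters = [root], [iter(children[root])]
        colour[root] = GREY
        while iters:
            child = next(iters[-1], None)
            if child is None:                    # all parts examined
                colour[path.pop()] = BLACK
                iters.pop()
            elif colour[child] == GREY:          # part is its own ancestor
                return path[path.index(child):] + [child]
            elif colour[child] == WHITE:
                colour[child] = GREY
                path.append(child)
                iters.append(iter(children[child]))
    return None


def nested_repositories(root, aggregations):
    """All repositories nested directly or indirectly under `root`.

    Refuses to walk the structure if it contains a ring.
    """
    aggregations = list(aggregations)
    ring = find_ring(aggregations)
    if ring:
        raise ValueError("ring in PolicyRepositoryInPolicyRepository: "
                         + " -> ".join(ring))
    children = {}
    for group, part in aggregations:
        children.setdefault(group, []).append(part)
    seen, stack = set(), [root]
    while stack:
        for part in children.get(stack.pop(), []):
            if part not in seen:
                seen.add(part)
                stack.append(part)
    return seen


# Constructed sample data: "qos-shared" is contained by two repositories,
# which is legal (a DAG, not a tree).
NESTING = [
    ("corp", "emea"),
    ("corp", "apac"),
    ("emea", "qos-shared"),
    ("apac", "qos-shared"),
]

if __name__ == "__main__":
    print(sorted(nested_repositories("corp", NESTING)))
    print(find_ring(NESTING + [("qos-shared", "corp")]))
```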

8. Intellectual Property

The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11.

Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF Secretariat.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director.

9. Acknowledgements

The Policy Core Information Model in this document is closely based on the work of the DMTF's Service Level Agreements working group, so thanks are due to the members of that working group. Several of the policy classes in this model first appeared in early drafts on IPSec policy and QoS policy. The authors of these drafts were Partha Bhattacharya, Rob Adams, William Dixon, Roy Pereira, Raju Rajan, Jean-Christophe Martin, Sanjay Kamat, Michael See, Rajiv Chaudhury, Dinesh Verma, George Powers, and Raj Yavatkar. Some other elements of the model originated in work done by Yoram Snir, Yoram Ramberg, and Ron Cohen. In addition, we would like to thank Harald Alvestrand for conducting a thorough review of this document and providing many helpful suggestions, and Luis Sanchez and Russ Mundy for their help with the document's Security Considerations.

10. Security Considerations

The Policy Core Information Model (PCIM) presented in this document provides an object-oriented model for describing policy information. It provides a basic framework for describing the structure of policy information, in a form independent of any specific repository or access protocol, for use by an operational system. PCIM is not intended to represent any particular system design or implementation, nor does it define a protocol, and as such it does not have any specific security requirements.

However, it should also be noted that certain derivative documents, which use PCIM as a base, will need to convey more specific security considerations. In order to communicate the nature of what will be expected in these follow-on derivative documents, it is necessary to review the reasons that PCIM, as defined in this document, is neither implementable, nor representative of any real-world system, as well as the nature of the expected follow-on extensions and mappings.

There are three independent reasons that PCIM, as defined here, is neither implementable nor representative of any real-world system:

1. Its classes are independent of any specific repository that uses any specific access protocol. Therefore, its classes are designed not to be implemented directly. PCIM should instead be viewed as a schematic that directs how information should be represented, independent of any specific model implementation constraints.

2. Its classes were designed to be independent of any specific policy domain. For example, DiffServ and IPSec represent two different policy domains. Each document which extends PCIM to one of these domains will derive subclasses from the classes and relationships defined in PCIM, in order to represent extensions of a generic model to cover specific technical domains.

3. It's an information model, which must be mapped to a specific data model (native CIM schema, LDAP schema, MIB, whatever) before it can be implemented. Derivative documents will map the extended information models noted in item 2, above, to specific types of data model implementations.

Even though specific security requirements are not appropriate for PCIM, specific security requirements MUST be defined for each operational real-world application of PCIM. Just as there will be a wide range of operational, real-world systems using PCIM, there will also be a wide range of security requirements for these systems. Some operational, real-world systems that are deployed using PCIM may have extensive security requirements that impact nearly all classes and subclasses utilized by such a system, while other systems' security requirements might have very little impact.

The derivative documents, discussed above, will create the context for applying operational, real-world, system-level security requirements against the various models which derive from PCIM.

For example, in some real-world scenarios, the values associated with certain properties, within certain instantiated classes, may represent information associated with scarce, and/or costly (and therefore valuable) resources. It may be the case that these values must not be disclosed to, or manipulated by, unauthorized parties. As long as the derived model remains an information model (as opposed to a data model), it is not possible to discuss the data model-specific tools and mechanisms that are available for achieving the authentication and authorization implicit in a requirement that restricts read and/or read-write access to these values. Therefore, these mechanisms will need to be discussed in each of the data models to which the derived information models are mapped. If there are any general security requirements that can be identified and can be applied across multiple types of data models, it would be appropriate to discuss those at the information model level, rather than the data model level. In any case, any identified security requirements that are not dealt with in the information model document, MUST be dealt with in the derivative data model documents.

We can illustrate these points by extending the example from Section 2. A real-world system that provides QoS Gold Service to John would likely need to provide at least the following security-related capabilities and mechanisms (see [12] for definitions of security related terms):

o Data integrity for the information (e.g., property values and instantiated relationships) that specify that John gets QoS Gold Service, from the point(s) that the information is entered into the system to the point(s) where network components actually provide that Service.

o Authentication and Authorization methods to ensure that only system administrators (and not John or other engineers) can remotely administer components of the system.

o An Authentication method to ensure that John receives Gold Service, and the other members of the engineering group receive Bronze Service.

This is one possible set of requirements associated with an example real-world system which delivers Gold Service, and the appropriate place to document these would be in some combination of the information model and the derivative data models for QoS Policy. Each of the data models would also need to discuss how these requirements are satisfied, using the mechanisms typically available to such a data model, given the particular technology or set of technologies which it may employ.

11. References

[1] Distributed Management Task Force, Inc., "DMTF Technologies: CIM Standards << CIM Schema: Version 2.4", available via links on the following DMTF web page: http://www.dmtf.org/spec/cim_schema_v24.html.

[2] Distributed Management Task Force, Inc., "Common Information Model (CIM) Specification", version 2.2, June 1999. This document is available on the following DMTF web page: http://www.dmtf.org/spec/cims.html.

[3] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[4] Hovey, R. and S. Bradner, "The Organizations Involved in the IETF Standards Process", BCP 11, RFC 2028, October 1996.

[5] J. Strassner and S. Judd, "Directory-Enabled Networks", version 3.0c5 (August 1998). A PDF file is available at http://www.murchiso.com/den/#denspec.

[6] J. Strassner, policy architecture BOF presentation, 42nd IETF Meeting, Chicago, Illinois, October, 1998. Minutes of this BOF are available at the following location: http://www.ietf.org/proceedings/98aug/index.html.

[7] Yergeau, F., "UTF-8, a transformation format of ISO 10646", RFC 2279, January 1998.

[8] Levi, D. and J. Schoenwaelder, "Definitions of Managed Objects for Scheduling Management Operations", RFC 2591, May 1999.

[9] Yavatkar, R., Pendarakis, D. and R. Guerin, "A Framework for Policy-based Admission Control", RFC 2753, January 2000.

[10] Dawson, F. and D. Stenerson, "Internet Calendaring and Scheduling Core Object Specification (iCalendar)", RFC 2445, November 1998.

[11] Strassner, J., and E. Ellesson, B. Moore, R. Moats, "Policy Core LDAP Schema", Work in Progress.

[12] Shirey, R., "Internet Security Glossary", FYI 36, RFC 2828, May 2000.

Note: the CIM 2.4 Schema specification is defined by the following set of MOF files, available from the following URL:

      http://www.dmtf.org/spec/CIM_Schema24/CIM_Schema24.zip
        
12. Authors' Addresses

   Ed Ellesson
   LongBoard, Inc.
   2505 Meridian Pkwy, #100
   Durham, NC 27713

   Phone:   +1 919-361-3230
   Fax:     +1 919-361-3299
   EMail:  eellesson@lboard.com
        

   Bob Moore
   IBM Corporation, BRQA/502
   4205 S. Miami Blvd.
   Research Triangle Park, NC 27709

   Phone:   +1 919-254-4436
   Fax:     +1 919-254-6243
   EMail:  remoore@us.ibm.com
        

   John Strassner
   Cisco Systems, Bldg 15
   170 West Tasman Drive
   San Jose, CA 95134

   Phone:   +1 408-527-1069
   Fax:     +1 408-527-6351
   EMail:  johns@cisco.com
        

   Andrea Westerinen
   Cisco Systems
   170 West Tasman Drive
   San Jose, CA 95134

   Phone:   +1 408-853-8294
   Fax:     +1 408-527-6351
   EMail:  andreaw@cisco.com
        
13. Appendix A: Class Identification in a Native CIM Implementation

While the CommonName property is present in the abstract superclass Policy, and is thus available in all of its instantiable subclasses, CIM does not use this property for naming instances. The following subsections discuss how naming is handled in a native CIM implementation for each of the instantiable classes in the Policy Core Information Model.

Two things should be noted regarding CIM naming:

o When a CIM association is specified as "weak", this is a statement about naming scopes: an instance of the class at the weak end of the association is named within the scope of an instance of the class at the other end of the association. This is accomplished by propagation of keys from the instance of the scoping class to the instance of the weak class. Thus the weak class has, via key propagation, all the keys from the scoping class, and it also has one or more additional keys for distinguishing instances of the weak class, within the context of the scoping class.

o All class names in CIM are limited to alphabetic and numeric characters plus the underscore, with the restriction that the first character cannot be numeric. Refer to Appendix F "Unicode Usage" in reference [2] for an exact specification of how CIM class names are encoded in CIM strings.

13.1. Naming Instances of PolicyGroup and PolicyRule

A policy group always exists in the context of a system. In the Policy Core Information Model, this is captured by the weak aggregation PolicyGroupInSystem between a PolicyGroup and a System. Note that System serves as the base class for describing network devices and administrative domains.

A policy rule also exists in the context of a system. In the Policy Core Information Model, this is captured by the weak association PolicyRuleInSystem between a PolicyRule and a System.

The following sections define the CIM keys for PolicyGroup and PolicyRule.

13.1.1. PolicyGroup's CIM Keys

The CIM keys of the PolicyGroup class are:

o SystemCreationClassName (A CIM_System key, propagated due to the weak association, PolicyGroupInSystem)

o SystemName (A CIM_System key, propagated due to the weak association, PolicyGroupInSystem)

o CreationClassName

o PolicyGroupName

They are defined in Reference [1] as follows:

   NAME         SystemCreationClassName
   DESCRIPTION  SystemCreationClassName represents the class name of the CIM System object providing the naming scope for the instance of PolicyGroup.
   SYNTAX       string [MaxLen 256]
   QUALIFIER    key

   NAME         SystemName
   DESCRIPTION  SystemName represents the individual name of the particular System object, providing the naming scope for the instance of PolicyGroup.
   SYNTAX       string [MaxLen 256]
   QUALIFIER    key

   NAME         CreationClassName
   DESCRIPTION  This property is set to "CIM_PolicyGroup", if the PolicyGroup object is directly instantiated. Or, it is equal to the class name of the PolicyGroup subclass that is instantiated.
   SYNTAX       string [MaxLen 256]
   QUALIFIER    key

   NAME         PolicyGroupName
   DESCRIPTION  The identifying name of this policy group.
   SYNTAX       string [MaxLen 256]
   QUALIFIER    key

13.1.2. PolicyRule's CIM Keys

The CIM keys of the PolicyRule class are:

o SystemCreationClassName (A CIM_System key, propagated due to the weak association PolicyRuleInSystem)

o SystemName (A CIM_System key, propagated due to the weak association PolicyRuleInSystem)

o CreationClassName

o PolicyRuleName

SystemCreationClassName and SystemName work the same as defined for the class PolicyGroup. See Section 13.1.1 for details.

The other two properties are defined in Reference [1] as follows:

   NAME         CreationClassName
   DESCRIPTION  This property is set to "CIM_PolicyRule", if the PolicyRule object is directly instantiated. Or, it is equal to the class name of the PolicyRule subclass that is instantiated.
   SYNTAX       string [MaxLen 256]
   QUALIFIER    key

   NAME         PolicyRuleName
   DESCRIPTION  The identifying name of this policy rule.
   SYNTAX       string [MaxLen 256]
   QUALIFIER    key

13.2. Naming Instances of PolicyCondition and Its Subclasses

The CIM keys of the PolicyCondition class are:

o SystemCreationClassName

o SystemName

o PolicyRuleCreationClassName

o PolicyRuleName

o CreationClassName

o PolicyConditionName

Note that none of the keys are defined as propagated, although they appear to fit this convention. The reason for this difference is that (as indicated in Sections 5.1 and 6.4) the PolicyCondition class is used to represent both reusable and rule-specific conditions. This, in turn, affects what associations are valid for an instance of PolicyCondition, and how that instance is named.

In an ideal world, an instance of the PolicyCondition class would be scoped either by its PolicyRepository (for a reusable condition) or by its PolicyRule (for a rule-specific condition). However, CIM has the restriction that a given class can only be "weak" to one other class (i.e., defined by one weak association).

To work within the restrictions of CIM naming, it is necessary to "simulate" weak associations between PolicyCondition and PolicyRule, and between PolicyCondition and PolicyRepository, through a technique we'll call manual key propagation. Strictly speaking, manual key propagation isn't key propagation at all. But it has the same effect as (true) key propagation, so the name fits.

Figure 9 illustrates how manual propagation works in the case of PolicyCondition. (Note that only the key properties are shown for each of the classes.) In the figure, the line composed of 'I's indicates class inheritance, the one composed of 'P's indicates (true) key propagation via the weak aggregation PolicyRuleInSystem, and the ones composed of 'M's indicate manual key propagation.

      +------------------+
      |      System      |
      +------------------+
      |CreationClassName |
      |Name              |
      +------------------+
                ^     P
                I     PPPPPPPPPPPPPPPPPPPPPPPPPPPP
                I                                P
      +------------------+       +---------------v--------------+
      |    AdminDomain   |       |         PolicyRule           |
      +------------------+       +------------------------------+
      |CreationClassName |       | System.CreationClassName     |
      |Name              |       | System.Name                  |
      +------------------+       | CreationClassName            |
                ^                | PolicyRuleName               |
                I                +------------------------------+
                I                         M
                I                         M
      +------------------+                M
      | PolicyRepository |                M
      +------------------+                M
      |CreationClassName |                M
      |Name              |                M
      +------------------+                M
                      M                   M
                      M                   M
                      M                   M
                 +----v-------------------v----+
                 |       PolicyCondition       |
                 +-----------------------------+
                 | SystemCreationClassName     |
                 | SystemName                  |
                 | PolicyRuleCreationClassName |
                 | PolicyRuleName              |
                 | CreationClassName           |
                 | PolicyConditionName         |
                 +-----------------------------+
        

Figure 9. Manual Key Propagation for Naming PolicyConditions

Looking at Figure 9, we see that two key properties, CreationClassName and Name, are defined in the System class, and inherited by its subclasses AdminDomain and PolicyRepository. Since PolicyRule is weak to System, these two keys are propagated to it; it also has its own keys CreationClassName and PolicyRuleName.

A similar approach, though not automatic, is used in "manual key propagation". Here is the approach for rule-specific and reusable PolicyConditions:

o The manual propagation of keys from PolicyRule to PolicyCondition involves copying the values of PolicyRule's four key properties into four similarly named key properties in PolicyCondition. From the point of view of the CIM specification language, the property SystemName in PolicyCondition is a completely new key property. However, the relationship to the Name property in System is defined in the description of SystemName.

o The manual propagation of keys from PolicyRepository to PolicyCondition works in exactly the same way for the first two key properties. However, since PolicyRepository doesn't include PolicyRule properties, the PolicyRuleCreationClassName and PolicyRuleName have no values. A special value, "No Rule", is assigned to both of these properties in this case, indicating that this instance of PolicyCondition is not named within the scope of any particular policy rule.
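
The two manual propagation cases above, worked through as an added Python example (not part of the RFC or of any CIM implementation). The store class and the sample system, rule and repository names are constructed for illustration; the two condition subclass names are the ones Section 13.5 uses, and restricting class names to ASCII is an assumption.

```python
import re
from typing import Dict, NamedTuple

MAX_LEN = 256        # every key property here is "string [MaxLen 256]"
NO_RULE = "No Rule"  # special value for conditions scoped by a PolicyRepository
# Letters, digits and underscore, first character not a digit. ASCII-only is an
# assumption; the page defers the exact encoding to Appendix F of reference [2].
CLASS_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


class RuleKeys(NamedTuple):          # the four keys of a PolicyRule
    system_creation_class_name: str
    system_name: str
    creation_class_name: str
    policy_rule_name: str


class RepositoryKeys(NamedTuple):    # keys PolicyRepository inherits from System
    creation_class_name: str
    name: str


class ConditionKeys(NamedTuple):     # the six keys of a PolicyCondition
    system_creation_class_name: str
    system_name: str
    policy_rule_creation_class_name: str
    policy_rule_name: str
    creation_class_name: str
    policy_condition_name: str

    @property
    def reusable(self) -> bool:
        return self.policy_rule_creation_class_name == NO_RULE


def validate(keys: ConditionKeys) -> ConditionKeys:
    for field, value in keys._asdict().items():
        if len(value) > MAX_LEN:
            raise ValueError(f"{field} exceeds MaxLen {MAX_LEN}")
    # "No Rule" must be on both PolicyRule keys or on neither; a half-set pair
    # (for example a rule literally named "No Rule") has an ambiguous scope.
    class_is_no_rule = keys.policy_rule_creation_class_name == NO_RULE
    name_is_no_rule = keys.policy_rule_name == NO_RULE
    if class_is_no_rule != name_is_no_rule:
        raise ValueError("'No Rule' set on only one of the PolicyRule keys")
    class_fields = ["system_creation_class_name", "creation_class_name"]
    if not keys.reusable:
        class_fields.append("policy_rule_creation_class_name")
    for field in class_fields:
        if not CLASS_NAME.fullmatch(getattr(keys, field)):
            raise ValueError(f"{field} is not a valid CIM class name")
    return keys


def from_rule(rule: RuleKeys, creation_class_name: str, name: str) -> ConditionKeys:
    """Rule-specific condition: copy all four PolicyRule keys."""
    return validate(ConditionKeys(
        rule.system_creation_class_name, rule.system_name,
        rule.creation_class_name, rule.policy_rule_name,
        creation_class_name, name))


def from_repository(repo: RepositoryKeys, creation_class_name: str,
                    name: str) -> ConditionKeys:
    """Reusable condition: copy the two System keys, fill the rest with "No Rule"."""
    return validate(ConditionKeys(
        repo.creation_class_name, repo.name,
        NO_RULE, NO_RULE, creation_class_name, name))


class InstanceStore:
    """Hypothetical in-memory store that rejects a second instance with the same keys."""

    def __init__(self) -> None:
        self._by_keys: Dict[ConditionKeys, dict] = {}

    def add(self, keys: ConditionKeys, properties: dict) -> None:
        if keys in self._by_keys:
            raise KeyError(f"naming collision: {tuple(keys)}")
        self._by_keys[keys] = properties

    def __len__(self) -> int:
        return len(self._by_keys)


# Constructed sample values, not taken from the page.
RULE = RuleKeys("CIM_AdminDomain", "example-domain", "CIM_PolicyRule", "Rule-7")
REPO = RepositoryKeys("CIM_PolicyRepository", "shared-conditions")

if __name__ == "__main__":
    store = InstanceStore()
    store.add(from_rule(RULE, "FrameRelayPolicyCondition", "PC-1"), {})
    store.add(from_rule(RULE, "BgpPolicyCondition", "PC-1"), {})   # no collision
    store.add(from_repository(REPO, "BgpPolicyCondition", "PC-1"), {})
    print(len(store), "instances stored")
```

All three instances share the PolicyConditionName "PC-1" yet have distinct key tuples. A PolicyRule whose PolicyRuleName is literally "No Rule" is rejected, because its condition would carry the special value on only one of the two PolicyRule keys.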

The following section defines the specific CIM keys for PolicyCondition.

13.2.1. PolicyCondition's CIM Keys

PolicyCondition's key properties are defined in Reference [1] as follows:

   NAME         SystemCreationClassName
   DESCRIPTION  SystemCreationClassName represents the class name of the CIM System object providing the naming scope for the instance of PolicyCondition. For a rule-specific policy condition, this is the type of system (e.g., the name of the class that created this instance) in whose context the policy rule is defined. For a reusable policy condition, this is set to "CIM_PolicyRepository", if the PolicyRepository object is directly instantiated. Or, it is equal to the class name of the PolicyRepository subclass that is instantiated.
   SYNTAX       string [MaxLen 256]
   QUALIFIER    key

   NAME         SystemName
   DESCRIPTION  The name of the System object in whose scope this policy condition is defined. This property completes the identification of the System object. For a rule-specific policy condition, this is the name of the instance of the system in whose context the policy rule is defined. For a reusable policy condition, this is the name of the instance of PolicyRepository that holds the policy condition.
   SYNTAX       string [MaxLen 256]
   QUALIFIER    key

   NAME         PolicyRuleCreationClassName
   DESCRIPTION  For a rule-specific policy condition, this property identifies the class name of the policy rule instance, in whose scope this instance of PolicyCondition exists. For a reusable policy condition, this property is set to a special value, "No Rule", indicating that this instance of PolicyCondition is not unique to one policy rule.
   SYNTAX       string [MaxLen 256]
   QUALIFIER    key

   NAME         PolicyRuleName
   DESCRIPTION  For a rule-specific policy condition, PolicyRuleName completes the identification of the PolicyRule object with which this condition is associated. For a reusable policy condition, a special value, "No Rule", is used to indicate that this condition is reusable.
   SYNTAX       string [MaxLen 256]
   QUALIFIER    key

   NAME         CreationClassName
   DESCRIPTION  The class name of the PolicyCondition subclass that is instantiated.
   SYNTAX       string [MaxLen 256]
   QUALIFIER    key

   NAME         PolicyConditionName
   DESCRIPTION  The identifying name of this policy condition.
   SYNTAX       string [MaxLen 256]
   QUALIFIER    key

13.3. Naming Instances of PolicyAction and Its Subclasses

From the point of view of naming, the PolicyAction class and its subclasses work exactly like the PolicyCondition class and its subclasses. See Sections 13.2 and 13.2.1 for details.

Specifically, the CIM keys of PolicyAction are:

o SystemCreationClassName

o SystemName

o PolicyRuleCreationClassName

o PolicyRuleName

o CreationClassName

o PolicyActionName

They are defined in Reference [1] as follows:

   NAME         SystemCreationClassName
   DESCRIPTION  SystemCreationClassName represents the class name of the CIM System object providing the naming scope for the instance of PolicyAction. For a rule-specific policy action, this is the type of system (e.g., the name of the class that created this instance) in whose context the policy rule is defined. For a reusable policy action, this is set to "CIM_PolicyRepository", if the PolicyRepository object is directly instantiated. Or, it is equal to the class name of the PolicyRepository subclass that is instantiated.
   SYNTAX       string [MaxLen 256]
   QUALIFIER    key

   NAME         SystemName
   DESCRIPTION  The name of the System object in whose scope this policy action is defined. This property completes the identification of the System object. For a rule-specific policy action, this is the name of the instance of the system in whose context the policy rule is defined. For a reusable policy action, this is the name of the instance of PolicyRepository that holds the policy action.
   SYNTAX       string [MaxLen 256]
   QUALIFIER    key

   NAME         PolicyRuleCreationClassName
   DESCRIPTION  For a rule-specific policy action, this property identifies the class name of the policy rule instance, in whose scope this instance of PolicyAction exists. For a reusable policy action, this property is set to a special value, "No Rule", indicating that this instance of PolicyAction is not unique to one policy rule.
   SYNTAX       string [MaxLen 256]
   QUALIFIER    key

   NAME         PolicyRuleName
   DESCRIPTION  For a rule-specific policy action, PolicyRuleName completes the identification of the PolicyRule object with which this action is associated. For a reusable policy action, a special value, "No Rule", is used to indicate that this action is reusable.
   SYNTAX       string [MaxLen 256]
   QUALIFIER    key

   NAME         CreationClassName
   DESCRIPTION  The class name of the PolicyAction subclass that is instantiated.
   SYNTAX       string [MaxLen 256]
   QUALIFIER    key

   NAME         PolicyActionName
   DESCRIPTION  The identifying name of this policy action.
   SYNTAX       string [MaxLen 256]
   QUALIFIER    key

13.4. Naming Instances of PolicyRepository

An instance of PolicyRepository is named by the two key properties CreationClassName and Name that it inherits from its superclass AdminDomain. These properties are actually defined in AdminDomain's superclass, System, and then inherited by AdminDomain.

For instances of PolicyRepository itself, the value of CreationClassName must be "CIM_PolicyRepository". (Recall that for readability the prefix "CIM_" has been omitted from all class names in this document). If a subclass of PolicyRepository (perhaps QosPolicyRepository) is defined and instantiated, then the class name "CIM_QosPolicyRepository" is used in CreationClassName.

The Name property simply completes the identification of the instance of PolicyRepository.

13.5. Role of the CreationClassName Property in Naming

To provide for more flexibility in instance naming, CIM makes use of a property called CreationClassName. The idea of CreationClassName is to provide another dimension that can be used to avoid naming collisions, in the specific case of instances belonging to two different subclasses of a common superclass. An example will illustrate how CreationClassName works.

Suppose we have instances of two different subclasses of PolicyCondition, FrameRelayPolicyCondition and BgpPolicyCondition, and that these instances apply to the same context. If we had only the single key property PolicyConditionName available for distinguishing the two instances, then a collision would result from naming both of the instances with the key value PCName = "PC-1". Thus policy administrators from widely different disciplines would have to coordinate their naming of PolicyConditions for this context.

With CreationClassName, collisions of this type can be eliminated, without requiring coordination among the policy administrators. The two instances can be distinguished by giving their CreationClassNames different values. One instance is now identified with the two keys

CreationClassName = "FrameRelayPolicyCondition" + PCName = "PC-1",

while the other is identified with

CreationClassName = "BgpPolicyCondition" + PCName = "PC-1".

Each of the instantiable classes in the Core Model includes the CreationClassName property as a key in addition to its own class-specific key property.

13.6. Object References

Today, all CIM associations involve two object references. CIM decomposes an object reference into two parts: a high-order part that identifies an object manager and namespace, and a model path that identifies an object instance within a namespace. The model path, in turn, can be decomposed into an object class identifier and a set of key values needed to identify an instance of that class.

Because the object class identifier is part of the model path, a CIM object reference is strongly typed. The GroupComponent object reference in the PolicyGroupInPolicyGroup association, for example, can only point to an instance of PolicyGroup, or to an instance of a subclass of PolicyGroup. Contrast this with LDAP, where a DN pointer is completely untyped: it identifies (by DN) an entry, but places no restriction on that entry's object class(es).

An important difference between CIM property definitions and LDAP attribute type definitions was identified earlier in Section 6: while an LDAP attribute type definition has global scope, a CIM property definition applies only to the class in which it is defined. Thus properties having the same name in two different classes are free to have different data types. CIM takes advantage of this flexibility by allowing the data type of an object reference to be overridden in a subclass of the association class in which it was initially defined.

For example, the object reference GroupComponent is defined in the abstract aggregation class PolicyComponent to be a reference to an instance of the class Policy. This data type for GroupComponent is then overridden in subclasses of PolicyComponent. In PolicyGroupInPolicyGroup, for example, GroupComponent becomes a reference to an instance of PolicyGroup. But in PolicyConditionInPolicyRule it becomes a reference to an instance of PolicyRule. Of course there is not total freedom in this overriding of object references. In order to remain consistent with its abstract superclass, a subclass of PolicyComponent can only override GroupComponent to be a reference to a subclass of Policy. A Policy class is the generic context for the GroupComponent reference in PolicyComponent.
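
The typing rules of this section, as an added Python example (not code from the RFC or from a CIM object manager). The class tables list only classes named on this page, with the "CIM_" prefix omitted as in the text; QosPolicyGroup, the namespace path strings and the key values are constructed for illustration.

```python
from typing import Dict, NamedTuple, Optional, Tuple

# Superclass of each class (CIM_ prefix omitted, as on the page).
SUPERCLASS: Dict[str, Optional[str]] = {
    "Policy": None,
    "PolicyGroup": "Policy",
    "PolicyRule": "Policy",
    "PolicyCondition": "Policy",
    "System": None,
    "AdminDomain": "System",
    "PolicyRepository": "AdminDomain",
    "QosPolicyGroup": "PolicyGroup",      # hypothetical subclass for the demo
}


class Association(NamedTuple):
    superclass: Optional[str]
    group_component: str                  # declared type of the GroupComponent reference


ASSOCIATIONS: Dict[str, Association] = {
    "PolicyComponent": Association(None, "Policy"),
    "PolicyGroupInPolicyGroup": Association("PolicyComponent", "PolicyGroup"),
    "PolicyConditionInPolicyRule": Association("PolicyComponent", "PolicyRule"),
}


class ObjectReference(NamedTuple):
    namespace_path: str                   # high-order part: object manager and namespace
    class_name: str                       # model path: object class identifier ...
    keys: Tuple[Tuple[str, str], ...]     # ... and the key values of the instance


def is_a(class_name: str, ancestor: str) -> bool:
    """True if class_name is ancestor or one of its (transitive) subclasses."""
    current: Optional[str] = class_name
    while current is not None:
        if current == ancestor:
            return True
        current = SUPERCLASS.get(current)
    return False


def override_allowed(parent_assoc: str, new_type: str) -> bool:
    """A subclass may only narrow GroupComponent to a subclass of the inherited type."""
    inherited = ASSOCIATIONS[parent_assoc].group_component
    return new_type in SUPERCLASS and is_a(new_type, inherited)


def accepts(assoc: str, ref: ObjectReference) -> bool:
    """Type check a GroupComponent reference against the association's declared type."""
    declared = ASSOCIATIONS[assoc].group_component
    return ref.class_name in SUPERCLASS and is_a(ref.class_name, declared)


# Constructed sample references, not taken from the page.
NS = "//cimom.example/root/policy"
GROUP_REF = ObjectReference(NS, "PolicyGroup", (("PolicyGroupName", "G-1"),))
QOS_REF = ObjectReference(NS, "QosPolicyGroup", (("PolicyGroupName", "G-2"),))
RULE_REF = ObjectReference(NS, "PolicyRule", (("PolicyRuleName", "Rule-7"),))

if __name__ == "__main__":
    for ref in (GROUP_REF, QOS_REF, RULE_REF):
        print(ref.class_name, accepts("PolicyGroupInPolicyGroup", ref))
```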

14. Appendix B: The Core Policy MOF
// ==================================================================
// Title:     Core Policy MOF Specification 2.4
// Filename:  CIM_Policy24.MOF
// Version:   2.4
// Release:   0
// Description: The object classes below are listed in an order that
//              avoids forward references.  Required objects, defined
//        by other working groups, are omitted.
// Date: 06/27/2000
//     CIMCR516a - Rooted the model associations under Policy
//        Component or PolicyInSystem.  Corrected PolicyCondition/
//        PolicyActionInPolicyRepository to subclass from
//        PolicyInSystem (similar to Groups and Roles 'InSystem')
// ==================================================================
// Author:    DMTF SLA (Service Level Agreement) Working Group
// ==================================================================
// Pragmas
// ==================================================================
#pragma Locale ("en-US")
        
// ==================================================================
// Policy
// ==================================================================
   [Abstract, Description (
         "An abstract class describing common properties of all "
         "policy rule-related subclasses, such as PolicyGroup, Policy"
         "Rule and PolicyCondition. All instances of policy rule-"
         "related entities will be created from subclasses of CIM_"
         "Policy.  The exception to this statement is PolicyRepository "
         "which is a type of CIM_System.")
   ]
class CIM_Policy : CIM_ManagedElement
{
      [Description (
         "A user-friendly name of this policy-related object.")
      ]
   string CommonName;
      [Description (
         "An array of keywords for characterizing / categorizing "
         "policy objects.  Keywords are of one of two types: \n"
         "  o Keywords defined in this and other MOFs, or in DMTF "
         "    white papers.  These keywords provide a vendor-"
         "    independent, installation-independent way of "
         "    characterizing policy objects. \n"
         "  o Installation-dependent keywords for characterizing "
        
         "    policy objects.  Examples include 'Engineering', "
         "    'Billing', and 'Review in December 2000'.  \n"
         "This MOF defines the following keywords:  'UNKNOWN', "
         "'CONFIGURATION', 'USAGE', 'SECURITY', 'SERVICE', "
         "'MOTIVATIONAL', 'INSTALLATION', and 'EVENT'.  These "
         "concepts are self-explanatory and are further discussed "
         "in the SLA/Policy White Paper.  One additional keyword "
         "is defined: 'POLICY'.  The role of this keyword is to "
         "identify policy-related instances that may not be otherwise "
         "identifiable, in some implementations.  The keyword 'POLICY' "
         "is NOT mutually exclusive of the other keywords "
         "specified above.")
      ]
   string PolicyKeywords [];
};

// ==================================================================
//    PolicyComponent
// ==================================================================
   [Association, Abstract, Aggregation, Description (
         "CIM_PolicyComponent is a generic association used to "
         "establish 'part of' relationships between the subclasses of "
         "CIM_Policy.  For example, the PolicyConditionInPolicyRule "
         "association defines that PolicyConditions are part of a "
         "PolicyRule.")
   ]
class CIM_PolicyComponent
{
       [Aggregate, Key, Description (
         "The parent Policy in the association.")
       ]
    CIM_Policy REF GroupComponent;
       [Key, Description (
         "The child/part Policy in the association.")
       ]
    CIM_Policy REF PartComponent;
};
        
// ==================================================================
//    PolicyInSystem
// ==================================================================
   [Association, Abstract, Description (
         "  CIM_PolicyInSystem is a generic association used to "
         "establish dependency relationships between Policies and the "
         "Systems that host them.  These Systems may be ComputerSystems "
         "where Policies are 'running' or they may be Policy"
         "Repositories where Policies are stored.  This relationship "
         "is similar to the concept of CIM_Services being dependent "
         "on CIM_Systems as defined by the HostedService "
         "association.  \n"
         "  Cardinality is Max(1) for the Antecedent/System "
         "reference since Policies can only be hosted in at most one "
         "System context.  Some subclasses of the association will "
         "further refine this definition to make the Policies Weak "
         "to Systems.  Other subclasses of PolicyInSystem will "
         "define an optional hosting relationship.  Examples of each "
         "of these are the PolicyRuleInSystem and PolicyConditionIn"
         "PolicyRepository associations, respectively.")
   ]
class CIM_PolicyInSystem : CIM_Dependency
{
       [Override ("Antecedent"), Max (1), Description (
         "The hosting System.")
       ]
    CIM_System REF Antecedent;
       [Override ("Dependent"), Description (
         "The hosted Policy.")
       ]
    CIM_Policy REF Dependent;
};
        
// ==================================================================
// PolicyGroup
// ==================================================================
   [Description (
         "A container for either a set of related PolicyGroups "
         "or a set of related PolicyRules, but not both.  Policy"
         "Groups are defined and named relative to the CIM_System "
         "which provides their context.")
   ]
class CIM_PolicyGroup : CIM_Policy
{
      [Propagated("CIM_System.CreationClassName"),
         Key, MaxLen (256),
         Description ("The scoping System's CreationClassName.")
      ]
   string SystemCreationClassName;
      [Propagated("CIM_System.Name"),
         Key, MaxLen (256),
         Description ("The scoping System's Name.")
      ]
   string SystemName;
      [Key, MaxLen (256), Description (
         "CreationClassName indicates the name of the class or the "
         "subclass used in the creation of an instance.  When used "
         "with the other key properties of this class, this property "
         "allows all instances of this class and its subclasses to "
         "be uniquely identified.") ]
   string CreationClassName;
      [Key, MaxLen (256), Description (
         "A user-friendly name of this PolicyGroup.")
      ]
   string PolicyGroupName;
};
        
// ==================================================================
//    PolicyGroupInPolicyGroup
// ==================================================================
   [Association, Aggregation, Description (
         "A relationship that aggregates one or more lower-level "
         "PolicyGroups into a higher-level Group.  A Policy"
         "Group may aggregate either PolicyRules or other Policy"
         "Groups, but not both.")
   ]
class CIM_PolicyGroupInPolicyGroup : CIM_PolicyComponent
{
        [Override ("GroupComponent"), Aggregate, Description (
         "A PolicyGroup that aggregates other Groups.")
        ]
    CIM_PolicyGroup REF GroupComponent;
        [Override ("PartComponent"), Description (
         "A PolicyGroup aggregated by another Group.")
        ]
    CIM_PolicyGroup REF PartComponent;
};
        
// ==================================================================
//    PolicyGroupInSystem
// ==================================================================
   [Association, Description (
         "An association that links a PolicyGroup to the System "
         "in whose scope the Group is defined.")
   ]
class CIM_PolicyGroupInSystem : CIM_PolicyInSystem
{
        [Override ("Antecedent"), Min(1), Max(1), Description (
         "The System in whose scope a PolicyGroup is defined.")
        ]
    CIM_System REF Antecedent;
        [Override ("Dependent"), Weak, Description (
         "A PolicyGroup named within the scope of a System.")
        ]
    CIM_PolicyGroup REF Dependent;
};
        
// ==================================================================
// PolicyRule
// ==================================================================
   [Description (
        "  The central class for representing the 'If Condition then "
         "Action' semantics associated with a policy rule. "
         "A PolicyRule condition, in the most general sense, is "
         "represented as either an ORed set of ANDed conditions "
         "(Disjunctive Normal Form, or DNF) or an ANDed set of ORed "
         "conditions (Conjunctive Normal Form, or CNF). Individual "
         "conditions may either be negated (NOT C) or unnegated (C). "
         "The actions specified by a PolicyRule are to be performed "
         "if and only if the PolicyRule condition (whether it is "
         "represented in DNF or CNF) evaluates to TRUE.\n\n"
         "  "
         "The conditions and actions associated with a PolicyRule "
         "are modeled, respectively, with subclasses of Policy"
         "Condition and PolicyAction.  These condition and action "
         "objects are tied to instances of PolicyRule by the Policy"
         "ConditionInPolicyRule and PolicyActionInPolicyRule "
         "aggregations.\n\n"
         "  "
         "A PolicyRule may also be associated with one or more policy "
         "time periods, indicating the schedule according to which the "
         "policy rule is active and inactive.  In this case it is the "
         "PolicyRuleValidityPeriod aggregation that provides this "
         "linkage.\n\n"
         "  "
         "The PolicyRule class uses the property ConditionListType, to "
         "indicate whether the conditions for the rule are in DNF or "
         "CNF.  The PolicyConditionInPolicyRule aggregation contains "
         "two additional properties to complete the representation of "
         "the Rule's conditional expression.  The first of these "
         "properties is an integer to partition the referenced "
         "PolicyConditions into one or more groups, and the second is a "
         "Boolean to indicate whether a referenced Condition is "
         "negated.  An example shows how ConditionListType and these "
         "two additional properties provide a unique representation "
         "of a set of PolicyConditions in either DNF or CNF.\n\n"
         "  "
         "Suppose we have a PolicyRule that aggregates five "
         "PolicyConditions C1  through C5, with the following values "
         "in the properties of the five PolicyConditionInPolicyRule "
         "associations:\n"
         "    C1:  GroupNumber = 1, ConditionNegated = FALSE\n "
         "    C2:  GroupNumber = 1, ConditionNegated = TRUE\n  "
         "    C3:  GroupNumber = 1, ConditionNegated = FALSE\n "
         "    C4:  GroupNumber = 2, ConditionNegated = FALSE\n "
        
         "    C5:  GroupNumber = 2, ConditionNegated = FALSE\n\n "
         "  "
         "If ConditionListType = DNF, then the overall condition for "
         "the PolicyRule is:\n"
         "        (C1 AND (NOT C2) AND C3) OR (C4 AND C5)\n\n"
         "  "
         "On the other hand, if ConditionListType = CNF, then the "
         "overall condition for the PolicyRule is:\n"
         "        (C1 OR (NOT C2) OR C3) AND (C4 OR C5)\n\n"
         "  "
         "In both cases, there is an unambiguous specification of "
         "the overall condition that is tested to determine whether "
         "to perform the PolicyActions associated with the PolicyRule.")
   ]
class CIM_PolicyRule : CIM_Policy
{
        [Propagated("CIM_System.CreationClassName"),
         Key, MaxLen (256),
         Description ("The scoping System's CreationClassName.")
        ]
    string SystemCreationClassName;
        [Propagated("CIM_System.Name"),
         Key, MaxLen (256),
         Description ("The scoping System's Name.")
        ]
    string SystemName;
        [Key, MaxLen (256), Description (
           "CreationClassName indicates the name of the class or the "
           "subclass used in the creation of an instance.  When used "
           "with the other key properties of this class, this property "
           "allows all instances of this class and its subclasses to "
           "be uniquely identified.") ]
    string CreationClassName;
        [Key, MaxLen (256), Description (
           "A user-friendly name of this PolicyRule.")
        ]
    string PolicyRuleName;
        [Description (
           "Indicates whether this PolicyRule is administratively "
           "enabled, administratively disabled, or enabled for "
           "debug.  When the property has the value 3 (\"enabledFor"
           "Debug\"), the entity evaluating the PolicyConditions is "
           "instructed to evaluate the conditions for the Rule, but not "
           "to perform the actions if the PolicyConditions evaluate to "
           "TRUE.  This serves as a debug vehicle when attempting to "
           "determine what policies would execute in a particular "
           "scenario, without taking any actions to change state "
           "during the debugging.  The default value is 1 (\"enabled\")."),
         ValueMap { "1", "2", "3" },
         Values { "enabled", "disabled", "enabledForDebug" }
        ]
    uint16 Enabled;
        [Description (
           "Indicates whether the list of PolicyConditions "
           "associated with this PolicyRule is in disjunctive "
           "normal form (DNF) or conjunctive normal form (CNF). "
           "The default value is 1 (\"DNF\")."),
         ValueMap { "1", "2" },
         Values { "DNF", "CNF" }
        ]
    uint16 ConditionListType;
        [Description (
           "A free-form string that can be used to provide "
           "guidelines on how this PolicyRule should be used.")
        ]
    string RuleUsage;
        [Description (
           "A non-negative integer for prioritizing this Policy"
           "Rule relative to other Rules.  A larger value "
           "indicates a higher priority.  The default value is 0.")
        ]
    uint16 Priority;
        [Description (
           "A flag indicating that the evaluation of the Policy"
           "Conditions and execution of PolicyActions (if the "
           "Conditions evaluate to TRUE) is required.  The "
           "evaluation of a PolicyRule MUST be attempted if the "
           "Mandatory property value is TRUE.  If the Mandatory "
           "property is FALSE, then the evaluation of the Rule "
           "is 'best effort' and MAY be ignored.")
        ]
    boolean Mandatory;
        [Description (
           "This property gives a policy administrator a way "
           "of specifying how the ordering of the PolicyActions "
           "associated with this PolicyRule is to be interpreted. "
           "Three values are supported:\n"
           "  o mandatory(1): Do the actions in the indicated "
           "    order, or don't do them at all.\n"
           "  o recommended(2): Do the actions in the indicated "
           "    order if you can, but if you can't do them in this "
           "    order, do them in another order if you can.\n"
           "  o dontCare(3): Do them -- I don't care about the "
           "    order.\n"
           "The default value is 3 (\"dontCare\")."),
         ValueMap { "1", "2", "3" },
         Values { "mandatory", "recommended", "dontCare" }
        ]
    uint16 SequencedActions;
        [Description (
         "This property represents the roles and role combinations "
         "associated with a PolicyRule.  Each value represents one "
         "role or role combination.  Since this is a multi-valued "
         "property, more than one role or combination can be associated "
         "with a single policy rule.  Each value is a string of the "
         "form:\n"
         "  <RoleName>[&&<RoleName>]*\n"
         "where the individual role names appear in alphabetical order "
         "(according to the collating sequence for UCS-2).")
        ]
    string PolicyRoles [];
};
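
Added example (not part of the RFC's MOF): a Python sketch of how an evaluating entity could combine ConditionListType, GroupNumber and ConditionNegated as the CIM_PolicyRule description specifies, and how the Enabled value 3 ("enabledForDebug") suppresses actions. The ConditionRef type, the function names, the sample truth values, and the choices to reject an empty condition list and to skip evaluation of a disabled rule are assumptions of this example.

```python
from collections import defaultdict
from typing import List, NamedTuple, Optional, Tuple

# Numeric values from the ValueMap qualifiers in the MOF above.
DNF, CNF = 1, 2
ENABLED, DISABLED, ENABLED_FOR_DEBUG = 1, 2, 3


class ConditionRef(NamedTuple):
    """One PolicyConditionInPolicyRule association (hypothetical type)."""
    name: str
    group_number: int
    condition_negated: bool


# The five associations from the CIM_PolicyRule description.
RFC_EXAMPLE = [
    ConditionRef("C1", 1, False),
    ConditionRef("C2", 1, True),
    ConditionRef("C3", 1, False),
    ConditionRef("C4", 2, False),
    ConditionRef("C5", 2, False),
]
# Constructed sample results of evaluating each individual condition.
SAMPLE_TRUTH = {"C1": True, "C2": False, "C3": False, "C4": True, "C5": False}


def _groups(list_type: int, refs: List[ConditionRef]) -> List[List[ConditionRef]]:
    """Validate the inputs and partition the references by GroupNumber."""
    if list_type not in (DNF, CNF):
        raise ValueError(f"unknown ConditionListType {list_type!r}")
    if not refs:
        # Assumption: any([]) is False but all([]) is True, so an empty list
        # would flip meaning between DNF and CNF. Refuse it instead.
        raise ValueError("rule aggregates no PolicyConditions")
    grouped = defaultdict(list)
    for ref in refs:
        grouped[ref.group_number].append(ref)
    return [grouped[number] for number in sorted(grouped)]


def render(list_type, refs) -> str:
    """Return the overall condition in the notation the description uses."""
    inner, outer = (" AND ", " OR ") if list_type == DNF else (" OR ", " AND ")
    parts = []
    for group in _groups(list_type, refs):
        terms = [f"(NOT {r.name})" if r.condition_negated else r.name for r in group]
        parts.append("(" + inner.join(terms) + ")")
    return outer.join(parts)


def evaluate(list_type, refs, truth) -> bool:
    """Evaluate the rule condition from per-condition results in `truth`."""
    group_results = []
    for group in _groups(list_type, refs):
        # Every literal is looked up before combining, so a condition with no
        # result raises KeyError even where short-circuiting would hide it.
        literals = [truth[r.name] != r.condition_negated for r in group]
        group_results.append(all(literals) if list_type == DNF else any(literals))
    return any(group_results) if list_type == DNF else all(group_results)


def decide(enabled, list_type, refs, truth) -> Tuple[Optional[bool], bool]:
    """Return (condition result, whether the PolicyActions may be performed)."""
    if enabled == DISABLED:
        return None, False  # assumption: a disabled rule is not evaluated
    if enabled not in (ENABLED, ENABLED_FOR_DEBUG):
        raise ValueError(f"unknown Enabled value {enabled!r}")
    matched = evaluate(list_type, refs, truth)
    # enabledForDebug: evaluate the conditions but never perform the actions.
    return matched, matched and enabled == ENABLED


if __name__ == "__main__":
    for list_type, label in ((DNF, "DNF"), (CNF, "CNF")):
        print(label, render(list_type, RFC_EXAMPLE),
              "->", evaluate(list_type, RFC_EXAMPLE, SAMPLE_TRUTH))
```

With the constructed results, the same five associations evaluate to FALSE under DNF and TRUE under CNF, so a wrong ConditionListType changes whether the rule's actions are performed.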
        
// ==================================================================
//    PolicyRuleInPolicyGroup
// ==================================================================
   [Association, Aggregation, Description (
         "A relationship that aggregates one or more PolicyRules "
         "into a PolicyGroup.  A PolicyGroup may aggregate either "
         "PolicyRules or other PolicyGroups, but not both.")
   ]
class CIM_PolicyRuleInPolicyGroup : CIM_PolicyComponent
{
        [Override ("GroupComponent"), Aggregate, Description (
         "A PolicyGroup that aggregates one or more PolicyRules.")
        ]
    CIM_PolicyGroup REF GroupComponent;
        [Override ("PartComponent"), Description (
         "A PolicyRule aggregated by a PolicyGroup.")
        ]
    CIM_PolicyRule REF PartComponent;
};
        
// ==================================================================
//    PolicyRuleInSystem
// ==================================================================
   [Association, Description (
         "An association that links a PolicyRule to the System "
         "in whose scope the Rule is defined.")
   ]
class CIM_PolicyRuleInSystem : CIM_PolicyInSystem
{
        [Override ("Antecedent"), Min(1), Max(1), Description (
         "The System in whose scope a PolicyRule is defined.")
        ]
    CIM_System REF Antecedent;
        [Override ("Dependent"), Weak, Description (
         "A PolicyRule named within the scope of a System.")
        ]
    CIM_PolicyRule REF Dependent;
};
        
// ==================================================================
// PolicyRepository
// ==================================================================
   [Description (
         "A class representing an administratively defined "
         "container for reusable policy-related information. "
         "This class does not introduce any additional "
         "properties beyond those in its superclass "
         "AdminDomain.  It does, however, participate in a "
         "number of unique associations."
         "\n\n"
         "An instance of this class uses the NameFormat value "
         "\"PolicyRepository\", which is defined in the AdminDomain "
         "class.")
   ]
class CIM_PolicyRepository : CIM_AdminDomain
{
};
        
// ==================================================================
//    PolicyRepositoryInPolicyRepository
// ==================================================================
   [Association, Aggregation, Description (
         "A relationship that aggregates one or more lower-level "
         "PolicyRepositories into a higher-level Repository.")
   ]
class CIM_PolicyRepositoryInPolicyRepository : CIM_SystemComponent
{
        [Override ("GroupComponent"), Aggregate, Description (
         "A PolicyRepository that aggregates other Repositories.")
        ]
    CIM_PolicyRepository REF GroupComponent;
        [Override ("PartComponent"), Description (
         "A PolicyRepository aggregated by another Repository.")
        ]
    CIM_PolicyRepository REF PartComponent;
};
        
// ==================================================================
// PolicyCondition
// ==================================================================
   [Abstract, Description (
         "A class representing a rule-specific or reusable policy "
         "condition to be evaluated in conjunction with a Policy"
         "Rule.  Since all operational details of a PolicyCondition "
         "are provided in subclasses of this object, this class is "
         "abstract.")
   ]
class CIM_PolicyCondition : CIM_Policy
{
        [Key, MaxLen (256), Description (
          "  The name of the class or the subclass used in the "
          "creation of the System object in whose scope this "
          "PolicyCondition is defined.\n\n"
          "  "
          "This property helps to identify the System object in "
          "whose scope this instance of PolicyCondition exists. "
          "For a rule-specific PolicyCondition, this is the System "
          "in whose context the PolicyRule is defined.  For a "
          "reusable PolicyCondition, this is the instance of "
          "PolicyRepository (which is a subclass of System) that "
          "holds the Condition.\n\n"
          "  "
          "Note that this property, and the analogous property "
          "SystemName, do not represent propagated keys from an "
          "instance of the class System.  Instead, they are "
          "properties defined in the context of this class, which "
          "repeat the values from the instance of System to which "
          "this PolicyCondition is related, either directly via the "
          "PolicyConditionInPolicyRepository aggregation or indirectly "
          "via the PolicyConditionInPolicyRule aggregation.")
        ]
    string SystemCreationClassName;
        [Key, MaxLen (256), Description (
         "  The name of the System object in whose scope this "
         "PolicyCondition is defined.\n\n"
         "  "
         "This property completes the identification of the System "
         "object in whose scope this instance of PolicyCondition "
         "exists.  For a rule-specific PolicyCondition, this is the "
         "System in whose context the PolicyRule is defined.  For a "
         "reusable PolicyCondition, this is the instance of "
         "PolicyRepository (which is a subclass of System) that "
         "holds the Condition.")
        ]
    string SystemName;
        [Key, MaxLen (256), Description (
         "For a rule-specific PolicyCondition, the "
         "CreationClassName of the PolicyRule object with which "
         "this Condition is associated.  For a reusable Policy"
         "Condition, a special value, 'NO RULE', should be used to "
         "indicate that this Condition is reusable and not "
         "associated with a single PolicyRule.")
        ]
    string PolicyRuleCreationClassName;
        [Key, MaxLen (256), Description (
         "For a rule-specific PolicyCondition, the name of "
         "the PolicyRule object with which this Condition is "
         "associated.  For a reusable PolicyCondition, a "
         "special value, 'NO RULE', should be used to indicate "
         "that this Condition is reusable and not associated "
         "with a single PolicyRule.")
        ]
    string PolicyRuleName;
        [Key, MaxLen (256), Description (
           "CreationClassName indicates the name of the class or the "
           "subclass used in the creation of an instance.  When used "
           "with the other key properties of this class, this property "
           "allows all instances of this class and its subclasses to "
           "be uniquely identified.") ]
    string CreationClassName;
        [Key, MaxLen (256), Description (
           "A user-friendly name of this PolicyCondition.")
        ]
    string PolicyConditionName;
};
        
// ==================================================================
//    PolicyConditionInPolicyRule
// ==================================================================
   [Association, Aggregation, Description (
        "  A PolicyRule aggregates zero or more instances of the "
        "PolicyCondition class, via the PolicyConditionInPolicyRule "
        "association.  A Rule that aggregates zero Conditions is not "
        "valid -- it may, however, be in the process of being entered "
        "into a PolicyRepository or being defined for a System.  Note "
        "that a PolicyRule should have no effect until it is valid.\n\n"
        "  "
        "The Conditions aggregated by a PolicyRule are grouped into "
        "two levels of lists: either an ORed set of ANDed sets of "
        "conditions (DNF, the default) or an ANDed set of ORed sets "
        "of conditions (CNF).  Individual PolicyConditions in these "
        "lists may be negated.  The property ConditionListType "
        "specifies which of these two grouping schemes applies to a "
        "particular PolicyRule.\n\n"
        "  "
        "In either case, PolicyConditions are used to determine whether "
        "to perform the PolicyActions associated with the "
        "PolicyRule.\n\n"
        "  "
        "One or more PolicyTimePeriodConditions may be among the "
        "conditions associated with a PolicyRule via the Policy"
        "ConditionInPolicyRule association.  In this case, the time "
        "periods are simply additional Conditions to be evaluated "
        "along with any others that are specified for the Rule. ")
   ]
class CIM_PolicyConditionInPolicyRule : CIM_PolicyComponent
{
        [Override ("GroupComponent"), Aggregate, Description (
         "This property represents the PolicyRule that "
         "contains one or more PolicyConditions.")
        ]
    CIM_PolicyRule REF GroupComponent;
        [Override ("PartComponent"), Description (
         "This property holds the name of a PolicyCondition "
         "contained by one or more PolicyRules.")
        ]
    CIM_PolicyCondition REF PartComponent;
        [Description (
         "Unsigned integer indicating the group to which the "
         "PolicyCondition identified by the ContainedCondition "
         "property belongs.  This integer segments the Conditions "
         "into the ANDed sets (when the ConditionListType is "
         "\"DNF\") or similarly the ORed sets (when the Condition"
         "ListType is \"CNF\") that are then evaluated.")
        ]
    uint16 GroupNumber;
        [Description (
         "Indication of whether the Condition identified by "
         "the ContainedCondition property is negated.  TRUE "
         "indicates that the PolicyCondition IS negated, FALSE "
         "indicates that it IS NOT negated.")
        ]
    boolean ConditionNegated;
};
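
An added example, not part of RFC 3060 or the CIM schema: one way a policy consumer could evaluate the conditions aggregated through CIM_PolicyConditionInPolicyRule, using GroupNumber and ConditionNegated under the "DNF" and "CNF" groupings described above. The ConditionLink type, the evaluate_rule function and the condition names are assumptions made for illustration; a rule that aggregates zero conditions is treated as having no effect, as the association's description states.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ConditionLink:
    """One CIM_PolicyConditionInPolicyRule instance, reduced to what evaluation needs."""
    condition: str           # PartComponent: the PolicyCondition (names below are constructed)
    group_number: int        # GroupNumber (uint16)
    condition_negated: bool  # ConditionNegated: TRUE means the condition IS negated


def evaluate_rule(links, results, condition_list_type="DNF"):
    """Decide whether a rule's conditions are satisfied.

    links   -- iterable of ConditionLink for one PolicyRule
    results -- mapping of condition name to its evaluated boolean value
    condition_list_type -- "DNF" (ORed set of ANDed groups, the default)
                           or "CNF" (ANDed set of ORed groups)
    """
    if condition_list_type not in ("DNF", "CNF"):
        raise ValueError("unknown ConditionListType: %r" % (condition_list_type,))

    links = list(links)
    if not links:
        # A rule that aggregates zero conditions is not valid and must have
        # no effect, so it never selects its actions.
        return False

    groups = defaultdict(list)
    for link in links:
        if not 0 <= link.group_number <= 0xFFFF:
            raise ValueError("GroupNumber out of uint16 range: %r" % (link.group_number,))
        if link.condition not in results:
            # Refuse to guess: an unevaluated condition is an error, not False.
            raise ValueError("no result for condition %r" % (link.condition,))
        value = bool(results[link.condition])
        # Negation flips the evaluated value of this one condition only.
        groups[link.group_number].append(value != link.condition_negated)

    if condition_list_type == "DNF":
        return any(all(group) for group in groups.values())
    return all(any(group) for group in groups.values())


# Constructed sample: group 1 holds two conditions, one of them negated;
# group 2 holds a single condition.
SAMPLE_LINKS = [
    ConditionLink("SourceInAdminSubnet", 1, False),
    ConditionLink("OutsideBusinessHours", 1, True),
    ConditionLink("EmergencyAccessFlag", 2, False),
]

if __name__ == "__main__":
    observed = {
        "SourceInAdminSubnet": True,
        "OutsideBusinessHours": False,
        "EmergencyAccessFlag": False,
    }
    for list_type in ("DNF", "CNF"):
        print(list_type, evaluate_rule(SAMPLE_LINKS, observed, list_type))
```

The same three association instances give different outcomes under the two grouping schemes, which is why a consumer has to read ConditionListType before combining groups.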
        
// ==================================================================
//    PolicyConditionInPolicyRepository
// ==================================================================
   [Association, Description (
         "  A class representing the hosting of reusable "
         "PolicyConditions by a PolicyRepository.  A reusable Policy"
         "Condition is always related to a single PolicyRepository, "
         "via this aggregation.\n\n"
         "  "
         "Note, that an instance of PolicyCondition can be either "
         "reusable or rule-specific.  When the Condition is rule-"
         "specific, it shall not be related to any "
         "PolicyRepository via the PolicyConditionInPolicyRepository "
         "aggregation.")
   ]
class CIM_PolicyConditionInPolicyRepository : CIM_PolicyInSystem
{
        [Override ("Antecedent"), Max(1), Description (
         "This property identifies a PolicyRepository "
         "hosting one or more PolicyConditions.  A reusable "
         "PolicyCondition is always related to exactly one "
         "PolicyRepository via the PolicyConditionInPolicyRepository "
         "aggregation.  The [0..1] cardinality for this property "
         "covers the two types of PolicyConditions:  0 for a "
         "rule-specific PolicyCondition, 1 for a reusable one.")
        ]
    CIM_PolicyRepository REF Antecedent;
        [Override ("Dependent"), Description (
         "This property holds the name of a PolicyCondition "
         "hosted in the PolicyRepository. ")
        ]
    CIM_PolicyCondition REF Dependent;
};
        
// ==================================================================
// PolicyTimePeriodCondition
// ==================================================================
   [Description (
         "  This class provides a means of representing the time "
         "periods during which a PolicyRule is valid, i.e., active. "
         "At all times that fall outside these time periods, the "
         "PolicyRule has no effect.  A Rule is treated as valid "
         "at ALL times, if it does not specify a "
         "PolicyTimePeriodCondition.\n\n"
         "  "
         "In some cases a Policy Consumer may need to perform "
         "certain setup / cleanup actions when a PolicyRule becomes "
         "active / inactive.  For example, sessions that were "
         "established while a Rule was active might need to "
         "be taken down when the Rule becomes inactive.  In other "
         "cases, however, such sessions might be left up.  In this "
         "case, the effect of deactivating the PolicyRule would "
         "just be to prevent the establishment of new sessions. \n\n"
         "  "
         "Setup / cleanup behaviors on validity period "
         "transitions are not currently addressed by the Policy "
         "Model, and must be specified in 'guideline' documents or "
         "via subclasses of CIM_PolicyRule, CIM_PolicyTimePeriod"
         "Condition or other concrete subclasses of CIM_Policy. If "
         "such behaviors need to be under the control of the policy "
         "administrator, then a mechanism to allow this control "
         "must also be specified in the subclasses.\n\n"
         "  "
         "PolicyTimePeriodCondition is defined as a subclass of "
         "PolicyCondition. This is to allow the inclusion of "
         "time-based criteria in the AND/OR condition definitions "
         "for a PolicyRule.\n\n"
         "  "
         "Instances of this class may have up to five properties "
         "identifying time periods at different levels. The values "
         "of all the properties present in an instance are ANDed "
         "together to determine the validity period(s) for the "
         "instance. For example, an instance with an overall "
         "validity range of January 1, 2000 through December 31, "
         "2000; a month mask that selects March and April; a "
         "day-of-the-week mask that selects Fridays; and a time "
         "of day range of 0800 through 1600 would be represented "
         "using the following time periods:\n"
         " Friday, March 5, 2000, from 0800 through 1600;\n "
         " Friday, March 12, 2000, from 0800 through 1600;\n "
         " Friday, March 19, 2000, from 0800 through 1600;\n "
         " Friday, March 26, 2000, from 0800 through 1600;\n "
         " Friday, April 2, 2000, from 0800 through 1600;\n "
         " Friday, April 9, 2000, from 0800 through 1600;\n "
         " Friday, April 16, 2000, from 0800 through 1600;\n "
         " Friday, April 23, 2000, from 0800 through 1600;\n "
         " Friday, April 30, 2000, from 0800 through 1600.\n\n"
         "  "
         "Properties not present in an instance of "
         "PolicyTimePeriodCondition are implicitly treated as having "
         "their value 'always enabled'. Thus, in the example above, "
         "the day-of-the-month mask is not present, and so the "
         "validity period for the instance implicitly includes a "
         "day-of-the-month mask that selects all days of the month. "
         "If this 'missing property' rule is applied to its fullest, we "
         "see that there is a second way to indicate that a Policy"
         "Rule is always enabled: associate with it an instance of "
         "PolicyTimePeriodCondition whose only properties with "
         "specific values are its key properties.")
   ]
class CIM_PolicyTimePeriodCondition : CIM_PolicyCondition
{
        [Description (
         "  This property identifies an overall range of calendar "
         "dates and times over which a PolicyRule is valid.  It is "
         "formatted as a string representing a start date and time, "
         "in which the character 'T' indicates the beginning of the "
         "time portion, followed by the solidus character '/', "
         "followed by a similar string representing an end date and "
         "time.  The first date indicates the beginning of the range, "
         "while the second date indicates the end.  Thus, the second "
         "date and time must be later than the first.  Date/times are "
         "expressed as substrings of the form yyyymmddThhmmss.  For "
         "example: \n"
         "   20000101T080000/20000131T120000 defines \n"
         "   January 1, 2000, 0800 through January 31, 2000, noon\n\n"
         "  "
         "There are also two special cases in which one of the "
         "date/time strings is replaced with a special string defined "
         "in RFC 2445.\n "
         "   o If the first date/time is replaced with the string "
         "     'THISANDPRIOR', then the property indicates that a "
         "     PolicyRule is valid [from now] until the date/time "
         "     that appears after the '/'.\n"
         "   o If the second date/time is replaced with the string "
         "     'THISANDFUTURE', then the property indicates that a "
         "     PolicyRule becomes valid on the date/time that "
         "     appears before the '/', and remains valid from that "
         "     point on. "),
         ModelCorrespondence {
        "CIM_PolicyTimePeriodCondition.MonthOfYearMask",
        "CIM_PolicyTimePeriodCondition.DayOfMonthMask",
        "CIM_PolicyTimePeriodCondition.DayOfWeekMask",
        "CIM_PolicyTimePeriodCondition.TimeOfDayMask",
        "CIM_PolicyTimePeriodCondition.LocalOrUtcTime"}
        ]
    string TimePeriod;
        [Octetstring, Description (
         "  The purpose of this property is to refine the valid time "
         "period that is defined by the TimePeriod property, by "
         "explicitly specifying in which months the PolicyRule is "
         "valid.  These properties work together, with the "
         "TimePeriod used to specify the overall time period in "
         "which the PolicyRule is valid, and the MonthOfYearMask used "
         "to pick out the months during which the Rule is valid.\n\n"
         "  "
         "This property is formatted as an octet string, structured "
         "as follows:\n"
         "   o a 4-octet length field, indicating the length of the "
         "    entire octet string; this field is always set to "
         "    0x00000006 for this property;\n"
         "   o a 2-octet field consisting of 12 bits identifying the "
         "     12 months of the year, beginning with January and "
         "     ending with December, followed by 4 bits that are "
         "     always set to '0'.  For each month, the value '1' "
         "     indicates that the policy is valid for that month, "
         "     and the value '0' indicates that it is not valid.\n\n"
         "  "
         "The value 0x000000060830, for example, indicates that a "
         "PolicyRule is valid only in the months May, November, "
         "and December.\n\n"
         "  "
         "If a value for this property is not provided, then the "
         "PolicyRule is treated as valid for all twelve months, and "
         "only restricted by its TimePeriod property value and the "
         "other Mask properties."),
        ModelCorrespondence {
        "CIM_PolicyTimePeriodCondition.TimePeriod",
        "CIM_PolicyTimePeriodCondition.LocalOrUtcTime"}
        ]
    uint8 MonthOfYearMask[];
        [Octetstring, Description (
         "  The purpose of this property is to refine the valid time "
         "period that is defined by the TimePeriod property, by "
         "explicitly specifying in which days of the month the Policy"
         "Rule is valid.  These properties work together, "
         "with the TimePeriod used to specify the overall time period "
         "in which the PolicyRule is valid, and the DayOfMonthMask used "
         "to pick out the days of the month during which the Rule "
         "is valid.\n\n "
         "  "
         "This property is formatted as an octet string, structured "
         "as follows:\n"
         "   o a 4-octet length field, indicating the length of the "
         "     entire octet string; this field is always set to "
         "     0x0000000C for this property; \n"
         "   o an 8-octet field consisting of 31 bits identifying "
         "     the days of the month counting from the beginning, "
         "     followed by 31 more bits identifying the days of the "
         "     month counting from the end, followed by 2 bits that "
         "     are always set to '0'.  For each day, the value '1' "
         "     indicates that the policy is valid for that day, and "
         "     the value '0' indicates that it is not valid. \n\n"
         "  "
         "The value 0x0000000C8000000100000000, for example, "
         "indicates that a PolicyRule is valid on the first and "
         "last days of the month.\n\n "
         "  "
         "For months with fewer than 31 days, the digits corresponding "
         "to days that the months do not have (counting in both "
         "directions) are ignored.\n\n"
         "  "
         "If a value for this property is not provided, then the "
         "PolicyRule is treated as valid for all days of the month, and "
         "only restricted by its TimePeriod property value and the "
         "other Mask properties."),
        ModelCorrespondence {
        "CIM_PolicyTimePeriodCondition.TimePeriod",
        "CIM_PolicyTimePeriodCondition.LocalOrUtcTime"}
        ]
    uint8 DayOfMonthMask[];
        [Octetstring, Description (
         "  The purpose of this property is to refine the valid time "
         "period that is defined by the TimePeriod property, by "
         "explicitly specifying in which days of the week the Policy"
         "Rule is valid.  These properties work together, "
         "with the TimePeriod used to specify the overall time period "
         "in which the PolicyRule is valid, and the DayOfWeekMask used "
         "to pick out the days of the week during which the Rule "
         "is valid.\n\n "
         "  "
         "This property is formatted as an octet string, structured "
         "as follows:\n "
         "  o a 4-octet length field, indicating the length of the "
         "    entire octet string; this field is always set to "
         "    0x00000005 for this property;\n"
         "  o a 1-octet field consisting of 7 bits identifying the 7 "
         "    days of the week, beginning with Sunday and ending with "
         "    Saturday, followed by 1 bit that is always set to '0'. "
         "    For each day of the week, the value '1' indicates that "
         "    the policy is valid for that day, and the value '0' "
         "    indicates that it is not valid. \n\n"
         "  "
         "The value 0x000000057C, for example, indicates that a "
         "PolicyRule is valid Monday through Friday.\n\n"
         "  "
         "If a value for this property is not provided, then the "
         "PolicyRule is treated as valid for all days of the week, "
         "and only restricted by its TimePeriod property value and "
         "the other Mask properties."),
        ModelCorrespondence {
        "CIM_PolicyTimePeriodCondition.TimePeriod",
        "CIM_PolicyTimePeriodCondition.LocalOrUtcTime"}
        ]
    uint8 DayOfWeekMask[];
        [Description (
         "  The purpose of this property is to refine the valid time "
         "period that is defined by the TimePeriod property, by "
         "explicitly specifying a range of times in a day during which "
         "the PolicyRule is valid.  These properties work "
         "together, with the TimePeriod used to specify the overall "
         "time period in which the PolicyRule is valid, and the "
         "TimeOfDayMask used to pick out the range of time periods "
         "in a given day during which the Rule is valid. \n\n"
         "  "
         "This property is formatted in the style of RFC 2445:  a "
         "time string beginning with the character 'T', followed by "
         "the solidus character '/', followed by a second time string. "
         "The first time indicates the beginning of the range, while "
         "the second time indicates the end.  Times are expressed as "
         "substrings of the form 'Thhmmss'. \n\n"
         "  "
         "The second substring always identifies a later time than "
         "the first substring.  To allow for ranges that span "
         "midnight, however, the value of the second string may be "
         "smaller than the value of the first substring.  Thus, "
         "'T080000/T210000' identifies the range from 0800 until 2100, "
         "while 'T210000/T080000' identifies the range from 2100 until "
         "0800 of the following day. \n\n"
         "  "
         "When a range spans midnight, it by definition includes "
         "parts of two successive days.  When one of these days is "
         "also selected by either the MonthOfYearMask, "
         "DayOfMonthMask, and/or DayOfWeekMask, but the other day is "
         "not, then the policy is active only during the portion of "
         "the range that falls on the selected day.  For example, if "
         "the range extends from 2100 until 0800, and the day of "
         "week mask selects Monday and Tuesday, then the policy is "
         "active during the following three intervals:\n"
         "    From midnight Sunday until 0800 Monday; \n"
         "    From 2100 Monday until 0800 Tuesday; \n"
         "    From 2100 Tuesday until 23:59:59 Tuesday. \n\n"
         "  "
         "If a value for this property is not provided, then the "
         "PolicyRule is treated as valid for all hours of the day, "
         "and only restricted by its TimePeriod property value and "
         "the other Mask properties."),
        ModelCorrespondence {
        "CIM_PolicyTimePeriodCondition.TimePeriod",
        "CIM_PolicyTimePeriodCondition.LocalOrUtcTime"}
        ]
    string TimeOfDayMask;
        [Description (
         "  This property indicates whether the times represented "
         "in the TimePeriod property and in the various Mask "
         "properties represent local times or UTC times.  There is "
         "no provision for mixing of local times and UTC times:  the "
         "value of this property applies to all of the other "
         "time-related properties."),
         ValueMap { "1", "2" },
         Values { "localTime", "utcTime" },
         ModelCorrespondence {
         "CIM_PolicyTimePeriodCondition.TimePeriod",
         "CIM_PolicyTimePeriodCondition.MonthOfYearMask",
         "CIM_PolicyTimePeriodCondition.DayOfMonthMask",
         "CIM_PolicyTimePeriodCondition.DayOfWeekMask",
         "CIM_PolicyTimePeriodCondition.TimeOfDayMask"}
        ]
    uint16 LocalOrUtcTime;
};
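
The following Python is an added example, not part of the RFC's MOF: it decodes the MonthOfYearMask, DayOfMonthMask, DayOfWeekMask and TimeOfDayMask formats described above and evaluates them for one instant, raising on a malformed mask so that a caller can fail closed. The function names, the reading that a day is selected when either DayOfMonthMask bit run selects it, and the inclusive range ends are assumptions of this example; TimePeriod and LocalOrUtcTime are left to the caller, who passes a datetime already in the intended frame.

```python
import calendar
import re
from datetime import datetime, time

# Example values quoted in the property descriptions above.
MONTHS_MAY_NOV_DEC = bytes.fromhex("000000060830")
DAYS_FIRST_AND_LAST = bytes.fromhex("0000000C8000000100000000")
WEEKDAYS_MON_TO_FRI = bytes.fromhex("000000057C")
# Constructed for this example: Monday and Tuesday only (bits 0110 0000).
WEEKDAYS_MON_TUE = bytes.fromhex("0000000560")


class MaskError(ValueError):
    """Malformed mask; callers should treat the condition as not satisfied."""


def _payload(octets, total_len, pad_bits):
    """Check the 4-octet length prefix and zero padding; return payload bits."""
    if len(octets) != total_len:
        raise MaskError(f"expected {total_len} octets, got {len(octets)}")
    if int.from_bytes(octets[:4], "big") != total_len:
        raise MaskError("length field does not match the octet string")
    bits = int.from_bytes(octets[4:], "big")
    if bits & ((1 << pad_bits) - 1):
        raise MaskError("trailing padding bits must be '0'")
    return bits


def months(octets):
    """MonthOfYearMask: 12 bits, January first, then 4 zero bits."""
    bits = _payload(octets, 6, 4)
    return {m for m in range(1, 13) if (bits >> (16 - m)) & 1}


def weekdays(octets):
    """DayOfWeekMask: 7 bits, Sunday first, then 1 zero bit (0 = Sunday)."""
    bits = _payload(octets, 5, 1)
    return {d for d in range(7) if (bits >> (7 - d)) & 1}


def day_of_month_selected(octets, day, days_in_month):
    """DayOfMonthMask: 31 bits from the start, 31 from the end, 2 zero bits.

    Bits for days the month does not have are never consulted, which is
    how they end up ignored.
    """
    bits = _payload(octets, 12, 2)
    from_start = (bits >> (64 - day)) & 1
    from_end = (bits >> (33 - (days_in_month - day + 1))) & 1
    return bool(from_start or from_end)


_TOD = re.compile(r"T(\d{2})(\d{2})(\d{2})/T(\d{2})(\d{2})(\d{2})")


def time_range(mask):
    """Parse 'Thhmmss/Thhmmss' into (start, end) time objects."""
    m = _TOD.fullmatch(mask)
    if not m:
        raise MaskError(f"not of the form Thhmmss/Thhmmss: {mask!r}")
    h1, m1, s1, h2, m2, s2 = map(int, m.groups())
    try:
        return time(h1, m1, s1), time(h2, m2, s2)
    except ValueError as exc:
        raise MaskError(str(exc)) from None


def in_time_range(mask, t):
    """True if t lies in the range; an end before the start spans midnight."""
    start, end = time_range(mask)
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def is_active(when, month_mask=None, dom_mask=None, dow_mask=None,
              tod_mask=None):
    """Evaluate the masks for one instant; an absent mask does not restrict.

    Each mask is tested against the calendar day that contains `when`, so a
    midnight-spanning range is active only on the selected day's portion.
    """
    if month_mask is not None and when.month not in months(month_mask):
        return False
    if dom_mask is not None:
        n = calendar.monthrange(when.year, when.month)[1]
        if not day_of_month_selected(dom_mask, when.day, n):
            return False
    if dow_mask is not None:
        sunday_first = (when.weekday() + 1) % 7  # Python counts Monday as 0
        if sunday_first not in weekdays(dow_mask):
            return False
    if tod_mask is not None and not in_time_range(tod_mask, when.time()):
        return False
    return True
```

With WEEKDAYS_MON_TUE and 'T210000/T080000', is_active reproduces the three intervals listed in the TimeOfDayMask description: Monday 07:00 and Tuesday 23:30 are active, while Sunday 22:00 and Wednesday 07:00 are not.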
        
// ==================================================================
//    PolicyRuleValidityPeriod
// ==================================================================
   [Association, Aggregation, Description (
         "The PolicyRuleValidityPeriod aggregation represents "
         "scheduled activation and deactivation of a PolicyRule. "
         "If a PolicyRule is associated with multiple policy time "
         "periods via this association, then the Rule is active if "
         "at least one of the time periods indicates that it is "
         "active.  (In other words, the PolicyTimePeriodConditions "
         "are ORed to determine whether the Rule is active.)  A Time"
         "Period may be aggregated by multiple PolicyRules.  A Rule "
         "that does not point to a PolicyTimePeriodCondition via this "
         "association is, from the point of view of scheduling, "
         "always active.  It may, however, be inactive for other "
         "reasons.  For example, the Rule's Enabled property may "
         "be set to \"disabled\" (value=2).")
   ]
class CIM_PolicyRuleValidityPeriod : CIM_PolicyComponent
{
        [Override ("GroupComponent"), Aggregate, Description (
         "This property contains the name of a PolicyRule that "
         "contains one or more PolicyTimePeriodConditions.")
        ]
    CIM_PolicyRule REF GroupComponent;
        [Override ("PartComponent"), Description (
         "This property contains the name of a "
         "PolicyTimePeriodCondition defining the valid time periods "
         "for one or more PolicyRules.")
        ]
    CIM_PolicyTimePeriodCondition REF PartComponent;
};
        
// ==================================================================
// VendorPolicyCondition
// ==================================================================
   [Description (
         "  A class that provides a general extension mechanism for "
         "representing PolicyConditions that have not been modeled "
         "with specific properties.  Instead, the two properties "
         "Constraint and ConstraintEncoding are used to define the "
         "content and format of the Condition, as explained below.\n\n"
         "  "
         "As its name suggests, VendorPolicyCondition is intended for "
         "vendor-specific extensions to the Policy Core Information "
         "Model.  Standardized extensions are not expected to use "
         "this class.")
   ]
class CIM_VendorPolicyCondition : CIM_PolicyCondition
{
        [Octetstring, Description (
         "This property provides a general extension mechanism for "
         "representing PolicyConditions that have not been "
         "modeled with specific properties.  The format of the "
         "octet strings in the array is left unspecified in "
         "this definition.  It is determined by the OID value "
         "stored in the property ConstraintEncoding.  Since "
         "ConstraintEncoding is single-valued, all the values of "
         "Constraint share the same format and semantics."),
         ModelCorrespondence {
            "CIM_VendorPolicyCondition.ConstraintEncoding"}
        ]
    string Constraint [];
        [Description (
         "An OID encoded as a string, identifying the format "
         "and semantics for this instance's Constraint property."),
         ModelCorrespondence {
            "CIM_VendorPolicyCondition.Constraint"}
        ]
    string ConstraintEncoding;
};
        
// ==================================================================
// PolicyAction
// ==================================================================
   [Abstract, Description (
         "A class representing a rule-specific or reusable policy "
         "action to be performed if the PolicyConditions for a Policy"
         "Rule evaluate to TRUE.  Since all operational details of a "
         "PolicyAction are provided in subclasses of this object, "
         "this class is abstract.")
   ]
class CIM_PolicyAction : CIM_Policy
{
        [Key, MaxLen (256), Description (
         "  The name of the class or the subclass used in the "
         "creation of the System object in whose scope this "
         "PolicyAction is defined. \n\n"
         "  "
         "This property helps to identify the System object in "
         "whose scope this instance of PolicyAction exists. "
         "For a rule-specific PolicyAction, this is the System "
         "in whose context the PolicyRule is defined.  For a "
         "reusable PolicyAction, this is the instance of "
         "PolicyRepository (which is a subclass of System) that "
         "holds the Action. \n\n"
         "  "
         "Note that this property, and the analogous property "
         "SystemName, do not represent propagated keys from an "
         "instance of the class System.  Instead, they are "
         "properties defined in the context of this class, which "
         "repeat the values from the instance of System to which "
         "this PolicyAction is related, either directly via the "
         "PolicyActionInPolicyRepository aggregation or indirectly "
         "via the PolicyActionInPolicyRule aggregation.")
        ]
    string SystemCreationClassName;
        [Key, MaxLen (256), Description (
         "  The name of the System object in whose scope this "
         "PolicyAction is defined. \n\n"
         "  "
         "This property completes the identification of the System "
         "object in whose scope this instance of PolicyAction "
         "exists.  For a rule-specific PolicyAction, this is the "
         "System in whose context the PolicyRule is defined.  For "
         "a reusable PolicyAction, this is the instance of "
         "PolicyRepository (which is a subclass of System) that "
         "holds the Action.")
        ]
    string SystemName;
        [Key, MaxLen (256), Description (
         "For a rule-specific PolicyAction, the CreationClassName "
         "of the PolicyRule object with which this Action is "
         "associated.  For a reusable PolicyAction, a "
         "special value, 'NO RULE', should be used to "
         "indicate that this Action is reusable and not "
         "associated with a single PolicyRule.")
        ]
    string PolicyRuleCreationClassName;
        [Key, MaxLen (256), Description (
         "For a rule-specific PolicyAction, the name of "
         "the PolicyRule object with which this Action is "
         "associated.  For a reusable PolicyAction, a "
         "special value, 'NO RULE', should be used to "
         "indicate that this Action is reusable and not "
         "associated with a single PolicyRule.")
        ]
    string PolicyRuleName;
        [Key, MaxLen (256), Description (
           "CreationClassName indicates the name of the class or the "
           "subclass used in the creation of an instance.  When used "
           "with the other key properties of this class, this property "
           "allows all instances of this class and its subclasses to "
           "be uniquely identified.") ]
    string CreationClassName;
        [Key, MaxLen (256), Description (
         "A user-friendly name of this PolicyAction.")
        ]
    string PolicyActionName;
};
        
// ==================================================================
//    PolicyActionInPolicyRepository
// ==================================================================
   [Association, Description (
         "  A class representing the hosting of reusable "
         "PolicyActions by a PolicyRepository.  A reusable Policy"
         "Action is always related to a single PolicyRepository, "
         "via this aggregation.\n\n"
         "  "
         "Note that an instance of PolicyAction can be either "
         "reusable or rule-specific.  When the Action is rule-"
         "specific, it shall not be related to any "
         "PolicyRepository via the PolicyActionInPolicyRepository "
         "aggregation.")
   ]
class CIM_PolicyActionInPolicyRepository : CIM_PolicyInSystem
{
        [Override ("Antecedent"), Max(1), Description (
         "This property represents a PolicyRepository "
         "hosting one or more PolicyActions.  A reusable "
         "PolicyAction is always related to exactly one "
         "PolicyRepository via the PolicyActionInPolicyRepository "
         "aggregation.  The [0..1] cardinality for this property "
         "covers the two types of PolicyActions:  0 for a "
         "rule-specific PolicyAction, 1 for a reusable one.")
        ]
    CIM_PolicyRepository REF Antecedent;
        [Override ("Dependent"), Description (
         "This property holds the name of a PolicyAction "
         "hosted in the PolicyRepository. ")
        ]
    CIM_PolicyAction REF Dependent;
};
        
// ==================================================================
//    PolicyActionInPolicyRule
// ==================================================================
   [Association, Aggregation, Description (
        "  A PolicyRule aggregates zero or more instances of the "
        "PolicyAction class, via the PolicyActionInPolicyRule "
        "association.  A Rule that aggregates zero Actions is not "
        "valid -- it may, however, be in the process of being entered "
        "into a PolicyRepository or being defined for a System. "
        "Alternately, the actions of the policy may be explicit in "
        "the definition of the PolicyRule.  Note that a PolicyRule "
        "should have no effect until it is valid.\n\n"
        "  "
        "The Actions associated with a PolicyRule may be given a "
        "required order, a recommended order, or no order at all.  For "
        "Actions represented as separate objects, the PolicyActionIn"
        "PolicyRule aggregation can be used to express an order. \n\n"
        "  "
        "This aggregation does not indicate whether a specified "
        "action order is required, recommended, or of no significance; "
        "the property SequencedActions in the aggregating instance of "
        "PolicyRule provides this indication.")
   ]
class CIM_PolicyActionInPolicyRule : CIM_PolicyComponent
{
        [Override ("GroupComponent"), Aggregate, Description (
         "This property represents the PolicyRule that "
         "contains one or more PolicyActions.")
        ]
    CIM_PolicyRule REF GroupComponent;
        [Override ("PartComponent"), Description (
         "This property holds the name of a PolicyAction "
         "contained by one or more PolicyRules.")
        ]
    CIM_PolicyAction REF PartComponent;
        [Description (
         "  This property provides an unsigned integer 'n' that "
         "indicates the relative position of a PolicyAction in the "
         "sequence of actions associated with a PolicyRule. "
         "When 'n' is a positive integer, it indicates a place "
         "in the sequence of actions to be performed, with "
         "smaller integers indicating earlier positions in the "
         "sequence.  The special value '0' indicates 'don't care'. "
         "If two or more PolicyActions have the same non-zero "
         "sequence number, they may be performed in any order, but "
         "they must all be performed at the appropriate place in the "
         "overall action sequence. \n\n"
         "  "
         "A series of examples will make ordering of PolicyActions "
         "clearer: \n"
         "   o If all actions have the same sequence number, "
         "     regardless of whether it is '0' or non-zero, any "
         "     order is acceptable.\n "
         "   o The values: \n"
         "         1:ACTION A \n"
         "         2:ACTION B \n"
         "         1:ACTION C \n"
         "         3:ACTION D \n"
         "     indicate two acceptable orders: A,C,B,D or C,A,B,D, "
         "     since A and C can be performed in either order, but "
         "     only at the '1' position. \n"
         "   o The values: \n"
         "         0:ACTION A \n"
         "         2:ACTION B \n"
         "         3:ACTION C \n"
         "         3:ACTION D \n"
         "     require that B,C, and D occur either as B,C,D or as "
         "     B,D,C.  Action A may appear at any point relative to "
         "     B, C, and D.  Thus the complete set of acceptable "
         "     orders is:  A,B,C,D; B,A,C,D; B,C,A,D; B,C,D,A; "
         "     A,B,D,C; B,A,D,C; B,D,A,C; B,D,C,A. \n\n"
         "  "
         "Note that the non-zero sequence numbers need not start "
         "with '1', and they need not be consecutive.  All that "
         "matters is their relative magnitude.")
        ]
    uint16 ActionOrder;
};
        
// ==================================================================
// VendorPolicyAction
// ==================================================================
   [Description (
         "  A class that provides a general extension mechanism for "
         "representing PolicyActions that have not been modeled "
         "with specific properties.  Instead, the two properties "
         "ActionData and ActionEncoding are used to define the "
         "content and format of the Action, as explained below.\n\n"
         "  "
         "As its name suggests, VendorPolicyAction is intended for "
         "vendor-specific extensions to the Policy Core Information "
         "Model.  Standardized extensions are not expected to use "
         "this class.")  ]
class CIM_VendorPolicyAction : CIM_PolicyAction
{
        [Octetstring, Description (
         "This property provides a general extension mechanism for "
         "representing PolicyActions that have not been "
         "modeled with specific properties.  The format of the "
         "octet strings in the array is left unspecified in "
         "this definition.  It is determined by the OID value "
         "stored in the property ActionEncoding.  Since "
         "ActionEncoding is single-valued, all the values of "
         "ActionData share the same format and semantics."),
         ModelCorrespondence {
            "CIM_VendorPolicyAction.ActionEncoding"}
        ]
    string ActionData [];
        [Description (
         "An OID encoded as a string, identifying the format "
         "and semantics for this instance's ActionData property."),
         ModelCorrespondence {
            "CIM_VendorPolicyAction.ActionData"}
        ]
    string ActionEncoding;
};
        
// ===================================================================
// end of file
// ===================================================================
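
The ActionOrder semantics described for CIM_PolicyActionInPolicyRule above can be checked mechanically, for instance to verify that the order in which a policy engine ran a rule's actions is one the model permits. The following Python is an added example, not part of this specification or its MOF; the function names are hypothetical, and it treats the order as required (the SequencedActions property of PolicyRule is not modelled).

```python
from itertools import permutations

def is_acceptable(order, action_order):
    """Return True if `order` (a sequence of action names) honours ActionOrder.

    `action_order` maps action name -> ActionOrder value (uint16).
    0 means 'don't care'; among non-zero values only relative magnitude
    matters, and actions sharing a value may run in any order.
    """
    for n in action_order.values():
        if not 0 <= n <= 0xFFFF:
            raise ValueError("ActionOrder is a uint16")
    # Every aggregated action must be performed exactly once.
    if sorted(order) != sorted(action_order):
        return False
    # Drop the don't-care actions; what remains must be non-decreasing.
    sequenced = [action_order[a] for a in order if action_order[a] != 0]
    return all(x <= y for x, y in zip(sequenced, sequenced[1:]))

def acceptable_orders(action_order):
    """Enumerate every acceptable order (small rules only: factorial cost)."""
    names = sorted(action_order)
    return {",".join(p) for p in permutations(names)
            if is_acceptable(p, action_order)}

def canonical_order(action_order):
    """One deterministic acceptable order.

    Placing the don't-care actions last is a choice made for this example;
    the model allows them at any point.
    """
    sequenced = sorted((n, a) for a, n in action_order.items() if n != 0)
    free = sorted(a for a, n in action_order.items() if n == 0)
    return [a for _, a in sequenced] + free

# The two worked examples from the ActionOrder description.
EXAMPLE_TIES = {"A": 1, "B": 2, "C": 1, "D": 3}
EXAMPLE_DONT_CARE = {"A": 0, "B": 2, "C": 3, "D": 3}

if __name__ == "__main__":
    print(sorted(acceptable_orders(EXAMPLE_TIES)))
    print(sorted(acceptable_orders(EXAMPLE_DONT_CARE)))
    print(canonical_order(EXAMPLE_DONT_CARE))
```
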
        
15. Full Copyright Statement

Copyright (C) The Internet Society (2001). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.
