// =================================================================== // Title: CIM_Policy // $State: Exp $ // $Date: 2005/02/17 00:09:56 $ // $RCSfile: CIM_Policy.mof,v $ // $Revision: 1.1 $ // =================================================================== //#pragma inLine ("Includes/copyright.inc") // Copyright 1998-2005 Distributed Management Task Force, Inc. (DMTF). // All rights reserved. // DMTF is a not-for-profit association of industry members dedicated // to promoting enterprise and systems management and interoperability. // DMTF specifications and documents may be reproduced for uses // consistent with this purpose by members and non-members, // provided that correct attribution is given. // As DMTF specifications may be revised from time to time, // the particular version and release date should always be noted. // // Implementation of certain elements of this standard or proposed // standard may be subject to third party patent rights, including // provisional patent rights (herein "patent rights"). DMTF makes // no representations to users of the standard as to the existence // of such rights, and is not responsible to recognize, disclose, or // identify any or all such third party patent right, owners or // claimants, nor for any incomplete or inaccurate identification or // disclosure of such rights, owners or claimants. DMTF shall have no // liability to any party, in any manner or circumstance, under any // legal theory whatsoever, for failure to recognize, disclose, or // identify any such third party patent rights, or for such party's // reliance on the standard or incorporation thereof in its product, // protocols or testing procedures. DMTF shall have no liability to // any party implementing such standard, whether such implementation // is foreseeable or not, nor to any patent owner or claimant, and shall // have no liability or responsibility for costs or losses incurred if // a standard is withdrawn or modified after publication, and shall be // indemnified and held harmless by any party implementing the // standard from any and all claims of infringement by a patent owner // for such implementations. // // For information about patents held by third-parties which have // notified the DMTF that, in their opinion, such patent may relate to // or impact implementations of DMTF standards, visit // http://www.dmtf.org/about/policies/disclosures.php. //#pragma inLine // =================================================================== // Description: The Policy Model provides a framework for specifying // configuration and operational information in a scalable // way using rules composed of conditions and actions. // // The object classes below are listed in an order that // avoids forward references. Required objects, defined // by other working groups, are omitted. // =================================================================== // CIM V2.8 Changes (Company Review) // DMTFCR1104 -Replace the class definition of // AuthenticationCondition // Add the following class defintions: // SharedSecretAuthentication, AccountAuthentication, // BiometricAuthentication, NetworkingIDAuthentication, // PublicPrivateKeyAuthentication, KerberosAuthentication, // DocumentAuthentication, ChallengeQuestionAuthentication // (Deleted in Final), // and PhysicalCredentialAuthentication // DMTFCR1105 - Generalize the SACondition class (from the Networks) // to be PacketFilterCondition and defined here in Policy. // Add FilterOfPacketCondition and AcceptCredentialFrom // class definitions. // Move FilterOfPacketCondition to Network_IPsecPolicy to // avoid a forward reference. // DMTFCR1106 - Add DoActionLogging property to PolicyAction // Add NetworkPacketAction class definition // Add RejectConnectionAction class definition // DMTFCR1128 - Change subclassing of PolicyInSystem from // Dependency to HostedDependency. // // CIM V2.8 Changes // DMTFCR1057 - Explicit declaration of PolicySets that apply to // ManagedElements, via PolicyRoleCollections // DMTFCR1058 - Activate/deactivate PolicySets which match a // particular PolicyRole on a particular ManagedElement // DMTFCR1060 - Add AuthenticationCondition and AuthenticationRule // subclasses of PolicyCondition/PolicyRule // // CIM V2.7 Changes // DMTFCR985 - Promote Deprecations to V2.7 Final // DMTFCR960 - Remove Weak Qualifier from PolicyRoleCollection and // derive from SystemSpecificCollection instead of Collection // DMTFCR930 - Implementation Experience with the Policy 2.7 Model // - Move PolicyRule.Enabled to PolicySet.Enabled // - Move PolicyTimePeriodCondition up to PolicySet and // make clear how to specify global time period with respect // a given time zone // - Deprecate policy role combinations // - Add Unconditional to PolicyRule.ConditionListType // - Deprecate PolicyRule.Mandatory // CIMCR914 - Added propagated keys in PolicyRoleCollection // CIMCR906 - Add text to PolicySetComponent's Description and the // class' Priority property to indicate that the values // of Priority must be unique // With promotion of Component to ManagedElement, // added CIM_Component as superclass of CIM_PolicyComponent // (there is no other change to the semantics or syntax) // CIMCR625 - Add CompoundPolicyCondition as PolicyCondition // subclass // - Add PolicyConditionStructure abstract aggregation as a // subclass of PolicyComponent // - Change derivation of PolicyConditionInPolicyRule from // PolicyComponent to PolicyConditionStructure and move // GroupNumber and ConditionNegated properties up to parent // class // - Add PolicyConditionInPolicyCondition aggregation as a // subclass of PolicyConditionStructure // - Add PolicyRoleCollection as Collection subclass // - Add ElementInPolicyRoleCollection as MemberOfCollection // subclass // - Add PolicyRoleCollectionInSystem as Dependency subclass // // CIM V2.6 Changes // CIMCR614 - Add CompoundPolicyAction // - Add CompoundPolicyAction as a subclass of PolicyAction // - Add PolicyActionStructure abstract aggregation as a // subclass of PolicyComponent // - Change derivation of PolicyActionInPolicyRule from // PolicyComponent to PolicyActionStructure and, thus, // move ActionOrder property up to parent class // - Add PolicyActionInPolicyAction aggregation as a // subclass of PolicyActionStructure // CIMCR597a - PCIMe updates // - Edit Policy description // - Add PolicySet & derive PolicyGroup & PolicyRule // - Deprecate PolicyRule.Priority for // PolicySetComponent.Priority // - Remove PolicyRule.PolicyRoles (it's in PolicySet) // - Add PolicyRule.ExecutionStrategy // - Deprecate PolicyRepository & replace with // ReusablePolicyContainer // - Add PolicySetInSystem // - Add PolicySetComponent & deprecate ...InPolicyGroup // & derive PolicyGroupInSystem & PolicyRuleInSystem // - Add ContainedDomain (to Core) // & deprecate PolicyRepositoryInPolicyRepository // - Add ReusablePolicy & deprecate ...InPolicyRepository // ================================================================== #pragma Locale ("en-US") // ================================================================== // Compile prerequisite: Core, Network and User MOFs // Network MOF is needed for FilterList, and the User MOF for // CredentialManagementService // ================================================================== // ================================================================== // Policy // ================================================================== [Abstract, Version ( "2.6.0" ), Description ( "An abstract class defining the common properties of the policy " "managed elements derived from CIM_Policy. The subclasses are " "used to create rules and groups of rules that work together to " "form a coherent set of policies within an administrative " "domain or set of domains.")] class CIM_Policy : CIM_ManagedElement { [Description ( "A user-friendly name of this policy-related object.")] string CommonName; [Description ( "An array of keywords for characterizing / categorizing " "policy objects. Keywords are of one of two types: \n" "- Keywords defined in this and other MOFs, or in DMTF white " "papers. These keywords provide a vendor- independent, " "installation-independent way of characterizing policy " "objects. \n" "- Installation-dependent keywords for characterizing policy " "objects. Examples include 'Engineering', 'Billing', and " "'Review in December 2000'. \n" "This MOF defines the following keywords: 'UNKNOWN', " "'CONFIGURATION', 'USAGE', 'SECURITY', 'SERVICE', " "'MOTIVATIONAL', 'INSTALLATION', and 'EVENT'. These concepts " "are self-explanatory and are further discussed in the " "SLA/Policy White Paper. One additional keyword is defined: " "'POLICY'. The role of this keyword is to identify " "policy-related instances that may not be otherwise " "identifiable, in some implementations. The keyword 'POLICY' " "is NOT mutually exclusive of the other keywords specified " "above.")] string PolicyKeywords[]; }; // ================================================================== // PolicySet // ================================================================== [Abstract, Version ( "2.8.0" ), Description ( "PolicySet is an abstract class that represents a set of " "policies that form a coherent set. The set of contained " "policies has a common decision strategy and a common set of " "policy roles (defined via the PolicySetInRole Collection " "association). Subclasses include PolicyGroup and PolicyRule.")] class CIM_PolicySet : CIM_Policy { [Description ( "PolicyDecisionStrategy defines the evaluation method used " "for policies contained in the PolicySet. FirstMatching " "enforces the actions of the first rule that evaluates to " "TRUE. It is the only value currently defined."), ValueMap { "1" }, Values { "First Matching" }] uint16 PolicyDecisionStrategy; [Deprecated { "CIM_PolicySetInRoleCollection" }, Description ( "The PolicyRoles property represents the roles associated " "with a PolicySet. All contained PolicySet instances inherit " "the values of the PolicyRoles of the aggregating PolicySet " "but the values are not copied. A contained PolicySet " "instance may, however, add additional PolicyRoles to those " "it inherits from its aggregating PolicySet(s). Each value " "in PolicyRoles multi-valued property represents a role for " "which the PolicySet applies, i.e., the PolicySet should be " "used by any enforcement point that assumes any of the " "listed PolicyRoles values. \n" "\n" "Although not officially designated as 'role combinations', " "multiple roles may be specified using the form: \n" "[&&]* \n" "where the individual role names appear in alphabetical " "order (according to the collating sequence for UCS-2). " "Implementations may treat PolicyRoles values that are " "specified as 'role combinations' as simple strings. \n" "\n" "This property is deprecated in lieu of the use of an " "association, CIM_PolicySetInRoleCollection. The latter is a " "more explicit and less error-prone approach to modeling " "that a PolicySet has one or more PolicyRoles.")] string PolicyRoles[]; [Description ( "Indicates whether this PolicySet is administratively " "enabled, administratively disabled, or enabled for debug. " "The \"EnabledForDebug\" property value is deprecated and, " "when it or any value not understood by the receiver is " "specified, the receiving enforcement point treats the " "PolicySet as \"Disabled\". To determine if a PolicySet is " "\"Enabled\", the containment hierarchy specified by the " "PolicySetComponent aggregation is examined and the Enabled " "property values of the hierarchy are ANDed together. Thus, " "for example, everything aggregated by a PolicyGroup may be " "disabled by setting the Enabled property in the PolicyGroup " "instance to \"Disabled\" without changing the Enabled " "property values of any of the aggregated instances. The " "default value is 1 (\"Enabled\")."), ValueMap { "1", "2", "3" }, Values { "Enabled", "Disabled", "Enabled For Debug" }] uint16 Enabled = 1; }; // ================================================================== // PolicyGroup // ================================================================== [Version ( "2.6.0" ), Description ( "An aggregation of PolicySet instances (PolicyGroups and/or " "PolicyRules) that have the same decision strategy and inherit " "policy roles. PolicyGroup instances are defined and named " "relative to the CIM_System that provides their context.")] class CIM_PolicyGroup : CIM_PolicySet { [Key, Propagated ( "CIM_System.CreationClassName" ), Description ( "The scoping System's CreationClassName."), MaxLen ( 256 )] string SystemCreationClassName; [Key, Propagated ( "CIM_System.Name" ), Description ( "The scoping System's Name."), MaxLen ( 256 )] string SystemName; [Key, Description ( "CreationClassName indicates the name of the class or the " "subclass used in the creation of an instance. When used " "with the other key properties of this class, this property " "allows all instances of this class and its subclasses to be " "uniquely identified."), MaxLen ( 256 )] string CreationClassName; [Key, Description ( "A user-friendly name of this PolicyGroup."), MaxLen ( 256 )] string PolicyGroupName; }; // ================================================================== // PolicyRule // ================================================================== [Version ( "2.7.0" ), Description ( "The central class used for representing the 'If Condition then " "Action' semantics of a policy rule. A PolicyRule condition, in " "the most general sense, is represented as either an ORed set " "of ANDed conditions (Disjunctive Normal Form, or DNF) or an " "ANDed set of ORed conditions (Conjunctive Normal Form, or " "CNF). Individual conditions may either be negated (NOT C) or " "unnegated (C). The actions specified by a PolicyRule are to be " "performed if and only if the PolicyRule condition (whether it " "is represented in DNF or CNF) evaluates to TRUE. \n" "\n" "The conditions and actions associated with a PolicyRule are " "modeled, respectively, with subclasses of PolicyCondition and " "PolicyAction. These condition and action objects are tied to " "instances of PolicyRule by the PolicyConditionInPolicyRule and " "PolicyActionInPolicyRule aggregations. \n" "\n" "A PolicyRule may also be associated with one or more policy " "time periods, indicating the schedule according to which the " "policy rule is active and inactive. In this case it is the " "PolicySetValidityPeriod aggregation that provides this " "linkage. \n" "\n" "The PolicyRule class uses the property ConditionListType, to " "indicate whether the conditions for the rule are in DNF " "(disjunctive normal form), CNF (conjunctive normal form) or, " "in the case of a rule with no conditions, as an " "UnconditionalRule. The PolicyConditionInPolicyRule aggregation " "contains two additional properties to complete the " "representation of the Rule's conditional expression. The first " "of these properties is an integer to partition the referenced " "PolicyConditions into one or more groups, and the second is a " "Boolean to indicate whether a referenced Condition is negated. " "An example shows how ConditionListType and these two " "additional properties provide a unique representation of a set " "of PolicyConditions in either DNF or CNF. \n" "\n" "Suppose we have a PolicyRule that aggregates five " "PolicyConditions C1 through C5, with the following values in " "the properties of the five PolicyConditionInPolicyRule " "associations: \n" "C1: GroupNumber = 1, ConditionNegated = FALSE \n" "C2: GroupNumber = 1, ConditionNegated = TRUE \n" "C3: GroupNumber = 1, ConditionNegated = FALSE \n" "C4: GroupNumber = 2, ConditionNegated = FALSE \n" "C5: GroupNumber = 2, ConditionNegated = FALSE \n" "\n" "If ConditionListType = DNF, then the overall condition for the " "PolicyRule is: \n" "(C1 AND (NOT C2) AND C3) OR (C4 AND C5) \n" "\n" "On the other hand, if ConditionListType = CNF, then the " "overall condition for the PolicyRule is: \n" "(C1 OR (NOT C2) OR C3) AND (C4 OR C5) \n" "\n" "In both cases, there is an unambiguous specification of the " "overall condition that is tested to determine whether to " "perform the PolicyActions associated with the PolicyRule. \n" "\n" "PolicyRule instances may also be used to aggregate other " "PolicyRules and/or PolicyGroups. When used in this way to " "implement nested rules, the conditions of the aggregating rule " "apply to the subordinate rules as well. However, any side " "effects of condition evaluation or the execution of actions " "MUST NOT affect the result of the evaluation of other " "conditions evaluated by the rule engine in the same evaluation " "pass. That is, an implementation of a rule engine MAY evaluate " "all conditions in any order before applying the priority and " "determining which actions are to be executed.")] class CIM_PolicyRule : CIM_PolicySet { [Key, Propagated ( "CIM_System.CreationClassName" ), Description ( "The scoping System's CreationClassName."), MaxLen ( 256 )] string SystemCreationClassName; [Key, Propagated ( "CIM_System.Name" ), Description ( "The scoping System's Name."), MaxLen ( 256 )] string SystemName; [Key, Description ( "CreationClassName indicates the name of the class or the " "subclass used in the creation of an instance. When used " "with the other key properties of this class, this property " "allows all instances of this class and its subclasses to be " "uniquely identified."), MaxLen ( 256 )] string CreationClassName; [Key, Description ( "A user-friendly name of this PolicyRule."), MaxLen ( 256 )] string PolicyRuleName; [Description ( "Indicates whether the list of PolicyConditions associated " "with this PolicyRule is in disjunctive normal form (DNF), " "conjunctive normal form (CNF), or has no conditions (i.e., " "is an UnconditionalRule) and is automatically evaluated to " "\"True.\" The default value is 1 (\"DNF\")."), ValueMap { "0", "1", "2" }, Values { "Unconditional Rule", "DNF", "CNF" }] uint16 ConditionListType = 1; [Description ( "A free-form string that can be used to provide guidelines " "on how this PolicyRule should be used.")] string RuleUsage; [Deprecated { "CIM_PolicySetComponent.Priority" }, Description ( "PolicyRule.Priority is deprecated and replaced by providing " "the priority for a rule (and a group) in the context of the " "aggregating PolicySet instead of the priority being used " "for all aggregating PolicySet instances. Thus, the " "assignment of priority values is much simpler. \n" "\n" "A non-negative integer for prioritizing this Policy Rule " "relative to other Rules. A larger value indicates a higher " "priority. The default value is 0.")] uint16 Priority=0; [Deprecated { "No Value" }, Description ( "A flag indicating that the evaluation of the Policy " "Conditions and execution of PolicyActions (if the " "Conditions evaluate to TRUE) is required. The evaluation of " "a PolicyRule MUST be attempted if the Mandatory property " "value is TRUE. If the Mandatory property is FALSE, then the " "evaluation of the Rule is 'best effort' and MAY be ignored.")] boolean Mandatory; [Description ( "This property gives a policy administrator a way of " "specifying how the ordering of the PolicyActions associated " "with this PolicyRule is to be interpreted. Three values are " "supported: \n" "o mandatory(1): Do the actions in the indicated order, or " "don't do them at all. \n" "o recommended(2): Do the actions in the indicated order if " "you can, but if you can't do them in this order, do them in " "another order if you can. \n" "o dontCare(3): Do them -- I don't care about the order. \n" "The default value is 3 (\"DontCare\")."), ValueMap { "1", "2", "3" }, Values { "Mandatory", "Recommended", "Dont Care" }] uint16 SequencedActions = 3; [Description ( "ExecutionStrategy defines the strategy to be used in " "executing the sequenced actions aggregated by this " "PolicyRule. There are three execution strategies: \n" "\n" "Do Until Success - execute actions according to predefined " "order, until successful execution of a single action. \n" "Do All - execute ALL actions which are part of the modeled " "set, according to their predefined order. Continue doing " "this, even if one or more of the actions fails. \n" "Do Until Failure - execute actions according to predefined " "order, until the first failure in execution of an action " "instance."), ValueMap { "1", "2", "3" }, Values { "Do Until Success", "Do All", "Do Until Failure" }] uint16 ExecutionStrategy; }; // ================================================================== // AuthenticationRule // ================================================================== [Version ( "2.8.0" ), Description ( "A class representing a company's and/or administrator's " "authentication requirements for a CIM_Identity. The " "PolicyConditions collected by an instance of " "AuthenticationRule describe the various requirements under " "which a CIM_Identity's CurrentlyAuthenticated Boolean is set " "to TRUE. Note that the CIM_Identities which are authenticated " "are tied to the Rule by the association, PolicySet " "AppliesToElement. \n" "\n" "At this time, there are no actions associated with this " "PolicyRule. This is because the actions are implicit. When the " "conditions of the rule are met, then the " "CurrentlyAuthenticated Boolean properties of the associated " "instances of CIM_Identity are set to TRUE.")] class CIM_AuthenticationRule : CIM_PolicyRule { }; // ================================================================== // ReusablePolicyContainer // ================================================================== [Version ( "2.6.0" ), Description ( "A class representing an administratively defined container for " "reusable policy-related information. This class does not " "introduce any additional properties beyond those in its " "superclass AdminDomain. It does, however, participate in a " "unique association for containing policy elements. \n" "\n" "An instance of this class uses the NameFormat value " "\"ReusablePolicyContainer\".")] class CIM_ReusablePolicyContainer : CIM_AdminDomain { }; // ================================================================== // PolicyRepository *** deprecated // ================================================================== [Deprecated { "CIM_ReusablePolicyContainer" }, Version ( "2.7.0" ), Description ( "The term 'PolicyRepository' has been confusing to both " "developers and users of the model. The replacement class name " "describes model element properly and is less likely to be " "confused with a data repository. \n" "\n" "A class representing an administratively defined container for " "reusable policy-related information. This class does not " "introduce any additional properties beyond those in its " "superclass AdminDomain. It does, however, participate in a " "number of unique associations. \n" "\n" "An instance of this class uses the NameFormat value " "\"PolicyRepository\".")] class CIM_PolicyRepository : CIM_AdminDomain { }; // ================================================================== // PolicyCondition // ================================================================== [Abstract, Version ( "2.6.0" ), Description ( "A class representing a rule-specific or reusable policy " "condition to be evaluated in conjunction with a Policy Rule. " "Since all operational details of a PolicyCondition are " "provided in subclasses of this object, this class is abstract.")] class CIM_PolicyCondition : CIM_Policy { [Key, Description ( "The name of the class or the subclass used in the creation " "of the System object in whose scope this PolicyCondition is " "defined. \n" "\n" "This property helps to identify the System object in whose " "scope this instance of PolicyCondition exists. For a " "rule-specific PolicyCondition, this is the System in whose " "context the PolicyRule is defined. For a reusable " "PolicyCondition, this is the instance of PolicyRepository " "(which is a subclass of System) that holds the Condition. \n" "\n" "Note that this property, and the analogous property " "SystemName, do not represent propagated keys from an " "instance of the class System. Instead, they are properties " "defined in the context of this class, which repeat the " "values from the instance of System to which this " "PolicyCondition is related, either directly via the " "PolicyConditionInPolicyRepository association or indirectly " "via the PolicyConditionInPolicyRule aggregation."), MaxLen ( 256 )] string SystemCreationClassName; [Key, Description ( "The name of the System object in whose scope this " "PolicyCondition is defined. \n" "\n" "This property completes the identification of the System " "object in whose scope this instance of PolicyCondition " "exists. For a rule-specific PolicyCondition, this is the " "System in whose context the PolicyRule is defined. For a " "reusable PolicyCondition, this is the instance of " "PolicyRepository (which is a subclass of System) that holds " "the Condition."), MaxLen ( 256 )] string SystemName; [Key, Description ( "For a rule-specific PolicyCondition, the CreationClassName " "of the PolicyRule object with which this Condition is " "associated. For a reusable Policy Condition, a special " "value, 'NO RULE', should be used to indicate that this " "Condition is reusable and not associated with a single " "PolicyRule."), MaxLen ( 256 )] string PolicyRuleCreationClassName; [Key, Description ( "For a rule-specific PolicyCondition, the name of the " "PolicyRule object with which this Condition is associated. " "For a reusable PolicyCondition, a special value, 'NO RULE', " "should be used to indicate that this Condition is reusable " "and not associated with a single PolicyRule."), MaxLen ( 256 )] string PolicyRuleName; [Key, Description ( "CreationClassName indicates the name of the class or the " "subclass used in the creation of an instance. When used " "with the other key properties of this class, this property " "allows all instances of this class and its subclasses to be " "uniquely identified."), MaxLen ( 256 )] string CreationClassName; [Key, Description ( "A user-friendly name of this PolicyCondition."), MaxLen ( 256 )] string PolicyConditionName; }; // ================================================================== // PolicyTimePeriodCondition // ================================================================== [Version ( "2.7.0" ), Description ( "This class provides a means of representing the time periods " "during which a PolicySet is valid, i.e., active. At all times " "that fall outside these time periods, the PolicySet has no " "effect. A PolicySet is treated as valid at ALL times, if it " "does not specify a PolicyTimePeriodCondition. \n" "\n" "In some cases a Policy Consumer may need to perform certain " "setup / cleanup actions when a PolicySet becomes active / " "inactive. For example, sessions that were established while a " "PolicySet was active might need to be taken down when the " "PolicySet becomes inactive. In other cases, however, such " "sessions might be left up. In this case, the effect of " "deactivating the PolicySet would just be to prevent the " "establishment of new sessions. \n" "\n" "Setup / cleanup behaviors on validity period transitions are " "not currently addressed by the Policy Model, and must be " "specified in 'guideline' documents or via subclasses of " "CIM_PolicySet, CIM_PolicyTimePeriod Condition or other " "concrete subclasses of CIM_Policy. If such behaviors need to " "be under the control of the policy administrator, then a " "mechanism to allow this control must also be specified in the " "subclasses. \n" "\n" "PolicyTimePeriodCondition is defined as a subclass of " "PolicyCondition. This is to allow the inclusion of time-based " "criteria in the AND/OR condition definitions for a PolicyRule. " "\n\n" "Instances of this class may have up to five properties " "identifying time periods at different levels. The values of " "all the properties present in an instance are ANDed together " "to determine the validity period(s) for the instance. For " "example, an instance with an overall validity range of January " "1, 2000 through December 31, 2000; a month mask that selects " "March and April; a day-of-the-week mask that selects Fridays; " "and a time of day range of 0800 through 1600 would be " "represented using the following time periods: \n" "Friday, March 5, 2000, from 0800 through 1600; \n" "Friday, March 12, 2000, from 0800 through 1600; \n" "Friday, March 19, 2000, from 0800 through 1600; \n" "Friday, March 26, 2000, from 0800 through 1600; \n" "Friday, April 2, 2000, from 0800 through 1600; \n" "Friday, April 9, 2000, from 0800 through 1600; \n" "Friday, April 16, 2000, from 0800 through 1600; \n" "Friday, April 23, 2000, from 0800 through 1600; \n" "Friday, April 30, 2000, from 0800 through 1600. \n" "\n" "Properties not present in an instance of " "PolicyTimePeriodCondition are implicitly treated as having " "their value 'always enabled'. Thus, in the example above, the " "day-of-the-month mask is not present, and so the validity " "period for the instance implicitly includes a day-of-the-month " "mask that selects all days of the month. If this 'missing " "property' rule is applied to its fullest, we see that there is " "a second way to indicate that a PolicySet is always enabled: " "associate with it an instance of PolicyTimePeriodCondition " "whose only properties with specific values are its key " "properties.")] class CIM_PolicyTimePeriodCondition : CIM_PolicyCondition { [Description ( "This property identifies an overall range of calendar dates " "and times over which a PolicySet is valid. It is formatted " "as a string representing a start date and time, in which " "the character 'T' indicates the beginning of the time " "portion, followed by the solidus character '/', followed by " "a similar string representing an end date and time. The " "first date indicates the beginning of the range, while the " "second date indicates the end. Thus, the second date and " "time must be later than the first. Date/times are expressed " "as substrings of the form yyyymmddThhmmss. For example: \n" "20000101T080000/20000131T120000 defines \n" "January 1, 2000, 0800 through January 31, 2000, noon \n" "\n" "There are also two special cases in which one of the " "date/time strings is replaced with a special string defined " "in RFC 2445. \n" "o If the first date/time is replaced with the string " "'THISANDPRIOR', then the property indicates that a " "PolicySet is valid [from now] until the date/time that " "appears after the '/'. \n" "o If the second date/time is replaced with the string " "'THISANDFUTURE', then the property indicates that a " "PolicySet becomes valid on the date/time that appears " "before the '/', and remains valid from that point on."), ModelCorrespondence { "CIM_PolicyTimePeriodCondition.MonthOfYearMask", "CIM_PolicyTimePeriodCondition.DayOfMonthMask", "CIM_PolicyTimePeriodCondition.DayOfWeekMask", "CIM_PolicyTimePeriodCondition.TimeOfDayMask", "CIM_PolicyTimePeriodCondition.LocalOrUtcTime" }] string TimePeriod; [Description ( "The purpose of this property is to refine the valid time " "period that is defined by the TimePeriod property, by " "explicitly specifying in which months the PolicySet is " "valid. These properties work together, with the TimePeriod " "used to specify the overall time period in which the " "PolicySet is valid, and the MonthOfYearMask used to pick " "out the months during which the PolicySet is valid. \n" "\n" "This property is formatted as an octet string, structured " "as follows: \n" "o a 4-octet length field, indicating the length of the " "entire octet string; this field is always set to 0x00000006 " "for this property; \n" "o a 2-octet field consisting of 12 bits identifying the 12 " "months of the year, beginning with January and ending with " "December, followed by 4 bits that are always set to '0'. " "For each month, the value '1' indicates that the policy is " "valid for that month, and the value '0' indicates that it " "is not valid. \n" "\n" "The value 0x000000060830, for example, indicates that a " "PolicySet is valid only in the months May, November, and " "December. \n" "\n" "If a value for this property is not provided, then the " "PolicySet is treated as valid for all twelve months, and " "only restricted by its TimePeriod property value and the " "other Mask properties."), OctetString, ModelCorrespondence { "CIM_PolicyTimePeriodCondition.TimePeriod", "CIM_PolicyTimePeriodCondition.LocalOrUtcTime" }] uint8 MonthOfYearMask[]; [Description ( "The purpose of this property is to refine the valid time " "period that is defined by the TimePeriod property, by " "explicitly specifying in which days of the month the " "PolicySet is valid. These properties work together, with " "the TimePeriod used to specify the overall time period in " "which the PolicySet is valid, and the DayOfMonthMask used " "to pick out the days of the month during which the " "PolicySet is valid. \n" "\n" "This property is formatted as an octet string, structured " "as follows: \n" "o a 4-octet length field, indicating the length of the " "entire octet string; this field is always set to 0x0000000C " "for this property; \n" "o an 8-octet field consisting of 31 bits identifying the " "days of the month counting from the beginning, followed by " "31 more bits identifying the days of the month counting " "from the end, followed by 2 bits that are always set to " "'0'. For each day, the value '1' indicates that the " "PolicySet is valid for that day, and the value '0' " "indicates that it is not valid. \n" "\n" "The value 0x0000000C8000000100000000, for example, " "indicates that a PolicySet is valid on the first and last " "days of the month. \n" "\n" "For months with fewer than 31 days, the digits " "corresponding to days that the months do not have (counting " "in both directions) are ignored. \n" "\n" "If a value for this property is not provided, then the " "PolicySet is treated as valid for all days of the month, " "and only restricted by its TimePeriod property value and " "the other Mask properties."), OctetString, ModelCorrespondence { "CIM_PolicyTimePeriodCondition.TimePeriod", "CIM_PolicyTimePeriodCondition.LocalOrUtcTime" }] uint8 DayOfMonthMask[]; [Description ( "The purpose of this property is to refine the valid time " "period that is defined by the TimePeriod property, by " "explicitly specifying in which days of the week the " "PolicySet is valid. These properties work together, with " "the TimePeriod used to specify the overall time period in " "which the PolicySet is valid, and the DayOfWeekMask used to " "pick out the days of the week during which the PolicySet is " "valid. \n" "\n" "This property is formatted as an octet string, structured " "as follows: \n" "o a 4-octet length field, indicating the length of the " "entire octet string; this field is always set to 0x00000005 " "for this property; \n" "o a 1-octet field consisting of 7 bits identifying the 7 " "days of the week, beginning with Sunday and ending with " "Saturday, followed by 1 bit that is always set to '0'. For " "each day of the week, the value '1' indicates that the " "PolicySet is valid for that day, and the value '0' " "indicates that it is not valid. \n" "\n" "The value 0x000000057C, for example, indicates that a " "PolicySet is valid Monday through Friday. \n" "\n" "If a value for this property is not provided, then the " "PolicySet is treated as valid for all days of the week, and " "only restricted by its TimePeriod property value and the " "other Mask properties."), OctetString, ModelCorrespondence { "CIM_PolicyTimePeriodCondition.TimePeriod", "CIM_PolicyTimePeriodCondition.LocalOrUtcTime" }] uint8 DayOfWeekMask[]; [Description ( "The purpose of this property is to refine the valid time " "period that is defined by the TimePeriod property, by " "explicitly specifying a range of times in a day during " "which the PolicySet is valid. These properties work " "together, with the TimePeriod used to specify the overall " "time period in which the PolicySet is valid, and the " "TimeOfDayMask used to pick out the range of time periods in " "a given day of during which the PolicySet is valid. \n" "\n" "This property is formatted in the style of RFC 2445: a time " "string beginning with the character 'T', followed by the " "solidus character '/', followed by a second time string. " "The first time indicates the beginning of the range, while " "the second time indicates the end. Times are expressed as " "substrings of the form 'Thhmmss'. \n" "\n" "The second substring always identifies a later time than " "the first substring. To allow for ranges that span " "midnight, however, the value of the second string may be " "smaller than the value of the first substring. Thus, " "'T080000/T210000' identifies the range from 0800 until " "2100, while 'T210000/T080000' identifies the range from " "2100 until 0800 of the following day. \n" "\n" "When a range spans midnight, it by definition includes " "parts of two successive days. When one of these days is " "also selected by either the MonthOfYearMask, " "DayOfMonthMask, and/or DayOfWeekMask, but the other day is " "not, then the PolicySet is active only during the portion " "of the range that falls on the selected day. For example, " "if the range extends from 2100 until 0800, and the day of " "week mask selects Monday and Tuesday, then the PolicySet is " "active during the following three intervals: \n" "From midnight Sunday until 0800 Monday; \n" "From 2100 Monday until 0800 Tuesday; \n" "From 2100 Tuesday until 23:59:59 Tuesday. \n" "\n" "If a value for this property is not provided, then the " "PolicySet is treated as valid for all hours of the day, and " "only restricted by its TimePeriod property value and the " "other Mask properties."), ModelCorrespondence { "CIM_PolicyTimePeriodCondition.TimePeriod", "CIM_PolicyTimePeriodCondition.LocalOrUtcTime" }] string TimeOfDayMask; [Description ( "This property indicates whether the times represented in " "the TimePeriod property and in the various Mask properties " "represent local times or UTC times. There is no provision " "for mixing of local times and UTC times: the value of this " "property applies to all of the other time-related " "properties. TimePeriods are synchronized worldwide by using " "the enumeration value 'UTCTime'. If the goal is to " "synchronize worldwide on a particular local time (such as " "0300 - 0500 in New York), then if the TimePeriod property " "spans a Daylight Savings Time transition in New York, it " "will be necessary to create multiple instances of " "PolicyTimePeriodCondition, one based on the offset UTC-0500 " "for the part of each year when standard time is used in New " "York, and one based on the offset UTC-0400 for the part of " "each year when Daylight Savings Time is used there."), ValueMap { "1", "2" }, Values { "Local Time", "UTC Time" }, ModelCorrespondence { "CIM_PolicyTimePeriodCondition.TimePeriod", "CIM_PolicyTimePeriodCondition.MonthOfYearMask", "CIM_PolicyTimePeriodCondition.DayOfMonthMask", "CIM_PolicyTimePeriodCondition.DayOfWeekMask", "CIM_PolicyTimePeriodCondition.TimeOfDayMask" }] uint16 LocalOrUtcTime; }; // ================================================================== // CompoundPolicyCondition // ================================================================== [Version ( "2.7.0" ), Description ( "CompoundPolicyCondition is used to represent compound " "conditions formed by aggregating simpler policy conditions. " "Compound conditions are constructed by associating subordinate " "condition terms together using the " "PolicyConditionInPolicyCondition aggregation.")] class CIM_CompoundPolicyCondition : CIM_PolicyCondition { [Description ( "Indicates whether the list of CompoundPolicyConditions " "associated with this PolicyRule is in disjunctive normal " "form (DNF) or conjunctive normal form (CNF). The default " "value is 1 (\"DNF\")."), ValueMap { "1", "2" }, Values { "DNF", "CNF" }] uint16 ConditionListType; }; // ================================================================== // AuthenticationCondition // ================================================================== [Abstract, Version ( "2.8.0" ), Description ( "An abstract class whose subclasses describe one of a company's " "and/or administrator's credential requirements, and/or other " "information that should be authenticated in order to " "establish/trust a CIM_Identity. The PolicyConditions collected " "by an instance of AuthenticationRule describe the various " "requirements under which a CIM_Identity's " "CurrentlyAuthenticated Boolean is set to TRUE. Note that the " "CIM_Identities which are authenticated are specified through " "the AuthenticationRule, using the PolicySet AppliesToElement " "association.")] class CIM_AuthenticationCondition : CIM_PolicyCondition { }; // ================================================================== // SharedSecretAuthentication // ================================================================== [Version ( "2.8.0" ), Description ( "A class describing a company's and/or administrator's " "credential requirements that should be authenticated in order " "to establish/trust a CIM_Identity. This class defines a " "specific identity whose shared secret should be authenticated.")] class CIM_SharedSecretAuthentication : CIM_AuthenticationCondition { [Description ( "String defining the principal's ID whose secret is " "authenticated.")] string IDOfPrincipal; [Description ( "String defining a hostname, URI or service/application " "name. It defines the specific system or service which " "provides the context for the shared secret.")] string ContextOfSecret; }; // ================================================================== // AccountAuthentication // ================================================================== [Version ( "2.8.0" ), Description ( "A class describing a company's and/or administrator's " "credential requirements that should be authenticated in order " "to establish/trust a CIM_Identity. This class defines a " "specific identity whose account credentials should be " "authenticated.")] class CIM_AccountAuthentication : CIM_AuthenticationCondition { [Description ( "String defining the account's ID which is authenticated.")] string AccountID; [Description ( "String defining a hostname, URI or other information " "identifying the system where the Account resides.")] string AccountContext; }; // ================================================================== // BiometricAuthentication // ================================================================== [Version ( "2.8.0" ), Description ( "A class describing a company's and/or administrator's " "credential requirements that should be authenticated in order " "to establish/trust a CIM_Identity. This class defines specific " "biometric data that should be authenticated.")] class CIM_BiometricAuthentication : CIM_AuthenticationCondition { [Description ( "Integer enumeration identifying the biometric data that " "should be authenticated."), ValueMap { "1", "2", "3", "4", "5", "6","7", "8" }, Values { "Other", "Facial", "Retina", "Mark", "Finger", "Voice", "DNA-RNA", "EEG" }, ModelCorrespondence { "CIM_BiometricAuthentication.OtherBiometric" }] uint16 TypeOfBiometric; [Description ( "String specifying the biometric when the TypeOfBiometric " "property is set to 1, \"Other\"."), ModelCorrespondence { "CIM_BiometricAuthentication.TypeOfBiometric" }] string OtherBiometric; [Description ( "String defining a specific biometric code, which may be " "validated by the security infrastructure. If this property " "is left blank, it is the responsibility of the " "infrastructure to verify the biometric (which MUST be of a " "type specified by the TypeOfBiometric property).")] string PersonalIdentifier; }; // ================================================================== // NetworkingIDAuthentication // ================================================================== [Version ( "2.8.0" ), Description ( "A class describing a company's and/or administrator's " "credential requirements that should be authenticated in order " "to establish/trust a CIM_Identity. This class specifies that a " "networking ID or address should be verified.")] class CIM_NetworkingIDAuthentication : CIM_AuthenticationCondition { [Description ( "A string defining the specific type/subclass of " "CIM_Identity which specifies the networking information. " "For example, CIM_StorageHardwareID would be entered in this " "property to identify that a 'known' port should be " "observed.")] string NetworkingIdentityClassName; }; // ================================================================== // PublicPrivateKeyAuthentication // ================================================================== [Version ( "2.8.0" ), Description ( "A class describing a company's and/or administrator's " "credential requirements that should be authenticated in order " "to establish/trust a CIM_Identity. This class defines the " "specific public/private key pair that should be authenticated.")] class CIM_PublicPrivateKeyAuthentication : CIM_AuthenticationCondition { [Description ( "Boolean indicating whether the key pair is self-issued " "(TRUE) or issued by a Certificate Authority (FALSE).")] boolean SelfIssuedKey; [Description ( "String holding the user's (distinguished) name.")] string DistinguishedName; [Description ( "String holding the public key data.")] string PublicKey; }; // ================================================================== // KerberosAuthentication // ================================================================== [Version ( "2.8.0" ), Description ( "A class describing a company's and/or administrator's " "credential requirements that should be authenticated in order " "to establish/trust a CIM_Identity. This class defines a user " "whose Kerberos ticket should be authenticated.")] class CIM_KerberosAuthentication : CIM_AuthenticationCondition { [Description ( "String holding the user name for which the ticket is " "issued.")] string UserName; }; // ================================================================== // DocumentAuthentication // ================================================================== [Version ( "2.8.0" ), Description ( "A class describing a company's and/or administrator's " "credential requirements that should be authenticated in order " "to establish/trust a CIM_Identity. This class defines the " "specific document that should be authenticated.")] class CIM_DocumentAuthentication : CIM_AuthenticationCondition { [Description ( "Integer enumeration identifying the document that should be " "authenticated."), ValueMap { "1", "2", "3", "4", "5", "6","7" }, Values { "Other", "Passport", "Birth Certificate", "Credit Card", "Drivers License", "Membership Card", "Social Security Card" }, ModelCorrespondence { "CIM_DocumentAuthentication.OtherDocument" }] uint16 TypeOfDocument; [Description ( "String specifying the document when the TypeOfDocument " "property is set to 1, \"Other\"."), ModelCorrespondence { "CIM_DocumentAuthentication.TypeOfDocument" }] string OtherDocument; [Description ( "String defining a particular document which may be used in " "the authentication process for example, a specific driver's " "license or passport number. If left blank, then any valid " "document matching the category specified by the " "TypeOfDocument property, can be accepted.")] string DocumentIdentifier; }; // ================================================================== // PhysicalCredentialAuthentication // ================================================================== [Version ( "2.8.0" ), Description ( "A class describing a company's and/or administrator's " "credential requirements that should be authenticated in order " "to establish/trust a CIM_Identity. This class defines the " "specific type of physical credential that should be " "authenticated.")] class CIM_PhysicalCredentialAuthentication : CIM_AuthenticationCondition { [Description ( "Integer enumeration identifying the credential that should " "be authenticated."), ValueMap { "1", "2", "3", "4" }, Values { "Other", "Magnetic Stripe Card", "Smart Card", "Password Generator Card" }, ModelCorrespondence { "CIM_PhysicalCredentialAuthentication.OtherCredential" }] uint16 TypeOfCredential; [Description ( "String specifying the credential when the TypeOfCredential " "property is set to 1, \"Other\"."), ModelCorrespondence { "CIM_PhysicalCredentialAuthentication.TypeOfCredential" }] string OtherCredential; [Description ( "String defining a character or binary sequence, which is " "built into the physical credential to identify it. If left " "blank, it is the responsibility of the security " "infrastructure to verify that a valid credential (of the " "specified type) has been used.")] string PhysicalIdentifier; }; // ================================================================== // VendorPolicyCondition // ================================================================== [Version ( "2.6.0" ), Description ( "A class that provides a general extension mechanism for " "representing PolicyConditions that have not been modeled with " "specific properties. Instead, the two properties Constraint " "and ConstraintEncoding are used to define the content and " "format of the Condition, as explained below. \n" "\n" "As its name suggests, VendorPolicyCondition is intended for " "vendor-specific extensions to the Policy Core Information " "Model. Standardized extensions are not expected to use this " "class.")] class CIM_VendorPolicyCondition : CIM_PolicyCondition { [Description ( "This property provides a general extension mechanism for " "representing PolicyConditions that have not been modeled " "with specific properties. The format of the octet strings " "in the array is left unspecified in this definition. It is " "determined by the OID value stored in the property " "ConstraintEncoding. Since ConstraintEncoding is " "single-valued, all the values of Constraint share the same " "format and semantics."), OctetString, ModelCorrespondence { "CIM_VendorPolicyCondition.ConstraintEncoding" }] string Constraint[]; [Description ( "An OID encoded as a string, identifying the format and " "semantics for this instance's Constraint property."), ModelCorrespondence { "CIM_VendorPolicyCondition.Constraint" }] string ConstraintEncoding; }; // ================================================================== // PacketFilterCondition // ================================================================== [Version ( "2.8.0" ), Description ( "PacketFilterCondition specifies packet selection criteria (via " "association to FilterLists) for firewall policies, IPsec " "policies and similar uses. It is used as an anchor point to " "associate various types of filters with policy rules via the " "FilterOfPacketCondition association. By definition, policy " "rules that aggregate PacketFilterCondition are assumed to " "operate against every packet received and/or transmitted from " "an ingress and/or egress point. (Whether policy condition " "evaluation occurs at ingress or egress is specified by the " "Direction property in the associated FilterList.) " "PacketFilterCondition MAY also be used to define the specific " "CredentialManagementService that validates the credentials " "carried in a packet. This is accomplished using the " "association, AcceptCredentialFrom. \n" "\n" "Associated objects (such as FilterListsor Credential " "ManagementServices) represent components of the condition that " "MAY or MAY NOT apply at a given rule evaluation. For example, " "an AcceptCredentialFrom evaluation is only performed when a " "credential is available to be evaluated and compared against " "the list of trusted credential management services. Similarly, " "a PeerIDPayloadFilterEntry MAY only be evaluated when an ID " "payload is available for checking. Condition components that " "do not have applicability at rule evaluation time, MUST be " "evaluated to TRUE."), MappingStrings { "IPSP Policy Model.IETF|SACondition" }] class CIM_PacketFilterCondition : CIM_PolicyCondition { }; // ================================================================== // PolicyAction // ================================================================== [Abstract, Version ( "2.8.0" ), Description ( "A class representing a rule-specific or reusable policy action " "to be performed if the PolicyConditions for a Policy Rule " "evaluate to TRUE. Since all operational details of a " "PolicyAction are provided in subclasses of this object, this " "class is abstract.")] class CIM_PolicyAction : CIM_Policy { [Key, Description ( "The name of the class or the subclass used in the creation " "of the System object in whose scope this PolicyAction is " "defined. \n" "\n" "This property helps to identify the System object in whose " "scope this instance of PolicyAction exists. For a " "rule-specific PolicyAction, this is the System in whose " "context the PolicyRule is defined. For a reusable " "PolicyAction, this is the instance of PolicyRepository " "(which is a subclass of System) that holds the Action. \n" "\n" "Note that this property, and the analogous property " "SystemName, do not represent propagated keys from an " "instance of the class System. Instead, they are properties " "defined in the context of this class, which repeat the " "values from the instance of System to which this " "PolicyAction is related, either directly via the " "PolicyActionInPolicyRepository association or indirectly " "via the PolicyActionInPolicyRule aggregation."), MaxLen ( 256 )] string SystemCreationClassName; [Key, Description ( "The name of the System object in whose scope this " "PolicyAction is defined. \n" "\n" "This property completes the identification of the System " "object in whose scope this instance of PolicyAction exists. " "For a rule-specific PolicyAction, this is the System in " "whose context the PolicyRule is defined. For a reusable " "PolicyAction, this is the instance of PolicyRepository " "(which is a subclass of System) that holds the Action."), MaxLen ( 256 )] string SystemName; [Key, Description ( "For a rule-specific PolicyAction, the CreationClassName of " "the PolicyRule object with which this Action is associated. " "For a reusable PolicyAction, a special value, 'NO RULE', " "should be used to indicate that this Action is reusable and " "not associated with a single PolicyRule."), MaxLen ( 256 )] string PolicyRuleCreationClassName; [Key, Description ( "For a rule-specific PolicyAction, the name of the " "PolicyRule object with which this Action is associated. For " "a reusable PolicyAction, a special value, 'NO RULE', should " "be used to indicate that this Action is reusable and not " "associated with a single PolicyRule."), MaxLen ( 256 )] string PolicyRuleName; [Key, Description ( "CreationClassName indicates the name of the class or the " "subclass used in the creation of an instance. When used " "with the other key properties of this class, this property " "allows all instances of this class and its subclasses to be " "uniquely identified."), MaxLen ( 256 )] string CreationClassName; [Key, Description ( "A user-friendly name of this PolicyAction."), MaxLen ( 256 )] string PolicyActionName; [Description ( "DoActionLogging causes a log message to be generated when " "the action is performed.")] boolean DoActionLogging; }; // ================================================================== // VendorPolicyAction // ================================================================== [Version ( "2.6.0" ), Description ( "A class that provides a general extension mechanism for " "representing PolicyActions that have not been modeled with " "specific properties. Instead, the two properties ActionData " "and ActionEncoding are used to define the content and format " "of the Action, as explained below. \n" "\n" "As its name suggests, VendorPolicyAction is intended for " "vendor-specific extensions to the Policy Core Information " "Model. Standardized extensions are not expected to use this " "class.")] class CIM_VendorPolicyAction : CIM_PolicyAction { [Description ( "This property provides a general extension mechanism for " "representing PolicyActions that have not been modeled with " "specific properties. The format of the octet strings in the " "array is left unspecified in this definition. It is " "determined by the OID value stored in the property " "ActionEncoding. Since ActionEncoding is single-valued, all " "the values of ActionData share the same format and " "semantics."), OctetString, ModelCorrespondence { "CIM_VendorPolicyAction.ActionEncoding" }] string ActionData[]; [Description ( "An OID encoded as a string, identifying the format and " "semantics for this instance's ActionData property."), ModelCorrespondence { "CIM_VendorPolicyAction.ActionData" }] string ActionEncoding; }; // ================================================================== // CompoundPolicyAction // ================================================================== [Version ( "2.6.0" ), Description ( "CompoundPolicyAction is used to represent an expression " "consisting of an ordered sequence of action terms. Each action " "term is represented as a subclass of the PolicyAction class. " "Compound actions are constructed by associating dependent " "action terms together using the PolicyActionInPolicyAction " "aggregation.")] class CIM_CompoundPolicyAction : CIM_PolicyAction { [Description ( "This property gives a policy administrator a way of " "specifying how the ordering of the PolicyActions associated " "with this PolicyRule is to be interpreted. Three values are " "supported: \n" "o mandatory(1): Do the actions in the indicated order, or " "don't do them at all. \n" "o recommended(2): Do the actions in the indicated order if " "you can, but if you can't do them in this order, do them in " "another order if you can. \n" "o dontCare(3): Do them -- I don't care about the order. \n" "The default value is 3 (\"DontCare\")."), ValueMap { "1", "2", "3" }, Values { "Mandatory", "Recommended", "Dont Care" }] uint16 SequencedActions=3; [Description ( "ExecutionStrategy defines the strategy to be used in " "executing the sequenced actions aggregated by this " "CompoundPolicyAction. There are three execution strategies: " "\n\n" "Do Until Success - execute actions according to predefined " "order, until successful execution of a single action. \n" "Do All - execute ALL actions which are part of the modeled " "set, according to their predefined order. Continue doing " "this, even if one or more of the actions fails. \n" "Do Until Failure - execute actions according to predefined " "order, until the first failure in execution of an action " "instance. \n" "The default value is 2 (\"Do All\")."), ValueMap { "1", "2", "3" }, Values { "Do Until Success", "Do All", "Do Until Failure" }] uint16 ExecutionStrategy=2; }; // ================================================================== // NetworkPacketAction // ================================================================== [Version ( "2.8.0" ), Description ( "NetworkPacketAction standardizes different processing options " "that can be taken at the network packet level. The specific " "action is defined in the PacketAction enumerated property. " "Note that this property can be used in conjunction with other " "actions aggregated into a Rule, to fully define its effects. " "For example, when aggregated with the SAStaticAction class, " "NetworkPacketAction indicates whether a specific packet will " "be encrypted, bypassed or discarded for the lifetime of the " "Security Association.")] class CIM_NetworkPacketAction : CIM_PolicyAction { [Description ( "A network packet can be processed, bypassed for processing " "(i.e., allowed to continue without further processing, such " "as being forwarded in the clear versus being encrypted), or " "discarded. This enumeration indicates how a packet should " "be handled if a PolicyRule's PolicyConditions evaluate to " "TRUE."), ValueMap { "1", "2", "3", "4" }, Values { "Other", "Processed", "Bypassed", "Discarded" }, MappingStrings { "IPSP Policy Model.IETF|IPsecBypassAction", "IPSP Policy Model.IETF|IPsecDiscardAction" }, ModelCorrespondence { "CIM_NetworkPacketAction.OtherAction" }] uint16 PacketAction; [Description ( "Description of the action when the value 1 (\"Other\") is " "specified for the property, PacketAction."), ModelCorrespondence { "CIM_NetworkPacketAction.PacketAction" }] string OtherAction; }; // ================================================================== // RejectConnectionAction // ================================================================== [Version ( "2.8.0" ), Description ( "RejectConnectionAction is used to cause a connection or its " "negotiation to be terminated. For example, it can be used in " "conjunction with an address filter on UDP port 500 to reduce " "Denial of Service vulnerability. As another example, it can be " "specified as a low priority rule to explicitly define the " "default action for IKE key exchange negotiations - i.e., if " "the higher priority rules are not satisfied, then reject the " "connection negotiation."), MappingStrings { "IPSP Policy Model.IETF|IKERejectAction" }] class CIM_RejectConnectionAction : CIM_PolicyAction { }; // ================================================================== // PolicyRoleCollection // ================================================================== [Version ( "2.8.0" ), Description ( "PolicyRoleCollection is used to represent a collection of " "ManagedElements that share a common policy role, and the " "PolicySets that CAN BE applied to those elements. (Note that " "the PolicySets that are CURRENTLY applied are indicated via " "instances of the association, PolicySetAppliesToElement.) The " "PolicyRoleCollection always exists in the context of a System, " "specified using the PolicyRoleCollectionInSystem aggregation. " "The value of the PolicyRole property in this class specifies " "the role. It is defined as a free-form string. ManagedElements " "that share the role defined in this collection are aggregated " "into the Collection via the ElementInPolicyRoleCollection " "association.")] class CIM_PolicyRoleCollection : CIM_SystemSpecificCollection { [Required, Description ( "The PolicyRole name for the PolicySets and other " "ManagedElements that are identified and aggregated by the " "Collection. Note that the aggregated PolicySets define the " "rules and groups of rules that may be applied to the " "associated ManagedElements. \n" "\n" "Although not officially designated as 'role combinations', " "multiple roles may be specified using the form: \n" "[&&]* \n" "where the individual role names appear in alphabetical " "order (according to the collating sequence for UCS-2). " "Implementations may treat PolicyRole values that are " "specified as 'role combinations' as simple strings.")] string PolicyRole; [Description ( "Activates/applies the PolicySets aggregated into this " "Collection to the specified ManagedElement. The " "ManagedElement MUST be a member of the Collection, " "associated via ElementInPolicyRoleCollection. The result of " "this method, if it is successfully executed, is that the " "aggregated PolicySets are deployed and enforced for the " "Element. This is reflected by the instantiation of the " "PolicySetAppliesToElement association between the named " "Element and each PolicySet."), ValueMap { "0", "1", "2", "3", "4", "..", "0x8000.." }, Values { "Success", "Not Supported", "Unknown", "Timeout", "Failed", "DMTF Reserved", "Vendor Specific" }] uint32 ActivatePolicySet( [IN, Description ( "The ManagedElement to which the aggregated PolicySets of " "this Collection are applied.")] CIM_ManagedElement REF Element); [Description ( "Deactivates the aggregated PolicySets for the specified " "ManagedElement. The result of this method, if it is " "successfully executed, is that the aggregated PolicySets " "are NOT enforced for the Element. This is reflected by the " "removal of the PolicySetAppliesToElement association " "between the named Element and each PolicySet. If a " "PolicySet is not currently enforced for the ManagedElement, " "then this method has no effect for that Set."), ValueMap { "0", "1", "2", "3", "4", "..", "0x8000..0xFFFF" }, Values { "Success", "Not Supported", "Unknown", "Timeout", "Failed", "DMTF Reserved", "Vendor Specific" }] uint32 DeactivatePolicySet( [IN, Description ( "The ManagedElement to which the aggregated PolicySets of " "this Collection MUST NOT apply.")] CIM_ManagedElement REF Element); }; // ================================================================== // === Association classes === // ================================================================== // ================================================================== // PolicyComponent // ================================================================== [Association, Abstract, Aggregation, Version ( "2.6.0" ), Description ( "CIM_PolicyComponent is a generic association used to establish " "'part of' relationships between the subclasses of CIM_Policy. " "For example, the PolicyConditionInPolicyRule association " "defines that PolicyConditions are part of a PolicyRule.")] class CIM_PolicyComponent : CIM_Component { [Aggregate, Override ( "GroupComponent" ), Description ( "The parent Policy in the association.")] CIM_Policy REF GroupComponent; [Override ( "PartComponent" ), Description ( "The child/part Policy in the association.")] CIM_Policy REF PartComponent; }; // ================================================================== // PolicyInSystem // ================================================================== [Association, Abstract, Version ( "2.8.0" ), Description ( "CIM_PolicyInSystem is a generic association used to establish " "dependency relationships between Policies and the Systems that " "host them. These Systems may be ComputerSystems where Policies " "are 'running' or they may be Policy Repositories where " "Policies are stored. This relationship is similar to the " "concept of CIM_Services being dependent on CIM_Systems as " "defined by the HostedService association. \n" "\n" "Cardinality is Max (1) for the Antecedent/System reference " "since Policies can only be hosted in at most one System " "context. Some subclasses of the association will further " "refine this definition to make the Policies Weak to Systems. " "Other subclasses of PolicyInSystem will define an optional " "hosting relationship. Examples of each of these are the " "PolicyRuleInSystem and PolicyConditionIn PolicyRepository " "associations, respectively.")] class CIM_PolicyInSystem : CIM_HostedDependency { [Override ( "Antecedent" ), Max ( 1 ), Description ( "The hosting System.")] CIM_System REF Antecedent; [Override ( "Dependent" ), Description ( "The hosted Policy.")] CIM_Policy REF Dependent; }; // ================================================================== // PolicySetInSystem // ================================================================== [Association, Abstract, Version ( "2.6.0" ), Description ( "PolicySetInSystem is an abstract association class that " "represents a relationship between a System and a PolicySet " "used in the administrative scope of that system (e.g., " "AdminDomain, ComputerSystem). The Priority property is used to " "assign a relative priority to a PolicySet within the " "administrative scope in contexts where it is not a component " "of another PolicySet.")] class CIM_PolicySetInSystem : CIM_PolicyInSystem { [Override ( "Antecedent" ), Min ( 1 ), Max ( 1 ), Description ( "The System in whose scope a PolicySet is defined.")] CIM_System REF Antecedent; [Override ( "Dependent" ), Description ( "A PolicySet named within the scope of a System.")] CIM_PolicySet REF Dependent; [Description ( "The Priority property is used to specify the relative " "priority of the referenced PolicySet when there are more " "than one PolicySet instances applied to a managed resource " "that are not PolicySetComponents and, therefore, have no " "other relative priority defined. The priority is a " "non-negative integer; a larger value indicates a higher " "priority.")] uint16 Priority; }; // ================================================================== // PolicyGroupInSystem // ================================================================== [Association, Version ( "2.6.0" ), Description ( "An association that links a PolicyGroup to the System in whose " "scope the Group is defined.")] class CIM_PolicyGroupInSystem : CIM_PolicySetInSystem { [Override ( "Antecedent" ), Min ( 1 ), Max ( 1 ), Description ( "The System in whose scope a PolicyGroup is defined.")] CIM_System REF Antecedent; [Override ( "Dependent" ), Weak, Description ( "A PolicyGroup named within the scope of a System.")] CIM_PolicyGroup REF Dependent; }; // ================================================================== // PolicyRuleInSystem // ================================================================== [Association, Version ( "2.6.0" ), Description ( "An association that links a PolicyRule to the System in whose " "scope the Rule is defined.")] class CIM_PolicyRuleInSystem : CIM_PolicySetInSystem { [Override ( "Antecedent" ), Min ( 1 ), Max ( 1 ), Description ( "The System in whose scope a PolicyRule is defined.")] CIM_System REF Antecedent; [Override ( "Dependent" ), Weak, Description ( "A PolicyRule named within the scope of a System.")] CIM_PolicyRule REF Dependent; }; // ================================================================== // PolicySetComponent // ================================================================== [Association, Aggregation, Version ( "2.6.0" ), Description ( "PolicySetComponent is a concrete aggregation that collects " "instances of the subclasses of PolicySet (i.e., PolicyGroups " "and PolicyRules). Instances are collected in sets that use the " "same decision strategy. They are prioritized relative to each " "other, within the set, using the Priority property of this " "aggregation. \n" "\n" "Together, the PolicySet.PolicyDecisionStrategy and PolicySet " "Component.Priority properties determine the processing for the " "groups and rules contained in a PolicySet. A larger priority " "value represents a higher priority. Note that the Priority " "property MUST have a unique value when compared with others " "defined for the same aggregating PolicySet. Thus, the " "evaluation of rules within a set is deterministically " "specified.")] class CIM_PolicySetComponent : CIM_PolicyComponent { [Aggregate, Override ( "GroupComponent" ), Description ( "A PolicySet that aggregates other PolicySet instances.")] CIM_PolicySet REF GroupComponent; [Override ( "PartComponent" ), Description ( "A PolicySet aggregated into a PolicySet.")] CIM_PolicySet REF PartComponent; [Description ( "A non-negative integer for prioritizing this PolicySet " "component relative to other elements of the same PolicySet. " "A larger value indicates a higher priority. The Priority " "property MUST have a unique value when compared with others " "defined for the same aggregating PolicySet.")] uint16 Priority; }; // ================================================================== // PolicyGroupInPolicyGroup *** deprecated // ================================================================== [Association, Deprecated { "CIM_PolicySetComponent" }, Aggregation, Version ( "2.7.0" ), Description ( "PolicySetComponent provides a more general mechanism for " "aggregating both PolicyGroups and PolicyRules and doing so " "with the priority value applying only to the aggregated set " "rather than policy wide. \n" "\n" "A relationship that aggregates one or more lower-level " "PolicyGroups into a higher-level Group. A Policy Group may " "aggregate PolicyRules and/or other Policy Groups.")] class CIM_PolicyGroupInPolicyGroup : CIM_PolicyComponent { [Deprecated { "CIM_PolicySetComponent.GroupComponent" }, Aggregate, Override ( "GroupComponent" ), Description ( "A PolicyGroup that aggregates other Groups.")] CIM_PolicyGroup REF GroupComponent; [Deprecated { "CIM_PolicySetComponent.PartComponent" }, Override ( "PartComponent" ), Description ( "A PolicyGroup aggregated by another Group.")] CIM_PolicyGroup REF PartComponent; }; // ================================================================== // PolicyRuleInPolicyGroup *** deprecated // ================================================================== [Association, Deprecated { "CIM_PolicySetComponent" }, Aggregation, Version ( "2.7.0" ), Description ( "PolicySetComponent provides a more general mechanism for " "aggregating both PolicyGroups and PolicyRules and doing so " "with the priority value applying only to the aggregated set " "rather than policy wide. \n" "\n" "A relationship that aggregates one or more PolicyRules into a " "PolicyGroup. A PolicyGroup may aggregate PolicyRules and/or " "other PolicyGroups.")] class CIM_PolicyRuleInPolicyGroup : CIM_PolicyComponent { [Deprecated { "CIM_PolicySetComponent.GroupComponent" }, Aggregate, Override ( "GroupComponent" ), Description ( "A PolicyGroup that aggregates one or more PolicyRules.")] CIM_PolicyGroup REF GroupComponent; [Deprecated { "CIM_PolicySetComponent.PartComponent" }, Override ( "PartComponent" ), Description ( "A PolicyRule aggregated by a PolicyGroup.")] CIM_PolicyRule REF PartComponent; }; // ================================================================== // PolicySetValidityPeriod // ================================================================== [Association, Aggregation, Version ( "2.7.0" ), Description ( "The PolicySetValidityPeriod aggregation represents scheduled " "activation and deactivation of a PolicySet. A PolicySet is " "considered \"active\" if it is both \"Enabled\" and in a valid " "time period. \n" "\n" "If a PolicySet is associated with multiple policy time periods " "via this association, then the Set is in a valid time period " "if at least one of the time periods evaluates to TRUE. If a " "PolicySet is contained in another PolicySet via the " "PolicySetComponent aggregation (e.g., a PolicyRule in a " "PolicyGroup), then the contained PolicySet (e.g., PolicyRule) " "is in a valid period if at least one of the aggregate's " "PolicyTimePeriodCondition instances evaluates to TRUE and at " "least one of its own PolicyTimePeriodCondition instances also " "evalutes to TRUE. (In other words, the " "PolicyTimePeriodConditions are ORed to determine whether the " "PolicySet is in a valid time period and then ANDed with the " "ORed PolicyTimePeriodConditions of each of PolicySet instances " "in the PolicySetComponent hierarchy to determine if the " "PolicySet is in a valid time period and, if also \"Enabled\", " "therefore, active, i.e., the hierachy ANDs the ORed " "PolicyTimePeriodConditions of the elements of the hierarchy. \n" "\n" "A Time Period may be aggregated by multiple PolicySets. A Set " "that does not point to a PolicyTimePeriodCondition via this " "association, from the point of view of scheduling, is always " "in a valid time period.")] class CIM_PolicySetValidityPeriod : CIM_PolicyComponent { [Aggregate, Override ( "GroupComponent" ), Description ( "This property contains the name of a PolicySet that " "contains one or more PolicyTimePeriodConditions.")] CIM_PolicySet REF GroupComponent; [Override ( "PartComponent" ), Description ( "This property contains the name of a " "PolicyTimePeriodCondition defining the valid time periods " "for one or more PolicySets.")] CIM_PolicyTimePeriodCondition REF PartComponent; }; // ================================================================== // PolicyRuleValidityPeriod ** deprecated // ================================================================== [Association, Deprecated { "CIM_PolicySetValidityPeriod" }, Aggregation, Version ( "2.7.0" ), Description ( "The PolicyRuleValidityPeriod aggregation represents scheduled " "activation and deactivation of a PolicyRule. If a PolicyRule " "is associated with multiple policy time periods via this " "association, then the Rule is active if at least one of the " "time periods indicates that it is active. (In other words, the " "PolicyTimePeriodConditions are ORed to determine whether the " "Rule is active.) A Time Period may be aggregated by multiple " "PolicyRules. A Rule that does not point to a " "PolicyTimePeriodCondition via this association is, from the " "point of view of scheduling, always active. It may, however, " "be inactive for other reasons. For example, the Rule's Enabled " "property may be set to \"disabled\" (value=2).")] class CIM_PolicyRuleValidityPeriod : CIM_PolicyComponent { [Deprecated { "CIM_PolicySetValidityPeriod.GroupComponent" }, Aggregate, Override ( "GroupComponent" ), Description ( "This property contains the name of a PolicyRule that " "contains one or more PolicyTimePeriodConditions.")] CIM_PolicyRule REF GroupComponent; [Deprecated { "CIM_PolicySetValidityPeriod.PartComponent" }, Override ( "PartComponent" ), Description ( "This property contains the name of a " "PolicyTimePeriodCondition defining the valid time periods " "for one or more PolicyRules.")] CIM_PolicyTimePeriodCondition REF PartComponent; }; // ================================================================== // PolicyConditionStructure // ================================================================== [Association, Abstract, Aggregation, Version ( "2.7.0" ), Description ( "PolicyConditions may be aggregated into rules and into " "compound conditions. PolicyConditionStructure is the abstract " "aggregation class for the structuring of policy conditions. \n" "\n" "The Conditions aggregated by a PolicyRule or " "CompoundPolicyCondition are grouped into two levels of lists: " "either an ORed set of ANDed sets of conditions (DNF, the " "default) or an ANDed set of ORed sets of conditions (CNF). " "Individual PolicyConditions in these lists may be negated. The " "property ConditionListType specifies which of these two " "grouping schemes applies to a particular PolicyRule or " "CompoundPolicyCondition instance. \n" "\n" "One or more PolicyTimePeriodConditions may be among the " "conditions associated with a PolicyRule or " "CompoundPolicyCondition via the PolicyConditionStructure " "subclass association. In this case, the time periods are " "simply additional Conditions to be evaluated along with any " "others that are specified.")] class CIM_PolicyConditionStructure : CIM_PolicyComponent { [Aggregate, Override ( "GroupComponent" ), Description ( "This property represents the Policy that contains one or " "more PolicyConditions.")] CIM_Policy REF GroupComponent; [Override ( "PartComponent" ), Description ( "This property holds the name of a PolicyCondition contained " "by one or more PolicyRule or CompoundPolicyCondition " "instances.")] CIM_PolicyCondition REF PartComponent; [Description ( "Unsigned integer indicating the group to which the " "contained PolicyCondition belongs. This integer segments " "the Conditions into the ANDed sets (when the " "ConditionListType is \"DNF\") or, similarly, into the ORed " "sets (when the ConditionListType is \"CNF\").")] uint16 GroupNumber; [Description ( "Indication of whether the contained PolicyCondition is " "negated. TRUE indicates that the PolicyCondition IS " "negated, FALSE indicates that it IS NOT negated.")] boolean ConditionNegated; }; // ================================================================== // PolicyConditionInPolicyRule // ================================================================== [Association, Aggregation, Version ( "2.7.0" ), Description ( "A PolicyRule aggregates zero or more instances of the " "PolicyCondition class, via the PolicyConditionInPolicyRule " "association. A Rule that aggregates zero Conditions is not " "valid; it may, however, be in the process of being defined. " "Note that a PolicyRule should have no effect until it is " "valid.")] class CIM_PolicyConditionInPolicyRule : CIM_PolicyConditionStructure { [Aggregate, Override ( "GroupComponent" ), Description ( "This property represents the PolicyRule that contains one " "or more PolicyConditions.")] CIM_PolicyRule REF GroupComponent; [Override ( "PartComponent" ), Description ( "This property holds the name of a PolicyCondition contained " "by one or more PolicyRules.")] CIM_PolicyCondition REF PartComponent; }; // ================================================================== // PolicyConditionInPolicyCondition // ================================================================== [Association, Aggregation, Version ( "2.7.0" ), Description ( "A CompoundPolicyCondition aggregates zero or more instances of " "the PolicyCondition class, via the " "PolicyConditionInPolicyCondition association. A " "CompoundPolicyCondition that aggregates zero Conditions is not " "valid; it may, however, be in the process of being defined. " "Note that a CompoundPolicyCondition should have no effect " "until it is valid.")] class CIM_PolicyConditionInPolicyCondition : CIM_PolicyConditionStructure { [Aggregate, Override ( "GroupComponent" ), Description ( "This property represents the CompoundPolicyCondition that " "contains one or more PolicyConditions.")] CIM_CompoundPolicyCondition REF GroupComponent; [Override ( "PartComponent" ), Description ( "This property holds the name of a PolicyCondition contained " "by one or more PolicyRules.")] CIM_PolicyCondition REF PartComponent; }; // ================================================================== // PolicyActionStructure // ================================================================== [Association, Abstract, Aggregation, Version ( "2.6.0" ), Description ( "PolicyActions may be aggregated into rules and into compound " "actions. PolicyActionStructure is the abstract aggregation " "class for the structuring of policy actions.")] class CIM_PolicyActionStructure : CIM_PolicyComponent { [Aggregate, Override ( "GroupComponent" ), Description ( "PolicyAction instances may be aggregated into either " "PolicyRule instances or CompoundPolicyAction instances.")] CIM_Policy REF GroupComponent; [Override ( "PartComponent" ), Description ( "A PolicyAction aggregated by a PolicyRule or " "CompoundPolicyAction.")] CIM_PolicyAction REF PartComponent; [Description ( "ActionOrder is an unsigned integer 'n' that indicates the " "relative position of a PolicyAction in the sequence of " "actions associated with a PolicyRule or " "CompoundPolicyAction. When 'n' is a positive integer, it " "indicates a place in the sequence of actions to be " "performed, with smaller integers indicating earlier " "positions in the sequence. The special value '0' indicates " "'don't care'. If two or more PolicyActions have the same " "non-zero sequence number, they may be performed in any " "order, but they must all be performed at the appropriate " "place in the overall action sequence. \n" "\n" "A series of examples will make ordering of PolicyActions " "clearer: \n" "o If all actions have the same sequence number, regardless " "of whether it is '0' or non-zero, any order is acceptable. " "\no The values: \n" "1:ACTION A \n" "2:ACTION B \n" "1:ACTION C \n" "3:ACTION D \n" "indicate two acceptable orders: A,C,B,D or C,A,B,D, \n" "since A and C can be performed in either order, but only at " "the '1' position. \n" "o The values: \n" "0:ACTION A \n" "2:ACTION B \n" "3:ACTION C \n" "3:ACTION D \n" "require that B,C, and D occur either as B,C,D or as B,D,C. " "Action A may appear at any point relative to B, C, and D. " "Thus the complete set of acceptable orders is: A,B,C,D; " "B,A,C,D; B,C,A,D; B,C,D,A; A,B,D,C; B,A,D,C; B,D,A,C; " "B,D,C,A. \n" "\n" "Note that the non-zero sequence numbers need not start with " "'1', and they need not be consecutive. All that matters is " "their relative magnitude.")] uint16 ActionOrder; }; // ================================================================== // PolicyActionInPolicyRule // ================================================================== [Association, Aggregation, Version ( "2.6.0" ), Description ( "A PolicyRule aggregates zero or more instances of the " "PolicyAction class, via the PolicyActionInPolicyRule " "association. A Rule that aggregates zero Actions is not " "valid--it may, however, be in the process of being entered " "into a PolicyRepository or being defined for a System. " "Alternately, the actions of the policy may be explicit in the " "definition of the PolicyRule. Note that a PolicyRule should " "have no effect until it is valid. \n" "\n" "The Actions associated with a PolicyRule may be given a " "required order, a recommended order, or no order at all. For " "Actions represented as separate objects, the " "PolicyActionInPolicyRule aggregation can be used to express an " "order. \n" "\n" "This aggregation does not indicate whether a specified action " "order is required, recommended, or of no significance; the " "property SequencedActions in the aggregating instance of " "PolicyRule provides this indication.")] class CIM_PolicyActionInPolicyRule : CIM_PolicyActionStructure { [Aggregate, Override ( "GroupComponent" ), Description ( "This property represents the PolicyRule that contains one " "or more PolicyActions.")] CIM_PolicyRule REF GroupComponent; [Override ( "PartComponent" ), Description ( "This property holds the name of a PolicyAction contained by " "one or more PolicyRules.")] CIM_PolicyAction REF PartComponent; }; // ================================================================== // PolicyActionInPolicyAction // ================================================================== [Association, Aggregation, Version ( "2.6.0" ), Description ( "PolicyActionInPolicyAction is used to represent the " "compounding of policy actions into a higher-level policy " "action.")] class CIM_PolicyActionInPolicyAction : CIM_PolicyActionStructure { [Aggregate, Override ( "GroupComponent" ), Description ( "This property represents the CompoundPolicyAction that " "contains one or more PolicyActions.")] CIM_CompoundPolicyAction REF GroupComponent; [Override ( "PartComponent" ), Description ( "This property holds the name of a PolicyAction contained by " "one or more CompoundPolicyActions.")] CIM_PolicyAction REF PartComponent; }; // ================================================================== // PolicyContainerInPolicyContainer // ================================================================== [Association, Aggregation, Version ( "2.6.0" ), Description ( "A relationship that aggregates one or more lower-level " "ReusablePolicyContainer instances into a higher-level " "ReusablePolicyContainer.")] class CIM_PolicyContainerInPolicyContainer : CIM_SystemComponent { [Aggregate, Override ( "GroupComponent" ), Description ( "A ReusablePolicyContainer that aggregates other " "ReusablePolicyContainers.")] CIM_ReusablePolicyContainer REF GroupComponent; [Override ( "PartComponent" ), Description ( "A ReusablePolicyContainer aggregated by another " "ReusablePolicyContainer.")] CIM_ReusablePolicyContainer REF PartComponent; }; // ================================================================== // PolicyRepositoryInPolicyRepository *** deprecated // ================================================================== [Association, Deprecated { "CIM_PolicyContainerInPolicyContainer" }, Aggregation, Version ( "2.7.0" ), Description ( "The term 'PolicyRepository' has been confusing to both " "developers and users of the model. The replacement class name " "describes model element properly and is less likely to be " "confused with a data repository. ContainedDomain is a general " "purpose mechanism for expressing domain hierarchy. \n" "\n" "A relationship that aggregates one or more lower-level " "PolicyRepositories into a higher-level Repository.")] class CIM_PolicyRepositoryInPolicyRepository : CIM_SystemComponent { [Deprecated { "CIM_PolicyContainerInPolicyContainer.GroupComponent" }, Aggregate, Override ( "GroupComponent" ), Description ( "A PolicyRepository that aggregates other Repositories.")] CIM_PolicyRepository REF GroupComponent; [Deprecated { "CIM_PolicyContainerInPolicyContainer.PartComponent" }, Override ( "PartComponent" ), Description ( "A PolicyRepository aggregated by another Repository.")] CIM_PolicyRepository REF PartComponent; }; // ================================================================== // ReusablePolicy // ================================================================== [Association, Version ( "2.6.0" ), Description ( "The ReusablePolicy association provides for the reuse of any " "subclass of Policy in a ReusablePolicyContainer.")] class CIM_ReusablePolicy : CIM_PolicyInSystem { [Override ( "Antecedent" ), Max ( 1 ), Description ( "This property identifies a ReusablePolicyContainer that " "provides the administrative scope for the reuse of the " "referenced policy element.")] CIM_ReusablePolicyContainer REF Antecedent; [Override ( "Dependent" ), Description ( "A reusable policy element.")] CIM_Policy REF Dependent; }; // ================================================================== // ElementInPolicyRoleCollection // ================================================================== [Association, Aggregation, Version ( "2.8.0" ), Description ( "An ElementInPolicyRoleCollection aggregates zero or more " "ManagedElement subclass instances into a PolicyRoleCollection " "object, representing a role played by these ManagedElements. " "This Collection indicates that the aggregated PolicySets " "(aggregated by CIM_PolicySetInRoleCollection) MAY BE applied " "to the referenced elements. To indicate that the PolicySets " "ARE being enforced for the element, use the " "PolicySetAppliesToElement association.")] class CIM_ElementInPolicyRoleCollection : CIM_MemberOfCollection { [Aggregate, Override ( "Collection" ), Description ( "The PolicyRoleCollection.")] CIM_PolicyRoleCollection REF Collection; [Override ( "Member" ), Description ( "The ManagedElement that plays the role represented by the " "PolicyRoleCollection.")] CIM_ManagedElement REF Member; }; // ================================================================== // PolicyRoleCollectionInSystem // ================================================================== [Association, Version ( "2.7.0" ), Description ( "PolicyRoleCollectionInSystem is an association used to " "establish a relationship between a collection and an 'owning' " "System such as an AdminDomain or ComputerSystem.")] class CIM_PolicyRoleCollectionInSystem : CIM_HostedCollection { [Override ( "Antecedent" ), Min ( 1 ), Max ( 1 ), Description ( "The parent system responsible for the collection.")] CIM_System REF Antecedent; [Override ( "Dependent" ), Description ( "The Collection.")] CIM_PolicyRoleCollection REF Dependent; }; // ================================================================== // PolicyConditionInPolicyRepository *** deprecated // ================================================================== [Association, Deprecated { "CIM_ReusablePolicy" }, Version ( "2.7.0" ), Description ( "The ReusablePolicy association is a more general relationship " "that incorporates both Conditions and Actions as well as any " "other policy subclass. \n" "\n" "This class represents the hosting of reusable PolicyConditions " "by a PolicyRepository. A reusable Policy Condition is always " "related to a single PolicyRepository, via this association. \n" "\n" "Note, that an instance of PolicyCondition can be either " "reusable or rule-specific. When the Condition is rule- " "specific, it shall not be related to any PolicyRepository via " "the PolicyConditionInPolicyRepository association.")] class CIM_PolicyConditionInPolicyRepository : CIM_PolicyInSystem { [Deprecated { "CIM_ReusablePolicy.Antecedent" }, Override ( "Antecedent" ), Max ( 1 ), Description ( "This property identifies a PolicyRepository hosting one or " "more PolicyConditions. A reusable PolicyCondition is always " "related to exactly one PolicyRepository via the " "PolicyConditionInPolicyRepository association. The [0..1] " "cardinality for this property covers the two types of " "PolicyConditions: 0 for a rule-specific PolicyCondition, 1 " "for a reusable one.")] CIM_PolicyRepository REF Antecedent; [Deprecated { "CIM_ReusablePolicy.Dependent" }, Override ( "Dependent" ), Description ( "This property holds the name of a PolicyCondition hosted in " "the PolicyRepository.")] CIM_PolicyCondition REF Dependent; }; // ================================================================== // PolicyActionInPolicyRepository *** deprecated // ================================================================== [Association, Deprecated { "CIM_ReusablePolicy" }, Version ( "2.7.0" ), Description ( "The ReusablePolicy association is a more general relationship " "that incorporates both Conditions and Actions as well as any " "other policy subclass. \n" "\n" "This class represents the hosting of reusable PolicyActions by " "a PolicyRepository. A reusable Policy Action is always related " "to a single PolicyRepository, via this association. \n" "\n" "Note, that an instance of PolicyAction can be either reusable " "or rule-specific. When the Action is rule- specific, it shall " "not be related to any PolicyRepository via the " "PolicyActionInPolicyRepository association.")] class CIM_PolicyActionInPolicyRepository : CIM_PolicyInSystem { [Deprecated { "CIM_ReusablePolicy.Antecedent" }, Override ( "Antecedent" ), Max ( 1 ), Description ( "This property represents a PolicyRepository hosting one or " "more PolicyActions. A reusable PolicyAction is always " "related to exactly one PolicyRepository via the " "PolicyActionInPolicyRepository association. The [0..1] " "cardinality for this property covers the two types of " "PolicyActions: 0 for a rule-specific PolicyAction, 1 for a " "reusable one.")] CIM_PolicyRepository REF Antecedent; [Deprecated { "CIM_ReusablePolicy.Dependent" }, Override ( "Dependent" ), Description ( "This property holds the name of a PolicyAction hosted in " "the PolicyRepository.")] CIM_PolicyAction REF Dependent; }; // ================================================================== // PolicySetInRoleCollection // ================================================================== [Association, Aggregation, Version ( "2.8.0" ), Description ( "PolicySetInRoleCollection aggregates zero or more PolicyRules " "and PolicyGroups (i.e., the subclasses of PolicySet) into a " "PolicyRoleCollection object, representing a role " "supported/enforced by the PolicySet.")] class CIM_PolicySetInRoleCollection : CIM_MemberOfCollection { [Aggregate, Override ( "Collection" ), Description ( "The PolicyRoleCollection.")] CIM_PolicyRoleCollection REF Collection; [Override ( "Member" ), Description ( "The PolicySet that supports/enforces the PolicyRole for the " "elements in the PolicyRoleCollection.")] CIM_PolicySet REF Member; }; // ================================================================== // PolicySetAppliesToElement // ================================================================== [Association, Version ( "2.8.0" ), Description ( "PolicySetAppliesToElement makes explicit which PolicySets " "(i.e., policy rules and groups of rules) ARE CURRENTLY applied " "to a particular Element. This association indicates that the " "PolicySets that are appropriate for a ManagedElement " "(specified using the PolicyRoleCollection aggregation) have " "actually been deployed in the policy management " "infrastructure. Note that if the named Element refers to a " "Collection, then the PolicySet is assumed to be applied to all " "the members of the Collection.")] class CIM_PolicySetAppliesToElement { [Key, Description ( "The PolicyRules and/or groups of rules that are currently " "applied to an Element.")] CIM_PolicySet REF PolicySet; [Key, Description ( "The ManagedElement to which the PolicySet applies.")] CIM_ManagedElement REF ManagedElement; }; // ================================================================== // FilterOfPacketCondition // ================================================================== [Association, Version ( "2.8.0" ), Description ( "FilterOfPacketCondition associates a network traffic " "specification (i.e., a FilterList) with a PolicyRule's " "PacketFilterCondition."), MappingStrings { "IPSP Policy Model.IETF|FilterOfSACondition" }] class CIM_FilterOfPacketCondition : CIM_Dependency { [Override ( "Antecedent" ), Min ( 1 ), Max ( 1 ), Description ( "A FilterList describes the traffic selected by the " "PacketFilterCondition. A PacketFilterCondition is " "associated with one and only one FilterList, but that " "filter list may aggregate many filter entries."), MappingStrings { "IPSP Policy Model.IETF|" "FilterOfSACondition.Antecedent" }] CIM_FilterList REF Antecedent; [Override ( "Dependent" ), Description ( "The PacketFilterCondition that uses the FilterList as part " "of a PolicyRule."), MappingStrings { "IPSP Policy Model.IETF|" "FilterOfSACondition.Dependent" }] CIM_PacketFilterCondition REF Dependent; }; // ================================================================== // AcceptCredentialFrom // ================================================================== [Association, Version ( "2.8" ), Description ( "This association specifies that a credential management " "service (e.g., CertificateAuthority or Kerberos key " "distribution service) is to be trusted to certify credentials, " "presented at the packet level. The association defines an " "'approved' CredentialManagementService that is used for " "validation. \n" "\n" "The use of this class is best explained via an example: \n" "If a CertificateAuthority is specified using this association, " "and a corresponding X509CredentialFilterEntry is also " "associated with a PacketFilterCondition (via the relationship, " "FilterOfPacketCondition), then the credential MUST match the " "FilterEntry data AND be certified by that CA (or one of the " "CredentialManagementServices in its trust hierarchy). " "Otherwise, the X509CredentialFilterEntry is deemed not to " "match. If a credential is certified by a " "CredentialManagementService associated with the " "PacketFilterCondition through the AcceptCredentialFrom " "relationship, but there is no corresponding " "CredentialFilterEntry, then all credentials from the related " "service are considered to match."), MappingStrings { "IPSP Policy Model.IETF|AcceptCredentialFrom" }] class CIM_AcceptCredentialFrom : CIM_Dependency { [Override ( "Antecedent" ), Description ( "The CredentialManagementService that is issuing the " "credential to be matched in the PacketFilterCondition."), MappingStrings { "IPSP Policy " "Model.IETF|AcceptCredentialFrom.Antecedent" }] CIM_CredentialManagementService REF Antecedent; [Override ( "Dependent" ), Description ( "The PacketFilterCondition that associates the " "CredentialManagementService and any " "FilterLists/FilterEntries."), MappingStrings { "IPSP Policy " "Model.IETF|AcceptCredentialFrom.Dependent" }] CIM_PacketFilterCondition REF Dependent; }; // =================================================================== // end of file // ===================================================================