1 karl 1.1 // ===================================================================
2 // Title: Policy Model
3 // $State: Preliminary $
4 // $Date: 2004/07/06 16:47:21 $
5 // $Source: /home/dmtf2/dotorg/var/cvs/repositories/dev/Schema/MOF/CIM_Policy.mof,v $
6 // $Revision: 1.6 $
7 // ===================================================================
8 //#pragma inLine ("Includes/copyright.inc")
9 // Copyright 1998-2004 Distributed Management Task Force, Inc. (DMTF).
10 // All rights reserved.
11 // DMTF is a not-for-profit association of industry members dedicated
12 // to promoting enterprise and systems management and interoperability.
13 // DMTF specifications and documents may be reproduced for uses
14 // consistent with this purpose by members and non-members,
15 // provided that correct attribution is given.
16 // As DMTF specifications may be revised from time to time,
17 // the particular version and release date should always be noted.
18 //
19 // Implementation of certain elements of this standard or proposed
20 // standard may be subject to third party patent rights, including
21 // provisional patent rights (herein "patent rights"). DMTF makes
22 karl 1.1 // no representations to users of the standard as to the existence
23 // of such rights, and is not responsible to recognize, disclose, or
24 // identify any or all such third party patent right, owners or
25 // claimants, nor for any incomplete or inaccurate identification or
26 // disclosure of such rights, owners or claimants. DMTF shall have no
27 // liability to any party, in any manner or circumstance, under any
28 // legal theory whatsoever, for failure to recognize, disclose, or
29 // identify any such third party patent rights, or for such party's
30 // reliance on the standard or incorporation thereof in its product,
31 // protocols or testing procedures. DMTF shall have no liability to
32 // any party implementing such standard, whether such implementation
33 // is foreseeable or not, nor to any patent owner or claimant, and shall
34 // have no liability or responsibility for costs or losses incurred if
35 // a standard is withdrawn or modified after publication, and shall be
36 // indemnified and held harmless by any party implementing the
37 // standard from any and all claims of infringement by a patent owner
38 // for such implementations.
39 //
40 // For information about patents held by third-parties which have
41 // notified the DMTF that, in their opinion, such patent may relate to
42 // or impact implementations of DMTF standards, visit
43 karl 1.1 // http://www.dmtf.org/about/policies/disclosures.php.
44 //#pragma inLine
45 // ===================================================================
46 // Description: The Policy Model provides a framework for specifying
47 // configuration and operational information in a scalable
48 // way using rules composed of conditions and actions.
49 //
50 // The object classes below are listed in an order that
51 // avoids forward references. Required objects, defined
52 // by other working groups, are omitted.
53 // ===================================================================
54 // CIM V2.9 Changes (Preliminary)
55 // DMTFCR1342 -
56 // Provides a PrivilegePropagationRule in support of the
57 // Change/ShowAccess methods.
58 // DMTFCR1337 -
59 // AuthorizationRule is the corollary to AuthenticationRule
60 // DMTFCR1303 -
61 // Add match 'all' to the CIM_PolicySet.PolicyDecisionStrategy
62 // DMTFCR1393 -
63 // Define QueryConditions and Actions, removing any dependency
64 karl 1.1 // on query result
65 // implementation
66 //
67 // CIM V2.8 Changes (Final)
68 // DMTFCR1213 -
69 // Keep Experimental for 2.8.1000
70 // PolicyRoleCollection.ActivatePolicySet(),
71 // PolicyRoleCollection.DeactivatePolicySet()
72 // PolicySetInRoleCollection
73 // DMTFCR1212 -
74 // Remove the property, FilterEvaluation, from
75 // PacketFilterCondition. It specifies whether the filters
76 // are applied at ingress, egress or both, but this is
77 // already defined by the FilterList.Direction property.
78 // Property to be taken Final, and the class Version qualifier
79 // to be updated to "2.8.0": PolicyAction.DoActionLogging
80 // Classes to be promoted to FINAL status and their Version
81 // qualifiers set to "2.8.0": PacketFilterCondition,
82 // NetworkPacketAction, RejectConnectionAction,
83 // FilterOfPacketCondition (ties the FilterList to the
84 // PacketFilterCondition), AcceptCredentialFrom
85 karl 1.1 // DMTFCR1211 -
86 // Delete the class, ChallengeQuestionAuthentication,
87 // since it is just a kind of SharedSecret.
88 // Add "identifier" properties to DocumentAuthentication,
89 // PhysicalCredentialAuthentication and
90 // BiometricAuthentication.
91 // Classes to be promoted to FINAL status, and their Version
92 // qualifiers updated to "2.8.0":
93 //
94 // CIM V2.8 Changes (Company Review)
95 // DMTFCR1104 -Replace the class definition of
96 // AuthenticationCondition
97 // Add the following class definitions:
98 // SharedSecretAuthentication, AccountAuthentication,
99 // BiometricAuthentication, NetworkingIDAuthentication,
100 // PublicPrivateKeyAuthentication, KerberosAuthentication,
101 // DocumentAuthentication, ChallengeQuestionAuthentication
102 // (Deleted in Final),
103 // and PhysicalCredentialAuthentication
104 // DMTFCR1105 - Generalize the SACondition class (from the Networks)
105 // to be PacketFilterCondition and defined here in Policy.
106 karl 1.1 // Add FilterOfPacketCondition and AcceptCredentialFrom
107 // class definitions.
108 // Move FilterOfPacketCondition to Network_IPsecPolicy to
109 // avoid a forward reference.
110 // DMTFCR1106 - Add DoActionLogging property to PolicyAction
111 // Add NetworkPacketAction class definition
112 // Add RejectConnectionAction class definition
113 // DMTFCR1128 - Change subclassing of PolicyInSystem from
114 // Dependency to HostedDependency.
115 //
116 // CIM V2.8 Changes
117 // DMTFCR1057 - Explicit declaration of PolicySets that apply to
118 // ManagedElements, via PolicyRoleCollections
119 // DMTFCR1058 - Activate/deactivate PolicySets which match a
120 // particular PolicyRole on a particular ManagedElement
121 // DMTFCR1060 - Add AuthenticationCondition and AuthenticationRule
122 // subclasses of PolicyCondition/PolicyRule
123 //
124 // CIM V2.7 Changes
125 // DMTFCR985 - Promote Deprecations to V2.7 Final
126 // DMTFCR960 - Remove Weak Qualifier from PolicyRoleCollection and
127 karl 1.1 // derive from SystemSpecificCollection instead of Collection
128 // DMTFCR930 - Implementation Experience with the Policy 2.7 Model
129 // - Move PolicyRule.Enabled to PolicySet.Enabled
130 // - Move PolicyTimePeriodCondition up to PolicySet and
131 // make clear how to specify global time period with respect to
132 // a given time zone
133 // - Deprecate policy role combinations
134 // - Add Unconditional to PolicyRule.ConditionListType
135 // - Deprecate PolicyRule.Mandatory
136 // CIMCR914 - Added propagated keys in PolicyRoleCollection
137 // CIMCR906 - Add text to PolicySetComponent's Description and the
138 // class' Priority property to indicate that the values
139 // of Priority must be unique
140 // With promotion of Component to ManagedElement,
141 // added CIM_Component as superclass of CIM_PolicyComponent
142 // (there is no other change to the semantics or syntax)
143 // CIMCR625 - Add CompoundPolicyCondition as PolicyCondition
144 // subclass
145 // - Add PolicyConditionStructure abstract aggregation as a
146 // subclass of PolicyComponent
147 // - Change derivation of PolicyConditionInPolicyRule from
148 karl 1.1 // PolicyComponent to PolicyConditionStructure and move
149 // GroupNumber and ConditionNegated properties up to parent
150 // class
151 // - Add PolicyConditionInPolicyCondition aggregation as a
152 // subclass of PolicyConditionStructure
153 // - Add PolicyRoleCollection as Collection subclass
154 // - Add ElementInPolicyRoleCollection as MemberOfCollection
155 // subclass
156 // - Add PolicyRoleCollectionInSystem as Dependency subclass
157 //
158 // CIM V2.6 Changes
159 // CIMCR614 - Add CompoundPolicyAction
160 // - Add CompoundPolicyAction as a subclass of PolicyAction
161 // - Add PolicyActionStructure abstract aggregation as a
162 // subclass of PolicyComponent
163 // - Change derivation of PolicyActionInPolicyRule from
164 // PolicyComponent to PolicyActionStructure and, thus,
165 // move ActionOrder property up to parent class
166 // - Add PolicyActionInPolicyAction aggregation as a
167 // subclass of PolicyActionStructure
168 // CIMCR597a - PCIMe updates
169 karl 1.1 // - Edit Policy description
170 // - Add PolicySet & derive PolicyGroup & PolicyRule
171 // - Deprecate PolicyRule.Priority for
172 // PolicySetComponent.Priority
173 // - Remove PolicyRule.PolicyRoles (it's in PolicySet)
174 // - Add PolicyRule.ExecutionStrategy
175 // - Deprecate PolicyRepository & replace with
176 // ReusablePolicyContainer
177 // - Add PolicySetInSystem
178 // - Add PolicySetComponent & deprecate ...InPolicyGroup
179 // & derive PolicyGroupInSystem & PolicyRuleInSystem
180 // - Add ContainedDomain (to Core)
181 // & deprecate PolicyRepositoryInPolicyRepository
182 // - Add ReusablePolicy & deprecate ...InPolicyRepository
183 // ==================================================================
184
185 #pragma Locale ("en-US")
186
187
188 // ==================================================================
189 // Compile prerequisite: Core, Network and User MOFs
190 karl 1.1 // Network MOF is needed for FilterList, and the User MOF for
191 // CredentialManagementService
192 // ==================================================================
193
194
195 // ==================================================================
196 // Policy
197 // ==================================================================
// CIM_Policy is an abstract class derived from CIM_ManagedElement. In this
// file CIM_PolicySet and CIM_PolicyCondition derive from it. It adds two
// descriptive properties and declares no Key properties of its own.
[Abstract, Version ( "2.6.0" ), Description (
    "An abstract class defining the common properties of the policy "
    "managed elements derived from CIM_Policy. The subclasses are "
    "used to create rules and groups of rules that work together to "
    "form a coherent set of policies within an administrative "
    "domain or set of domains.")]
class CIM_Policy : CIM_ManagedElement {

    // Display name only: not a Key, and no MaxLen qualifier is declared.
    [Description (
        "A user-friendly name of this policy-related object.")]
    string CommonName;

    // Free-form classification labels. No ValueMap is declared, so the
    // keyword list in the Description ('SECURITY', 'POLICY', ...) is
    // documentation rather than a schema-enforced enumeration.
    // NOTE(review): consumers should presumably treat these values as
    // descriptive tags, not as input to an enforcement decision - confirm.
    [Description (
        "An array of keywords for characterizing / categorizing "
        "policy objects. Keywords are of one of two types: \n"
        "- Keywords defined in this and other MOFs, or in DMTF white "
        "papers. These keywords provide a vendor- independent, "
        "installation-independent way of characterizing policy "
        "objects. \n"
        "- Installation-dependent keywords for characterizing policy "
        "objects. Examples include 'Engineering', 'Billing', and "
        "'Review in December 2000'. \n"
        "This MOF defines the following keywords: 'UNKNOWN', "
        "'CONFIGURATION', 'USAGE', 'SECURITY', 'SERVICE', "
        "'MOTIVATIONAL', 'INSTALLATION', and 'EVENT'. These concepts "
        "are self-explanatory and are further discussed in the "
        "SLA/Policy White Paper. One additional keyword is defined: "
        "'POLICY'. The role of this keyword is to identify "
        "policy-related instances that may not be otherwise "
        "identifiable, in some implementations. The keyword 'POLICY' "
        "is NOT mutually exclusive of the other keywords specified "
        "above.")]
    string PolicyKeywords[];
};
232 karl 1.1
233
234 // ==================================================================
235 // PolicySet
236 // ==================================================================
// CIM_PolicySet is the abstract parent of CIM_PolicyGroup and CIM_PolicyRule.
// It carries the decision strategy, the deprecated PolicyRoles array and the
// administrative Enabled state shared by both subclasses.
// The class Description spells the role association as
// "PolicySetInRole Collection" (with a space); the Deprecated qualifier on
// PolicyRoles below names it CIM_PolicySetInRoleCollection.
[Abstract, Version ( "2.8.0" ), Description (
    "PolicySet is an abstract class that represents a set of "
    "policies that form a coherent set. The set of contained "
    "policies has a common decision strategy and a common set of "
    "policy roles (defined via the PolicySetInRole Collection "
    "association). Subclasses include PolicyGroup and PolicyRule.")]
class CIM_PolicySet : CIM_Policy {
    // Evaluation method for the contained policies: 1 = First Matching,
    // 2 = All. Rule order comes from PolicySetComponent.Priority in both
    // cases. Under 'All' the Description requires processing of every
    // matching rule to complete regardless of errors in rule actions, so a
    // failed action in one rule does not stop later matching rules.
    // No initializer is declared, so this property has no schema default.
    [Description (
        "PolicyDecisionStrategy defines the evaluation method used "
        "for policies contained in the PolicySet. There are two "
        "values currently defined: \n"
        "- 'First Matching' (1) executes the actions of the first "
        "rule whose conditions evaluate to TRUE. The concept of "
        "'first' is determined by examining the priority of the rule "
        "within the policy set (i.e., by examining the property, "
        "PolicySetComponent.Priority). Note that this ordering "
        "property MUST be maintained when processing the "
        "PolicyDecisionStrategy. \n"
        "- 'All' (2) executes the actions of ALL rules whose "
        "conditions evaluate to TRUE, in the set. As noted above, "
        "the order of processing of the rules is defined by the "
        "property, PolicySetComponent.Priority (and within a rule, "
        "the ordering of the actions is defined by the property, "
        "PolicyActionStructure.ActionOrder). Note that when this "
        "strategy is defined, processing MUST be completed of ALL "
        "rules whose conditions evaluate to TRUE, regardless of "
        "errors in the execution of the rule actions."),
        ValueMap { "1", "2" },
        Values { "First Matching", "All" }]
    uint16 PolicyDecisionStrategy;

    // Deprecated in favour of the CIM_PolicySetInRoleCollection association.
    // Contained PolicySets inherit the aggregating set's roles without the
    // values being copied, and may add their own.
    // A "role combination" is written <RoleName>[&&<RoleName>]* with the
    // names in alphabetical order. Implementations may compare such values
    // as simple strings, so the ordering rule is what makes two spellings
    // of the same combination compare equal.
    [Deprecated { "CIM_PolicySetInRoleCollection" }, Description (
        "The PolicyRoles property represents the roles associated "
        "with a PolicySet. All contained PolicySet instances inherit "
        "the values of the PolicyRoles of the aggregating PolicySet "
        "but the values are not copied. A contained PolicySet "
        "instance may, however, add additional PolicyRoles to those "
        "it inherits from its aggregating PolicySet(s). Each value "
        "in PolicyRoles multi-valued property represents a role for "
        "which the PolicySet applies, i.e., the PolicySet should be "
        "used by any enforcement point that assumes any of the "
        "listed PolicyRoles values. \n"
        "\n"
        "Although not officially designated as 'role combinations', "
        "multiple roles may be specified using the form: \n"
        "<RoleName>[&&<RoleName>]* \n"
        "where the individual role names appear in alphabetical "
        "order (according to the collating sequence for UCS-2). "
        "Implementations may treat PolicyRoles values that are "
        "specified as 'role combinations' as simple strings. \n"
        "\n"
        "This property is deprecated in lieu of the use of an "
        "association, CIM_PolicySetInRoleCollection. The latter is a "
        "more explicit and less error-prone approach to modeling "
        "that a PolicySet has one or more PolicyRoles.")]
    string PolicyRoles[];

    // Administrative state: 1 = Enabled, 2 = Disabled, 3 = Enabled For Debug.
    // The Description specifies fail-closed handling: 'Enabled For Debug'
    // and any value the receiver does not understand are treated as
    // Disabled. The effective state is the AND of the Enabled values along
    // the PolicySetComponent containment hierarchy, so disabling a
    // PolicyGroup disables everything it aggregates.
    // The initializer makes an instance Enabled (1) when no value is given.
    [Description (
        "Indicates whether this PolicySet is administratively "
        "enabled, administratively disabled, or enabled for debug. "
        "The \"EnabledForDebug\" property value is deprecated and, "
        "when it or any value not understood by the receiver is "
        "specified, the receiving enforcement point treats the "
        "PolicySet as \"Disabled\". To determine if a PolicySet is "
        "\"Enabled\", the containment hierarchy specified by the "
        "PolicySetComponent aggregation is examined and the Enabled "
        "property values of the hierarchy are ANDed together. Thus, "
        "for example, everything aggregated by a PolicyGroup may be "
        "disabled by setting the Enabled property in the PolicyGroup "
        "instance to \"Disabled\" without changing the Enabled "
        "property values of any of the aggregated instances. The "
        "default value is 1 (\"Enabled\")."),
        ValueMap { "1", "2", "3" },
        Values { "Enabled", "Disabled", "Enabled For Debug" }]
    uint16 Enabled = 1;
};
313
314
315 // ==================================================================
316 karl 1.1 // PolicyGroup
317 // ==================================================================
// CIM_PolicyGroup is a concrete CIM_PolicySet that aggregates other
// PolicySets. An instance is identified by four Key strings, each limited to
// 256 characters by MaxLen; the first two are propagated from the scoping
// CIM_System.
[Version ( "2.6.0" ), Description (
    "An aggregation of PolicySet instances (PolicyGroups and/or "
    "PolicyRules) that have the same decision strategy and inherit "
    "policy roles. PolicyGroup instances are defined and named "
    "relative to the CIM_System that provides their context.")]
class CIM_PolicyGroup : CIM_PolicySet {

    // Key propagated from CIM_System.CreationClassName.
    [Key, Propagated ( "CIM_System.CreationClassName" ),
        Description (
        "The scoping System's CreationClassName."),
        MaxLen ( 256 )]
    string SystemCreationClassName;

    // Key propagated from CIM_System.Name.
    [Key, Propagated ( "CIM_System.Name" ), Description (
        "The scoping System's Name."),
        MaxLen ( 256 )]
    string SystemName;

    // Key naming the class or subclass the instance was created from.
    [Key, Description (
        "CreationClassName indicates the name of the class or the "
        "subclass used in the creation of an instance. When used "
        "with the other key properties of this class, this property "
        "allows all instances of this class and its subclasses to be "
        "uniquely identified."),
        MaxLen ( 256 )]
    string CreationClassName;

    // Key; despite the "user-friendly" wording this name is part of the
    // instance identity.
    [Key, Description (
        "A user-friendly name of this PolicyGroup."),
        MaxLen ( 256 )]
    string PolicyGroupName;
};
350
351
352 // ==================================================================
353 // PolicyRule
354 // ==================================================================
// CIM_PolicyRule models "if condition then action". Conditions and actions
// are not properties of this class: the Description ties them to a rule
// through the PolicyConditionInPolicyRule and PolicyActionInPolicyRule
// aggregations, and validity periods through PolicySetValidityPeriod.
// The class itself declares four Key strings plus the properties that say
// how the aggregated conditions and actions are to be interpreted.
// For nested rules the Description requires that side effects of condition
// evaluation or action execution MUST NOT change the result of other
// conditions evaluated in the same pass.
[Version ( "2.7.0" ), Description (
    "The central class used for representing the 'If Condition then "
    "Action' semantics of a policy rule. A PolicyRule condition, in "
    "the most general sense, is represented as either an ORed set "
    "of ANDed conditions (Disjunctive Normal Form, or DNF) or an "
    "ANDed set of ORed conditions (Conjunctive Normal Form, or "
    "CNF). Individual conditions may either be negated (NOT C) or "
    "unnegated (C). The actions specified by a PolicyRule are to be "
    "performed if and only if the PolicyRule condition (whether it "
    "is represented in DNF or CNF) evaluates to TRUE. \n"
    "\n"
    "The conditions and actions associated with a PolicyRule are "
    "modeled, respectively, with subclasses of PolicyCondition and "
    "PolicyAction. These condition and action objects are tied to "
    "instances of PolicyRule by the PolicyConditionInPolicyRule and "
    "PolicyActionInPolicyRule aggregations. \n"
    "\n"
    "A PolicyRule may also be associated with one or more policy "
    "time periods, indicating the schedule according to which the "
    "policy rule is active and inactive. In this case it is the "
    "PolicySetValidityPeriod aggregation that provides this "
    "linkage. \n"
    "\n"
    "The PolicyRule class uses the property ConditionListType, to "
    "indicate whether the conditions for the rule are in DNF "
    "(disjunctive normal form), CNF (conjunctive normal form) or, "
    "in the case of a rule with no conditions, as an "
    "UnconditionalRule. The PolicyConditionInPolicyRule aggregation "
    "contains two additional properties to complete the "
    "representation of the Rule's conditional expression. The first "
    "of these properties is an integer to partition the referenced "
    "PolicyConditions into one or more groups, and the second is a "
    "Boolean to indicate whether a referenced Condition is negated. "
    "An example shows how ConditionListType and these two "
    "additional properties provide a unique representation of a set "
    "of PolicyConditions in either DNF or CNF. \n"
    "\n"
    "Suppose we have a PolicyRule that aggregates five "
    "PolicyConditions C1 through C5, with the following values in "
    "the properties of the five PolicyConditionInPolicyRule "
    "associations: \n"
    "C1: GroupNumber = 1, ConditionNegated = FALSE \n"
    "C2: GroupNumber = 1, ConditionNegated = TRUE \n"
    "C3: GroupNumber = 1, ConditionNegated = FALSE \n"
    "C4: GroupNumber = 2, ConditionNegated = FALSE \n"
    "C5: GroupNumber = 2, ConditionNegated = FALSE \n"
    "\n"
    "If ConditionListType = DNF, then the overall condition for the "
    "PolicyRule is: \n"
    "(C1 AND (NOT C2) AND C3) OR (C4 AND C5) \n"
    "\n"
    "On the other hand, if ConditionListType = CNF, then the "
    "overall condition for the PolicyRule is: \n"
    "(C1 OR (NOT C2) OR C3) AND (C4 OR C5) \n"
    "\n"
    "In both cases, there is an unambiguous specification of the "
    "overall condition that is tested to determine whether to "
    "perform the PolicyActions associated with the PolicyRule. \n"
    "\n"
    "PolicyRule instances may also be used to aggregate other "
    "PolicyRules and/or PolicyGroups. When used in this way to "
    "implement nested rules, the conditions of the aggregating rule "
    "apply to the subordinate rules as well. However, any side "
    "effects of condition evaluation or the execution of actions "
    "MUST NOT affect the result of the evaluation of other "
    "conditions evaluated by the rule engine in the same evaluation "
    "pass. That is, an implementation of a rule engine MAY evaluate "
    "all conditions in any order before applying the priority and "
    "determining which actions are to be executed.")]
class CIM_PolicyRule : CIM_PolicySet {

    // Key propagated from CIM_System.CreationClassName.
    [Key, Propagated ( "CIM_System.CreationClassName" ),
        Description (
        "The scoping System's CreationClassName."),
        MaxLen ( 256 )]
    string SystemCreationClassName;

    // Key propagated from CIM_System.Name.
    [Key, Propagated ( "CIM_System.Name" ), Description (
        "The scoping System's Name."),
        MaxLen ( 256 )]
    string SystemName;

    // Key naming the class or subclass the instance was created from.
    [Key, Description (
        "CreationClassName indicates the name of the class or the "
        "subclass used in the creation of an instance. When used "
        "with the other key properties of this class, this property "
        "allows all instances of this class and its subclasses to be "
        "uniquely identified."),
        MaxLen ( 256 )]
    string CreationClassName;

    // Key; part of the instance identity.
    [Key, Description (
        "A user-friendly name of this PolicyRule."),
        MaxLen ( 256 )]
    string PolicyRuleName;

    // How the aggregated conditions combine: 0 = Unconditional Rule,
    // 1 = DNF (the initializer's default), 2 = CNF.
    // With 0 the rule has no conditions and is automatically evaluated to
    // "True", so its actions are not gated by any condition.
    // NOTE(review): a change of this property to 0 presumably deserves the
    // same scrutiny as a change to the rule's conditions - confirm against
    // the provider's change-control expectations.
    [Description (
        "Indicates whether the list of PolicyConditions associated "
        "with this PolicyRule is in disjunctive normal form (DNF), "
        "conjunctive normal form (CNF), or has no conditions (i.e., "
        "is an UnconditionalRule) and is automatically evaluated to "
        "\"True.\" The default value is 1 (\"DNF\")."),
        ValueMap { "0", "1", "2" },
        Values { "Unconditional Rule", "DNF", "CNF" }]
    uint16 ConditionListType = 1;

    // Free-form usage guidance; no MaxLen or ValueMap is declared.
    [Description (
        "A free-form string that can be used to provide guidelines "
        "on how this PolicyRule should be used.")]
    string RuleUsage;

    // Deprecated in favour of CIM_PolicySetComponent.Priority, which gives
    // the priority per aggregating PolicySet. Larger value = higher
    // priority; the initializer defaults it to 0.
    [Deprecated { "CIM_PolicySetComponent.Priority" }, Description (
        "PolicyRule.Priority is deprecated and replaced by providing "
        "the priority for a rule (and a group) in the context of the "
        "aggregating PolicySet instead of the priority being used "
        "for all aggregating PolicySet instances. Thus, the "
        "assignment of priority values is much simpler. \n"
        "\n"
        "A non-negative integer for prioritizing this Policy Rule "
        "relative to other Rules. A larger value indicates a higher "
        "priority. The default value is 0.")]
    uint16 Priority=0;

    // Deprecated with "No Value", i.e. no replacement element is named.
    // No initializer is declared. When FALSE the Description allows the
    // rule's evaluation to be ignored ('best effort').
    [Deprecated { "No Value" }, Description (
        "A flag indicating that the evaluation of the Policy "
        "Conditions and execution of PolicyActions (if the "
        "Conditions evaluate to TRUE) is required. The evaluation of "
        "a PolicyRule MUST be attempted if the Mandatory property "
        "value is TRUE. If the Mandatory property is FALSE, then the "
        "evaluation of the Rule is 'best effort' and MAY be ignored.")]
    boolean Mandatory;

    // How strictly the declared action order must be followed:
    // 1 = Mandatory, 2 = Recommended, 3 = Dont Care (the default).
    // The Description writes the default as "DontCare" while the Values
    // entry is "Dont Care"; the Values array is the declared display string.
    [Description (
        "This property gives a policy administrator a way of "
        "specifying how the ordering of the PolicyActions associated "
        "with this PolicyRule is to be interpreted. Three values are "
        "supported: \n"
        "o mandatory(1): Do the actions in the indicated order, or "
        "don't do them at all. \n"
        "o recommended(2): Do the actions in the indicated order if "
        "you can, but if you can't do them in this order, do them in "
        "another order if you can. \n"
        "o dontCare(3): Do them -- I don't care about the order. \n"
        "The default value is 3 (\"DontCare\")."),
        ValueMap { "1", "2", "3" },
        Values { "Mandatory", "Recommended", "Dont Care" }]
    uint16 SequencedActions = 3;

    // When to stop running the sequenced actions: 1 = Do Until Success,
    // 2 = Do All (continue even if actions fail), 3 = Do Until Failure.
    // Unlike ConditionListType and SequencedActions, no initializer is
    // declared, so the schema gives this property no default.
    [Description (
        "ExecutionStrategy defines the strategy to be used in "
        "executing the sequenced actions aggregated by this "
        "PolicyRule. There are three execution strategies: \n"
        "\n"
        "Do Until Success - execute actions according to predefined "
        "order, until successful execution of a single action. \n"
        "Do All - execute ALL actions which are part of the modeled "
        "set, according to their predefined order. Continue doing "
        "this, even if one or more of the actions fails. \n"
        "Do Until Failure - execute actions according to predefined "
        "order, until the first failure in execution of an action "
        "instance."),
        ValueMap { "1", "2", "3" },
        Values { "Do Until Success", "Do All", "Do Until Failure" }]
    uint16 ExecutionStrategy;
};
520
521
522 // ==================================================================
523 // AuthenticationRule
524 // ==================================================================
// CIM_AuthenticationRule is a CIM_PolicyRule subclass that adds no
// properties of its own. Per the Description its conditions state when a
// CIM_Identity's CurrentlyAuthenticated Boolean is set to TRUE, and the rule
// has no modeled PolicyActions because that effect is implicit.
// The Description spells the linking association as
// "PolicySet AppliesToElement" (with a space); the string is left as
// published.
// NOTE(review): ConditionListType is inherited from CIM_PolicyRule, where 0
// means "Unconditional Rule". How an implementation should treat an
// AuthenticationRule carrying that value is not stated here - confirm.
[Version ( "2.8.0" ), Description (
    "A class representing a company's and/or administrator's "
    "authentication requirements for a CIM_Identity. The "
    "PolicyConditions collected by an instance of "
    "AuthenticationRule describe the various requirements under "
    "which a CIM_Identity's CurrentlyAuthenticated Boolean is set "
    "to TRUE. Note that the CIM_Identities which are authenticated "
    "are tied to the Rule by the association, PolicySet "
    "AppliesToElement. \n"
    "\n"
    "At this time, there are no actions associated with this "
    "PolicyRule. This is because the actions are implicit. When the "
    "conditions of the rule are met, then the "
    "CurrentlyAuthenticated Boolean properties of the associated "
    "instances of CIM_Identity are set to TRUE.")]
class CIM_AuthenticationRule : CIM_PolicyRule {
};
542
543
544 // ==================================================================
545 // ReusablePolicyContainer
546 // ==================================================================
// CIM_ReusablePolicyContainer is an empty subclass of CIM_AdminDomain used
// as the container for reusable policy elements. It declares no properties;
// the Description fixes the NameFormat value for its instances to
// "ReusablePolicyContainer".
[Version ( "2.6.0" ), Description (
    "A class representing an administratively defined container for "
    "reusable policy-related information. This class does not "
    "introduce any additional properties beyond those in its "
    "superclass AdminDomain. It does, however, participate in a "
    "unique association for containing policy elements. \n"
    "\n"
    "An instance of this class uses the NameFormat value "
    "\"ReusablePolicyContainer\".")]
class CIM_ReusablePolicyContainer : CIM_AdminDomain {
};
558
559
560 // ==================================================================
561 // PolicyRepository *** deprecated
562 // ==================================================================
// CIM_PolicyRepository is deprecated; the Deprecated qualifier names
// CIM_ReusablePolicyContainer as its replacement. Like the replacement it is
// an empty subclass of CIM_AdminDomain, but its instances use the NameFormat
// value "PolicyRepository".
[Deprecated { "CIM_ReusablePolicyContainer" }, Version ( "2.7.0" ),
    Description (
    "The term 'PolicyRepository' has been confusing to both "
    "developers and users of the model. The replacement class name "
    "describes model element properly and is less likely to be "
    "confused with a data repository. \n"
    "\n"
    "A class representing an administratively defined container for "
    "reusable policy-related information. This class does not "
    "introduce any additional properties beyond those in its "
    "superclass AdminDomain. It does, however, participate in a "
    "number of unique associations. \n"
    "\n"
    "An instance of this class uses the NameFormat value "
    "\"PolicyRepository\".")]
class CIM_PolicyRepository : CIM_AdminDomain {
};
580
581
582 // ==================================================================
583 // PolicyCondition
584 // ==================================================================
// CIM_PolicyCondition is the abstract parent of all policy conditions. It
// declares six Key strings, each limited to 256 characters by MaxLen.
// None of the keys carries a Propagated qualifier: the Description of
// SystemCreationClassName says the two System keys repeat values from the
// related System instance rather than being propagated keys.
// NOTE(review): keeping those copies consistent with the related System
// instance is therefore presumably up to the implementation - confirm.
// The Descriptions below still refer to PolicyRepository, which this file
// marks as deprecated in favour of CIM_ReusablePolicyContainer.
[Abstract, Version ( "2.6.0" ), Description (
    "A class representing a rule-specific or reusable policy "
    "condition to be evaluated in conjunction with a Policy Rule. "
    "Since all operational details of a PolicyCondition are "
    "provided in subclasses of this object, this class is abstract.")]
class CIM_PolicyCondition : CIM_Policy {

    // Key: class name of the scoping System (the rule's System for a
    // rule-specific condition, the PolicyRepository for a reusable one).
    [Key, Description (
        "The name of the class or the subclass used in the creation "
        "of the System object in whose scope this PolicyCondition is "
        "defined. \n"
        "\n"
        "This property helps to identify the System object in whose "
        "scope this instance of PolicyCondition exists. For a "
        "rule-specific PolicyCondition, this is the System in whose "
        "context the PolicyRule is defined. For a reusable "
        "PolicyCondition, this is the instance of PolicyRepository "
        "(which is a subclass of System) that holds the Condition. \n"
        "\n"
        "Note that this property, and the analogous property "
        "SystemName, do not represent propagated keys from an "
        "instance of the class System. Instead, they are properties "
        "defined in the context of this class, which repeat the "
        "values from the instance of System to which this "
        "PolicyCondition is related, either directly via the "
        "PolicyConditionInPolicyRepository association or indirectly "
        "via the PolicyConditionInPolicyRule aggregation."),
        MaxLen ( 256 )]
    string SystemCreationClassName;

    // Key: name of the scoping System; pairs with SystemCreationClassName.
    [Key, Description (
        "The name of the System object in whose scope this "
        "PolicyCondition is defined. \n"
        "\n"
        "This property completes the identification of the System "
        "object in whose scope this instance of PolicyCondition "
        "exists. For a rule-specific PolicyCondition, this is the "
        "System in whose context the PolicyRule is defined. For a "
        "reusable PolicyCondition, this is the instance of "
        "PolicyRepository (which is a subclass of System) that holds "
        "the Condition."),
        MaxLen ( 256 )]
    string SystemName;

    // Key: CreationClassName of the owning PolicyRule, or the sentinel
    // string 'NO RULE' for a reusable condition.
    [Key, Description (
        "For a rule-specific PolicyCondition, the CreationClassName "
        "of the PolicyRule object with which this Condition is "
        "associated. For a reusable Policy Condition, a special "
        "value, 'NO RULE', should be used to indicate that this "
        "Condition is reusable and not associated with a single "
        "PolicyRule."),
        MaxLen ( 256 )]
    string PolicyRuleCreationClassName;

    // Key: name of the owning PolicyRule, or the sentinel string 'NO RULE'
    // for a reusable condition.
    [Key, Description (
        "For a rule-specific PolicyCondition, the name of the "
        "PolicyRule object with which this Condition is associated. "
        "For a reusable PolicyCondition, a special value, 'NO RULE', "
        "should be used to indicate that this Condition is reusable "
        "and not associated with a single PolicyRule."),
        MaxLen ( 256 )]
    string PolicyRuleName;

    // Key naming the class or subclass the instance was created from.
    [Key, Description (
        "CreationClassName indicates the name of the class or the "
        "subclass used in the creation of an instance. When used "
        "with the other key properties of this class, this property "
        "allows all instances of this class and its subclasses to be "
        "uniquely identified."),
        MaxLen ( 256 )]
    string CreationClassName;

    // Key; part of the instance identity.
    [Key, Description (
        "A user-friendly name of this PolicyCondition."),
        MaxLen ( 256 )]
    string PolicyConditionName;
};
662
663
664 // ==================================================================
665 // PolicyTimePeriodCondition
666 // ==================================================================
// CIM_PolicyTimePeriodCondition: a PolicyCondition that limits when a
// PolicySet is in effect. Up to five properties (TimePeriod, MonthOfYearMask,
// DayOfMonthMask, DayOfWeekMask, TimeOfDayMask) are ANDed together, and
// LocalOrUtcTime states how all of them are to be read.
//
// NOTE(review): the model is permissive by default. A PolicySet without any
// PolicyTimePeriodCondition is valid at all times, and every property left
// out of an instance counts as 'always enabled'. A consumer that cannot parse
// a value should presumably reject the instance rather than treat the
// property as absent, otherwise a malformed restriction widens the window -
// confirm against the implementation.
// NOTE(review): setup / cleanup on validity transitions (for example whether
// sessions opened while the PolicySet was active are taken down) is left to
// guideline documents or subclasses, so an expiring time window does not by
// itself end sessions that already exist.
667 [Version ( "2.7.0" ), Description (
668 "This class provides a means of representing the time periods "
669 "during which a PolicySet is valid, i.e., active. At all times "
670 "that fall outside these time periods, the PolicySet has no "
671 "effect. A PolicySet is treated as valid at ALL times, if it "
672 "does not specify a PolicyTimePeriodCondition. \n"
673 karl 1.1 "\n"
674 "In some cases a Policy Consumer may need to perform certain "
675 "setup / cleanup actions when a PolicySet becomes active / "
676 "inactive. For example, sessions that were established while a "
677 "PolicySet was active might need to be taken down when the "
678 "PolicySet becomes inactive. In other cases, however, such "
679 "sessions might be left up. In this case, the effect of "
680 "deactivating the PolicySet would just be to prevent the "
681 "establishment of new sessions. \n"
682 "\n"
683 "Setup / cleanup behaviors on validity period transitions are "
684 "not currently addressed by the Policy Model, and must be "
685 "specified in 'guideline' documents or via subclasses of "
686 "CIM_PolicySet, CIM_PolicyTimePeriod Condition or other "
687 "concrete subclasses of CIM_Policy. If such behaviors need to "
688 "be under the control of the policy administrator, then a "
689 "mechanism to allow this control must also be specified in the "
690 "subclasses. \n"
691 "\n"
692 "PolicyTimePeriodCondition is defined as a subclass of "
693 "PolicyCondition. This is to allow the inclusion of time-based "
694 karl 1.1 "criteria in the AND/OR condition definitions for a PolicyRule. "
695 "\n\n"
696 "Instances of this class may have up to five properties "
697 "identifying time periods at different levels. The values of "
698 "all the properties present in an instance are ANDed together "
699 "to determine the validity period(s) for the instance. For "
700 "example, an instance with an overall validity range of January "
701 "1, 2000 through December 31, 2000; a month mask that selects "
702 "March and April; a day-of-the-week mask that selects Fridays; "
703 "and a time of day range of 0800 through 1600 would be "
704 "represented using the following time periods: \n"
705 "Friday, March 5, 2000, from 0800 through 1600; \n"
706 "Friday, March 12, 2000, from 0800 through 1600; \n"
707 "Friday, March 19, 2000, from 0800 through 1600; \n"
708 "Friday, March 26, 2000, from 0800 through 1600; \n"
709 "Friday, April 2, 2000, from 0800 through 1600; \n"
710 "Friday, April 9, 2000, from 0800 through 1600; \n"
711 "Friday, April 16, 2000, from 0800 through 1600; \n"
712 "Friday, April 23, 2000, from 0800 through 1600; \n"
713 "Friday, April 30, 2000, from 0800 through 1600. \n"
714 "\n"
715 karl 1.1 "Properties not present in an instance of "
716 "PolicyTimePeriodCondition are implicitly treated as having "
717 "their value 'always enabled'. Thus, in the example above, the "
718 "day-of-the-month mask is not present, and so the validity "
719 "period for the instance implicitly includes a day-of-the-month "
720 "mask that selects all days of the month. If this 'missing "
721 "property' rule is applied to its fullest, we see that there is "
722 "a second way to indicate that a PolicySet is always enabled: "
723 "associate with it an instance of PolicyTimePeriodCondition "
724 "whose only properties with specific values are its key "
725 "properties.")]
726 class CIM_PolicyTimePeriodCondition : CIM_PolicyCondition {
727
// TimePeriod: overall range, written 'yyyymmddThhmmss/yyyymmddThhmmss'. The
// first part may instead be 'THISANDPRIOR' and the second 'THISANDFUTURE'.
// The end has to be later than the start.
// NOTE(review): no MaxLen or other format qualifier is declared on this
// string, so checking the layout and the start < end rule is left to the
// consumer.
728 [Description (
729 "This property identifies an overall range of calendar dates "
730 "and times over which a PolicySet is valid. It is formatted "
731 "as a string representing a start date and time, in which "
732 "the character 'T' indicates the beginning of the time "
733 "portion, followed by the solidus character '/', followed by "
734 "a similar string representing an end date and time. The "
735 "first date indicates the beginning of the range, while the "
736 karl 1.1 "second date indicates the end. Thus, the second date and "
737 "time must be later than the first. Date/times are expressed "
738 "as substrings of the form yyyymmddThhmmss. For example: \n"
739 "20000101T080000/20000131T120000 defines \n"
740 "January 1, 2000, 0800 through January 31, 2000, noon \n"
741 "\n"
742 "There are also two special cases in which one of the "
743 "date/time strings is replaced with a special string defined "
744 "in RFC 2445. \n"
745 "o If the first date/time is replaced with the string "
746 "'THISANDPRIOR', then the property indicates that a "
747 "PolicySet is valid [from now] until the date/time that "
748 "appears after the '/'. \n"
749 "o If the second date/time is replaced with the string "
750 "'THISANDFUTURE', then the property indicates that a "
751 "PolicySet becomes valid on the date/time that appears "
752 "before the '/', and remains valid from that point on."),
753 ModelCorrespondence {
754 "CIM_PolicyTimePeriodCondition.MonthOfYearMask",
755 "CIM_PolicyTimePeriodCondition.DayOfMonthMask",
756 "CIM_PolicyTimePeriodCondition.DayOfWeekMask",
757 karl 1.1 "CIM_PolicyTimePeriodCondition.TimeOfDayMask",
758 "CIM_PolicyTimePeriodCondition.LocalOrUtcTime" }]
759 string TimePeriod;
760
// MonthOfYearMask: 6 octets in total - a 4-octet length field fixed at
// 0x00000006, then 2 octets holding 12 month bits (January first) followed
// by 4 bits that are always '0'. Absent means all twelve months.
// NOTE(review): the length value and the zero padding are fixed by the
// Description; a consumer would presumably check both before using the bits.
761 [Description (
762 "The purpose of this property is to refine the valid time "
763 "period that is defined by the TimePeriod property, by "
764 "explicitly specifying in which months the PolicySet is "
765 "valid. These properties work together, with the TimePeriod "
766 "used to specify the overall time period in which the "
767 "PolicySet is valid, and the MonthOfYearMask used to pick "
768 "out the months during which the PolicySet is valid. \n"
769 "\n"
770 "This property is formatted as an octet string, structured "
771 "as follows: \n"
772 "o a 4-octet length field, indicating the length of the "
773 "entire octet string; this field is always set to 0x00000006 "
774 "for this property; \n"
775 "o a 2-octet field consisting of 12 bits identifying the 12 "
776 "months of the year, beginning with January and ending with "
777 "December, followed by 4 bits that are always set to '0'. "
778 karl 1.1 "For each month, the value '1' indicates that the policy is "
779 "valid for that month, and the value '0' indicates that it "
780 "is not valid. \n"
781 "\n"
782 "The value 0x000000060830, for example, indicates that a "
783 "PolicySet is valid only in the months May, November, and "
784 "December. \n"
785 "\n"
786 "If a value for this property is not provided, then the "
787 "PolicySet is treated as valid for all twelve months, and "
788 "only restricted by its TimePeriod property value and the "
789 "other Mask properties."),
790 OctetString,
791 ModelCorrespondence {
792 "CIM_PolicyTimePeriodCondition.TimePeriod",
793 "CIM_PolicyTimePeriodCondition.LocalOrUtcTime" }]
794 uint8 MonthOfYearMask[];
795
// DayOfMonthMask: 12 octets in total - a 4-octet length field fixed at
// 0x0000000C, then 8 octets holding 31 bits counted from the start of the
// month, 31 bits counted from the end, and 2 bits that are always '0'.
// Bits for days a month does not have are ignored. Absent means all days.
796 [Description (
797 "The purpose of this property is to refine the valid time "
798 "period that is defined by the TimePeriod property, by "
799 karl 1.1 "explicitly specifying in which days of the month the "
800 "PolicySet is valid. These properties work together, with "
801 "the TimePeriod used to specify the overall time period in "
802 "which the PolicySet is valid, and the DayOfMonthMask used "
803 "to pick out the days of the month during which the "
804 "PolicySet is valid. \n"
805 "\n"
806 "This property is formatted as an octet string, structured "
807 "as follows: \n"
808 "o a 4-octet length field, indicating the length of the "
809 "entire octet string; this field is always set to 0x0000000C "
810 "for this property; \n"
811 "o an 8-octet field consisting of 31 bits identifying the "
812 "days of the month counting from the beginning, followed by "
813 "31 more bits identifying the days of the month counting "
814 "from the end, followed by 2 bits that are always set to "
815 "'0'. For each day, the value '1' indicates that the "
816 "PolicySet is valid for that day, and the value '0' "
817 "indicates that it is not valid. \n"
818 "\n"
819 "The value 0x0000000C8000000100000000, for example, "
820 karl 1.1 "indicates that a PolicySet is valid on the first and last "
821 "days of the month. \n"
822 "\n"
823 "For months with fewer than 31 days, the digits "
824 "corresponding to days that the months do not have (counting "
825 "in both directions) are ignored. \n"
826 "\n"
827 "If a value for this property is not provided, then the "
828 "PolicySet is treated as valid for all days of the month, "
829 "and only restricted by its TimePeriod property value and "
830 "the other Mask properties."),
831 OctetString,
832 ModelCorrespondence {
833 "CIM_PolicyTimePeriodCondition.TimePeriod",
834 "CIM_PolicyTimePeriodCondition.LocalOrUtcTime" }]
835 uint8 DayOfMonthMask[];
836
// DayOfWeekMask: 5 octets in total - a 4-octet length field fixed at
// 0x00000005, then 1 octet holding 7 day bits (Sunday first) and 1 bit that
// is always '0'. Absent means all days of the week.
837 [Description (
838 "The purpose of this property is to refine the valid time "
839 "period that is defined by the TimePeriod property, by "
840 "explicitly specifying in which days of the week the "
841 karl 1.1 "PolicySet is valid. These properties work together, with "
842 "the TimePeriod used to specify the overall time period in "
843 "which the PolicySet is valid, and the DayOfWeekMask used to "
844 "pick out the days of the week during which the PolicySet is "
845 "valid. \n"
846 "\n"
847 "This property is formatted as an octet string, structured "
848 "as follows: \n"
849 "o a 4-octet length field, indicating the length of the "
850 "entire octet string; this field is always set to 0x00000005 "
851 "for this property; \n"
852 "o a 1-octet field consisting of 7 bits identifying the 7 "
853 "days of the week, beginning with Sunday and ending with "
854 "Saturday, followed by 1 bit that is always set to '0'. For "
855 "each day of the week, the value '1' indicates that the "
856 "PolicySet is valid for that day, and the value '0' "
857 "indicates that it is not valid. \n"
858 "\n"
859 "The value 0x000000057C, for example, indicates that a "
860 "PolicySet is valid Monday through Friday. \n"
861 "\n"
862 karl 1.1 "If a value for this property is not provided, then the "
863 "PolicySet is treated as valid for all days of the week, and "
864 "only restricted by its TimePeriod property value and the "
865 "other Mask properties."),
866 OctetString,
867 ModelCorrespondence {
868 "CIM_PolicyTimePeriodCondition.TimePeriod",
869 "CIM_PolicyTimePeriodCondition.LocalOrUtcTime" }]
870 uint8 DayOfWeekMask[];
871
// TimeOfDayMask: 'Thhmmss/Thhmmss'. A second value smaller than the first
// means the range runs past midnight into the following day. When only one
// of the two days is selected by the other masks, the PolicySet is active
// only for the part of the range that falls on the selected day. Absent
// means all hours.
// NOTE(review): the wrap-around case is where an evaluator can most easily
// get the window wrong; the three intervals in the Description make a
// ready-made test vector.
872 [Description (
873 "The purpose of this property is to refine the valid time "
874 "period that is defined by the TimePeriod property, by "
875 "explicitly specifying a range of times in a day during "
876 "which the PolicySet is valid. These properties work "
877 "together, with the TimePeriod used to specify the overall "
878 "time period in which the PolicySet is valid, and the "
879 "TimeOfDayMask used to pick out the range of time periods in "
880 "a given day of during which the PolicySet is valid. \n"
881 "\n"
882 "This property is formatted in the style of RFC 2445: a time "
883 karl 1.1 "string beginning with the character 'T', followed by the "
884 "solidus character '/', followed by a second time string. "
885 "The first time indicates the beginning of the range, while "
886 "the second time indicates the end. Times are expressed as "
887 "substrings of the form 'Thhmmss'. \n"
888 "\n"
889 "The second substring always identifies a later time than "
890 "the first substring. To allow for ranges that span "
891 "midnight, however, the value of the second string may be "
892 "smaller than the value of the first substring. Thus, "
893 "'T080000/T210000' identifies the range from 0800 until "
894 "2100, while 'T210000/T080000' identifies the range from "
895 "2100 until 0800 of the following day. \n"
896 "\n"
897 "When a range spans midnight, it by definition includes "
898 "parts of two successive days. When one of these days is "
899 "also selected by either the MonthOfYearMask, "
900 "DayOfMonthMask, and/or DayOfWeekMask, but the other day is "
901 "not, then the PolicySet is active only during the portion "
902 "of the range that falls on the selected day. For example, "
903 "if the range extends from 2100 until 0800, and the day of "
904 karl 1.1 "week mask selects Monday and Tuesday, then the PolicySet is "
905 "active during the following three intervals: \n"
906 "From midnight Sunday until 0800 Monday; \n"
907 "From 2100 Monday until 0800 Tuesday; \n"
908 "From 2100 Tuesday until 23:59:59 Tuesday. \n"
909 "\n"
910 "If a value for this property is not provided, then the "
911 "PolicySet is treated as valid for all hours of the day, and "
912 "only restricted by its TimePeriod property value and the "
913 "other Mask properties."),
914 ModelCorrespondence {
915 "CIM_PolicyTimePeriodCondition.TimePeriod",
916 "CIM_PolicyTimePeriodCondition.LocalOrUtcTime" }]
917 string TimeOfDayMask;
918
// LocalOrUtcTime: 1 = Local Time, 2 = UTC Time. One setting covers
// TimePeriod and every mask; local and UTC values cannot be mixed. No
// initializer is declared on the property.
// NOTE(review): with Local Time the effective window presumably follows the
// zone and clock of whichever system evaluates the condition, and the
// Description calls for separate instances around Daylight Savings Time
// transitions - confirm which clock the consumer uses.
919 [Description (
920 "This property indicates whether the times represented in "
921 "the TimePeriod property and in the various Mask properties "
922 "represent local times or UTC times. There is no provision "
923 "for mixing of local times and UTC times: the value of this "
924 "property applies to all of the other time-related "
925 karl 1.1 "properties. TimePeriods are synchronized worldwide by using "
926 "the enumeration value 'UTCTime'. If the goal is to "
927 "synchronize worldwide on a particular local time (such as "
928 "0300 - 0500 in New York), then if the TimePeriod property "
929 "spans a Daylight Savings Time transition in New York, it "
930 "will be necessary to create multiple instances of "
931 "PolicyTimePeriodCondition, one based on the offset UTC-0500 "
932 "for the part of each year when standard time is used in New "
933 "York, and one based on the offset UTC-0400 for the part of "
934 "each year when Daylight Savings Time is used there."),
935 ValueMap { "1", "2" },
936 Values { "Local Time", "UTC Time" },
937 ModelCorrespondence {
938 "CIM_PolicyTimePeriodCondition.TimePeriod",
939 "CIM_PolicyTimePeriodCondition.MonthOfYearMask",
940 "CIM_PolicyTimePeriodCondition.DayOfMonthMask",
941 "CIM_PolicyTimePeriodCondition.DayOfWeekMask",
942 "CIM_PolicyTimePeriodCondition.TimeOfDayMask" }]
943 uint16 LocalOrUtcTime;
944 };
945
946 karl 1.1
947 // ==================================================================
948 // CompoundPolicyCondition
949 // ==================================================================
// CIM_CompoundPolicyCondition: a PolicyCondition built from simpler
// conditions that are aggregated through PolicyConditionInPolicyCondition.
950 [Version ( "2.7.0" ), Description (
951 "CompoundPolicyCondition is used to represent compound "
952 "conditions formed by aggregating simpler policy conditions. "
953 "Compound conditions are constructed by associating subordinate "
954 "condition terms together using the "
955 "PolicyConditionInPolicyCondition aggregation.")]
956 class CIM_CompoundPolicyCondition : CIM_PolicyCondition {
957
// ConditionListType: 1 = DNF, 2 = CNF.
// NOTE(review): the Description gives 1 ("DNF") as the default, but the
// declaration carries no initializer, so the schema itself does not supply
// that value. How an unset value is evaluated is presumably up to the
// consumer - confirm, since DNF and CNF readings of the same condition list
// can give different results.
958 [Description (
959 "Indicates whether the list of CompoundPolicyConditions "
960 "associated with this PolicyRule is in disjunctive normal "
961 "form (DNF) or conjunctive normal form (CNF). The default "
962 "value is 1 (\"DNF\")."),
963 ValueMap { "1", "2" },
964 Values { "DNF", "CNF" }]
965 uint16 ConditionListType;
966 };
967 karl 1.1
968 // ====================================================================
969 // QueryCondition
970 // ====================================================================
// CIM_QueryCondition (Experimental): evaluates to true when its Query
// returns at least one result, and makes those results available under
// QueryResultName to other QueryConditions or MethodActions of the same
// PolicyRule. The results are not available via CIM Operations and do not
// persist beyond a single evaluation of the rule.
971 [Experimental, Version ( "2.8.1000" ), Description (
972 "QueryCondition defines the criteria for generating a set of "
973 "query results that are accessible to other QueryConditions or "
974 "MethodActions of the same PolicyRule. If there are no results "
975 "returned from the query, then the Condition evaluates to "
976 "false; otherwise, true. \n"
977 "\n"
978 "QueryConditions are assumed to be constantly evaluated "
979 "whenever precursor PolicyConditions are met. Actual "
980 "implementations may evaluate conditions dynamically, via "
981 "polling, or via other means. \n"
982 "\n"
983 "QueryCondition instances are viewed as clients of query. The "
984 "QueryCondition implementation takes the query results and "
985 "makes them available by the name specified in QueryResultName "
986 "to the FROM clause in the Query property of other "
987 "QueryConditions or MethodActions. (The details of how this is "
988 karl 1.1 "accomplished are implementation dependent.) These results are "
989 "not available via CIM Operations, do not create lifecycle "
990 "indications, and do not persist beyond a single evaluation of "
991 "the associated PolicyRule.")]
992 class CIM_QueryCondition : CIM_PolicyCondition {
993
// QueryResultName: required alias for the query results, unique within the
// associated PolicyRule, and treated as a class name in a query statement.
// NOTE(review): because the alias stands where a class name is expected, it
// presumably has to be limited to a valid class-name form and kept distinct
// from real class names - confirm how the implementation resolves a clash.
994 [Required, Description (
995 "In the context of the associated PolicyRule, "
996 "QueryResultName defines a unique alias for the query "
997 "results that MAY be used in subsequent QueryConditions or "
998 "MethodActions of the same PolicyRule. This string is "
999 "treated as a class name, in a query statement."),
1000 ModelCorrespondence { "CIM_QueryCondition.Query",
1001 "CIM_MethodAction.Query" }]
1002 string QueryResultName;
1003
// Query: required query text in the language named by QueryLanguage. Its
// FROM clause may reference any class, including result aliases of other
// QueryConditions on the same PolicyRule.
// NOTE(review): "any class" means the reach of a policy query is bounded
// only by whatever access control the query engine applies; that control is
// not visible in this schema.
1004 [Required, Description (
1005 "A query expression that MAY be evaluated and that defines "
1006 "the query results that MAY be generated. Note that the "
1007 "query's FROM clause MAY reference any class, including "
1008 "those named by the QueryResultName of other QueryCondition "
1009 karl 1.1 "instances associated to the same PolicyRule."),
1010 ModelCorrespondence { "CIM_QueryCondition.QueryLanguage",
1011 "CIM_QueryCondition.QueryResultName" }]
1012 string Query;
1013
// QueryLanguage: 2 = CQL (the declared default); other values fall in the
// DMTF Reserved range or, from 0x8000 upward, the Vendor Reserved range.
1014 [Required, Description (
1015 "The language in which the Query string is expressed."),
1016 ValueMap { "2", "..", "0x8000.." },
1017 Values { "CQL", "DMTF Reserved", "Vendor Reserved" },
1018 ModelCorrespondence { "CIM_QueryCondition.Query" }]
1019 uint16 QueryLanguage = 2;
1020
// Trigger: defaults to false. When true, the other PolicyConditions of the
// Policy (PolicyTimePeriodConditions excepted) are not evaluated until this
// query is true.
// NOTE(review): the "no more than one Trigger = true per Policy" rule is
// stated only in the Description; no qualifier here expresses it, so
// enforcement is presumably left to the implementation.
1021 [Required, Description (
1022 "If Trigger = true, and with the exception of any "
1023 "PolicyTimePeriodConditions, PolicyConditions of this Policy "
1024 "are not evaluated until this 'triggering' condition query "
1025 "is true. There MUST be no more than one QueryCondition with "
1026 "Trigger = true associated with a particular Policy.")]
1027 boolean Trigger = false;
1028 };
1029
1030 karl 1.1 // ==================================================================
1031 // AuthenticationCondition
1032 // ==================================================================
// CIM_AuthenticationCondition: abstract base class with no properties of
// its own. Each subclass describes one credential requirement; the
// conditions collected by an AuthenticationRule describe when a
// CIM_Identity's CurrentlyAuthenticated Boolean is set to TRUE. Which
// identities are covered is specified through the AuthenticationRule, not
// through this class.
1033 [Abstract, Version ( "2.8.0" ), Description (
1034 "An abstract class whose subclasses describe one of a company's "
1035 "and/or administrator's credential requirements, and/or other "
1036 "information that should be authenticated in order to "
1037 "establish/trust a CIM_Identity. The PolicyConditions collected "
1038 "by an instance of AuthenticationRule describe the various "
1039 "requirements under which a CIM_Identity's "
1040 "CurrentlyAuthenticated Boolean is set to TRUE. Note that the "
1041 "CIM_Identities which are authenticated are specified through "
1042 "the AuthenticationRule, using the PolicySet AppliesToElement "
1043 "association.")]
1044 class CIM_AuthenticationCondition : CIM_PolicyCondition {
1045 };
1046
1047
1048 // ==================================================================
1049 // SharedSecretAuthentication
1050 // ==================================================================
// CIM_SharedSecretAuthentication: names the principal and the context of a
// shared secret that should be authenticated. The class declares no
// property for the secret itself; only the ID and the context are modelled.
1051 karl 1.1 [Version ( "2.8.0" ), Description (
1052 "A class describing a company's and/or administrator's "
1053 "credential requirements that should be authenticated in order "
1054 "to establish/trust a CIM_Identity. This class defines a "
1055 "specific identity whose shared secret should be authenticated.")]
1056 class CIM_SharedSecretAuthentication : CIM_AuthenticationCondition {
1057
// IDOfPrincipal: ID of the principal whose secret is authenticated. No
// MaxLen or format qualifier is declared.
1058 [Description (
1059 "String defining the principal's ID whose secret is "
1060 "authenticated.")]
1061 string IDOfPrincipal;
1062
// ContextOfSecret: hostname, URI or service/application name that gives the
// shared secret its context.
// NOTE(review): the three forms are not distinguished by any qualifier, so
// a consumer presumably has to decide how to compare them - confirm.
1063 [Description (
1064 "String defining a hostname, URI or service/application "
1065 "name. It defines the specific system or service which "
1066 "provides the context for the shared secret.")]
1067 string ContextOfSecret;
1068 };
1069
1070
1071 // ==================================================================
1072 karl 1.1 // AccountAuthentication
1073 // ==================================================================
// CIM_AccountAuthentication: names a specific account whose credentials
// should be authenticated. Only the account ID and the system it resides on
// are modelled; no credential value is declared in this class.
1074 [Version ( "2.8.0" ), Description (
1075 "A class describing a company's and/or administrator's "
1076 "credential requirements that should be authenticated in order "
1077 "to establish/trust a CIM_Identity. This class defines a "
1078 "specific identity whose account credentials should be "
1079 "authenticated.")]
1080 class CIM_AccountAuthentication : CIM_AuthenticationCondition {
1081
// AccountID: ID of the account that is authenticated.
1082 [Description (
1083 "String defining the account's ID which is authenticated.")]
1084 string AccountID;
1085
// AccountContext: hostname, URI or other information identifying the system
// where the account resides.
1086 [Description (
1087 "String defining a hostname, URI or other information "
1088 "identifying the system where the Account resides.")]
1089 string AccountContext;
1090 };
1091
1092
1093 karl 1.1 // ==================================================================
1094 // BiometricAuthentication
1095 // ==================================================================
// CIM_BiometricAuthentication: states which kind of biometric data should
// be authenticated and, optionally, a specific biometric code.
1096 [Version ( "2.8.0" ), Description (
1097 "A class describing a company's and/or administrator's "
1098 "credential requirements that should be authenticated in order "
1099 "to establish/trust a CIM_Identity. This class defines specific "
1100 "biometric data that should be authenticated.")]
1101 class CIM_BiometricAuthentication : CIM_AuthenticationCondition {
1102
// TypeOfBiometric: 1 = Other, 2 = Facial, 3 = Retina, 4 = Mark, 5 = Finger,
// 6 = Voice, 7 = DNA-RNA, 8 = EEG.
1103 [Description (
1104 "Integer enumeration identifying the biometric data that "
1105 "should be authenticated."),
1106 ValueMap { "1", "2", "3", "4", "5", "6","7", "8" },
1107 Values { "Other", "Facial", "Retina", "Mark", "Finger", "Voice",
1108 "DNA-RNA", "EEG" },
1109 ModelCorrespondence {
1110 "CIM_BiometricAuthentication.OtherBiometric" }]
1111 uint16 TypeOfBiometric;
1112
// OtherBiometric: free-text biometric type, used when TypeOfBiometric is 1.
1113 [Description (
1114 karl 1.1 "String specifying the biometric when the TypeOfBiometric "
1115 "property is set to 1, \"Other\"."),
1116 ModelCorrespondence {
1117 "CIM_BiometricAuthentication.TypeOfBiometric" }]
1118 string OtherBiometric;
1119
// PersonalIdentifier: a specific biometric code that the security
// infrastructure may validate. When left blank, verifying the biometric is
// the infrastructure's responsibility, and the biometric must be of the
// type given by TypeOfBiometric.
// NOTE(review): a non-blank value is biometric-related data held in a plain
// string; instances presumably need the same access protection as other
// credential data - confirm.
1120 [Description (
1121 "String defining a specific biometric code, which may be "
1122 "validated by the security infrastructure. If this property "
1123 "is left blank, it is the responsibility of the "
1124 "infrastructure to verify the biometric (which MUST be of a "
1125 "type specified by the TypeOfBiometric property).")]
1126 string PersonalIdentifier;
1127 };
1128
1129
1130 // ==================================================================
1131 // NetworkingIDAuthentication
1132 // ==================================================================
// CIM_NetworkingIDAuthentication: states that a networking ID or address
// should be verified, and names the kind of CIM_Identity that carries it.
1133 [Version ( "2.8.0" ), Description (
1134 "A class describing a company's and/or administrator's "
1135 karl 1.1 "credential requirements that should be authenticated in order "
1136 "to establish/trust a CIM_Identity. This class specifies that a "
1137 "networking ID or address should be verified.")]
1138 class CIM_NetworkingIDAuthentication : CIM_AuthenticationCondition {
1139
// NetworkingIdentityClassName: name of the CIM_Identity type/subclass that
// specifies the networking information (the Description's example is
// CIM_StorageHardwareID).
// NOTE(review): the class name is carried as a free string; nothing here
// ties it to an existing CIM_Identity subclass, so a consumer would
// presumably validate it before acting on it - confirm.
1140 [Description (
1141 "A string defining the specific type/subclass of "
1142 "CIM_Identity which specifies the networking information. "
1143 "For example, CIM_StorageHardwareID would be entered in this "
1144 "property to identify that a 'known' port should be "
1145 "observed.")]
1146 string NetworkingIdentityClassName;
1147 };
1148
1149
1150 // ==================================================================
1151 // PublicPrivateKeyAuthentication
1152 // ==================================================================
// CIM_PublicPrivateKeyAuthentication: identifies the public/private key
// pair that should be authenticated. Only the public key, the holder's
// distinguished name and the issuance flag are modelled; the class declares
// no property for private-key material.
1153 [Version ( "2.8.0" ), Description (
1154 "A class describing a company's and/or administrator's "
1155 "credential requirements that should be authenticated in order "
1156 karl 1.1 "to establish/trust a CIM_Identity. This class defines the "
1157 "specific public/private key pair that should be authenticated.")]
1158 class CIM_PublicPrivateKeyAuthentication : CIM_AuthenticationCondition {
1159
// SelfIssuedKey: TRUE = self-issued, FALSE = issued by a Certificate
// Authority.
// NOTE(review): for a self-issued key no CA vouches for the link between
// the key and DistinguishedName; how that link is trusted is not visible in
// this schema.
1160 [Description (
1161 "Boolean indicating whether the key pair is self-issued "
1162 "(TRUE) or issued by a Certificate Authority (FALSE).")]
1163 boolean SelfIssuedKey;
1164
// DistinguishedName: the user's (distinguished) name.
1165 [Description (
1166 "String holding the user's (distinguished) name.")]
1167 string DistinguishedName;
1168
// PublicKey: the public key data, held as a string.
// NOTE(review): neither the encoding nor the key algorithm is stated here;
// a consumer presumably has to agree on both out of band - confirm.
1169 [Description (
1170 "String holding the public key data.")]
1171 string PublicKey;
1172 };
1173
1174
1175 // ==================================================================
1176 // KerberosAuthentication
1177 karl 1.1 // ==================================================================
// CIM_KerberosAuthentication: names the user whose Kerberos ticket should
// be authenticated. The only property is the user name.
1178 [Version ( "2.8.0" ), Description (
1179 "A class describing a company's and/or administrator's "
1180 "credential requirements that should be authenticated in order "
1181 "to establish/trust a CIM_Identity. This class defines a user "
1182 "whose Kerberos ticket should be authenticated.")]
1183 class CIM_KerberosAuthentication : CIM_AuthenticationCondition {
1184
// UserName: user name for which the ticket is issued.
// NOTE(review): no realm is modelled alongside the name in this class;
// whether the string is expected to carry one is not stated - confirm.
1185 [Description (
1186 "String holding the user name for which the ticket is "
1187 "issued.")]
1188 string UserName;
1189 };
1190
1191
1192 // ==================================================================
1193 // DocumentAuthentication
1194 // ==================================================================
// CIM_DocumentAuthentication: states which kind of document should be
// authenticated and, optionally, one particular document.
1195 [Version ( "2.8.0" ), Description (
1196 "A class describing a company's and/or administrator's "
1197 "credential requirements that should be authenticated in order "
1198 karl 1.1 "to establish/trust a CIM_Identity. This class defines the "
1199 "specific document that should be authenticated.")]
1200 class CIM_DocumentAuthentication : CIM_AuthenticationCondition {
1201
// TypeOfDocument: 1 = Other, 2 = Passport, 3 = Birth Certificate,
// 4 = Credit Card, 5 = Drivers License, 6 = Membership Card,
// 7 = Social Security Card.
1202 [Description (
1203 "Integer enumeration identifying the document that should be "
1204 "authenticated."),
1205 ValueMap { "1", "2", "3", "4", "5", "6","7" },
1206 Values { "Other", "Passport", "Birth Certificate",
1207 "Credit Card", "Drivers License", "Membership Card",
1208 "Social Security Card" },
1209 ModelCorrespondence { "CIM_DocumentAuthentication.OtherDocument"
1210 }]
1211 uint16 TypeOfDocument;
1212
// OtherDocument: free-text document type, used when TypeOfDocument is 1.
1213 [Description (
1214 "String specifying the document when the TypeOfDocument "
1215 "property is set to 1, \"Other\"."),
1216 ModelCorrespondence {
1217 "CIM_DocumentAuthentication.TypeOfDocument" }]
1218 string OtherDocument;
1219 karl 1.1
// DocumentIdentifier: one particular document, for example a specific
// driver's license or passport number. When left blank, any valid document
// of the TypeOfDocument category can be accepted, which makes blank the
// broader setting.
// NOTE(review): a non-blank value is a personal identifier held in a plain
// string; instances presumably need to be protected as sensitive data -
// confirm.
1220 [Description (
1221 "String defining a particular document which may be used in "
1222 "the authentication process for example, a specific driver's "
1223 "license or passport number. If left blank, then any valid "
1224 "document matching the category specified by the "
1225 "TypeOfDocument property, can be accepted.")]
1226 string DocumentIdentifier;
1227 };
1228
1229
1230 // ==================================================================
1231 // PhysicalCredentialAuthentication
1232 // ==================================================================
// CIM_PhysicalCredentialAuthentication: states which type of physical
// credential should be authenticated and, optionally, the identifier built
// into one particular credential.
1233 [Version ( "2.8.0" ), Description (
1234 "A class describing a company's and/or administrator's "
1235 "credential requirements that should be authenticated in order "
1236 "to establish/trust a CIM_Identity. This class defines the "
1237 "specific type of physical credential that should be "
1238 "authenticated.")]
1239 class CIM_PhysicalCredentialAuthentication : CIM_AuthenticationCondition {
1240 karl 1.1
// TypeOfCredential: 1 = Other, 2 = Magnetic Stripe Card, 3 = Smart Card,
// 4 = Password Generator Card.
1241 [Description (
1242 "Integer enumeration identifying the credential that should "
1243 "be authenticated."),
1244 ValueMap { "1", "2", "3", "4" },
1245 Values { "Other", "Magnetic Stripe Card", "Smart Card",
1246 "Password Generator Card" },
1247 ModelCorrespondence {
1248 "CIM_PhysicalCredentialAuthentication.OtherCredential" }]
1249 uint16 TypeOfCredential;
1250
// OtherCredential: free-text credential type, used when TypeOfCredential
// is 1.
1251 [Description (
1252 "String specifying the credential when the TypeOfCredential "
1253 "property is set to 1, \"Other\"."),
1254 ModelCorrespondence {
1255 "CIM_PhysicalCredentialAuthentication.TypeOfCredential" }]
1256 string OtherCredential;
1257
// PhysicalIdentifier: character or binary sequence built into the physical
// credential to identify it. When left blank, the security infrastructure
// is responsible for verifying that a valid credential of the specified
// type has been used.
// NOTE(review): the Description allows a binary sequence but the property
// is a plain string with no OctetString qualifier; the encoding of binary
// values is not stated - confirm.
1258 [Description (
1259 "String defining a character or binary sequence, which is "
1260 "built into the physical credential to identify it. If left "
1261 karl 1.1 "blank, it is the responsibility of the security "
1262 "infrastructure to verify that a valid credential (of the "
1263 "specified type) has been used.")]
1264 string PhysicalIdentifier;
1265 };
1266
1267 // ==================================================================
1268 // AuthorizationRule
1269 // ==================================================================
// CIM_AuthorizationRule (Experimental): a PolicyRule subclass with no
// properties of its own. As described, a request for a target element is
// authorized only when an Identity tied to the requestor has
// CurrentlyAuthorized = TRUE and a corresponding 'granting' Privilege is
// defined; if any of those conditions does not hold, the request is denied.
// NOTE(review): this Description names the Identity property
// 'CurrentlyAuthorized', while the Description of
// CIM_AuthenticationCondition names 'CurrentlyAuthenticated'. Whether these
// are two properties or one is not visible here - confirm against
// CIM_Identity.
// NOTE(review): evaluation may create 'static' associations to
// AuthorizedPrivilege or Role that are traversed later to determine access,
// so a grant can presumably outlive the evaluation that produced it -
// confirm how such associations are removed.
1270 [Experimental, Version ( "2.8.1000" ), Description (
1271 "A class representing a company's and/or administrator's rules "
1272 "with respect to authorizing Identities (subjects), for access "
1273 "of target elements, based on associated Privileges/Roles. This "
1274 "includes dynamically permitting and denying access, statically "
1275 "adding or removing Identities (i.e., Subjects) and Targets "
1276 "to/from Roles via the MemberOfCollection and "
1277 "RoleLimitedToTarget associations, and adding or removing "
1278 "AuthorizedSubject and AuthorizedTarget associations when "
1279 "AuthorizedPrivilege classes are implemented. \n"
1280 "\n"
1281 "Explaining this in more detail: If a request is made to access "
1282 karl 1.1 "a target element associated to this AuthorizationRule via "
1283 "AuthorizationRuleAppliesToTarget, the rights to execute the "
1284 "request are verified by searching for matching Privilege "
1285 "instances and an associated Identity that is tied to the "
1286 "requestor. An Identity is associated to the rule using "
1287 "AuthorizationRuleAppliesToSubject. The associations of "
1288 "Privileges to an AuthorizationRule are either individually "
1289 "using AuthorizationRuleAppliesToPrivilege, or via collection "
1290 "into a Role class (where the Role is associated to the rule "
1291 "using AuthorizationRuleAppliesToRole). If the Identity's "
1292 "CurrentlyAuthorized property is TRUE and a corresponding "
1293 "'granting' Privilege is defined, then the request for access "
1294 "is authorized. If any of the preceding conditions do not hold, "
1295 "then the request is denied. \n"
1296 "\n"
1297 "Note that the evaluation of the AuthorizationRule's conditions "
1298 "MAY result in the 'static' instantiation of associations to "
1299 "AuthorizedPrivilege or Role - that are then traversed to "
1300 "determine access. Targets MAY be statically associated to "
1301 "Privileges or Roles using the AuthorizedTarget and "
1302 "RoleLimitedToTarget relationships, respectively. Identities "
1303 karl 1.1 "MAY be statically associated to Privileges or Roles using the "
1304 "AuthorizedSubject and MemberOfCollection relationships, "
1305 "respectively.")]
1306 class CIM_AuthorizationRule : CIM_PolicyRule {
1307 };
1308
1309 // ==================================================================
1310 // PrivilegePropagationRule
1311 // ==================================================================
// CIM_PrivilegePropagationRule (Experimental): a PolicyRule subclass with
// no properties of its own, covering propagation of Privileges across
// Subjects (delegation) or Targets. The Subjects/Targets come from the
// rule's PolicyConditions and PolicyActions and/or from
// PolicySetAppliesToElement.
// NOTE(review): propagation widens what a privilege covers (the
// Description's example is a directory privilege applying to every file in
// it), so the scope of such a rule is worth reviewing with the same care as
// the original grant.
1312 [Experimental, Version ( "2.8.1000" ), Description (
1313 "A class representing a company's and/or administrator's rules "
1314 "with respect to propagating Privileges across Subjects (i.e., "
1315 "delegation) or Targets. The Subjects/ Targets are identified "
1316 "within the PolicyConditions and PolicyActions, and/or using "
1317 "the association, PolicySetAppliesToElement. An example of a "
1318 "Privilege PropagationRule is the propagation of privileges "
1319 "granted to access a directory that then applies to all the "
1320 "files within the directory.")]
1321 class CIM_PrivilegePropagationRule : CIM_PolicyRule {
1322 };
1323
1324 karl 1.1
1325
1326 // ==================================================================
1327 // VendorPolicyCondition
1328 // ==================================================================
// CIM_VendorPolicyCondition: extension point for vendor-specific
// PolicyConditions that have no modelled properties. Content goes in
// Constraint and its format is named by ConstraintEncoding. Standardized
// extensions are not expected to use this class.
1329 [Version ( "2.6.0" ), Description (
1330 "A class that provides a general extension mechanism for "
1331 "representing PolicyConditions that have not been modeled with "
1332 "specific properties. Instead, the two properties Constraint "
1333 "and ConstraintEncoding are used to define the content and "
1334 "format of the Condition, as explained below. \n"
1335 "\n"
1336 "As its name suggests, VendorPolicyCondition is intended for "
1337 "vendor-specific extensions to the Policy Core Information "
1338 "Model. Standardized extensions are not expected to use this "
1339 "class.")]
1340 class CIM_VendorPolicyCondition : CIM_PolicyCondition {
1341
// Constraint: array of octet strings (declared string[] with the
// OctetString qualifier). The schema leaves their format unspecified; all
// values share the format and semantics named by ConstraintEncoding.
// NOTE(review): the content is opaque to the schema. A consumer that does
// not recognise the ConstraintEncoding OID presumably should not evaluate
// the condition as satisfied - confirm the implementation's behaviour for
// unknown encodings.
1342 [Description (
1343 "This property provides a general extension mechanism for "
1344 "representing PolicyConditions that have not been modeled "
1345 karl 1.1 "with specific properties. The format of the octet strings "
1346 "in the array is left unspecified in this definition. It is "
1347 "determined by the OID value stored in the property "
1348 "ConstraintEncoding. Since ConstraintEncoding is "
1349 "single-valued, all the values of Constraint share the same "
1350 "format and semantics."),
1351 OctetString,
1352 ModelCorrespondence {
1353 "CIM_VendorPolicyCondition.ConstraintEncoding" }]
1354 string Constraint[];
1355
// ConstraintEncoding: OID, encoded as a string, that identifies the format
// and semantics of this instance's Constraint values.
1356 [Description (
1357 "An OID encoded as a string, identifying the format and "
1358 "semantics for this instance's Constraint property."),
1359 ModelCorrespondence { "CIM_VendorPolicyCondition.Constraint" }]
1360 string ConstraintEncoding;
1361 };
1362
1363
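// ==================================================================
// PacketFilterCondition
// ==================================================================
// Anchor class that ties FilterLists (and, optionally, a trusted
// CredentialManagementService) to a policy rule. It declares no
// properties; its content comes from the associations named in the
// description.
// Security-relevant semantics stated in the description: a condition
// component that is not applicable at rule evaluation time MUST be
// evaluated to TRUE. For example, when a packet carries no credential
// the AcceptCredentialFrom component does not block the rule. Rule
// authors who depend on a credential or ID-payload check therefore
// cannot rely on this condition alone to reject packets that lack one.
   [Version ( "2.8.0" ), Description (
       "PacketFilterCondition specifies packet selection criteria (via "
       "association to FilterLists) for firewall policies, IPsec "
       "policies and similar uses. It is used as an anchor point to "
       "associate various types of filters with policy rules via the "
       "FilterOfPacketCondition association. By definition, policy "
       "rules that aggregate PacketFilterCondition are assumed to "
       "operate against every packet received and/or transmitted from "
       "an ingress and/or egress point. (Whether policy condition "
       "evaluation occurs at ingress or egress is specified by the "
       "Direction property in the associated FilterList.) "
       "PacketFilterCondition MAY also be used to define the specific "
       "CredentialManagementService that validates the credentials "
       "carried in a packet. This is accomplished using the "
       "association, AcceptCredentialFrom. \n"
       "\n"
       "Associated objects (such as FilterLists or Credential"
       "ManagementServices) represent components of the condition that "
       "MAY or MAY NOT apply at a given rule evaluation. For example, "
       "an AcceptCredentialFrom evaluation is only performed when a "
       "credential is available to be evaluated and compared against "
       "the list of trusted credential management services. Similarly, "
       "a PeerIDPayloadFilterEntry MAY only be evaluated when an ID "
       "payload is available for checking. Condition components that "
       "do not have applicability at rule evaluation time, MUST be "
       "evaluated to TRUE."),
    MappingStrings { "IPSP Policy Model.IETF|SACondition" }]
class CIM_PacketFilterCondition : CIM_PolicyCondition {

};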
1397
// ==================================================================
// PolicyAction
// ==================================================================
// Abstract base for every action a PolicyRule can perform. An instance
// is identified by six key strings (each MaxLen 256): the scoping
// System, the owning PolicyRule (or the sentinel 'NO RULE' for a
// reusable action), the creation class, and the action name.
// NOTE(review): DoActionLogging is declared without a default value,
// so whether an action is logged when the property is left unset is
// not fixed by this declaration. Set it explicitly on actions that
// need an audit trail.
   [Abstract, Version ( "2.8.0" ), Description (
       "A class representing a rule-specific or reusable policy action "
       "to be performed if the PolicyConditions for a Policy Rule "
       "evaluate to TRUE. Since all operational details of a "
       "PolicyAction are provided in subclasses of this object, this "
       "class is abstract.")]
class CIM_PolicyAction : CIM_Policy {

      // Key 1 of 6: class name of the scoping System. A copy of the
      // System's value, not a propagated key (see description).
      [Key, Description (
          "The name of the class or the subclass used in the creation "
          "of the System object in whose scope this PolicyAction is "
          "defined. \n"
          "\n"
          "This property helps to identify the System object in whose "
          "scope this instance of PolicyAction exists. For a "
          "rule-specific PolicyAction, this is the System in whose "
          "context the PolicyRule is defined. For a reusable "
          "PolicyAction, this is the instance of PolicyRepository "
          "(which is a subclass of System) that holds the Action. \n"
          "\n"
          "Note that this property, and the analogous property "
          "SystemName, do not represent propagated keys from an "
          "instance of the class System. Instead, they are properties "
          "defined in the context of this class, which repeat the "
          "values from the instance of System to which this "
          "PolicyAction is related, either directly via the "
          "PolicyActionInPolicyRepository association or indirectly "
          "via the PolicyActionInPolicyRule aggregation."),
       MaxLen ( 256 )]
   string SystemCreationClassName;

      // Key 2 of 6: name of the scoping System.
      [Key, Description (
          "The name of the System object in whose scope this "
          "PolicyAction is defined. \n"
          "\n"
          "This property completes the identification of the System "
          "object in whose scope this instance of PolicyAction exists. "
          "For a rule-specific PolicyAction, this is the System in "
          "whose context the PolicyRule is defined. For a reusable "
          "PolicyAction, this is the instance of PolicyRepository "
          "(which is a subclass of System) that holds the Action."),
       MaxLen ( 256 )]
   string SystemName;

      // Key 3 of 6: creation class of the owning PolicyRule, or the
      // literal 'NO RULE' for a reusable action.
      [Key, Description (
          "For a rule-specific PolicyAction, the CreationClassName of "
          "the PolicyRule object with which this Action is associated. "
          "For a reusable PolicyAction, a special value, 'NO RULE', "
          "should be used to indicate that this Action is reusable and "
          "not associated with a single PolicyRule."),
       MaxLen ( 256 )]
   string PolicyRuleCreationClassName;

      // Key 4 of 6: name of the owning PolicyRule, or 'NO RULE'.
      [Key, Description (
          "For a rule-specific PolicyAction, the name of the "
          "PolicyRule object with which this Action is associated. For "
          "a reusable PolicyAction, a special value, 'NO RULE', should "
          "be used to indicate that this Action is reusable and not "
          "associated with a single PolicyRule."),
       MaxLen ( 256 )]
   string PolicyRuleName;

      // Key 5 of 6: class used to create this instance.
      [Key, Description (
          "CreationClassName indicates the name of the class or the "
          "subclass used in the creation of an instance. When used "
          "with the other key properties of this class, this property "
          "allows all instances of this class and its subclasses to be "
          "uniquely identified."),
       MaxLen ( 256 )]
   string CreationClassName;

      // Key 6 of 6: the action's own name.
      [Key, Description (
          "A user-friendly name of this PolicyAction."),
       MaxLen ( 256 )]
   string PolicyActionName;

      // When set, performing the action generates a log message.
      // No default is declared here.
      [Description (
          "DoActionLogging causes a log message to be generated when "
          "the action is performed.")]
   boolean DoActionLogging;
};
1482
// ====================================================================
// MethodAction
// ====================================================================
// Action that invokes CIM methods selected by a query: each result row
// of Query names one method (first select-list entry) and supplies its
// parameters (remaining entries). Zero rows means no call is made.
// NOTE(review): per the description the callable set covers intrinsic
// methods of a CIM Namespace as well as extrinsic methods of any
// CIM_ManagedElement, and the FROM clause MAY reference any object.
// Nothing in this declaration restricts which methods or targets a
// Query may name, so the ability to create or modify a MethodAction is
// effectively the ability to have those methods invoked when the rule
// fires. Presumably the implementation authorizes each resulting call
// and controls write access to instances of this class -- confirm.
// Because Query is free text that another component evaluates, values
// placed into it should be treated like any other query input.
   [Experimental, Version ( "2.8.1000" ), Description (
       "MethodAction is a PolicyAction that MAY invoke methods as "
       "defined by a query. If there are no results returned from the "
       "query, then no methods are called, otherwise each query result "
       "row defines the method to call and its parameters. The called "
       "method MAY be either an intrinsic method of a CIM Namespace or "
       "an extrinsic method of a CIM_ManagedElement. \n"
       "\n"
       "In order to correlate between this MethodAction and any "
       "invoked Methods, the method calls that result from this "
       "PolicyAction are identified by the name specified in the "
       "property, MethodCallName. Also, this name MAY be specified in "
       "the FROM clause in the Query property of other MethodActions. "
       "(The details of how this is accomplished are implementation "
       "dependent.) \n"
       "\n"
       "The input parameters to the method are defined by the query "
       "and MAY be fixed values defined by literals or MAY be defined "
       "by reference to one or more properties of classes named in the "
       "FROM clause of the query. The referenced objects MAY be those "
       "produced by QueryConditions or MethodActions instances "
       "associated to the same PolicyRule instance.")]
class CIM_MethodAction : CIM_PolicyAction {


      // Name under which this action's calls can be referenced by later
      // MethodActions of the same rule; used as a class name in a query.
      [Required, Description (
          "In the context of the associated PolicyRule, MethodCallName "
          "defines a unique name for the query results that invoke the "
          "method specified in the Query string. It may be used in "
          "subsequent MethodActions of the same PolicyRule. This "
          "string is treated as a class name, in a query statement."),
       ModelCorrespondence { "CIM_MethodAction.Query" }]
   string MethodCallName;

      // The query itself. First select-list entry MUST be an object
      // path to a method; the rest are named (not positional)
      // parameters.
      [Required, Description (
          "A query expression that defines the method to invoke and "
          "its input parameters. These are defined by the first and "
          "subsequent select-list entries in the Query string's "
          "select-criteria. The FROM clause MAY reference any object, "
          "including those named by the QueryResultName and "
          "MethodCallName produced by QueryConditions or MethodActions "
          "of the same PolicyRule. \n"
          "\n"
          "Note that both intrinsic and extrinsic methods MAY be "
          "called. The first select-list entry MUST be an object Path "
          "to a method. For consistency it SHOULD be called "
          "MethodName. However, if there is a conflict with existing "
          "parameter names, it MAY be called something else. The "
          "remaining select list entries are not positional and MUST "
          "use the name of the corresponding method parameter."),
       ModelCorrespondence { "CIM_MethodAction.MethodCallName",
          "CIM_MethodAction.QueryLanguage" }]
   string Query;

      // Language of Query. Defaults to 2 (CQL); 0x8000 and above are
      // vendor-reserved.
      [Required, Description (
          "The language in which the Query string is expressed."),
       ValueMap { "2", "..", "0x8000.." },
       Values { "CQL", "DMTF Reserved", "Vendor Reserved" },
       ModelCorrespondence { "CIM_MethodAction.Query" }]
   uint16 QueryLanguage = 2;

};
1548
1549
// ==================================================================
// VendorPolicyAction
// ==================================================================
// Extension point for vendor-defined actions: the content lives in
// ActionData and its format is named by the OID in ActionEncoding.
// NOTE(review): as declared, ActionData is an unbounded array of
// opaque octet strings with no MaxLen or ValueMap. What an action does
// is therefore invisible at the schema level; reviewing a policy that
// uses this class presumably requires the vendor's definition of the
// encoding -- confirm how unknown ActionEncoding values are handled.
   [Version ( "2.6.0" ), Description (
       "A class that provides a general extension mechanism for "
       "representing PolicyActions that have not been modeled with "
       "specific properties. Instead, the two properties ActionData "
       "and ActionEncoding are used to define the content and format "
       "of the Action, as explained below. \n"
       "\n"
       "As its name suggests, VendorPolicyAction is intended for "
       "vendor-specific extensions to the Policy Core Information "
       "Model. Standardized extensions are not expected to use this "
       "class.")]
class CIM_VendorPolicyAction : CIM_PolicyAction {

      // Opaque action content. Every element of the array shares the
      // single format identified by ActionEncoding.
      [Description (
          "This property provides a general extension mechanism for "
          "representing PolicyActions that have not been modeled with "
          "specific properties. The format of the octet strings in the "
          "array is left unspecified in this definition. It is "
          "determined by the OID value stored in the property "
          "ActionEncoding. Since ActionEncoding is single-valued, all "
          "the values of ActionData share the same format and "
          "semantics."),
       OctetString,
       ModelCorrespondence { "CIM_VendorPolicyAction.ActionEncoding" }]
   string ActionData[];

      // OID (as a string) selecting the format and semantics of
      // ActionData.
      [Description (
          "An OID encoded as a string, identifying the format and "
          "semantics for this instance's ActionData property."),
       ModelCorrespondence { "CIM_VendorPolicyAction.ActionData" }]
   string ActionEncoding;
};
1585
1586
// ==================================================================
// CompoundPolicyAction
// ==================================================================
// An ordered sequence of action terms, assembled with the
// PolicyActionInPolicyAction aggregation.
// Both properties default to the most permissive choice declared
// here: SequencedActions = 3 (order not enforced) and
// ExecutionStrategy = 2 ("Do All", which continues past failures).
// Where the order of actions or stopping on the first failure matters,
// set both values explicitly instead of relying on the defaults.
   [Version ( "2.6.0" ), Description (
       "CompoundPolicyAction is used to represent an expression "
       "consisting of an ordered sequence of action terms. Each action "
       "term is represented as a subclass of the PolicyAction class. "
       "Compound actions are constructed by associating dependent "
       "action terms together using the PolicyActionInPolicyAction "
       "aggregation.")]
class CIM_CompoundPolicyAction : CIM_PolicyAction {

      // How strictly the declared order must be followed:
      // 1 = mandatory, 2 = recommended, 3 = don't care (default).
      [Description (
          "This property gives a policy administrator a way of "
          "specifying how the ordering of the PolicyActions associated "
          "with this PolicyRule is to be interpreted. Three values are "
          "supported: \n"
          "o mandatory(1): Do the actions in the indicated order, or "
          "don't do them at all. \n"
          "o recommended(2): Do the actions in the indicated order if "
          "you can, but if you can't do them in this order, do them in "
          "another order if you can. \n"
          "o dontCare(3): Do them -- I don't care about the order. \n"
          "The default value is 3 (\"DontCare\")."),
       ValueMap { "1", "2", "3" },
       Values { "Mandatory", "Recommended", "Dont Care" }]
   uint16 SequencedActions=3;

      // When to stop walking the sequence: 1 = at the first success,
      // 2 = never (run all, default), 3 = at the first failure.
      [Description (
          "ExecutionStrategy defines the strategy to be used in "
          "executing the sequenced actions aggregated by this "
          "CompoundPolicyAction. There are three execution strategies: "
          "\n\n"
          "Do Until Success - execute actions according to predefined "
          "order, until successful execution of a single action. \n"
          "Do All - execute ALL actions which are part of the modeled "
          "set, according to their predefined order. Continue doing "
          "this, even if one or more of the actions fails. \n"
          "Do Until Failure - execute actions according to predefined "
          "order, until the first failure in execution of an action "
          "instance. \n"
          "The default value is 2 (\"Do All\")."),
       ValueMap { "1", "2", "3" },
       Values { "Do Until Success", "Do All", "Do Until Failure" }]
   uint16 ExecutionStrategy=2;
};
1633
1634
// ==================================================================
// NetworkPacketAction
// ==================================================================
// Packet-level disposition for a rule whose conditions evaluate to
// TRUE: Processed, Bypassed or Discarded (or a free-text Other).
// Per the property description, "Bypassed" means the packet continues
// without further processing, e.g. forwarded in the clear instead of
// being encrypted, so rules carrying value 3 are the ones to examine
// when auditing what leaves a gateway unprotected.
// NOTE(review): PacketAction has no declared default; how an unset
// value is treated is not stated in this declaration.
   [Version ( "2.8.0" ), Description (
       "NetworkPacketAction standardizes different processing options "
       "that can be taken at the network packet level. The specific "
       "action is defined in the PacketAction enumerated property. "
       "Note that this property can be used in conjunction with other "
       "actions aggregated into a Rule, to fully define its effects. "
       "For example, when aggregated with the SAStaticAction class, "
       "NetworkPacketAction indicates whether a specific packet will "
       "be encrypted, bypassed or discarded for the lifetime of the "
       "Security Association.")]
class CIM_NetworkPacketAction : CIM_PolicyAction {

      // 1 = Other (see OtherAction), 2 = Processed, 3 = Bypassed,
      // 4 = Discarded.
      [Description (
          "A network packet can be processed, bypassed for processing "
          "(i.e., allowed to continue without further processing, such "
          "as being forwarded in the clear versus being encrypted), or "
          "discarded. This enumeration indicates how a packet should "
          "be handled if a PolicyRule's PolicyConditions evaluate to "
          "TRUE."),
       ValueMap { "1", "2", "3", "4" },
       Values { "Other", "Processed", "Bypassed", "Discarded" },
       MappingStrings { "IPSP Policy Model.IETF|IPsecBypassAction",
          "IPSP Policy Model.IETF|IPsecDiscardAction" },
       ModelCorrespondence { "CIM_NetworkPacketAction.OtherAction" }]
   uint16 PacketAction;

      // Free-text description used only when PacketAction is 1.
      [Description (
          "Description of the action when the value 1 (\"Other\") is "
          "specified for the property, PacketAction."),
       ModelCorrespondence { "CIM_NetworkPacketAction.PacketAction" }]
   string OtherAction;
};
1670
1671
// ==================================================================
// RejectConnectionAction
// ==================================================================
// Property-less action that terminates a connection or its
// negotiation. The description gives the two intended uses: paired
// with an address filter on UDP port 500 to reduce Denial of Service
// exposure, and as a low-priority rule that makes "reject" the
// explicit default for IKE negotiations when no higher-priority rule
// is satisfied.
   [Version ( "2.8.0" ), Description (
       "RejectConnectionAction is used to cause a connection or its "
       "negotiation to be terminated. For example, it can be used in "
       "conjunction with an address filter on UDP port 500 to reduce "
       "Denial of Service vulnerability. As another example, it can be "
       "specified as a low priority rule to explicitly define the "
       "default action for IKE key exchange negotiations - i.e., if "
       "the higher priority rules are not satisfied, then reject the "
       "connection negotiation."),
    MappingStrings { "IPSP Policy Model.IETF|IKERejectAction" }]
class CIM_RejectConnectionAction : CIM_PolicyAction {
};
1687
1688
// ==================================================================
// PolicyRoleCollection
// ==================================================================
// Groups the ManagedElements that share a policy role together with
// the PolicySets that CAN BE applied to them. PolicySets that are
// CURRENTLY applied are shown by PolicySetAppliesToElement instead.
// The two methods switch enforcement on and off for one element:
// ActivatePolicySet creates the PolicySetAppliesToElement associations
// and DeactivatePolicySet removes them.
// NOTE(review): DeactivatePolicySet stops enforcement of every
// aggregated PolicySet for the element, and nothing in this
// declaration says who may call it. Presumably the provider
// authorizes and logs both methods -- confirm.
// NOTE(review): the vendor return-code range is written "0x8000.." on
// ActivatePolicySet but "0x8000..0xFFFF" on DeactivatePolicySet, while
// both return uint32; confirm which form is intended.
   [Version ( "2.8.0" ), Description (
       "PolicyRoleCollection is used to represent a collection of "
       "ManagedElements that share a common policy role, and the "
       "PolicySets that CAN BE applied to those elements. (Note that "
       "the PolicySets that are CURRENTLY applied are indicated via "
       "instances of the association, PolicySetAppliesToElement.) The "
       "PolicyRoleCollection always exists in the context of a System, "
       "specified using the PolicyRoleCollectionInSystem aggregation. "
       "The value of the PolicyRole property in this class specifies "
       "the role. It is defined as a free-form string. ManagedElements "
       "that share the role defined in this collection are aggregated "
       "into the Collection via the ElementInPolicyRoleCollection "
       "association.")]
class CIM_PolicyRoleCollection : CIM_SystemSpecificCollection {

      // Free-form role name. A "role combination" joins names with
      // "&&" in alphabetical order, but implementations may compare
      // the whole value as a plain string, so matching is
      // implementation-dependent.
      [Required, Description (
          "The PolicyRole name for the PolicySets and other "
          "ManagedElements that are identified and aggregated by the "
          "Collection. Note that the aggregated PolicySets define the "
          "rules and groups of rules that may be applied to the "
          "associated ManagedElements. \n"
          "\n"
          "Although not officially designated as 'role combinations', "
          "multiple roles may be specified using the form: \n"
          "<RoleName>[&&<RoleName>]* \n"
          "where the individual role names appear in alphabetical "
          "order (according to the collating sequence for UCS-2). "
          "Implementations may treat PolicyRole values that are "
          "specified as 'role combinations' as simple strings.")]
   string PolicyRole;

      // Deploys and enforces the aggregated PolicySets for Element,
      // which MUST already be a member of this Collection.
      // Returns 0 on success; 1-4 are the declared failure codes.
      [Description (
          "Activates/applies the PolicySets aggregated into this "
          "Collection to the specified ManagedElement. The "
          "ManagedElement MUST be a member of the Collection, "
          "associated via ElementInPolicyRoleCollection. The result of "
          "this method, if it is successfully executed, is that the "
          "aggregated PolicySets are deployed and enforced for the "
          "Element. This is reflected by the instantiation of the "
          "PolicySetAppliesToElement association between the named "
          "Element and each PolicySet."),
       ValueMap { "0", "1", "2", "3", "4", "..", "0x8000.." },
       Values { "Success", "Not Supported", "Unknown", "Timeout",
          "Failed", "DMTF Reserved", "Vendor Specific" }]
   uint32 ActivatePolicySet(

         [IN, Description (
             "The ManagedElement to which the aggregated PolicySets of "
             "this Collection are applied.")]
      CIM_ManagedElement REF Element);

      // Stops enforcement of the aggregated PolicySets for Element.
      // A PolicySet that is not currently enforced is left untouched.
      [Description (
          "Deactivates the aggregated PolicySets for the specified "
          "ManagedElement. The result of this method, if it is "
          "successfully executed, is that the aggregated PolicySets "
          "are NOT enforced for the Element. This is reflected by the "
          "removal of the PolicySetAppliesToElement association "
          "between the named Element and each PolicySet. If a "
          "PolicySet is not currently enforced for the ManagedElement, "
          "then this method has no effect for that Set."),
       ValueMap { "0", "1", "2", "3", "4", "..", "0x8000..0xFFFF" },
       Values { "Success", "Not Supported", "Unknown", "Timeout",
          "Failed", "DMTF Reserved", "Vendor Specific" }]
   uint32 DeactivatePolicySet(
         [IN, Description (
             "The ManagedElement to which the aggregated PolicySets of "
             "this Collection MUST NOT apply.")]
      CIM_ManagedElement REF Element);
};
1761
1762
1763 // ==================================================================
1764 // === Association classes ===
1765 karl 1.1 // ==================================================================
1766
1767
// ==================================================================
// PolicyComponent
// ==================================================================
// Abstract 'part of' aggregation between two CIM_Policy instances.
// Both inherited references are overridden to CIM_Policy; concrete
// subclasses narrow them further.
   [Association, Abstract, Aggregation, Version ( "2.6.0" ),
    Description (
       "CIM_PolicyComponent is a generic association used to establish "
       "'part of' relationships between the subclasses of CIM_Policy. "
       "For example, the PolicyConditionInPolicyRule association "
       "defines that PolicyConditions are part of a PolicyRule.")]
class CIM_PolicyComponent : CIM_Component {

      // Aggregating (parent) side.
      [Aggregate, Override ( "GroupComponent" ), Description (
          "The parent Policy in the association.")]
   CIM_Policy REF GroupComponent;

      // Aggregated (child) side.
      [Override ( "PartComponent" ), Description (
          "The child/part Policy in the association.")]
   CIM_Policy REF PartComponent;
};
1787
1788
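// ==================================================================
// PolicyInSystem
// ==================================================================
// Abstract dependency between a Policy and the System that hosts it,
// either a ComputerSystem where the Policy runs or a Policy Repository
// where it is stored. Max ( 1 ) on Antecedent means a Policy has at
// most one hosting System, i.e. one scope in which it is defined.
   [Association, Abstract, Version ( "2.8.0" ), Description (
       "CIM_PolicyInSystem is a generic association used to establish "
       "dependency relationships between Policies and the Systems that "
       "host them. These Systems may be ComputerSystems where Policies "
       "are 'running' or they may be Policy Repositories where "
       "Policies are stored. This relationship is similar to the "
       "concept of CIM_Services being dependent on CIM_Systems as "
       "defined by the HostedService association. \n"
       "\n"
       "Cardinality is Max (1) for the Antecedent/System reference "
       "since Policies can only be hosted in at most one System "
       "context. Some subclasses of the association will further "
       "refine this definition to make the Policies Weak to Systems. "
       "Other subclasses of PolicyInSystem will define an optional "
       "hosting relationship. Examples of each of these are the "
       "PolicyRuleInSystem and PolicyConditionInPolicyRepository "
       "associations, respectively.")]
class CIM_PolicyInSystem : CIM_HostedDependency {

      // Hosting side; at most one System per Policy.
      [Override ( "Antecedent" ), Max ( 1 ), Description (
          "The hosting System.")]
   CIM_System REF Antecedent;

      // Hosted side.
      [Override ( "Dependent" ), Description (
          "The hosted Policy.")]
   CIM_Policy REF Dependent;
};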
1819
1820
// ==================================================================
// PolicySetInSystem
// ==================================================================
// Abstract link between a PolicySet and the System whose
// administrative scope it is used in. Antecedent is exactly one
// System (Min 1, Max 1). Priority orders PolicySets that are applied
// to the same resource but are not ranked against each other through
// PolicySetComponent.
// NOTE(review): unlike PolicySetComponent.Priority as described in the
// model, no uniqueness requirement is stated for this Priority, so two
// sets may presumably carry the same value -- confirm how ties are
// resolved by the evaluating implementation.
   [Association, Abstract, Version ( "2.6.0" ), Description (
       "PolicySetInSystem is an abstract association class that "
       "represents a relationship between a System and a PolicySet "
       "used in the administrative scope of that system (e.g., "
       "AdminDomain, ComputerSystem). The Priority property is used to "
       "assign a relative priority to a PolicySet within the "
       "administrative scope in contexts where it is not a component "
       "of another PolicySet.")]
class CIM_PolicySetInSystem : CIM_PolicyInSystem {

      // The scoping System; mandatory and single-valued.
      [Override ( "Antecedent" ), Min ( 1 ), Max ( 1 ), Description (
          "The System in whose scope a PolicySet is defined.")]
   CIM_System REF Antecedent;

      // The PolicySet being scoped.
      [Override ( "Dependent" ), Description (
          "A PolicySet named within the scope of a System.")]
   CIM_PolicySet REF Dependent;

      // Relative rank among otherwise unordered PolicySets; a larger
      // value means a higher priority.
      [Description (
          "The Priority property is used to specify the relative "
          "priority of the referenced PolicySet when there are more "
          "than one PolicySet instances applied to a managed resource "
          "that are not PolicySetComponents and, therefore, have no "
          "other relative priority defined. The priority is a "
          "non-negative integer; a larger value indicates a higher "
          "priority.")]
   uint16 Priority;
};
1852
1853
// ==================================================================
// PolicyGroupInSystem
// ==================================================================
// Concrete PolicySetInSystem for PolicyGroups. The Dependent reference
// is Weak, so a PolicyGroup is named within the scope of exactly one
// System (Antecedent is Min 1, Max 1).
   [Association, Version ( "2.6.0" ), Description (
       "An association that links a PolicyGroup to the System in whose "
       "scope the Group is defined.")]
class CIM_PolicyGroupInSystem : CIM_PolicySetInSystem {

      // The scoping System; mandatory and single-valued.
      [Override ( "Antecedent" ), Min ( 1 ), Max ( 1 ), Description (
          "The System in whose scope a PolicyGroup is defined.")]
   CIM_System REF Antecedent;

      // The scoped PolicyGroup (weak to the System).
      [Override ( "Dependent" ), Weak, Description (
          "A PolicyGroup named within the scope of a System.")]
   CIM_PolicyGroup REF Dependent;
};
1871
// ==================================================================
// PolicyRuleInSystem
// ==================================================================
// Concrete PolicySetInSystem for PolicyRules. The Dependent reference
// is Weak, so a PolicyRule is named within the scope of exactly one
// System (Antecedent is Min 1, Max 1).
   [Association, Version ( "2.6.0" ), Description (
       "An association that links a PolicyRule to the System in whose "
       "scope the Rule is defined.")]
class CIM_PolicyRuleInSystem : CIM_PolicySetInSystem {

      // The scoping System; mandatory and single-valued.
      [Override ( "Antecedent" ), Min ( 1 ), Max ( 1 ), Description (
          "The System in whose scope a PolicyRule is defined.")]
   CIM_System REF Antecedent;

      // The scoped PolicyRule (weak to the System).
      [Override ( "Dependent" ), Weak, Description (
          "A PolicyRule named within the scope of a System.")]
   CIM_PolicyRule REF Dependent;
};
1888
1889
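// ==================================================================
// PolicySetComponent
// ==================================================================
// Concrete aggregation that nests PolicySets (PolicyGroups and
// PolicyRules) and ranks the members of one set against each other
// through Priority. Together with PolicySet.PolicyDecisionStrategy it
// fixes the order in which contained rules are processed.
// NOTE(review): the description requires Priority to be unique within
// one aggregating PolicySet, but the property carries only a
// Description qualifier here, so the declaration does not enforce it.
// Duplicate values would leave the evaluation order undefined;
// presumably the implementation has to check uniqueness when an
// instance is created or modified -- confirm.
   [Association, Aggregation, Version ( "2.6.0" ), Description (
       "PolicySetComponent is a concrete aggregation that collects "
       "instances of the subclasses of PolicySet (i.e., PolicyGroups "
       "and PolicyRules). Instances are collected in sets that use the "
       "same decision strategy. They are prioritized relative to each "
       "other, within the set, using the Priority property of this "
       "aggregation. \n"
       "\n"
       "Together, the PolicySet.PolicyDecisionStrategy and PolicySet"
       "Component.Priority properties determine the processing for the "
       "groups and rules contained in a PolicySet. A larger priority "
       "value represents a higher priority. Note that the Priority "
       "property MUST have a unique value when compared with others "
       "defined for the same aggregating PolicySet. Thus, the "
       "evaluation of rules within a set is deterministically "
       "specified.")]
class CIM_PolicySetComponent : CIM_PolicyComponent {

      // The containing PolicySet.
      [Aggregate, Override ( "GroupComponent" ), Description (
          "A PolicySet that aggregates other PolicySet instances.")]
   CIM_PolicySet REF GroupComponent;

      // The contained PolicySet.
      [Override ( "PartComponent" ), Description (
          "A PolicySet aggregated into a PolicySet.")]
   CIM_PolicySet REF PartComponent;

      // Rank of the contained set inside its parent; larger is higher
      // and the value MUST be unique within that parent.
      [Description (
          "A non-negative integer for prioritizing this PolicySet "
          "component relative to other elements of the same PolicySet. "
          "A larger value indicates a higher priority. The Priority "
          "property MUST have a unique value when compared with others "
          "defined for the same aggregating PolicySet.")]
   uint16 Priority;
};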
1927
1928
// ==================================================================
// PolicyGroupInPolicyGroup *** deprecated
// ==================================================================
// Deprecated in favour of CIM_PolicySetComponent. Nests PolicyGroups
// inside a higher-level PolicyGroup. This declaration has no Priority
// property; the replacement class is the one that ranks members
// within a set.
   [Association, Deprecated { "CIM_PolicySetComponent" }, Aggregation,
    Version ( "2.7.0" ), Description (
       "PolicySetComponent provides a more general mechanism for "
       "aggregating both PolicyGroups and PolicyRules and doing so "
       "with the priority value applying only to the aggregated set "
       "rather than policy wide. \n"
       "\n"
       "A relationship that aggregates one or more lower-level "
       "PolicyGroups into a higher-level Group. A Policy Group may "
       "aggregate PolicyRules and/or other Policy Groups.")]
class CIM_PolicyGroupInPolicyGroup : CIM_PolicyComponent {

      // The containing (higher-level) PolicyGroup.
      [Deprecated { "CIM_PolicySetComponent.GroupComponent" },
       Aggregate, Override ( "GroupComponent" ), Description (
          "A PolicyGroup that aggregates other Groups.")]
   CIM_PolicyGroup REF GroupComponent;

      // The contained (lower-level) PolicyGroup.
      [Deprecated { "CIM_PolicySetComponent.PartComponent" },
       Override ( "PartComponent" ), Description (
          "A PolicyGroup aggregated by another Group.")]
   CIM_PolicyGroup REF PartComponent;
};
1955
// ==================================================================
// PolicyRuleInPolicyGroup *** deprecated
// ==================================================================
// Deprecated in favour of CIM_PolicySetComponent. Collects PolicyRules
// into a PolicyGroup. This declaration has no Priority property; the
// replacement class is the one that ranks members within a set.
   [Association, Deprecated { "CIM_PolicySetComponent" }, Aggregation,
    Version ( "2.7.0" ), Description (
       "PolicySetComponent provides a more general mechanism for "
       "aggregating both PolicyGroups and PolicyRules and doing so "
       "with the priority value applying only to the aggregated set "
       "rather than policy wide. \n"
       "\n"
       "A relationship that aggregates one or more PolicyRules into a "
       "PolicyGroup. A PolicyGroup may aggregate PolicyRules and/or "
       "other PolicyGroups.")]
class CIM_PolicyRuleInPolicyGroup : CIM_PolicyComponent {

      // The containing PolicyGroup.
      [Deprecated { "CIM_PolicySetComponent.GroupComponent" },
       Aggregate, Override ( "GroupComponent" ), Description (
          "A PolicyGroup that aggregates one or more PolicyRules.")]
   CIM_PolicyGroup REF GroupComponent;

      // The contained PolicyRule.
      [Deprecated { "CIM_PolicySetComponent.PartComponent" },
       Override ( "PartComponent" ), Description (
          "A PolicyRule aggregated by a PolicyGroup.")]
   CIM_PolicyRule REF PartComponent;
};
1981
1982
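// ==================================================================
// PolicySetValidityPeriod
// ==================================================================
// Schedules a PolicySet by attaching PolicyTimePeriodConditions to it.
// A set is "active" only when it is "Enabled" AND in a valid time
// period. Evaluation, as described below:
//   - the time periods attached to one PolicySet are ORed;
//   - for a nested PolicySet that result is ANDed with the ORed
//     periods of each containing PolicySet in the PolicySetComponent
//     hierarchy.
// Security-relevant default: a PolicySet with no time period attached
// through this association is always in a valid time period. Removing
// the last association therefore lifts the schedule restriction
// instead of disabling the set, so changes to these associations
// deserve the same scrutiny as changes to the rules themselves.
   [Association, Aggregation, Version ( "2.7.0" ), Description (
       "The PolicySetValidityPeriod aggregation represents scheduled "
       "activation and deactivation of a PolicySet. A PolicySet is "
       "considered \"active\" if it is both \"Enabled\" and in a valid "
       "time period. \n"
       "\n"
       "If a PolicySet is associated with multiple policy time periods "
       "via this association, then the Set is in a valid time period "
       "if at least one of the time periods evaluates to TRUE. If a "
       "PolicySet is contained in another PolicySet via the "
       "PolicySetComponent aggregation (e.g., a PolicyRule in a "
       "PolicyGroup), then the contained PolicySet (e.g., PolicyRule) "
       "is in a valid period if at least one of the aggregate's "
       "PolicyTimePeriodCondition instances evaluates to TRUE and at "
       "least one of its own PolicyTimePeriodCondition instances also "
       "evaluates to TRUE. (In other words, the "
       "PolicyTimePeriodConditions are ORed to determine whether the "
       "PolicySet is in a valid time period and then ANDed with the "
       "ORed PolicyTimePeriodConditions of each of PolicySet instances "
       "in the PolicySetComponent hierarchy to determine if the "
       "PolicySet is in a valid time period and, if also \"Enabled\", "
       "therefore, active, i.e., the hierarchy ANDs the ORed "
       "PolicyTimePeriodConditions of the elements of the hierarchy.) \n"
       "\n"
       "A Time Period may be aggregated by multiple PolicySets. A Set "
       "that does not point to a PolicyTimePeriodCondition via this "
       "association, from the point of view of scheduling, is always "
       "in a valid time period.")]
class CIM_PolicySetValidityPeriod : CIM_PolicyComponent {

      // The PolicySet being scheduled.
      [Aggregate, Override ( "GroupComponent" ), Description (
          "This property contains the name of a PolicySet that "
          "contains one or more PolicyTimePeriodConditions.")]
   CIM_PolicySet REF GroupComponent;

      // A time period during which the PolicySet is valid; one
      // condition may be shared by several PolicySets.
      [Override ( "PartComponent" ), Description (
          "This property contains the name of a "
          "PolicyTimePeriodCondition defining the valid time periods "
          "for one or more PolicySets.")]
   CIM_PolicyTimePeriodCondition REF PartComponent;
};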
2027
2028
// ==================================================================
// PolicyRuleValidityPeriod ** deprecated
// ==================================================================
// Deprecated in favour of CIM_PolicySetValidityPeriod (see the
// Deprecated qualifiers on the class and on both references).
// Schedules a single PolicyRule; its time periods are ORed.
[Association, Deprecated { "CIM_PolicySetValidityPeriod" },
    Aggregation, Version ( "2.7.0" ), Description (
    "The PolicyRuleValidityPeriod aggregation represents scheduled "
    "activation and deactivation of a PolicyRule. If a PolicyRule "
    "is associated with multiple policy time periods via this "
    "association, then the Rule is active if at least one of the "
    "time periods indicates that it is active. (In other words, the "
    "PolicyTimePeriodConditions are ORed to determine whether the "
    "Rule is active.) A Time Period may be aggregated by multiple "
    "PolicyRules. A Rule that does not point to a "
    "PolicyTimePeriodCondition via this association is, from the "
    "point of view of scheduling, always active. It may, however, "
    "be inactive for other reasons. For example, the Rule's Enabled "
    "property may be set to \"disabled\" (value=2).")]
class CIM_PolicyRuleValidityPeriod : CIM_PolicyComponent {

    // The scheduled PolicyRule.
    [Deprecated { "CIM_PolicySetValidityPeriod.GroupComponent" },
        Aggregate, Override ( "GroupComponent" ), Description (
        "This property contains the name of a PolicyRule that "
        "contains one or more PolicyTimePeriodConditions.")]
    CIM_PolicyRule REF GroupComponent;

    // The time-period condition applied to the rule.
    [Deprecated { "CIM_PolicySetValidityPeriod.PartComponent" },
        Override ( "PartComponent" ), Description (
        "This property contains the name of a "
        "PolicyTimePeriodCondition defining the valid time periods "
        "for one or more PolicyRules.")]
    CIM_PolicyTimePeriodCondition REF PartComponent;
};
2061
2062
// ==================================================================
// PolicyConditionStructure
// ==================================================================
// Abstract aggregation of PolicyConditions into a Policy. Each link
// carries the condition's group (GroupNumber) and whether it is
// negated (ConditionNegated); the DNF/CNF reading of the groups is
// chosen by ConditionListType on the aggregating instance.
[Association, Abstract, Aggregation, Version ( "2.7.0" ),
    Description (
    "PolicyConditions may be aggregated into rules and into "
    "compound conditions. PolicyConditionStructure is the abstract "
    "aggregation class for the structuring of policy conditions. \n"
    "\n"
    "The Conditions aggregated by a PolicyRule or "
    "CompoundPolicyCondition are grouped into two levels of lists: "
    "either an ORed set of ANDed sets of conditions (DNF, the "
    "default) or an ANDed set of ORed sets of conditions (CNF). "
    "Individual PolicyConditions in these lists may be negated. The "
    "property ConditionListType specifies which of these two "
    "grouping schemes applies to a particular PolicyRule or "
    "CompoundPolicyCondition instance. \n"
    "\n"
    "One or more PolicyTimePeriodConditions may be among the "
    "conditions associated with a PolicyRule or "
    "CompoundPolicyCondition via the PolicyConditionStructure "
    "subclass association. In this case, the time periods are "
    "simply additional Conditions to be evaluated along with any "
    "others that are specified.")]
class CIM_PolicyConditionStructure : CIM_PolicyComponent {

    // The aggregating Policy.
    [Aggregate, Override ( "GroupComponent" ), Description (
        "This property represents the Policy that contains one or "
        "more PolicyConditions.")]
    CIM_Policy REF GroupComponent;

    // The aggregated condition.
    [Override ( "PartComponent" ), Description (
        "This property holds the name of a PolicyCondition contained "
        "by one or more PolicyRule or CompoundPolicyCondition "
        "instances.")]
    CIM_PolicyCondition REF PartComponent;

    // Inner-list index: an ANDed set under DNF, an ORed set under CNF.
    [Description (
        "Unsigned integer indicating the group to which the "
        "contained PolicyCondition belongs. This integer segments "
        "the Conditions into the ANDed sets (when the "
        "ConditionListType is \"DNF\") or, similarly, into the ORed "
        "sets (when the ConditionListType is \"CNF\").")]
    uint16 GroupNumber;

    // TRUE inverts the condition's result before it is combined.
    [Description (
        "Indication of whether the contained PolicyCondition is "
        "negated. TRUE indicates that the PolicyCondition IS "
        "negated, FALSE indicates that it IS NOT negated.")]
    boolean ConditionNegated;
};
2114
2115
// ==================================================================
// PolicyConditionInPolicyRule
// ==================================================================
// Concrete PolicyConditionStructure whose aggregating side is a
// PolicyRule. Per the Description, a rule with zero conditions is
// not valid and should have no effect until it is.
[Association, Aggregation, Version ( "2.7.0" ), Description (
    "A PolicyRule aggregates zero or more instances of the "
    "PolicyCondition class, via the PolicyConditionInPolicyRule "
    "association. A Rule that aggregates zero Conditions is not "
    "valid; it may, however, be in the process of being defined. "
    "Note that a PolicyRule should have no effect until it is "
    "valid.")]
class CIM_PolicyConditionInPolicyRule : CIM_PolicyConditionStructure {

    // The aggregating PolicyRule.
    [Aggregate, Override ( "GroupComponent" ), Description (
        "This property represents the PolicyRule that contains one "
        "or more PolicyConditions.")]
    CIM_PolicyRule REF GroupComponent;

    // The aggregated condition.
    [Override ( "PartComponent" ), Description (
        "This property holds the name of a PolicyCondition contained "
        "by one or more PolicyRules.")]
    CIM_PolicyCondition REF PartComponent;
};
2138
2139
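// ==================================================================
// PolicyConditionInPolicyCondition
// ==================================================================
// Concrete PolicyConditionStructure whose aggregating side is a
// CompoundPolicyCondition. Per the Description, a compound condition
// with zero conditions is not valid and should have no effect until
// it is.
[Association, Aggregation, Version ( "2.7.0" ), Description (
    "A CompoundPolicyCondition aggregates zero or more instances of "
    "the PolicyCondition class, via the "
    "PolicyConditionInPolicyCondition association. A "
    "CompoundPolicyCondition that aggregates zero Conditions is not "
    "valid; it may, however, be in the process of being defined. "
    "Note that a CompoundPolicyCondition should have no effect "
    "until it is valid.")]
class CIM_PolicyConditionInPolicyCondition : CIM_PolicyConditionStructure {

    // The aggregating CompoundPolicyCondition.
    [Aggregate, Override ( "GroupComponent" ), Description (
        "This property represents the CompoundPolicyCondition that "
        "contains one or more PolicyConditions.")]
    CIM_CompoundPolicyCondition REF GroupComponent;

    // The aggregated condition. The container named in the text is
    // the CompoundPolicyCondition, matching GroupComponent above.
    [Override ( "PartComponent" ), Description (
        "This property holds the name of a PolicyCondition contained "
        "by one or more CompoundPolicyConditions.")]
    CIM_PolicyCondition REF PartComponent;
};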
2163
// ==================================================================
// PolicyActionStructure
// ==================================================================
// Abstract aggregation of PolicyActions into a Policy. ActionOrder
// gives each action's relative position: 0 means "don't care", equal
// non-zero values may run in any order at that position, and only
// relative magnitude matters.
[Association, Abstract, Aggregation, Version ( "2.6.0" ),
    Description (
    "PolicyActions may be aggregated into rules and into compound "
    "actions. PolicyActionStructure is the abstract aggregation "
    "class for the structuring of policy actions.")]
class CIM_PolicyActionStructure : CIM_PolicyComponent {

    // The aggregating Policy (a PolicyRule or CompoundPolicyAction).
    [Aggregate, Override ( "GroupComponent" ), Description (
        "PolicyAction instances may be aggregated into either "
        "PolicyRule instances or CompoundPolicyAction instances.")]
    CIM_Policy REF GroupComponent;

    // The aggregated action.
    [Override ( "PartComponent" ), Description (
        "A PolicyAction aggregated by a PolicyRule or "
        "CompoundPolicyAction.")]
    CIM_PolicyAction REF PartComponent;

    // Relative sequence position of the action; see the worked
    // examples in the Description.
    [Description (
        "ActionOrder is an unsigned integer 'n' that indicates the "
        "relative position of a PolicyAction in the sequence of "
        "actions associated with a PolicyRule or "
        "CompoundPolicyAction. When 'n' is a positive integer, it "
        "indicates a place in the sequence of actions to be "
        "performed, with smaller integers indicating earlier "
        "positions in the sequence. The special value '0' indicates "
        "'don't care'. If two or more PolicyActions have the same "
        "non-zero sequence number, they may be performed in any "
        "order, but they must all be performed at the appropriate "
        "place in the overall action sequence. \n"
        "\n"
        "A series of examples will make ordering of PolicyActions "
        "clearer: \n"
        "o If all actions have the same sequence number, regardless "
        "of whether it is '0' or non-zero, any order is acceptable. "
        "\no The values: \n"
        "1:ACTION A \n"
        "2:ACTION B \n"
        "1:ACTION C \n"
        "3:ACTION D \n"
        "indicate two acceptable orders: A,C,B,D or C,A,B,D, \n"
        "since A and C can be performed in either order, but only at "
        "the '1' position. \n"
        "o The values: \n"
        "0:ACTION A \n"
        "2:ACTION B \n"
        "3:ACTION C \n"
        "3:ACTION D \n"
        "require that B,C, and D occur either as B,C,D or as B,D,C. "
        "Action A may appear at any point relative to B, C, and D. "
        "Thus the complete set of acceptable orders is: A,B,C,D; "
        "B,A,C,D; B,C,A,D; B,C,D,A; A,B,D,C; B,A,D,C; B,D,A,C; "
        "B,D,C,A. \n"
        "\n"
        "Note that the non-zero sequence numbers need not start with "
        "'1', and they need not be consecutive. All that matters is "
        "their relative magnitude.")]
    uint16 ActionOrder;
};
2226
// ==================================================================
// PolicyActionInPolicyRule
// ==================================================================
// Concrete PolicyActionStructure whose aggregating side is a
// PolicyRule. Whether the expressed order is required, recommended
// or insignificant is stated by PolicyRule.SequencedActions, not by
// this aggregation.
[Association, Aggregation, Version ( "2.6.0" ), Description (
    "A PolicyRule aggregates zero or more instances of the "
    "PolicyAction class, via the PolicyActionInPolicyRule "
    "association. A Rule that aggregates zero Actions is not "
    "valid--it may, however, be in the process of being entered "
    "into a PolicyRepository or being defined for a System. "
    "Alternately, the actions of the policy may be explicit in the "
    "definition of the PolicyRule. Note that a PolicyRule should "
    "have no effect until it is valid. \n"
    "\n"
    "The Actions associated with a PolicyRule may be given a "
    "required order, a recommended order, or no order at all. For "
    "Actions represented as separate objects, the "
    "PolicyActionInPolicyRule aggregation can be used to express an "
    "order. \n"
    "\n"
    "This aggregation does not indicate whether a specified action "
    "order is required, recommended, or of no significance; the "
    "property SequencedActions in the aggregating instance of "
    "PolicyRule provides this indication.")]
class CIM_PolicyActionInPolicyRule : CIM_PolicyActionStructure {

    // The aggregating PolicyRule.
    [Aggregate, Override ( "GroupComponent" ), Description (
        "This property represents the PolicyRule that contains one "
        "or more PolicyActions.")]
    CIM_PolicyRule REF GroupComponent;

    // The aggregated action.
    [Override ( "PartComponent" ), Description (
        "This property holds the name of a PolicyAction contained by "
        "one or more PolicyRules.")]
    CIM_PolicyAction REF PartComponent;
};
2263
2264
// ==================================================================
// PolicyActionInPolicyAction
// ==================================================================
// Concrete PolicyActionStructure whose aggregating side is a
// CompoundPolicyAction.
[Association, Aggregation, Version ( "2.6.0" ), Description (
    "PolicyActionInPolicyAction is used to represent the "
    "compounding of policy actions into a higher-level policy "
    "action.")]
class CIM_PolicyActionInPolicyAction : CIM_PolicyActionStructure {

    // The aggregating CompoundPolicyAction.
    [Aggregate, Override ( "GroupComponent" ), Description (
        "This property represents the CompoundPolicyAction that "
        "contains one or more PolicyActions.")]
    CIM_CompoundPolicyAction REF GroupComponent;

    // The aggregated action.
    [Override ( "PartComponent" ), Description (
        "This property holds the name of a PolicyAction contained by "
        "one or more CompoundPolicyActions.")]
    CIM_PolicyAction REF PartComponent;
};
2284
2285
// ==================================================================
// PolicyContainerInPolicyContainer
// ==================================================================
// Nests ReusablePolicyContainers: both ends of the aggregation are
// CIM_ReusablePolicyContainer references.
[Association, Aggregation, Version ( "2.6.0" ), Description (
    "A relationship that aggregates one or more lower-level "
    "ReusablePolicyContainer instances into a higher-level "
    "ReusablePolicyContainer.")]
class CIM_PolicyContainerInPolicyContainer : CIM_SystemComponent {

    // The higher-level container.
    [Aggregate, Override ( "GroupComponent" ), Description (
        "A ReusablePolicyContainer that aggregates other "
        "ReusablePolicyContainers.")]
    CIM_ReusablePolicyContainer REF GroupComponent;

    // The lower-level container.
    [Override ( "PartComponent" ), Description (
        "A ReusablePolicyContainer aggregated by another "
        "ReusablePolicyContainer.")]
    CIM_ReusablePolicyContainer REF PartComponent;
};
2305
2306
// ==================================================================
// PolicyRepositoryInPolicyRepository *** deprecated
// ==================================================================
// Deprecated in favour of CIM_PolicyContainerInPolicyContainer (see
// the Deprecated qualifiers on the class and on both references).
[Association, Deprecated { "CIM_PolicyContainerInPolicyContainer" },
    Aggregation, Version ( "2.7.0" ), Description (
    "The term 'PolicyRepository' has been confusing to both "
    "developers and users of the model. The replacement class name "
    "describes model element properly and is less likely to be "
    "confused with a data repository. ContainedDomain is a general "
    "purpose mechanism for expressing domain hierarchy. \n"
    "\n"
    "A relationship that aggregates one or more lower-level "
    "PolicyRepositories into a higher-level Repository.")]
class CIM_PolicyRepositoryInPolicyRepository : CIM_SystemComponent {

    // The higher-level repository.
    [Deprecated {
        "CIM_PolicyContainerInPolicyContainer.GroupComponent" },
        Aggregate, Override ( "GroupComponent" ), Description (
        "A PolicyRepository that aggregates other Repositories.")]
    CIM_PolicyRepository REF GroupComponent;

    // The lower-level repository.
    [Deprecated {
        "CIM_PolicyContainerInPolicyContainer.PartComponent" },
        Override ( "PartComponent" ), Description (
        "A PolicyRepository aggregated by another Repository.")]
    CIM_PolicyRepository REF PartComponent;
};
2334
2335
// ==================================================================
// ReusablePolicy
// ==================================================================
// Places any Policy subclass in a ReusablePolicyContainer for reuse.
// Max(1) on Antecedent limits a policy element to at most one
// container through this association.
[Association, Version ( "2.6.0" ), Description (
    "The ReusablePolicy association provides for the reuse of any "
    "subclass of Policy in a ReusablePolicyContainer.")]
class CIM_ReusablePolicy : CIM_PolicyInSystem {

    // The container that scopes the reuse.
    [Override ( "Antecedent" ), Max ( 1 ), Description (
        "This property identifies a ReusablePolicyContainer that "
        "provides the administrative scope for the reuse of the "
        "referenced policy element.")]
    CIM_ReusablePolicyContainer REF Antecedent;

    // The reusable policy element.
    [Override ( "Dependent" ), Description (
        "A reusable policy element.")]
    CIM_Policy REF Dependent;
};
2354
2355
// ==================================================================
// ElementInPolicyRoleCollection
// ==================================================================
// Membership of a ManagedElement in a PolicyRoleCollection. This
// expresses eligibility only: the collection's PolicySets MAY BE
// applied to the element. Actual enforcement is recorded separately
// with PolicySetAppliesToElement, as the Description states.
[Association, Aggregation, Version ( "2.8.0" ), Description (
    "An ElementInPolicyRoleCollection aggregates zero or more "
    "ManagedElement subclass instances into a PolicyRoleCollection "
    "object, representing a role played by these ManagedElements. "
    "This Collection indicates that the aggregated PolicySets "
    "(aggregated by CIM_PolicySetInRoleCollection) MAY BE applied "
    "to the referenced elements. To indicate that the PolicySets "
    "ARE being enforced for the element, use the "
    "PolicySetAppliesToElement association.")]
class CIM_ElementInPolicyRoleCollection : CIM_MemberOfCollection {

    // The role collection.
    [Aggregate, Override ( "Collection" ), Description (
        "The PolicyRoleCollection.")]
    CIM_PolicyRoleCollection REF Collection;

    // The element playing the role.
    [Override ( "Member" ), Description (
        "The ManagedElement that plays the role represented by the "
        "PolicyRoleCollection.")]
    CIM_ManagedElement REF Member;
};
2379
2380
// ==================================================================
// PolicyRoleCollectionInSystem
// ==================================================================
// Ties a PolicyRoleCollection to its owning System. Min(1)/Max(1) on
// Antecedent mean every collection has exactly one owning system.
[Association, Version ( "2.7.0" ), Description (
    "PolicyRoleCollectionInSystem is an association used to "
    "establish a relationship between a collection and an 'owning' "
    "System such as an AdminDomain or ComputerSystem.")]
class CIM_PolicyRoleCollectionInSystem : CIM_HostedCollection {

    // The owning system.
    [Override ( "Antecedent" ), Min ( 1 ), Max ( 1 ), Description (
        "The parent system responsible for the collection.")]
    CIM_System REF Antecedent;

    // The owned collection.
    [Override ( "Dependent" ), Description (
        "The Collection.")]
    CIM_PolicyRoleCollection REF Dependent;
};
2398
2399
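// ==================================================================
// PolicyConditionInPolicyRepository *** deprecated
// ==================================================================
// Deprecated in favour of CIM_ReusablePolicy (see the Deprecated
// qualifiers on the class and on both references). Hosts reusable
// PolicyConditions in a PolicyRepository; rule-specific conditions
// are not linked through it.
[Association, Deprecated { "CIM_ReusablePolicy" },
    Version ( "2.7.0" ), Description (
    "The ReusablePolicy association is a more general relationship "
    "that incorporates both Conditions and Actions as well as any "
    "other policy subclass. \n"
    "\n"
    "This class represents the hosting of reusable PolicyConditions "
    "by a PolicyRepository. A reusable Policy Condition is always "
    "related to a single PolicyRepository, via this association. \n"
    "\n"
    "Note, that an instance of PolicyCondition can be either "
    "reusable or rule-specific. When the Condition is rule-"
    "specific, it shall not be related to any PolicyRepository via "
    "the PolicyConditionInPolicyRepository association.")]
class CIM_PolicyConditionInPolicyRepository : CIM_PolicyInSystem {

    // The hosting repository; Max(1) gives the [0..1] cardinality
    // explained in the Description.
    [Deprecated { "CIM_ReusablePolicy.Antecedent" },
        Override ( "Antecedent" ), Max ( 1 ), Description (
        "This property identifies a PolicyRepository hosting one or "
        "more PolicyConditions. A reusable PolicyCondition is always "
        "related to exactly one PolicyRepository via the "
        "PolicyConditionInPolicyRepository association. The [0..1] "
        "cardinality for this property covers the two types of "
        "PolicyConditions: 0 for a rule-specific PolicyCondition, 1 "
        "for a reusable one.")]
    CIM_PolicyRepository REF Antecedent;

    // The hosted condition.
    [Deprecated { "CIM_ReusablePolicy.Dependent" },
        Override ( "Dependent" ), Description (
        "This property holds the name of a PolicyCondition hosted in "
        "the PolicyRepository.")]
    CIM_PolicyCondition REF Dependent;
};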
2436
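// ==================================================================
// PolicyActionInPolicyRepository *** deprecated
// ==================================================================
// Deprecated in favour of CIM_ReusablePolicy (see the Deprecated
// qualifiers on the class and on both references). Hosts reusable
// PolicyActions in a PolicyRepository; rule-specific actions are not
// linked through it.
[Association, Deprecated { "CIM_ReusablePolicy" },
    Version ( "2.7.0" ), Description (
    "The ReusablePolicy association is a more general relationship "
    "that incorporates both Conditions and Actions as well as any "
    "other policy subclass. \n"
    "\n"
    "This class represents the hosting of reusable PolicyActions by "
    "a PolicyRepository. A reusable Policy Action is always related "
    "to a single PolicyRepository, via this association. \n"
    "\n"
    "Note, that an instance of PolicyAction can be either reusable "
    "or rule-specific. When the Action is rule-specific, it shall "
    "not be related to any PolicyRepository via the "
    "PolicyActionInPolicyRepository association.")]
class CIM_PolicyActionInPolicyRepository : CIM_PolicyInSystem {

    // The hosting repository; Max(1) gives the [0..1] cardinality
    // explained in the Description.
    [Deprecated { "CIM_ReusablePolicy.Antecedent" },
        Override ( "Antecedent" ), Max ( 1 ), Description (
        "This property represents a PolicyRepository hosting one or "
        "more PolicyActions. A reusable PolicyAction is always "
        "related to exactly one PolicyRepository via the "
        "PolicyActionInPolicyRepository association. The [0..1] "
        "cardinality for this property covers the two types of "
        "PolicyActions: 0 for a rule-specific PolicyAction, 1 for a "
        "reusable one.")]
    CIM_PolicyRepository REF Antecedent;

    // The hosted action.
    [Deprecated { "CIM_ReusablePolicy.Dependent" },
        Override ( "Dependent" ), Description (
        "This property holds the name of a PolicyAction hosted in "
        "the PolicyRepository.")]
    CIM_PolicyAction REF Dependent;
};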
2474
2475
// ==================================================================
// PolicySetInRoleCollection
// ==================================================================
// Membership of a PolicySet (PolicyRule or PolicyGroup) in a
// PolicyRoleCollection, i.e. the policies that support the role.
[Association, Aggregation, Version ( "2.8.0" ), Description (
    "PolicySetInRoleCollection aggregates zero or more PolicyRules "
    "and PolicyGroups (i.e., the subclasses of PolicySet) into a "
    "PolicyRoleCollection object, representing a role "
    "supported/enforced by the PolicySet.")]
class CIM_PolicySetInRoleCollection : CIM_MemberOfCollection {

    // The role collection.
    [Aggregate, Override ( "Collection" ), Description (
        "The PolicyRoleCollection.")]
    CIM_PolicyRoleCollection REF Collection;

    // The policy set backing the role.
    [Override ( "Member" ), Description (
        "The PolicySet that supports/enforces the PolicyRole for the "
        "elements in the PolicyRoleCollection.")]
    CIM_PolicySet REF Member;
};
2495
2496
// ==================================================================
// PolicySetAppliesToElement
// ==================================================================
// Records that a PolicySet is currently applied to a ManagedElement,
// as opposed to merely being eligible through a PolicyRoleCollection.
// Reviewer note: when the element is a Collection, the Description
// says the PolicySet is assumed to apply to every member, so one
// instance can cover many elements.
[Association, Version ( "2.8.0" ), Description (
    "PolicySetAppliesToElement makes explicit which PolicySets "
    "(i.e., policy rules and groups of rules) ARE CURRENTLY applied "
    "to a particular Element. This association indicates that the "
    "PolicySets that are appropriate for a ManagedElement "
    "(specified using the PolicyRoleCollection aggregation) have "
    "actually been deployed in the policy management "
    "infrastructure. Note that if the named Element refers to a "
    "Collection, then the PolicySet is assumed to be applied to all "
    "the members of the Collection.")]
class CIM_PolicySetAppliesToElement {

    // The applied policy set (key).
    [Key, Description (
        "The PolicyRules and/or groups of rules that are currently "
        "applied to an Element.")]
    CIM_PolicySet REF PolicySet;

    // The element the policy set is applied to (key).
    [Key, Description (
        "The ManagedElement to which the PolicySet applies.")]
    CIM_ManagedElement REF ManagedElement;
};
2522
// ==================================================================
// FilterOfPacketCondition
// ==================================================================
// Binds a PacketFilterCondition to the FilterList that selects its
// traffic. Min(1)/Max(1) on Antecedent mean each condition has
// exactly one FilterList, which may hold many filter entries.
[Association, Version ( "2.8.0" ), Description (
    "FilterOfPacketCondition associates a network traffic "
    "specification (i.e., a FilterList) with a PolicyRule's "
    "PacketFilterCondition."),
    MappingStrings { "IPSP Policy Model.IETF|FilterOfSACondition" }]
class CIM_FilterOfPacketCondition : CIM_Dependency {

    // The traffic specification.
    [Override ( "Antecedent" ), Min ( 1 ), Max ( 1 ), Description (
        "A FilterList describes the traffic selected by the "
        "PacketFilterCondition. A PacketFilterCondition is "
        "associated with one and only one FilterList, but that "
        "filter list may aggregate many filter entries."),
        MappingStrings { "IPSP Policy Model.IETF|"
        "FilterOfSACondition.Antecedent" }]
    CIM_FilterList REF Antecedent;

    // The condition that uses the FilterList.
    [Override ( "Dependent" ), Description (
        "The PacketFilterCondition that uses the FilterList as part "
        "of a PolicyRule."),
        MappingStrings { "IPSP Policy Model.IETF|"
        "FilterOfSACondition.Dependent" }]
    CIM_PacketFilterCondition REF Dependent;
};
2549
2550
// ==================================================================
// AcceptCredentialFrom
// ==================================================================
// Names a CredentialManagementService (e.g. a CA or Kerberos KDC)
// that a PacketFilterCondition trusts to certify credentials.
// Reviewer note, from the Description's own matching rules:
//  - with a corresponding credential filter entry, a credential must
//    match the entry AND be certified by the named service (or one in
//    its trust hierarchy);
//  - with no corresponding CredentialFilterEntry, every credential
//    from the named service matches. Instances of this association
//    that lack a filter entry therefore accept the service's whole
//    population and deserve review when a policy is audited.
[Association, Version ( "2.8" ), Description (
    "This association specifies that a credential management "
    "service (e.g., CertificateAuthority or Kerberos key "
    "distribution service) is to be trusted to certify credentials, "
    "presented at the packet level. The association defines an "
    "'approved' CredentialManagementService that is used for "
    "validation. \n"
    "\n"
    "The use of this class is best explained via an example: \n"
    "If a CertificateAuthority is specified using this association, "
    "and a corresponding X509CredentialFilterEntry is also "
    "associated with a PacketFilterCondition (via the relationship, "
    "FilterOfPacketCondition), then the credential MUST match the "
    "FilterEntry data AND be certified by that CA (or one of the "
    "CredentialManagementServices in its trust hierarchy). "
    "Otherwise, the X509CredentialFilterEntry is deemed not to "
    "match. If a credential is certified by a "
    "CredentialManagementService associated with the "
    "PacketFilterCondition through the AcceptCredentialFrom "
    "relationship, but there is no corresponding "
    "CredentialFilterEntry, then all credentials from the related "
    "service are considered to match."),
    MappingStrings { "IPSP Policy Model.IETF|AcceptCredentialFrom" }]
class CIM_AcceptCredentialFrom : CIM_Dependency {

    // The trusted issuing service.
    [Override ( "Antecedent" ), Description (
        "The CredentialManagementService that is issuing the "
        "credential to be matched in the PacketFilterCondition."),
        MappingStrings { "IPSP Policy "
        "Model.IETF|AcceptCredentialFrom.Antecedent" }]
    CIM_CredentialManagementService REF Antecedent;

    // The condition that relies on the service.
    [Override ( "Dependent" ), Description (
        "The PacketFilterCondition that associates the "
        "CredentialManagementService and any "
        "FilterLists/FilterEntries."),
        MappingStrings { "IPSP Policy "
        "Model.IETF|AcceptCredentialFrom.Dependent" }]
    CIM_PacketFilterCondition REF Dependent;
};
2594
2595
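// ==================================================================
// AuthorizationRuleAppliesToRole
// ==================================================================
// Experimental specialization of PolicySetAppliesToElement that
// narrows PolicySet to CIM_AuthorizationRule and ManagedElement to
// CIM_Role. The property text names the AuthorizationRule, matching
// the referenced class.
[Association, Experimental, Version ( "2.8.1000" ), Description (
    "AuthorizationRuleAppliesToRole makes explicit that an "
    "AuthorizationRule is CURRENTLY applied to a particular Role. "
    "The Role defines the relevant Privileges, since these are "
    "collected into the Role via MemberOfCollection.")]
class CIM_AuthorizationRuleAppliesToRole : CIM_PolicySetAppliesToElement {

    // The applied authorization rule (key).
    [Key, Override ( "PolicySet" ), Description (
        "The AuthorizationRule that is currently applied to this "
        "Role.")]
    CIM_AuthorizationRule REF PolicySet;

    // The Role the rule is applied to (key).
    [Key, Override ( "ManagedElement" ), Description (
        "A Role to which this AuthorizationRule applies.")]
    CIM_Role REF ManagedElement;
};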
2615
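// ==================================================================
// AuthorizationRuleAppliesToPrivilege
// ==================================================================
// Experimental specialization of PolicySetAppliesToElement that
// narrows PolicySet to CIM_AuthorizationRule and ManagedElement to
// CIM_Privilege. The Description names this class and the
// AuthorizationRule, matching the declarations below.
[Association, Experimental, Version ( "2.8.1000" ), Description (
    "AuthorizationRuleAppliesToPrivilege makes explicit that an "
    "AuthorizationRule is CURRENTLY applied to a particular "
    "Privilege.")]
class CIM_AuthorizationRuleAppliesToPrivilege : CIM_PolicySetAppliesToElement {

    // The applied authorization rule (key).
    [Key, Override ( "PolicySet" ), Description (
        "The AuthorizationRule that is currently applied to this "
        "Privilege.")]
    CIM_AuthorizationRule REF PolicySet;

    // The Privilege the rule is applied to (key).
    [Key, Override ( "ManagedElement" ), Description (
        "A Privilege to which this AuthorizationRule applies.")]
    CIM_Privilege REF ManagedElement;
};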
2634
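// ==================================================================
// AuthorizationRuleAppliesToIdentity
// ==================================================================
// Experimental specialization of PolicySetAppliesToElement that
// narrows PolicySet to CIM_AuthorizationRule and ManagedElement to
// CIM_Identity, the authorized subject. The Description names this
// class and the AuthorizationRule, matching the declarations below.
[Association, Experimental, Version ( "2.8.1000" ), Description (
    "AuthorizationRuleAppliesToIdentity makes explicit that an "
    "AuthorizationRule is CURRENTLY applied to a particular "
    "Identity that is to be considered an authorized subject.")]
class CIM_AuthorizationRuleAppliesToIdentity : CIM_PolicySetAppliesToElement {

    // The applied authorization rule (key).
    [Key, Override ( "PolicySet" ), Description (
        "The AuthorizationRule that is currently applied to this "
        "Identity.")]
    CIM_AuthorizationRule REF PolicySet;

    // The Identity (subject) the rule is applied to (key).
    [Key, Override ( "ManagedElement" ), Description (
        "An Identity to which this AuthorizationRule applies.")]
    CIM_Identity REF ManagedElement;
};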
2653
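// ==================================================================
// AuthorizationRuleAppliesToTarget
// ==================================================================
// Experimental specialization of PolicySetAppliesToElement that
// narrows PolicySet to CIM_AuthorizationRule; ManagedElement stays a
// CIM_ManagedElement and denotes the authorized target. The
// Description names this class and the AuthorizationRule, matching
// the declarations below.
[Association, Experimental, Version ( "2.8.1000" ), Description (
    "AuthorizationRuleAppliesToTarget makes explicit that an "
    "AuthorizationRule is CURRENTLY applied to a particular element "
    "that is to be considered an authorized target.")]
class CIM_AuthorizationRuleAppliesToTarget : CIM_PolicySetAppliesToElement {

    // The applied authorization rule (key).
    [Key, Override ( "PolicySet" ), Description (
        "The AuthorizationRule that is currently applied to the "
        "target element.")]
    CIM_AuthorizationRule REF PolicySet;

    // The target element the rule is applied to (key).
    [Key, Override ( "ManagedElement" ), Description (
        "A target element to which the AuthorizationRule applies.")]
    CIM_ManagedElement REF ManagedElement;
};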
2672
2673
2674
2675 // ===================================================================
2676 // end of file
2677 // ===================================================================
2678