Policy object model overview

Policies consist of several related objects. The main object is the policy rule. A policy rule object refers to one or more policy condition, policy action, or policy time period condition objects, and also contains information on how these objects are to be used. Policy time period objects are used to determine when a given policy rule is active. Active policy objects are related in a way that is analogous to an 'IF' statement in a program. For example:
IF condition THEN action

In other words, when the set of conditions referred to by a policy rule evaluates to TRUE, the policy actions associated with that policy rule are executed.

Figure 1. Basic policy objects
Diagram showing basic policy structure; a policy rule and the objects to which the policy rule refers
Policy rules can refer to one or more policy conditions. A policy rule with a single policy condition is known as a simple rule, and one with more conditions is known as a complex rule. Complex policy rules can have their conditions evaluated according to one of two different methods. The first is Disjunctive Normal Form (DNF), which means an ORed set of ANDed conditions. The second is Conjunctive Normal Form (CNF), which means an ANDed set of ORed conditions. In order to accomplish these evaluations, individual policy conditions are assigned an arbitrary group number, and also an indication of whether or not the condition is negated. For example, consider the following set of conditions for a policy rule:
C1:  Group Number = 1, Condition Negated = FALSE
C2:  Group Number = 1, Condition Negated = TRUE
C3:  Group Number = 1, Condition Negated = FALSE
C4:  Group Number = 2, Condition Negated = FALSE
C5:  Group Number = 2, Condition Negated = FALSE
Figure 2. Complex policy conditions
Diagram showing structure of a complex policy with a policy rule referring to five policy conditions in two groups

If the conditions are to be evaluated using DNF, then the overall condition for the policy rule is:

(C1 AND (NOT C2) AND C3) OR (C4 AND C5)

On the other hand, if CNF is used to evaluate the conditions, then the overall condition for the policy rule is:

(C1 OR (NOT C2) OR C3) AND (C4 OR C5)

Complex rules can be split into multiple simple rules; this splitting is called explosion. Negated conditions are not allowed in a rule if explosion is to be performed. Consider the following set of conditions for a policy rule:

C1:  Group Number = 1, Condition Negated = FALSE
C2:  Group Number = 1, Condition Negated = FALSE
C3:  Group Number = 1, Condition Negated = FALSE
C4:  Group Number = 2, Condition Negated = FALSE
C5:  Group Number = 2, Condition Negated = FALSE
Figure 3. Complex policy conditions before explosion
Shows a complex policy; a policy rule referring to 5 non-negated policy conditions in 2 groups before explosion

If DNF is used to evaluate the conditions, splitting the complex rule produces the following simple rules:

Simple Rule 1:  C1 AND C2 AND C3
Simple Rule 2:  C4 AND C5

If CNF is used to evaluate the conditions, splitting the complex rule produces the following simple rules:

Simple Rule 1:  C1 AND C4
Simple Rule 2:  C1 AND C5
Simple Rule 3:  C2 AND C4
Simple Rule 4:  C2 AND C5
Simple Rule 5:  C3 AND C4
Simple Rule 6:  C3 AND C5
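
The DNF and CNF evaluation of grouped, optionally negated conditions, and the explosion of the non-negated rule into simple rules, as an added Python example (not code from the original page). The (name, group number, negated) tuples, the `values` mapping and the `form` parameter are this example's own representation, not part of the policy object model.

```python
from collections import OrderedDict
from itertools import product

# Constructed conditions from the first example: (name, group number, negated).
CONDITIONS = [("C1", 1, False), ("C2", 1, True), ("C3", 1, False),
              ("C4", 2, False), ("C5", 2, False)]
# Constructed conditions from the explosion example: same groups, none negated.
NONNEGATED = [(n, g, False) for n, g, _ in CONDITIONS]


def _groups(conditions):
    """Group conditions by group number, keeping first-seen group order."""
    groups = OrderedDict()
    for name, gnum, negated in conditions:
        groups.setdefault(gnum, []).append((name, negated))
    return list(groups.values())


def evaluate_rule(conditions, values, form):
    """Overall condition of a rule. values maps condition name -> bool.

    DNF: an ORed set of ANDed groups. CNF: an ANDed set of ORed groups.
    A negated condition contributes the inverse of its own truth value.
    """
    def literal(name, negated):
        return values[name] != negated
    groups = _groups(conditions)
    if form == "DNF":
        return any(all(literal(n, neg) for n, neg in g) for g in groups)
    if form == "CNF":
        return all(any(literal(n, neg) for n, neg in g) for g in groups)
    raise ValueError("form must be DNF or CNF")


def explode_rule(conditions, form):
    """Split a complex rule into simple rules (each a list of ANDed names).

    Negated conditions are rejected, as the text requires for explosion.
    DNF: each group becomes one simple rule.
    CNF: one simple rule for every choice of one condition from each group.
    """
    if any(negated for _, _, negated in conditions):
        raise ValueError("negated conditions cannot be exploded")
    groups = [[name for name, _ in g] for g in _groups(conditions)]
    if form == "DNF":
        return groups
    if form == "CNF":
        return [list(combo) for combo in product(*groups)]
    raise ValueError("form must be DNF or CNF")
```

The CNF explosion reproduces the six simple rules listed above in the same order.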

Policy actions specify the actions to take when the set of conditions for a policy rule evaluates to TRUE. The policy model allows multiple actions for a policy rule. Many policy rules use only a single action, but multiple actions make sense for some policy types.

Policy conditions and actions can either be specific to a single rule, or be reusable among several policy rules. To allow either type of condition and action, and to specify related information such as the condition group number and negation indicator, several other policy objects are required. The first are the policy condition association and policy action association objects. These objects contain condition-related and action-related attributes, respectively, and may directly contain policy conditions and actions (rule-specific).

Figure 4. Rule-specific conditions and actions
2 rules with condition association and action association objects together with condition and action objects

Alternatively, the policy association objects may refer to conditions and actions (reusable). Policy condition instance and policy action instance objects represent reusable policy conditions and actions, respectively.

Figure 5. Reusable conditions and actions
2 rules with condition association and action association referring to instance objects to represent reusable policy

The policy group object is used primarily for administrative grouping of policy rules. Policy groups can refer either to policy rules or to other policy groups. This allows related policy rules to be grouped together, and allows policy groups to be nested to any needed level.

Figure 6. Policy groups
Hierarchy of policy group with its children policy groups referring to policy rules