IF condition THEN action
In other words, when the set of conditions referred to by a policy rule evaluates to TRUE, the policy actions associated with the policy rule are executed.
C1: Group Number = 1, Condition Negated = FALSE
C2: Group Number = 1, Condition Negated = TRUE
C3: Group Number = 1, Condition Negated = FALSE
C4: Group Number = 2, Condition Negated = FALSE
C5: Group Number = 2, Condition Negated = FALSE
If the conditions are to be evaluated using DNF, then the overall condition for the policy rule is:
(C1 AND (NOT C2) AND C3) OR (C4 AND C5)
On the other hand, if CNF is used to evaluate the conditions, then the overall condition for the policy rule is:
(C1 OR (NOT C2) OR C3) AND (C4 OR C5)
Complex rules can be split into multiple simple rules, an operation referred to here as explosion. Negated conditions are not allowed in a rule if explosion is to be performed. Consider the following set of conditions for a policy rule:
C1: Group Number = 1, Condition Negated = FALSE
C2: Group Number = 1, Condition Negated = FALSE
C3: Group Number = 1, Condition Negated = FALSE
C4: Group Number = 2, Condition Negated = FALSE
C5: Group Number = 2, Condition Negated = FALSE
If DNF is used to evaluate the conditions, splitting the complex rule produces the following simple rules:
Simple Rule 1: C1 AND C2 AND C3
Simple Rule 2: C4 AND C5
If CNF is used to evaluate the conditions, splitting the complex rule produces the following simple rules:
Simple Rule 1: C1 AND C4
Simple Rule 2: C1 AND C5
Simple Rule 3: C2 AND C4
Simple Rule 4: C2 AND C5
Simple Rule 5: C3 AND C4
Simple Rule 6: C3 AND C5
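The two condition sets above, evaluated and split under both DNF and CNF. This is an added example, not code from the original page; the function names, the (name, group number, negated) tuple layout and the truth values in SAMPLE_TRUTH are assumptions made for illustration.

```python
from collections import defaultdict
from itertools import product

# Constructed sample data: (name, group number, negated), as listed in the text.
NEGATED_SET = [("C1", 1, False), ("C2", 1, True), ("C3", 1, False),
               ("C4", 2, False), ("C5", 2, False)]
PLAIN_SET = [(name, group, False) for name, group, _ in NEGATED_SET]


def group_conditions(conditions):
    """Bucket (name, negated) pairs by group number, in ascending group order."""
    groups = defaultdict(list)
    for name, group, negated in conditions:
        groups[group].append((name, negated))
    return [groups[g] for g in sorted(groups)]


def evaluate(conditions, truth, form):
    """Evaluate the overall rule condition; truth maps condition name -> bool.

    DNF: AND within a group, OR across groups. CNF: OR within, AND across.
    """
    if form not in ("DNF", "CNF"):
        raise ValueError(f"unknown form: {form!r}")
    inner, outer = (all, any) if form == "DNF" else (any, all)
    # A negated condition contributes the inverse of its truth value.
    return outer(inner(truth[name] != negated for name, negated in grp)
                 for grp in group_conditions(conditions))


def split(conditions, form):
    """Split a complex rule into simple rules, each a tuple of ANDed names."""
    if form not in ("DNF", "CNF"):
        raise ValueError(f"unknown form: {form!r}")
    if any(negated for _, _, negated in conditions):
        raise ValueError("negated conditions are not allowed when splitting")
    groups = [[name for name, _ in grp] for grp in group_conditions(conditions)]
    if form == "DNF":
        return [tuple(grp) for grp in groups]   # one simple rule per group
    return list(product(*groups))               # one condition from each group


# Hypothetical truth values: the same inputs match under DNF but not under CNF.
SAMPLE_TRUTH = {"C1": True, "C2": False, "C3": True, "C4": False, "C5": False}

if __name__ == "__main__":
    for form in ("DNF", "CNF"):
        print(form, evaluate(NEGATED_SET, SAMPLE_TRUTH, form), split(PLAIN_SET, form))
```

With these truth values the first condition set matches under DNF and does not match under CNF, so the evaluation form has to be known before a rule's conditions can be reviewed.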
Policy actions specify the actions to take when the set of conditions for a policy rule evaluates to TRUE. The policy model allows multiple actions for a policy rule. Many policy rules typically use only a single action, but multiple actions make sense for some policy types.
Policy conditions and actions can either be specific to a single rule or be reusable among several policy rules. To allow either type of conditions and actions, and to specify related information such as the condition group number and negation indicator, several other policy objects are required. First are the policy condition association and policy action association objects. These objects contain condition-related and action-related attributes, respectively, and may directly contain policy conditions and actions, which are then rule-specific.
Alternatively, the policy association objects may refer to conditions and actions, which are then reusable. Policy condition instance and policy action instance objects are used to represent reusable policy conditions and actions, respectively.
The policy group object is used primarily for administrative grouping of policy rules. Policy groups can refer either to policy rules or to other policy groups. This allows related policy rules to be grouped together, and also allows policy groups to be nested to any needed level.