-- =============================================================================
-- ITU-T Rec. X.741 (1995) | ISO/IEC 10164-9 : 1995
-- =============================================================================
--<GDMO.Alias "ITU-T Rec. X.741 (1995) | ISO/IEC 10164-9 : 1995"
-- "CCITT Rec. X.741 (1995) | ISO/IEC 10164-9 : 1995",
-- "ITU-T Rec. X.741 | ISO/IEC 10164-9">--
-- =========================================================
-- =============================================================================
-- ITU-T Rec. X.741 (1995) | ISO/IEC 10164-9 : 1995
-- =============================================================================
--<GDMO.Document "ITU-T Rec. X.741 (1995) | ISO/IEC 10164-9 : 1995">--
-- "Imported" Aliases - references to other documents with non-standard names
--<GDMO.Alias "ITU-T Rec. X.721 (1992) | ISO/IEC 10165-2 : 1992"
-- "CCITT Rec. X.721 | ISO/IEC 10165-2",
-- "CCITT Rec. X.721 | ISO/IEC 10165-2:1992",
-- "CCITT Rec. X.721 | ISO 10165-2:1992",
-- "Rec. X.721 | ISO/IEC 10165-2 : 1992">--
--<GDMO.Alias "ITU-T Rec. X.740 (1992) | ISO/IEC 10164-8 : 1993"
-- "Rec. X.740 | ISO/IEC 10164-8:1992">--
-- accessControl: base managed object class of the X.741 access control
-- model. accessControlRules, rule, notificationEmitter, targets and
-- initiators derive from it (operations and assignedLabels derive from
-- top directly), so the objectCreation and objectDeletion notifications
-- declared here are inherited by all of them. Each specialisation states
-- its own attributeValueChange conditions in its behaviour text.
-- accessControlObjectName is the naming attribute used by the
-- rule-accessControlRules name binding later in this document.
accessControl MANAGED OBJECT CLASS
DERIVED FROM "CCITT Rec. X.721 | ISO/IEC 10165-2:1992":top;
CHARACTERIZED BY accessControlPackage PACKAGE
BEHAVIOUR accessControlBehaviour BEHAVIOUR
DEFINED AS
! The access control managed object class shall emit the object
creation and object deletion notifications. Specializations of the
access control managed object class shall define the conditions under
which attribute value change notifications are to be emitted. ! ;;
ATTRIBUTES accessControlObjectName GET;
NOTIFICATIONS "CCITT Rec. X.721 | ISO/IEC 10165-2:1992": attributeValueChange,
"CCITT Rec. X.721 | ISO/IEC 10165-2:1992": objectCreation,
"CCITT Rec. X.721 | ISO/IEC 10165-2:1992": objectDeletion;;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9)
managedObjectClass(3) accessControl(1) };
-- accessControlRules: container for rule managed objects (see the
-- rule-accessControlRules name binding later in this document).
-- Security-relevant points from the text below: defaultAccess is
-- REPLACE-WITH-DEFAULT with the default value denyAll taken from
-- AccessControl-ASN1Module, so (judging by the value name) the class falls
-- back to denying access unless a policy replaces it; and the NOTE states
-- that conflicting rules for the same initiator/target pair are resolved
-- by the procedures of 7.4.3.1 towards least privilege.
accessControlRules MANAGED OBJECT CLASS
DERIVED FROM accessControl;
CHARACTERIZED BY accessControlRulesPackage PACKAGE
BEHAVIOUR accessControlRulesBehaviour BEHAVIOUR
DEFINED AS
! An access control rules managed object may contain rule managed
objects, each of which represents a global or an item rule. It shall use
those rules in the application of the procedures of 7.4 in accordance
with the policy of the access control domain.
An attribute value change notification shall be emitted when any
attribute of this object class is modified.
NOTE - An access control rules managed object may contain rule managed
objects which are in conflict for a given initiator, target pair. The
procedures of 7.4.3.1 ensure that the principle of least privilege applies. ! ;;
ATTRIBUTES
defaultAccess REPLACE-WITH-DEFAULT
DEFAULT VALUE AccessControl-ASN1Module.denyAll GET-REPLACE,
domainIdentity GET-REPLACE,
denialGranularity GET-REPLACE,
defaultDenialResponse GET-REPLACE;;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9)
managedObjectClass(3) accessControlRules(2) };
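-- rule: one grant-or-deny decision element held under accessControlRules.
-- Points a reviewer should keep in view (all taken from the text below):
--   enforcementAction defaults to deny; allow is the only granting value,
--   any other value selects the type of denial response.
--   An empty initiatorsList makes the rule apply to every initiator, so an
--   allow rule with an empty list is unconditional for whoever satisfies
--   the target and context packages.
--   An empty targetsList makes this a global rule, otherwise an item rule.
--   The state conditions package and the authentication context package
--   each force the rule to evaluate to FALSE when their condition is not
--   met; the scheduling packages (from X.721, not defined here) drive the
--   availability status attribute.
rule MANAGED OBJECT CLASS
DERIVED FROM accessControl;
CHARACTERIZED BY rulePackage PACKAGE
BEHAVIOUR ruleBehaviour BEHAVIOUR
DEFINED AS
! Each rule identifies its nature - to grant or deny access. In the
case where the enforcement action attribute has a value of allow, then
access is permitted, else the enforcement action attribute defines the
type of denial response made to the initiator of the management operation.
A rule managed object may include characteristics to represent a context
for the rule.
One such context is a scheduling capability. When included, the
scheduling packages control the value of the availability status
attribute which shall exhibit the value { off duty } when the schedule
requires that the rule not be available and the value {} otherwise.
Another context is the state of other managed objects. When included,
the state conditions package identifies managed objects and filters upon
their attributes. This rule shall only pertain if the managed objects
exist and the filters evaluate to TRUE.
The initiator list attribute identifies initiator managed objects which
identify initiators within the context of one or more access control
schemes. If the list is empty, the rule shall apply to all initiators.
The targets list attribute identifies the target managed objects which
specify the targets to which the rule pertains. If the list is empty,
the rule is a global rule otherwise it is an item rule.
The creation and deletion of rules shall be signalled by object creation
and object deletion notifications respectively.
An attribute value change notification shall be emitted when any
attribute of this object class is modified. !;;
ATTRIBUTES
enforcementAction REPLACE-WITH-DEFAULT
DEFAULT VALUE AccessControl-ASN1Module.deny GET-REPLACE,
initiatorsList GET-REPLACE ADD-REMOVE,
targetsList GET-REPLACE ADD-REMOVE;;;
CONDITIONAL PACKAGES
"CCITT Rec. X.721 | ISO/IEC 10165-2:1992": availabilityStatusPackage
PRESENT IF ! Any of the scheduling packages (duration, daily, weekly,
external) are present. !,
stateConditionsPackage PACKAGE
BEHAVIOUR stateConditionsBehaviour BEHAVIOUR
DEFINED AS
! When this package is present in a rule managed object, the filters
identified by the state conditions attribute shall be evaluated for
the managed objects identified by that attribute. If the managed
objects are not available or the filters evaluate to FALSE then the
rule shall evaluate to FALSE. If the filters evaluate to TRUE, then
the rule shall evaluate to TRUE. ! ;;
ATTRIBUTES stateConditions GET-REPLACE ADD-REMOVE;
REGISTERED AS
{ joint-iso-itu-t(2) ms(9) function(2) part9(9) package(4)
stateConditionsPackage(1) };
PRESENT IF ! The state of another managed object provides a context for
this rule. !,
authenticationContextPackage PACKAGE
BEHAVIOUR authenticationContextBehaviour BEHAVIOUR
DEFINED AS
! When this package is present in a rule managed object, then the
authentication requirements specified by the authentication context
attribute shall be satisfied before any further evaluation of the
access rights of an initiator is performed.
If the authentication requirements are not satisfied, then the rule
shall evaluate to FALSE. !;;
ATTRIBUTES authenticationContext GET-REPLACE;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) package(4)
authenticationContextPackage(2) };
PRESENT IF ! The authentication context is required. !;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9)
managedObjectClass(3) rule(3) };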
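-- notificationEmitter: reporting side of the access control model. The
-- behaviour text requires an instance to support at least one of the
-- conditional packages below; which ones is a matter of the security policy
-- named in each PRESENT IF condition. The three alarm packages map failed
-- access control checks to X.721 security alarm notifications; the usage
-- and service report packages feed the X.740 security audit trail.
-- The X.721 references in this template use the alias string that the rest
-- of this document uses, so that the GDMO.Alias directive above resolves
-- them. The PRESENT IF condition texts are plain sentences; stray
-- "PRESENT IF" tokens that had been interleaved into four of them were an
-- extraction artefact and are not part of the conditions.
-- NOTE(review): validAccessAttempts and invalidAccessAttempts carry no
-- property list (no GET); confirm against the published text if a manager
-- is expected to read the counters directly rather than via usageReport.
notificationEmitter MANAGED OBJECT CLASS
DERIVED FROM accessControl;
CHARACTERIZED BY accessControlNotificationEmitterPkg PACKAGE
BEHAVIOUR accessControlNotificationEmitterDefinition BEHAVIOUR
DEFINED AS
! This managed object class enables an access control scheme to report
on potential or actual attacks on the security of management
applications and management information. An instance of this managed
object class shall support at least one of the conditional packages
defined below. ! ;;;;
CONDITIONAL PACKAGES
securityViolationAlarmPkg PACKAGE
BEHAVIOUR securityViolationAlarmBehaviour BEHAVIOUR
DEFINED AS
! This package enables a security alarm notification of type
'Security service or mechanism violation' and cause 'unauthorized
access attempt' to be emitted if access control checks should fail. ! ;;
NOTIFICATIONS
"CCITT Rec. X.721 | ISO/IEC 10165-2:1992": securityServiceOrMechanismViolation;
REGISTERED AS
{ joint-iso-itu-t(2) ms(9) function(2) part9(9) package(4)
securityViolationAlarmPkg(3) };
PRESENT IF ! the security policy requires that this security alarm type
shall be emitted if the access control checks fail. !,
timeViolationAlarmPkg PACKAGE
BEHAVIOUR timeViolationAlarmBehaviour BEHAVIOUR
DEFINED AS
! This package enables a security alarm notification of type 'Time
domain violation' and causes 'Key expired' and 'out of hours activity'
to be emitted if access control checks should fail. The cause 'key
expired' shall be used when the key identified by the access control
certificate seal is out of date. The 'out of hours activity' cause
shall be used when contextual time checks fail. ! ;;
NOTIFICATIONS
"CCITT Rec. X.721 | ISO/IEC 10165-2:1992": timeDomainViolation;
REGISTERED AS
{ joint-iso-itu-t(2) ms(9) function(2) part9(9) package(4)
timeViolationAlarmPkg(4) };
PRESENT IF ! the security policy requires that this security alarm type
shall be emitted when either out of hours activity is detected
or an expired key has been used. !,
operationalViolationAlarmPkg PACKAGE
BEHAVIOUR operationalViolationAlarmBehaviour BEHAVIOUR
DEFINED AS
! This package enables a security alarm notification of type
'operational violation' and causes 'out of service' and 'unspecified
reason' to be emitted if access control checks should fail. The cause
'out of service' shall be used when the access control mechanism
identified is not available. The 'unspecified reason' cause shall be
used in other cases. ! ;;
NOTIFICATIONS
"CCITT Rec. X.721 | ISO/IEC 10165-2:1992": operationalViolation;
REGISTERED AS
{ joint-iso-itu-t(2) ms(9) function(2) part9(9) package(4)
operationalViolationAlarmPkg(5) };
PRESENT IF ! the security policy requires that this security alarm type
shall be emitted when either the access control mechanism is
unavailable or the security policy identifies further causes. !,
accessControlUsagePkg PACKAGE
BEHAVIOUR accessControlUsagePkgBehaviour BEHAVIOUR
DEFINED AS
! This package is used to count the number of valid and invalid
access attempts and to enable usage reports containing this
information to be sent to a security audit trail log. The usage report
is sent at a time interval defined by the security policy. The
additional information field is used to convey the counter values. ! ;;
ATTRIBUTES
validAccessAttempts,
invalidAccessAttempts;
NOTIFICATIONS
"Rec. X.740 | ISO/IEC 10164-8:1992":usageReport;
REGISTERED AS
{ joint-iso-itu-t(2) ms(9) function(2) part9(9) package(4)
accessControlUsagePkg(6) };
PRESENT IF ! the security policy requires that the number of valid and
invalid access attempts are logged. !,
accessControlServiceReportPkg PACKAGE
BEHAVIOUR accessControlServiceReportPkgBehaviour BEHAVIOUR
DEFINED AS
! This package allows security audit trail notifications of type
'service report' to be emitted for possible inclusion in a
security audit trail log. ! ;;
NOTIFICATIONS
"Rec. X.740 | ISO/IEC 10164-8:1992": serviceReport;
REGISTERED AS
{ joint-iso-itu-t(2) ms(9) function(2) part9(9) package(4)
accessControlServiceReportPkg(7) };
PRESENT IF ! the security policy requires that service reports are logged. !;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9)
managedObjectClass(3) notificationEmitter(4) };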
-- targets: selects the managed objects a rule pertains to and, through
-- contained operations managed objects or the optional operationsList
-- attribute, the operations on them. Selection is the union of the
-- class-based (managedObjectClasses) and explicit (managedObjectInstances)
-- choices, each then expanded by the scope and filter attributes. Without
-- any operations managed object the behaviour text makes the target cover
-- all operations on the selected objects, which is the widest reading, so
-- item rules that allow access should normally constrain the operations.
-- operationsListPackage may only be present when no operations object is
-- contained (PRESENT IF below), so the two mechanisms cannot conflict.
targets MANAGED OBJECT CLASS
DERIVED FROM accessControl;
CHARACTERIZED BY
targetsPackage PACKAGE
BEHAVIOUR targetsBehaviour BEHAVIOUR
DEFINED AS
! Targets identify managed objects within the security domain. These
managed objects are identified according to the following rules:
a) all managed objects within the security domain and belonging to the
managed object classes identified by the managed object classes
attribute are identified with specified name bindings;
b) all managed objects within the security domain identified
explicitly by the managed object instances attribute are identified;
c) each managed object selected according to a) and b) shall be
regarded as a base managed object for selecting managed objects
according to the scope and filter attributes; and
d) all managed objects selected according to c) shall be regarded as
the target managed objects.
Unless the targets managed object contains operations managed objects,
the targets managed object identifies all operations upon the selected
managed objects.
An attribute value change notification shall be emitted when any
attribute of this managed object is modified. !;;
ATTRIBUTES
managedObjectClasses GET-REPLACE ADD-REMOVE,
managedObjectInstances GET-REPLACE ADD-REMOVE,
scope GET-REPLACE,
filter GET-REPLACE;;;
CONDITIONAL PACKAGES
operationsListPackage PACKAGE
BEHAVIOUR operationsListPackBehav BEHAVIOUR
DEFINED AS
! This package provides support for the operations list attribute as
an alternative to the operations managed object. It may only be
included in the targets managed object if the targets managed object
contains no instantiation of the operations managed object.!;;
ATTRIBUTES
operationsList GET-REPLACE ADD-REMOVE;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) package(4)
operationsListPackage(15) };
PRESENT IF ! No contained Operations object!;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9)
managedObjectClass(3) targets(5) };
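-- operations: per operation type constraints inside a targets managed
-- object. operationType is the only attribute of the mandatory package and
-- is the naming attribute (see the operations-targets name binding later
-- in this document). Which conditional package applies depends on the
-- operation type named in each PRESENT IF condition. In every package an
-- empty list attribute means the whole set (all attributes, all attribute
-- values, all actions) is part of the target, so an empty list widens the
-- rule rather than narrowing it.
-- DERIVED FROM below uses the same X.721 alias string as the other
-- templates in this document so that the GDMO.Alias directive resolves it.
operations MANAGED OBJECT CLASS
DERIVED FROM "CCITT Rec. X.721 | ISO/IEC 10165-2:1992":top;
CHARACTERIZED BY operationsPackage PACKAGE
BEHAVIOUR operationsBehaviour BEHAVIOUR
DEFINED AS
! The operations managed object identifies constraints on operation
types for managed objects identified by the containing targets managed object.
The operation type is specified by the operation type attribute, which
is also the naming attribute for the operations managed object class.
The constraints on the operation type, some of which are peculiar to the
operation type, are specified by other attributes contained in
conditional packages.
When a target managed object identifies the managed object specified in
the access request, and contains one or more operations managed objects,
then an access request shall satisfy the following conditions for the
containing rule to be satisfied:
a) the access request matches the operation type for one of the
operations managed objects contained in the target; and
b) the constraints specified for the operation type are satisfied.
The operations managed object shall emit the object creation
notification when it is created and the object deletion notification
when it is deleted. An attribute value change notification shall be
emitted when any attribute of this managed object class is modified. !;;
ATTRIBUTES
operationType GET;
NOTIFICATIONS
"CCITT Rec. X.721 | ISO/IEC 10165-2:1992": attributeValueChange,
"CCITT Rec. X.721 | ISO/IEC 10165-2:1992": objectCreation,
"CCITT Rec. X.721 | ISO/IEC 10165-2:1992": objectDeletion;;;
CONDITIONAL PACKAGES
attributeIdsPackage PACKAGE
BEHAVIOUR attributeIdsBehaviour BEHAVIOUR
DEFINED AS
! The attributes identified by the attribute identifier list
attribute shall be part of the target. If the attribute identifier
list attribute is empty, then all attributes shall be part of the
target for the identified operation for the managed objects identified
by the containing targets managed object. ! ;;
ATTRIBUTES
"CCITT Rec. X.721 | ISO/IEC 10165-2:1992": attributeIdentifierList
GET-REPLACE ADD-REMOVE;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) package(4)
attributeIdsPackage(8) };
PRESENT IF ! operation type is get, replace with default or filter !,
attributeModificationPackage PACKAGE
BEHAVIOUR attributeModificationBehaviour BEHAVIOUR
DEFINED AS
! The attribute values identified by the attribute filter list
attribute shall be part of the target. If the attribute filter list
attribute is empty, then all attributes and their values shall be part
of the target for the identified operation for the managed objects
identified by the containing targets managed object. If the attribute
filter list attribute identifies an attribute without constraining its
value, then all values of that attribute shall be part of the target
for the identified operation for the managed objects identified by the
containing targets managed object. ! ;;
ATTRIBUTES
attributeFilterList GET-REPLACE ADD-REMOVE;
REGISTERED AS
{ joint-iso-itu-t(2) ms(9) function(2) part9(9) package(4)
attributeModificationPackage(9) };
PRESENT IF ! operation type is replace, add, remove or create !,
actionsPackage PACKAGE
BEHAVIOUR actionsBehaviour BEHAVIOUR
DEFINED AS
! The action values identified by the action filter list attribute
shall be part of the target. If the action filter list attribute is
empty, then all actions and their information values shall be part of
the target for the identified operation for the managed objects
identified by the containing targets managed object. If the action
filter list attribute identifies an action without constraining its
information value, then all values of that action information shall be
part of the target for the identified operation for the managed
objects identified by the containing targets managed object.
NOTE - For the purposes of filtering, parameters of actions may be
identified as attributes using the parameter template defined in CCITT
Rec. X.722 | ISO/IEC 10165-4. ! ;;
ATTRIBUTES
actionFilterList GET-REPLACE ADD-REMOVE;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) package(4)
actionsPackage(10) };
PRESENT IF ! operation type is action !,
scopePackage PACKAGE
BEHAVIOUR scopeBehaviour BEHAVIOUR
DEFINED AS
! The scope and synchronization values identified by the scope and
synchronization attributes shall be part of the target. ! ;;
ATTRIBUTES
scopeFilter GET-REPLACE,
synchronizationFilter GET-REPLACE;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) package(4)
scopePackage(11) };
PRESENT IF ! operation type is multiple object selection !;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9)
managedObjectClass(3) operations(6) };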
-- initiators: abstract base for the identity side of a rule; the concrete
-- access control schemes are the aclInitiators, capabilityInitiators and
-- labelInitiators subclasses below. The behaviour text requires any
-- specialisation covering several schemes to define how conflicting rights
-- are resolved.
-- NOTE(review): initiatorACImandated defaults to false, but its semantics
-- are not defined in this file; the name suggests it controls whether
-- access control information from the initiator is mandatory. Confirm
-- against the attribute template in the published text before relying on
-- the default.
initiators MANAGED OBJECT CLASS
DERIVED FROM accessControl;
CHARACTERIZED BY initiatorsPackage PACKAGE
BEHAVIOUR initiatorsBehaviour BEHAVIOUR
DEFINED AS
! Initiators identify individual requestors of management operations in
accordance with the applicable access control schemes. The diversity of
possible schemes prohibits a single representation of initiators.
Specializations of the initiators managed object class provide
attributes to identify requestors in accordance with given access
control schemes.
Where a specialization identifies more than one access control scheme,
it shall also contain behaviour to resolve conflicts of rights
associated with the different schemes. ! ;;
ATTRIBUTES
initiatorACImandated REPLACE-WITH-DEFAULT
DEFAULT VALUE AccessControl-ASN1Module.false GET-REPLACE;;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9)
managedObjectClass(3) initiators(7) };
-- aclInitiators: access control list scheme. The requestor identity is
-- matched against the entries of accessControlList to decide whether it is
-- an authorised initiator; several aclInitiators objects may exist within
-- one rule. The package carries its own REGISTERED AS clause in addition
-- to the class registration.
aclInitiators MANAGED OBJECT CLASS
DERIVED FROM initiators;
CHARACTERIZED BY aclPackage PACKAGE
BEHAVIOUR aclInitiatorsBehaviour BEHAVIOUR
DEFINED AS
! This managed object class is used to support an ACL based access
control scheme.
The ACL initiators managed object class contains a list of names or
other identities that together form an access control list. The identity
of a management operation requestor shall be matched with the entries of
an access control list to evaluate whether the requestor is an
authorized initiator.
Multiple ACL initiators managed objects may be instantiated within a
rule managed object.
An attribute value change notification shall be emitted when any
attribute of this object class is modified. !;;
ATTRIBUTES
accessControlList GET-REPLACE ADD-REMOVE;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) package(4)
aclPackage(12) };;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9)
managedObjectClass(3) aclInitiators(8) };
-- capabilityInitiators: capability scheme. The identity carried with the
-- access request is matched against capabilityIdentitiesList to decide
-- whether the associated security capability may be used. The NOTE in the
-- behaviour text is security-relevant: under this scheme an identity
-- absent from the list invalidates the capability, so deny rules and
-- targets/operations objects are only needed to express local policy
-- refinements beyond the capability itself.
capabilityInitiators MANAGED OBJECT CLASS
DERIVED FROM initiators;
CHARACTERIZED BY capabilityPackage PACKAGE
BEHAVIOUR capabilityInitiatorsBehaviour BEHAVIOUR
DEFINED AS
! The capability initiators managed object class contains a list of
identities that are used to determine whether the security capability
associated with the access request is allowed to be used by the
initiator of the request.
The identity associated with the access request is matched with the
contents of the capability identity list attribute to evaluate whether
the security capability associated with the access request is allowed to
be used by the initiator of the request.
The identities may be an individual name, group name, role name, or
application name which may be associated with an optional set of
security domain authority name and operation type pairs; or, the
identity may be of a form unspecified within this Recommendation |
International Standard.
NOTE - When a capability scheme is used, rule managed objects that
specify deny permission are not required. The absence of the identity in
the capability identities list attribute results in the capability not
being valid. In addition, targets managed objects and associated
operations managed objects are not required, unless further access
constraints are required to enforce local security policy refinements of
the containing security domain policy.
An attribute value change notification shall be emitted when any
attribute of this object class is modified. ! ;;
ATTRIBUTES
capabilityIdentitiesList GET-REPLACE;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) package(4)
capabilityPackage(13) };;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9)
managedObjectClass(3) capabilityInitiators(9) };
-- labelInitiators: security label scheme. Per the behaviour text, the
-- containing rule applies to an initiator only when all three hold: the
-- initiator label is in the securityLabel set, the operation on the target
-- satisfies the associated targets and operations objects, and the
-- initiator label is compatible with the label assigned to the target.
-- Target labels come from the assignedLabels family of classes defined
-- next; a label must have been assigned before it can be checked here.
labelInitiators MANAGED OBJECT CLASS
DERIVED FROM initiators;
CHARACTERIZED BY labelPackage PACKAGE
BEHAVIOUR labelInitiatorsBehaviour BEHAVIOUR
DEFINED AS
! The labels initiators managed object may be used to specify
constraints on management operations that are in addition to the
constraint of requiring a compatibility match between the security label
associated with the initiator and the security label associated with the target.
Access shall be granted or denied to an initiator in accordance with the
containing rule only if the initiator's security label is a member of
the set of security labels identified by the security label attribute,
the operation on the target conforms to the conditions specified by the
relevant targets managed object and operations managed objects
associated with the rule, and the security label of the initiator is
compatible with the security label assigned to the target.
NOTE - Association of a security label with a target must have occurred
prior to the use of that label in the above procedure. Security labels
are associated with targets using the assigned labels, attribute label,
instance label, and class label managed objects and associated
procedures described in 7.4.
An attribute value change notification shall be emitted when any
attribute of this object class is modified. ! ;;
ATTRIBUTES
securityLabel GET-REPLACE;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) package(4)
labelPackage(14) };;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9)
managedObjectClass(3) labelInitiators(10) };
-- assignedLabels: root of the label assignment classes (attributeLabel,
-- instanceLabel, classLabel). Only one instance exists per access control
-- decision function. The behaviour text fixes a deterministic precedence
-- (attribute label over instance label over the third label class, then
-- lexicographic order of the naming attribute within a class) so that
-- each target ends up with a single label, falling back to the
-- securityLabel of this object when nothing more specific applies.
-- NOTE(review): the between-class precedence line names an "object label
-- managed object", but the only third label class defined in this document
-- is classLabel; presumably that class is meant. Confirm against the
-- published text.
assignedLabels MANAGED OBJECT CLASS
DERIVED FROM "CCITT Rec. X.721 | ISO/IEC 10165-2:1992":top;
CHARACTERIZED BY assignedLabelsPackage PACKAGE
BEHAVIOUR assignedLabelsPkgBehav BEHAVIOUR
DEFINED AS
! This managed object contains the attribute label, instance label and
class label managed objects that, in combination with precedence
relationships, assign a single security label to targets.
There shall be only one managed object of this class per access control
decision function.
To assure association of a single security label with a target, a
precedence relationship is specified between and within attribute label,
instance label and class label managed objects classes as follows:
- Between class precedence relationships
Attribute label managed object > instance label managed object >
object label managed object
- Within class precedence relationships.
All attribute label, instance label, and class label managed objects
shall be considered to be ordered within their respective managed
object class according to the value of the naming attribute for the
managed object.
The value of the security label attribute within the attribute label,
instance label, or class label managed object which references the target,
either directly or indirectly, has the greatest class precedence, and is
first in the lexicographical order within the class, shall be associated
with the target.
If a security label is not associated with a target by an attribute label,
instance label, or class label managed object, the default security
label contained in the security label attribute of this managed object
shall be associated with the target.
The assigned labels managed object class shall emit the object creation
notification when a managed object of this class is created, and shall
emit the object deletion notification when a managed object of this
class is deleted. An attribute value change notification shall be
emitted when any attribute of this managed object class is modified. !;;
ATTRIBUTES
labelName GET,
securityLabel GET;
NOTIFICATIONS "CCITT Rec. X.721 | ISO/IEC 10165-2:1992": attributeValueChange,
"CCITT Rec. X.721 | ISO/IEC 10165-2:1992": objectCreation,
"CCITT Rec. X.721 | ISO/IEC 10165-2:1992": objectDeletion;;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9)
managedObjectClass(3) assignedLabels(11) };
-- attributeLabel: assigns the securityLabel inherited from assignedLabels
-- to the attributes listed in attributeIdentifierList of the single
-- managed object named by managedObjectInstance. It has the highest
-- precedence of the three label classes per the assignedLabels behaviour.
attributeLabel MANAGED OBJECT CLASS
DERIVED FROM assignedLabels;
CHARACTERIZED BY attributeLabelPackage PACKAGE
BEHAVIOUR attributeLabelPkgBehav BEHAVIOUR
DEFINED AS
! This managed object associates a security label with specific
attributes within a managed object. The security label is the value
contained in the security label attribute.
The attributes are the values contained in the attribute identifier list
attribute. The managed object is the value contained in the managed
object instance attribute. There may be multiple managed objects of this
class contained within an assigned labels managed object.
The behaviour of attribute label managed objects relative to others
within its class, and managed objects within the instance label and
class label managed object classes, shall be as defined in the assigned
labels managed object behaviour. ! ;;
ATTRIBUTES
"CCITT Rec. X.721 | ISO 10165-2:1992":managedObjectInstance GET,
"CCITT Rec. X.721 | ISO 10165-2:1992": attributeIdentifierList GET;;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9)
managedObjectClass(3) attributeLabel(12) };
-- instanceLabel: assigns the inherited securityLabel to the managed
-- objects listed in managedObjectInstances. It ranks between
-- attributeLabel and classLabel in the precedence defined on
-- assignedLabels.
instanceLabel MANAGED OBJECT CLASS
DERIVED FROM assignedLabels;
CHARACTERIZED BY instanceLabelPackage PACKAGE
BEHAVIOUR instanceLabelPkgBehav BEHAVIOUR
DEFINED AS
! This managed object associates a security label with specific managed
objects. The security label is the value contained in the security label
attribute. The managed object identifiers are contained in the managed
object instances attribute. There may be multiple managed objects of
this class contained within an assigned labels managed object.
The behaviour of instance label managed objects relative to others
within its class, and managed objects within the attribute label and
class label managed object classes, shall be as defined in the assigned
labels managed object behaviour. ! ;;
ATTRIBUTES
managedObjectInstances GET;;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9)
managedObjectClass(3) instanceLabel(13) };
-- classLabel: binds one security label to a set of managed object classes
-- (managedObjectClasses, GET only). This is the coarsest of the three label
-- bindings: every instance of a listed class is covered.
-- NOTE(review): managedObjectClasses rejects unknown class identifiers with
-- the CMIS invalid attribute value error (see that attribute's behaviour), so
-- a label cannot silently be attached to a class the domain does not know.
classLabel MANAGED OBJECT CLASS
DERIVED FROM assignedLabels;
CHARACTERIZED BY classLabelPackage PACKAGE
BEHAVIOUR classLabelPkgBehav BEHAVIOUR
DEFINED AS
! This managed object associates a security label with specific managed
object classes. The security label is the value contained in the
security label attribute. The managed object class identifiers are
contained in the managed object classes attribute. There may be multiple
managed objects of this class contained within an assigned labels
managed object.
The behaviour of class label managed objects relative to others within
its class, and managed objects within the attribute label and instance
label managed object classes, shall be as defined in the assigned labels
managed object behaviour. ! ;;
ATTRIBUTES
managedObjectClasses GET;;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9)
managedObjectClass(3) classLabel(14) };
-- Name binding: rule objects live beneath accessControlRules and are named by
-- accessControlObjectName. CREATE permits automatic instance naming and
-- copying initial values from a reference object; DELETE is refused while
-- subordinates exist.
-- NOTE(review): creating or deleting a rule is itself a management operation
-- that changes the policy; this binding does not say which rule protects the
-- rules tree, so confirm the rules objects are themselves covered targets.
rule-accessControlRules NAME BINDING
SUBORDINATE OBJECT CLASS rule AND SUBCLASSES;
NAMED BY
SUPERIOR OBJECT CLASS accessControlRules AND SUBCLASSES;
WITH ATTRIBUTE accessControlObjectName;
CREATE WITH-AUTOMATIC-INSTANCE-NAMING, WITH-REFERENCE-OBJECT;
DELETE ONLY-IF-NO-CONTAINED-OBJECTS;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) nameBinding(6)
rule-accessControlRules(1) };
-- Name binding: operations objects are subordinate to targets objects and are
-- named by operationType, so at most one operations object per operation type
-- can exist under a given targets object. CREATE allows a reference object
-- but not automatic naming: the creator must supply the operationType name.
operations-targets NAME BINDING
SUBORDINATE OBJECT CLASS operations AND SUBCLASSES;
NAMED BY
SUPERIOR OBJECT CLASS targets AND SUBCLASSES;
WITH ATTRIBUTE operationType;
CREATE WITH-REFERENCE-OBJECT;
DELETE ONLY-IF-NO-CONTAINED-OBJECTS;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) nameBinding(6)
operations-targets(2) };
-- Name binding: notificationEmitter objects sit beneath accessControlRules
-- and are named by accessControlObjectName. CREATE allows automatic instance
-- naming only (no reference object); DELETE is refused while subordinates
-- exist.
notificationEmitter-accessControlRules NAME BINDING
SUBORDINATE OBJECT CLASS notificationEmitter AND SUBCLASSES;
NAMED BY
SUPERIOR OBJECT CLASS accessControlRules AND SUBCLASSES;
WITH ATTRIBUTE accessControlObjectName;
CREATE WITH-AUTOMATIC-INSTANCE-NAMING;
DELETE ONLY-IF-NO-CONTAINED-OBJECTS;
REGISTERED AS
{ joint-iso-itu-t(2) ms(9) function(2) part9(9) nameBinding(6)
notificationEmitter-accessControlRules(3) };
-- Name binding: attributeLabel objects are contained in assignedLabels and
-- named by the integer labelName. Plain CREATE (no automatic naming, no
-- reference object); DELETE is refused while subordinates exist.
-- NOTE(review): the sibling bindings for instanceLabel and classLabel use an
-- unconditional DELETE; the asymmetry is as written here, confirm it is
-- intended before relying on it.
attributeLabel-assignedLabels NAME BINDING
SUBORDINATE OBJECT CLASS attributeLabel AND SUBCLASSES;
NAMED BY
SUPERIOR OBJECT CLASS assignedLabels AND SUBCLASSES;
WITH ATTRIBUTE labelName;
CREATE;
DELETE ONLY-IF-NO-CONTAINED-OBJECTS;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) nameBinding(6)
attributeLabel-assignedLabels(4) };
-- Name binding: instanceLabel objects are contained in assignedLabels and
-- named by labelName. CREATE and DELETE are both unconditional here, so an
-- instance label can be removed (and its protection withdrawn) in one
-- operation; the ACI governing that delete is not stated in this binding.
instanceLabel-assignedLabels NAME BINDING
SUBORDINATE OBJECT CLASS instanceLabel AND SUBCLASSES;
NAMED BY
SUPERIOR OBJECT CLASS assignedLabels AND SUBCLASSES;
WITH ATTRIBUTE labelName;
CREATE;
DELETE;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) nameBinding(6)
instanceLabel-assignedLabels(5) };
-- Name binding: classLabel objects are contained in assignedLabels and named
-- by labelName. CREATE and DELETE are unconditional, as for instanceLabel.
-- NOTE(review): deleting a class label withdraws the label from every
-- instance of the listed classes at once; treat deletes here as high impact.
classLabel-assignedLabels NAME BINDING
SUBORDINATE OBJECT CLASS classLabel AND SUBCLASSES;
NAMED BY
SUPERIOR OBJECT CLASS assignedLabels AND SUBCLASSES;
WITH ATTRIBUTE labelName;
CREATE;
DELETE;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) nameBinding(6)
classLabel-assignedLabels(6) };
-- invalidAccessControlFilter: CMIS processing-failure specific error raised
-- when a proposed filter element breaks one of the accessControlFilter or
-- actionFilterList constraints. The error carries an id (duplicateId,
-- heterogeneousId or invalidId) and optionally the offending CMIS filter.
-- Its syntax lives in AccessControl-ASN1Module, which is not in this file.
-- NOTE(review): the optional filter field echoes back the requester's own
-- input, so no information beyond what the requester supplied is disclosed.
invalidAccessControlFilter PARAMETER
CONTEXT SPECIFIC-ERROR;
WITH SYNTAX AccessControl-ASN1Module.InvalidAccessControlFilter;
BEHAVIOUR invalidAccessControlFilterBehaviour BEHAVIOUR
DEFINED AS
! This CMIS processing failure specific error reports an error in a
proposed access control filter element. Its value shall be a sequence of
an error id, taking one of the values duplicateId, heterogeneousId, or
invalidId, and an optional CMIS Filter containing the filter in error. ! ;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) parameter(5)
invalidAccessControlFilter(1) };
-- accessControlList: the set of initiators a rule applies to in an ACL
-- scheme. Entries are either an initiator name (distinguished name or
-- application entity title) or a proxy name (object identifier plus value).
-- Set-valued: EQUALITY, SET-COMPARISON and SET-INTERSECTION matching.
-- NOTE(review): the proxy form is explicitly described as allowing the
-- initiator to be anonymous, so a rule that grants to a proxy entry grants to
-- whoever presents that proxy value rather than to an authenticated identity.
-- Review such entries together with initiatorACImandated and
-- authenticationContext; how a proxy value is validated is not stated here.
accessControlList ATTRIBUTE
WITH ATTRIBUTE SYNTAX AccessControl-ASN1Module.AccessControlList;
MATCHES FOR EQUALITY, SET-COMPARISON, SET-INTERSECTION;
BEHAVIOUR aclBehaviour BEHAVIOUR
DEFINED AS
! This attribute is used to specify a list of initiators for use in an
access control list based scheme. Initiators are identified by individual
name, anonymous reference or by group name, roles or application entity
titles. Initiators may be associated with specified applications.
Individual group names may be used in conjunction with the OSI Directory.
The attribute enables either an initiator name or a proxy name to be used.
The initiator name form may be syntactically either a distinguished name
or an application entity title, whilst the proxy name takes the form of an
object identifier and value.
The distinguished name form may be used either to identify a specific
initiator, a group of initiators or a particular role.
The application entity title name form identifies the application entity
title, and by reference the system that initiated the request.
The proxy name form is used when the name form is not a specific
initiator, a group of initiators, a role or an application entity title.
The proxy therefore allows the initiator to be anonymous. ! ;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) attribute(7)
accessControlList(1) };
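-- accessControlFilter: a set of CMIS filters that constrain the parameters of
-- management operations. attributeFilterList, scopeFilter and
-- synchronizationFilter are derived from it. Constraint violations are
-- reported through the invalidAccessControlFilter parameter, whose behaviour
-- names the error ids duplicateId, heterogeneousId and invalidId; the text
-- below uses exactly those names so the two templates agree.
-- NOTE(review): an empty set is defined to identify all possible targets, so
-- an empty filter is the widest match, not a no-match. Whether that widens a
-- grant or a denial presumably depends on the containing rule's
-- enforcementAction.
accessControlFilter ATTRIBUTE
WITH ATTRIBUTE SYNTAX AccessControl-ASN1Module.FilterList;
MATCHES FOR EQUALITY, SET-COMPARISON, SET-INTERSECTION;
BEHAVIOUR accessControlFilterBehaviour BEHAVIOUR
DEFINED AS
! This set-valued attribute provides a set of CMIS filters for
constraining the parameters of management operations. If the set is empty,
the CMIS filter shall be regarded as identifying all possible targets
identifiable by the derived attribute.
For any given CMIS filter of the set, every CMIS filter item shall
identify the same attribute. Attempts to violate this constraint shall
result in the invalid access control filter specific error with error
identifier of heterogeneousId.
No attribute shall be associated with more than one CMIS filter. Attempts
to violate this constraint shall result in the invalid access control
filter specific error with error identifier of duplicateId.
All values of the attribute identifier fields of CMIS filter items shall
identify management information that is valid for the given specialization
of this attribute. Any violation shall result in the invalid access
control filter specific error with the error identifier of invalidId. ! ;;
PARAMETERS invalidAccessControlFilter;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) attribute(7)
accessControlFilter(2) };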
-- accessControlObjectName: naming attribute for instances of accessControl
-- specializations; used by the rule and notificationEmitter name bindings
-- above. Matches on EQUALITY and SUBSTRINGS, so it can be used in scoped
-- filtered searches over the access control tree.
accessControlObjectName ATTRIBUTE
WITH ATTRIBUTE SYNTAX AccessControl-ASN1Module.AccessControlObjectName;
MATCHES FOR EQUALITY, SUBSTRINGS;
BEHAVIOUR accessControlObjectNameBehaviour BEHAVIOUR
DEFINED AS
! This attribute is used to identify instantiations of specializations of
the access control managed object class. ! ;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) attribute(7)
accessControlObjectName(3) };
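-- actionFilterList: identifies actions and, optionally, CMIS-filter
-- constraints on their argument values. It carries the same three filter
-- constraints as accessControlFilter and reports violations through the
-- invalidAccessControlFilter parameter; the error ids below use the names
-- declared in that parameter's behaviour (duplicateId, heterogeneousId,
-- invalidId).
-- NOTE(review): unlike accessControlFilter, this template does not say what
-- an empty set means; do not assume the "all targets" reading carries over.
actionFilterList ATTRIBUTE
WITH ATTRIBUTE SYNTAX AccessControl-ASN1Module.ActionFilterList;
MATCHES FOR EQUALITY, SET-INTERSECTION, SET-COMPARISON;
BEHAVIOUR actionFilterlistBehaviour BEHAVIOUR
DEFINED AS
! This set-valued attribute identifies actions and, optionally,
constraints upon their argument values by means of a CMIS filter.
For any given CMIS filter of the set, every CMIS filter item shall
identify the same attribute. Attempts to violate this constraint shall
result in the invalid access control filter specific error with error
identifier of heterogeneousId.
No attribute shall be associated with more than one CMIS filter. Attempts
to violate this constraint shall result in the invalid access control
filter specific error with error identifier of duplicateId.
All values of the attribute identifier fields of CMIS filter items shall
identify management information that is valid for the given specialization
of this attribute. Any violation shall result in the invalid access
control filter specific error with the error identifier of invalidId. !;;
PARAMETERS invalidAccessControlFilter;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) attribute(7)
actionFilterList(4) };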
-- attributeFilterList: accessControlFilter specialization constraining
-- attribute values. A filter item naming an attribute with no value
-- constraint (the "present" example below) selects every value of that
-- attribute, and an empty set imposes no constraint at all.
-- NOTE(review): both the empty set and a bare "present" item are the
-- permissive case; a rule meant to restrict must carry an explicit value
-- constraint.
attributeFilterList ATTRIBUTE
DERIVED FROM accessControlFilter;
BEHAVIOUR attributeFilterListBehaviour BEHAVIOUR
DEFINED AS
! This attribute identifies constraints upon the values of attributes. If
an attribute is identified without constraints upon its value e.g.
{ item : present : globalForm : accessControlList }
Then all values of the attribute are identified. If the set is empty, then
there are no constraints. ! ;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) attribute(7)
attributeFilterList(5) };
-- authenticationContext: a sequence of an authentication policy identifier
-- and the requirements that policy implies. No MATCHES FOR clause is
-- declared, so no filter matching rule is defined for this attribute.
-- NOTE(review): this is the hook that ties a rule to an authentication
-- strength; what the "requirements" contain is defined by the ASN.1 module,
-- not here.
authenticationContext ATTRIBUTE
WITH ATTRIBUTE SYNTAX AccessControl-ASN1Module.AuthenticationContext;
BEHAVIOUR authenticationContextPackageBehaviour BEHAVIOUR
DEFINED AS
! The authentication context attribute is a sequence of authentication
policy identifier and the requirements identified thereby. ! ;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) attribute(7)
authenticationContext(6) };
-- capabilityIdentitiesList: set of identities (individual, group, role or
-- application name) each optionally paired with security domain authority
-- and operation type pairs, for a capability-based scheme.
-- NOTE(review): the text also admits identities "of a form unspecified"
-- by this standard. Such entries cannot be validated against anything in this
-- file; an implementation should decide explicitly whether to accept them.
capabilityIdentitiesList ATTRIBUTE
WITH ATTRIBUTE SYNTAX AccessControl-ASN1Module.CapabilityIdentitiesList;
MATCHES FOR EQUALITY, SET-COMPARISON, SET-INTERSECTION;
BEHAVIOUR capabilityBehaviour BEHAVIOUR
DEFINED AS
! The capability identities list attribute contains a set of identities.
The identities may be an individual name, group name, role name, or
application name, each of which may be associated with an optional set of
security domain authority name and operation type pairs; or, the identity
may be of a form unspecified within this Recommendation | International
Standard. ! ;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) attribute(7)
capabilityIdentitiesList(7) };
-- defaultAccess: per-operation-type enforcement action applied when no rule
-- decides. The declared default is deny-all with an access denied response,
-- i.e. the policy fails closed unless an administrator opens it.
-- NOTE(review): clause 7.4.3.1.6 referenced below is in the body of the
-- Recommendation, not in this file; any "allow" set here applies to every
-- initiator not matched by a rule, so changes to it deserve review.
defaultAccess ATTRIBUTE
WITH ATTRIBUTE SYNTAX AccessControl-ASN1Module.DefaultAccess;
MATCHES FOR EQUALITY;
BEHAVIOUR defaultAccessBehaviour BEHAVIOUR
DEFINED AS
! The default access attribute identifies, in accordance with 7.4.3.1.6,
the default access rights for each operation type. Its value is a sequence
enumerating the enforcement action for each operation type. The default
value of the attribute shall be to deny all operations with the access
denied response. ! ;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) attribute(7)
defaultAccess(8) };
-- defaultDenialResponse: the response returned when a denial results from
-- the default rule (see defaultAccess). Its syntax is the same DenialResponse
-- type used elsewhere in the ASN.1 module; the permitted values are not
-- enumerated in this template.
defaultDenialResponse ATTRIBUTE
WITH ATTRIBUTE SYNTAX AccessControl-ASN1Module.DenialResponse;
MATCHES FOR EQUALITY;
BEHAVIOUR denialResponseBehaviour BEHAVIOUR
DEFINED AS
! This attribute defines the denial response to be returned in the event
that the denial has been made as a result of the default rule having been
satisfied. ! ;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) attribute(7)
defaultDenialResponse(9) };
-- denialGranularity: whether a denial applies to the whole request, to the
-- affected managed object, or only to the affected attribute.
-- NOTE(review): at object or attribute granularity the permitted part of a
-- request is presumably still served, which lets an initiator learn by
-- difference which objects or attributes are protected. "request"
-- granularity avoids that partial-result leak at the cost of coarser service.
denialGranularity ATTRIBUTE
WITH ATTRIBUTE SYNTAX AccessControl-ASN1Module.DenialGranularity;
MATCHES FOR EQUALITY;
BEHAVIOUR denialGranularityBehaviour BEHAVIOUR
DEFINED AS
! This attribute identifies the level at which denial of access shall be
exhibited, if at all. It shall take one of the values request, object, and
attribute. If the value is request, then the entire request shall be
denied if any target in that request is denied. If the value is object,
then the request for that managed object shall be denied if any target
within the request for that object is denied. If the value is attribute,
then the request shall be denied at the attribute level. ! ;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) attribute(7)
denialGranularity(10) };
-- domainIdentity: identifies the access control domain that governs this
-- set of rules. EQUALITY matching only.
domainIdentity ATTRIBUTE
WITH ATTRIBUTE SYNTAX AccessControl-ASN1Module.DomainIdentity;
MATCHES FOR EQUALITY;
BEHAVIOUR domainNameBehaviour BEHAVIOUR
DEFINED AS
! This attribute identifies the access control domain governing these
access control rules. ! ;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) attribute(7)
domainIdentity(11) };
-- enforcementAction: what the enforcement function does when a rule is
-- satisfied. Values: deny with response (default), deny without response,
-- abort association, deny with false response, allow.
-- NOTE(review): "deny without response" and "deny with false response" are
-- deliberate silence and deception toward the initiator; they hide the
-- existence of a denial and therefore of the protected target, but they also
-- make legitimate troubleshooting harder. The invalidAccessAttempts counter
-- is the local record that a denial occurred regardless of the response sent.
enforcementAction ATTRIBUTE
WITH ATTRIBUTE SYNTAX AccessControl-ASN1Module.EnforcementAction;
MATCHES FOR EQUALITY;
BEHAVIOUR enforcementActionBehaviour BEHAVIOUR
DEFINED AS
! This attribute identifies the action to be taken by the enforcement
function if the rule is satisfied. It shall take one of the values, deny
with response (the default value), deny without response, abort association,
deny with false response and allow. ! ;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) attribute(7)
enforcementAction(12) };
-- filter: a CMIS filter (syntax and matching inherited from the X.721
-- discriminatorConstruct) applied to the objects selected by the other
-- targets attributes to decide which of them are protected.
-- NOTE(review): the set of protected objects therefore depends on the
-- objects' attribute values at evaluation time; when that evaluation happens
-- relative to the operation is not stated in this template.
filter ATTRIBUTE
DERIVED FROM "CCITT Rec. X.721 | ISO/IEC 10165-2:1992": discriminatorConstruct;
BEHAVIOUR filterBehaviour BEHAVIOUR
DEFINED AS
! This attribute identifies a filter to be applied to managed objects
identified by the other attributes of the targets managed object to
determine their inclusion as a protected managed object. ! ;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) attribute(7) filter(13) };
-- initiatorACImandated: boolean. TRUE means every management operation
-- request must carry initiator ACI and a request without it is denied;
-- FALSE means requests without initiator ACI are accepted for evaluation.
-- NOTE(review): with FALSE, identity-based rules (accessControlList,
-- capabilityIdentitiesList) can only match on whatever identity the
-- association supplies; if that is nothing, only defaultAccess applies. TRUE
-- is the conservative setting.
initiatorACImandated ATTRIBUTE
WITH ATTRIBUTE SYNTAX AccessControl-ASN1Module.Boolean;
MATCHES FOR EQUALITY;
BEHAVIOUR initiatorACImandatedBehaviour BEHAVIOUR
DEFINED AS
! The initiator ACI mandated attribute is of type boolean. The attribute
is used to indicate whether, to satisfy the access control scheme in use,
initiator ACI is required with each individual management operation
request. An attribute value of TRUE indicates that initiator ACI is
required in each management operation request, whilst a value of FALSE
indicates that no initiator ACI is required. In the event that the
attribute has a value of TRUE and the management operation request does
not contain initiator ACI, then access will be denied. ! ;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) attribute(7)
initiatorACImandated(14) };
-- initiatorsList: set of names of initiators managed objects that a rule
-- applies to (syntax inherited from the X.721 member attribute). Including a
-- value that is not the name of an initiators object is an error, so a rule
-- cannot point at a dangling or arbitrary name.
initiatorsList ATTRIBUTE
DERIVED FROM "CCITT Rec. X.721 | ISO/IEC 10165-2:1992": member;
BEHAVIOUR initiatorsListBehaviour BEHAVIOUR
DEFINED AS
! This set-valued attribute identifies the sub-classes of initiator
managed objects which specify the initiators to which the rule pertains.
It shall be an error to attempt to include a value in the initiators list
attribute that is not the name of an initiators managed object. ! ;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) attribute(7)
initiatorsList(15) };
-- invalidAccessAttempts: not-settable counter (X.721 counter syntax) of
-- accesses the decision function did not authorize.
-- NOTE(review): this is the detection hook for this module; a rising rate is
-- the signal for probing or misconfiguration, and it records denials even when
-- enforcementAction sends no response or a false one. Wrap and reset
-- behaviour are those of the X.721 counter and are not restated here.
invalidAccessAttempts ATTRIBUTE
DERIVED FROM "Rec. X.721 | ISO/IEC 10165-2:1992": counter;
BEHAVIOUR invalidAccessAttemptBehaviourPkg BEHAVIOUR
DEFINED AS
! This attribute is used to count the number of occasions that an access
control decision function has not authorized the access. The attribute
takes the form of a not-settable counter as defined by CCITT Rec. X.721 |
ISO/IEC 10165-2. ! ;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) attribute(7)
invalidAccessAttempts(16) };
-- labelName: integer name for a security label object; it is the naming
-- attribute in the three assignedLabels name bindings above. Matches on
-- EQUALITY and ORDERING.
-- NOTE(review): the ordering is on this integer name only. Nothing here says
-- it reflects dominance between the labels themselves, so do not derive
-- label comparison from labelName without confirming that in the policy.
labelName ATTRIBUTE
WITH ATTRIBUTE SYNTAX AccessControl-ASN1Module.LabelName;
MATCHES FOR EQUALITY, ORDERING;
BEHAVIOUR labelNameBehaviourPkg BEHAVIOUR
DEFINED AS
! This attribute assigns a name of type integer to security labels. This
enables a check for ordering to take place. ! ;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) attribute(7)
labelName(17) };
-- managedObjectClasses: set of protected managed object classes, each with
-- optional name bindings. Values not known as classes within the domain are
-- rejected with the CMIS invalid attribute value error, which prevents a
-- typo or unknown OID from silently creating an unprotected or over-broad
-- entry.
managedObjectClasses ATTRIBUTE
WITH ATTRIBUTE SYNTAX AccessControl-ASN1Module.ObjectClassList;
MATCHES FOR EQUALITY, SET-COMPARISON, SET-INTERSECTION;
BEHAVIOUR managedObjectClassesBehaviour BEHAVIOUR
DEFINED AS
! This set-valued attribute identifies protected managed object classes
and optional associated name bindings.
Any attempt to include a value not known to be a managed object class
within the domain shall result in the CMIS invalid attribute value error. ! ;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) attribute(7)
managedObjectClasses(18) };
-- managedObjectInstances: set of protected managed object names (syntax
-- inherited from the X.721 member attribute).
-- NOTE(review): unlike managedObjectClasses, targetsList and initiatorsList,
-- this template states no validation of the values; whether an unknown
-- instance name is rejected or stored is left unspecified here.
managedObjectInstances ATTRIBUTE
DERIVED FROM "CCITT Rec. X.721 | ISO/IEC 10165-2:1992": member;
BEHAVIOUR managedObjectInstancesBehaviourPkg BEHAVIOUR
DEFINED AS
! This set-valued attribute identifies protected managed objects. ! ;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) attribute(7)
managedObjectInstances(19) };
-- operationType: read-only naming attribute for operations objects (see the
-- operations-targets name binding). Values: get, replace, add member, remove
-- member, replace with default, multiple object selection, filter, create,
-- delete, action.
-- NOTE(review): "multiple object selection" and "filter" are controllable
-- operation types in their own right, so scoped or filtered enumeration can
-- be denied separately from reading individual objects.
operationType ATTRIBUTE
WITH ATTRIBUTE SYNTAX AccessControl-ASN1Module.OperationType;
MATCHES FOR EQUALITY;
BEHAVIOUR operationTypeBehaviourPkg BEHAVIOUR
DEFINED AS
! This read-only attribute is used for naming operations managed objects.
It may take one of the values: get, replace, add member, remove member,
replace with default, multiple object selection, filter, create, delete,
and action. ! ;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) attribute(7)
operationType(20) };
-- operationsList: set of operation types granted or denied (per the
-- containing rule) on the targets named by the targets object. Intended for
-- the unconditional case; parameter-conditional control uses the filter
-- attributes (actionFilterList, attributeFilterList, scopeFilter,
-- synchronizationFilter) instead.
operationsList ATTRIBUTE
WITH ATTRIBUTE SYNTAX AccessControl-ASN1Module.OperationsList;
MATCHES FOR EQUALITY, SET-COMPARISON, SET-INTERSECTION;
BEHAVIOUR operationsListBehaviourPkg BEHAVIOUR
DEFINED AS
! This set-valued attribute identifies operations that are to be granted
or denied, according to permissions in the containing rule managed object,
on targets identified by the targets managed object. Operations are
identified by the operation type. This attribute may be used when no
conditional constraints are imposed on the parameters of the operation. ! ;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) attribute(7)
operationsList(21) };
-- scope: a CMIS scope used to select protected managed objects for a targets
-- object. EQUALITY matching only; this same attribute identifier is the one
-- scopeFilter constrains.
scope ATTRIBUTE
WITH ATTRIBUTE SYNTAX AccessControl-ASN1Module.Scope;
MATCHES FOR EQUALITY;
BEHAVIOUR scopeBehaviourPkg BEHAVIOUR
DEFINED AS
! The scope attribute identifies a scope for the selection of protected
managed objects. ! ;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) attribute(7) scope(22) };
-- scopeFilter: accessControlFilter specialization holding zero or one CMIS
-- filter on the scope parameter of multi-object requests; every filter item
-- uses the scope attribute identifier.
-- NOTE(review): this is the control that bounds how wide a scoped request
-- may reach; with none (empty set) the inherited rule makes it match all
-- possible scopes.
scopeFilter ATTRIBUTE
DERIVED FROM accessControlFilter;
BEHAVIOUR scopeFilterBehaviour BEHAVIOUR
DEFINED AS
! For requests that select multiple managed objects the scope filter
specifies constraints on the scope parameter of the request, and the scope
attribute identifier is used for all the filter items in the filter.
This attribute identifies a filter upon the scope parameter of management
operations. It shall have none or one element. ! ;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) attribute(7)
scopeFilter(23) };
-- securityLabel: carries a security label (syntax from the ASN.1 module).
-- Declared with set matching (EQUALITY, SET-COMPARISON, SET-INTERSECTION).
-- Label dominance or comparison semantics are not defined in this template.
securityLabel ATTRIBUTE
WITH ATTRIBUTE SYNTAX AccessControl-ASN1Module.SecurityLabel;
MATCHES FOR EQUALITY, SET-COMPARISON, SET-INTERSECTION;
BEHAVIOUR securityLabelBehaviour BEHAVIOUR
DEFINED AS
! The security label attribute contains a security label. ! ;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) attribute(7)
securityLabel(24) };
-- stateConditions: names a managed object and a filter over its attributes,
-- making a rule conditional on that object's state. EQUALITY matching only.
-- NOTE(review): the state is read at some point during decision making; the
-- template does not say when, so the window between evaluation and
-- enforcement is implementation-defined.
stateConditions ATTRIBUTE
WITH ATTRIBUTE SYNTAX AccessControl-ASN1Module.StateConditions;
MATCHES FOR EQUALITY;
BEHAVIOUR stateConditionsPackageBehaviour BEHAVIOUR
DEFINED AS
! This attribute identifies a managed object and a filter upon the
attributes of that managed object. ! ;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) attribute(7)
stateConditions(25) };
-- synchronization: represents the CMIS synchronization parameter (CMISSync)
-- of management operations so that synchronizationFilter can constrain it.
-- No MATCHES FOR clause is declared for this attribute.
synchronization ATTRIBUTE
WITH ATTRIBUTE SYNTAX AccessControl-ASN1Module.CMISSync;
BEHAVIOUR synchronizationBehaviour BEHAVIOUR
DEFINED AS
! This attribute value represents the synchronization parameter of
management operations. It is used to represent filters upon this parameter. ! ;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) attribute(7)
synchronization(26) };
-- synchronizationFilter: accessControlFilter specialization holding zero or
-- one CMIS filter on the synchronization parameter of multi-object requests;
-- every filter item uses the synchronization attribute identifier. Parallel
-- in structure to scopeFilter.
synchronizationFilter ATTRIBUTE
DERIVED FROM accessControlFilter;
BEHAVIOUR synchronizationFilterBehaviour BEHAVIOUR
DEFINED AS
! For requests that select multiple managed objects the synchronization
filter specifies constraints on the synchronization parameter of the
request and the synchronization attribute identifier is used for all the
filter items in the filter.
This attribute identifies a filter upon the synchronization parameter of
management operations. It shall have none or one element. ! ;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) attribute(7)
synchronizationFilter(27) };
-- targetsList: set of names of targets managed objects that a rule applies
-- to (syntax inherited from the X.721 member attribute). Values not known to
-- name a targets object are an error, mirroring initiatorsList.
targetsList ATTRIBUTE
DERIVED FROM "Rec. X.721 | ISO/IEC 10165-2:1992": member;
BEHAVIOUR targetsListBehaviour BEHAVIOUR
DEFINED AS
! This set-valued attribute identifies the targets managed objects which
themselves specify the targets to which the item rule pertains. It shall
be an error to attempt to include a value which is not known to be the
name of a targets managed object. ! ;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) attribute(7)
targetsList(28) };
-- validAccessAttempts: not-settable counter (X.721 counter syntax) of
-- accesses the decision function authorized; the companion of
-- invalidAccessAttempts. The ratio of the two is a cheap health and
-- anomaly indicator for the policy.
validAccessAttempts ATTRIBUTE
DERIVED FROM "Rec. X.721 | ISO/IEC 10165-2:1992": counter;
BEHAVIOUR validAccessAttemptBehaviourPkg BEHAVIOUR
DEFINED AS
! This attribute is used to count the number of occasions that an access
control decision function has authorized the access. The attribute takes
the form of a not-settable counter as defined by CCITT Rec. X.721 |
ISO/IEC 10165-2. ! ;;
REGISTERED AS { joint-iso-itu-t(2) ms(9) function(2) part9(9) attribute(7)
validAccessAttempts(29) };
--<GDMO.EndDocument>--
-- =============================================================================
-- Formatted by OpenT2 Version 5.5.1.34 on Wed Jul 28 08:34:55 2004
-- =============================================================================
-- Formatted by OpenT2 Version 5.5.6.34 on Fri Aug 20 11:20:49 2004