Object 1, DN: o=IBM, c=US
Object 2, DN: cn=group_1, o=IBM, c=US
Object 3, DN: cn=group_5, o=IBM, c=US
Object 4, DN: cn=group_1_sub_A, cn=group_1, o=IBM, c=US
This set of objects can be viewed as a tree, with Object 1 as the root. Objects 2 and 3 are branches under the root, and Object 4 is a branch under Object 2. The names used are attributes of the objects they define. For example, Object 2, whose name starts with "cn=group_1", contains a cn attribute with the value group_1. See z/OS IBM Tivoli Directory Server Administration and Use for z/OS for more information on LDAP naming.
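The tree described above can be rebuilt from the DNs alone. The following Python sketch is an added example, not code from the product documentation. The `OBJECTS` mapping and the function names are assumptions made for illustration, and it compares DNs one RDN at a time instead of as raw strings.

```python
# DNs of Objects 1-4 from the listing above.
OBJECTS = {
    1: "o=IBM, c=US",
    2: "cn=group_1, o=IBM, c=US",
    3: "cn=group_5, o=IBM, c=US",
    4: "cn=group_1_sub_A, cn=group_1, o=IBM, c=US",
}


def split_dn(dn):
    """Split a DN into normalised (type, value) RDNs, most specific first.

    A comma escaped with a backslash stays inside its value. Types and values
    are case-folded, which assumes case-insensitive matching (true for cn, o
    and c). Multi-valued RDNs joined with '+' are not handled.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = (rdn.partition("=") for rdn in rdns)
    return tuple((t.strip().casefold(), v.strip().casefold()) for t, _, v in pairs)


def in_subtree(dn, base):
    """True if dn is base itself or lies beneath it, compared RDN by RDN."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def children(objects, base):
    """Objects whose parent (DN minus its leftmost RDN) is base."""
    return [n for n, dn in objects.items() if split_dn(dn)[1:] == split_dn(base)]


if __name__ == "__main__":
    for n, dn in OBJECTS.items():
        print(f"Object {n} children:", children(OBJECTS, dn))
```

A plain string suffix test would place `cn=x, oo=IBM, c=US` under `o=IBM, c=US`; the RDN-wise comparison in `in_subtree` does not.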
Object class names define the type of each LDAP object. The top object class is predefined and is the root of all other object classes.
The following object classes are recognized by the Policy Agent. The indentation defines subclasses. For example, ibm-policyGroup is a subclass of ibm-policy, and therefore inherits all of the attributes defined for ibm-policy.
Object class name | Purpose of object |
---|---|
Top | Used to anchor the LDAP hierarchical tree root. |
ibm-policy | Used as the root for all policy objects. |
ibm-policyGroup | Defines a policy group object. |
ibm-policyRule | Defines a policy rule object. |
ibm-policyRuleConditionAssociation | Defines an association between a policy rule object and a policy condition. |
ibm-policyRuleActionAssociation | Defines an association between a policy rule object and a policy action. |
ibm-PolicyInstance | Defines an instance of a reusable policy object. |
ibm-PolicyConditionInstance | Defines an instance of a reusable policy condition object. |
ibm-PolicyActionInstance | Defines an instance of a reusable policy action object. |
ibm-PolicyElementAuxClass | Defines an auxiliary class that can be used to tag non-policy objects as though they were policy objects. |
ibm-policyCondition | Defines a policy condition object. (schema version 2 — supported for migration) |
ibm-policyTimePeriodCondition | Defines an auxiliary class to represent time periods during which a policy rule is considered to be active. (schema version 2 — supported for migration) |
ibm-networkingpolicyCondition | Defines a subclass of ibm-PolicyCondition used to define networking policy conditions. (schema version 2 — supported for migration) |
ibm-policyAction | Defines a policy action object. (schema version 2 — supported for migration) |
ibm-serviceCategories | Defines an auxiliary class to represent a set of QoS attributes for a policy action. (schema version 2 — supported for migration) |
ibm-policyConditionAuxClass | Defines an auxiliary class for generic policy conditions. |
ibm-policyTimePeriodConditionAuxClass | Defines an auxiliary class to represent time periods during which a policy rule is considered to be active. |
ibm-networkingPolicyConditionAuxClass | Defines an auxiliary class used to define networking policy conditions. |
ibm-routeConditionAuxClass | Defines an auxiliary class to represent QoS routing conditions for a policy rule. |
ibm-hostConditionAuxClass | Defines an auxiliary class to represent QoS host (end-point) conditions for a policy rule. |
ibm-applicationConditionAuxClass | Defines an auxiliary class to represent QoS application and transport conditions for a policy rule. |
ibm-idsConditionAuxClass | Defines an auxiliary class to represent generic IDS conditions. |
ibm-idsAttackConditionAuxClass | Defines an auxiliary class to represent IDS attack conditions. |
ibm-idsIPAttackConditionAuxClass | Defines an auxiliary class to represent IDS IP attack conditions. |
ibm-idsTrafficRegulationConditionAuxClass | Defines an auxiliary class to represent IDS Traffic Regulation conditions. |
ibm-idsScanConditionAuxClass | Defines an auxiliary class to represent IDS global scan conditions. |
ibm-idsScanEventConditionAuxClass | Defines an auxiliary class to represent IDS scan event conditions. |
ibm-idsTransportConditionAuxClass | Defines an auxiliary class to represent IDS transport conditions. |
ibm-idsHostConditionAuxClass | Defines an auxiliary class to represent IDS host conditions. |
ibm-policyActionAuxClass | Defines an auxiliary class for generic policy actions. |
ibm-serviceCategoriesAuxClass | Defines an auxiliary class to represent a set of QoS attributes for a policy action. |
ibm-idsActionAuxClass | Defines an auxiliary class to represent generic IDS actions. |
ibm-idsNotificationAuxClass | Defines an auxiliary class to represent notification options for IDS actions. |
ibm-idsAttackActionsAuxClass | Defines an auxiliary class to represent attack attributes for IDS actions. |
ibm-idsFloodAttackActionsAuxClass | Defines an auxiliary class to represent flood-specific attack attributes for IDS actions. |
ibm-idsTrafficRegulationActionAuxClass | Defines an auxiliary class to represent generic Traffic Regulation attributes for IDS actions. |
ibm-idsTRtcpActionAuxClass | Defines an auxiliary class to represent Traffic Regulation TCP attributes for IDS actions. |
ibm-idsTRudpActionAuxClass | Defines an auxiliary class to represent Traffic Regulation UDP attributes for IDS actions. |
ibm-idsScanActionAuxClass | Defines an auxiliary class to represent global scan attributes for IDS actions. |
ibm-idsScanSensitivityActionAuxClass | Defines an auxiliary class to represent scan sensitivity attributes for IDS actions. |
ibm-idsScanExclusionActionAuxClass | Defines an auxiliary class to define scan exclusion lists for IDS actions. |
ibm-policyRepository | Defines a repository for generic reusable policy objects. |
ibm-policySubtreesPtrAuxClass | Defines an auxiliary class to represent pointers to subtrees in the LDAP directory tree to be retrieved by the Policy Agent. This allows entire subtrees to be retrieved at once, improving retrieval performance in some situations. |
ibm-policyGroupContainmentAuxClass | Defines an auxiliary class for binding a policy group object to another policy group. |
ibm-policyRuleContainmentAuxClass | Defines an auxiliary class for binding a policy rule object to another policy group. |
ibm-policyGroupLoadDistributionAuxClass | Defines an auxiliary class to represent load distribution attributes for policy groups. The load distribution attributes are applied to all policy rules that are pointed to by groups to which this auxiliary class has been attached. |
SetSubnetPrioTosMask | Defines a mapping of outbound IPv4 packet Type of Service (ToS) byte or IPv6 packet Traffic Class values to QDIO device priorities and Virtual LAN (VLAN) user priorities. |
Level 1: C1, NOT C2
Level 2: C3, C4, C5
(C1 AND NOT C2) OR (C3 AND C4 AND C5)
(C1 OR NOT C2) AND (C3 OR C4 OR C5)
This allows a wide variety of conditional logic to be defined for policy rules.
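The two expressions above combine the same condition levels in two ways: AND within a level and OR between levels (disjunctive normal form, DNF), or OR within a level and AND between levels (conjunctive normal form, CNF). The following Python sketch is an added example, not Policy Agent code. The `LEVELS` structure and the function names are assumptions made for illustration; it renders both expressions and finds the inputs on which they disagree.

```python
from itertools import product

# Condition levels from the example above, as (name, negated) pairs.
LEVELS = {
    1: [("C1", False), ("C2", True)],
    2: [("C3", False), ("C4", False), ("C5", False)],
}

# form -> (operator inside a level, operator between levels)
FORMS = {"DNF": ("AND", "OR"), "CNF": ("OR", "AND")}
COMBINE = {"AND": all, "OR": any}


def render(levels, form):
    """Return the boolean expression the levels produce in the given form."""
    inner, outer = FORMS[form]
    groups = []
    for _, conds in sorted(levels.items()):
        terms = [("NOT " if neg else "") + name for name, neg in conds]
        groups.append("(" + f" {inner} ".join(terms) + ")")
    return f" {outer} ".join(groups)


def evaluate(levels, matched, form):
    """Evaluate the rule; `matched` maps condition name -> bool."""
    inner, outer = FORMS[form]
    per_level = [
        # A negated condition is satisfied when it did NOT match.
        COMBINE[inner](matched[name] != neg for name, neg in conds)
        for _, conds in sorted(levels.items())
    ]
    return COMBINE[outer](per_level)


def disagreements(levels):
    """List every truth assignment on which DNF and CNF give different results."""
    names = sorted({name for conds in levels.values() for name, _ in conds})
    out = []
    for values in product([False, True], repeat=len(names)):
        matched = dict(zip(names, values))
        if evaluate(levels, matched, "DNF") != evaluate(levels, matched, "CNF"):
            out.append(matched)
    return out


if __name__ == "__main__":
    for form in FORMS:
        print(form, "=>", render(LEVELS, form))
    only_c1 = {"C1": True, "C2": False, "C3": False, "C4": False, "C5": False}
    print("C1 only:", evaluate(LEVELS, only_c1, "DNF"), evaluate(LEVELS, only_c1, "CNF"))
    print("assignments where the forms disagree:", len(disagreements(LEVELS)))
```

With only C1 matching, the rule is true in DNF and false in CNF, so the same conditions and levels can select different traffic depending on which form the rule uses.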