Date Posted: September 22, 2009
What is Policy Management Library?
The Policy Management Library (PML) implements key components of a well-known policy management architecture and provides a generalized policy model able to support arbitrary policy languages. Details are provided in the section below. The library fully supports the Java binding for CIM-SPL policies, a recently approved standard from the Distributed Management Task Force. PML provides conflict, coverage, and dominance analysis, building on the Apache Imperius project, which supplies the parser, Java binding, and policy evaluation engine. Finally, policies written in Groovy are also supported, although without the policy analysis feature that is available for those written in CIM-SPL.
How does it work?
The Policy Management Library builds on a common model for policy run-times and includes the following components and capabilities:
- Managed Environment: A platform that requires the dynamic configuration and deployment of decision making. This might include the ability to change how a network firewall is configured, who has access to a file system, or to downgrade information for a specific user. This is the application into which this library is deployed.
- Policy: A condition specification and an optional action to execute when the condition evaluates to true. The condition is defined over a set of run-time data (often referred to as sensors) provided to the policy at evaluation time by the managed environment. The decision, that is, the action, is defined over a set of run-time data (often referred to as affectors) that is also provided at evaluation time.
- Policy Enforcement Point (PEP): A point in the Managed Environment that needs to have a decision made, for example, to decide whether access to a secured resource should be granted. It requests the answer to this decision from the Policy Decision Point. One implements such points in the Managed Environment as PEPs instead of hard-coded decisions so that the decisions can be configured with policy. There may be any number of PEPs in the Managed Environment.
- Policy Decision Point (PDP): Executes policies and returns the results of the execution (e.g., an access rights decision) to the PEP, which acts on the decision (e.g., by allowing or denying access). The PDP decides which policies in the Policy Repository apply to the decision request.
- Policy Repository: Holds the policies that are available for execution by the PDP. Policies may be activated or deactivated within the repository.
- Policy Analysis: Provides a set of specialized algorithms that support policy authors in assessing the interaction between policies. The operations supported by the policy analysis component are dominance checks, coverage checks, simultaneous applicability checks, and conflict detection/resolution.
- Policy Transformation: Enables rule-based transformation of abstract policies to concrete managed environment resource models.
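The components listed above fit together as follows. This is an added illustration written for this page, not code from PML or Apache Imperius, and it does not use the PML API: the policy model is reduced to conditions over a small, constructed attribute domain so that the four analysis operations (simultaneous applicability, conflict, dominance, coverage) can be computed by enumeration. The class and function names, the "allow"/"deny" actions, the priority-based resolution in the PDP, and the fail-closed default when no policy applies are all assumptions of the example.

```python
# Added illustration of the policy run-time model; not the PML API.
from dataclasses import dataclass
from itertools import product

# Constructed, finite attribute domain: every sensor value a request can carry.
DOMAIN = {"role": {"admin", "staff", "guest"}, "resource": {"payroll", "wiki"}}


@dataclass
class Policy:
    """Condition over sensors plus the action to take when the condition holds."""
    name: str
    condition: dict    # attribute -> set of accepted values; a conjunction over attributes
    action: str        # "allow" or "deny" (assumed action vocabulary)
    priority: int = 0  # higher priority wins when several policies apply

    def applies_to(self, sensors):
        return all(sensors.get(attr) in vals for attr, vals in self.condition.items())

    def region(self):
        # The condition extended to every attribute; unconstrained ones accept all values.
        return {a: set(self.condition.get(a, DOMAIN[a])) for a in DOMAIN}


class PolicyRepository:
    """Holds policies; each may be active or deactivated while still deployed."""
    def __init__(self):
        self._policies, self._active = {}, set()

    def add(self, policy, active=True):
        self._policies[policy.name] = policy
        if active:
            self._active.add(policy.name)

    def activate(self, name):
        self._active.add(name)

    def deactivate(self, name):
        self._active.discard(name)

    def active(self):
        return [p for n, p in self._policies.items() if n in self._active]


class PolicyDecisionPoint:
    """Selects the applicable active policies and returns a single decision."""
    def __init__(self, repo):
        self.repo = repo

    def decide(self, sensors):
        matches = [p for p in self.repo.active() if p.applies_to(sensors)]
        if not matches:
            return "deny", None  # assumed fail-closed default when nothing applies
        best = max(matches, key=lambda p: p.priority)
        return best.action, best.name


class FileAccessPEP:
    """Enforcement point: asks the PDP instead of hard-coding the access rule."""
    def __init__(self, pdp):
        self.pdp = pdp

    def may_open(self, role, resource):
        decision, _ = self.pdp.decide({"role": role, "resource": resource})
        return decision == "allow"


# Policy analysis over the finite domain: the four checks named in the list above.
def _overlap(p, q):
    return all(p.region()[a] & q.region()[a] for a in DOMAIN)

def _pairs(policies):
    return [(p, q) for i, p in enumerate(policies) for q in policies[i + 1:]]

def simultaneously_applicable(policies):
    return [(p.name, q.name) for p, q in _pairs(policies) if _overlap(p, q)]

def conflicts(policies):
    # Both apply to some request and would decide differently.
    return [(p.name, q.name) for p, q in _pairs(policies)
            if _overlap(p, q) and p.action != q.action]

def dominated(policies):
    # p never decides: a higher-priority q applies everywhere p applies.
    return [(p.name, q.name) for p in policies for q in policies
            if p is not q and q.priority > p.priority
            and all(p.region()[a] <= q.region()[a] for a in DOMAIN)]

def uncovered(policies):
    # Points of the domain where no policy applies (the PDP falls back to its default).
    keys = sorted(DOMAIN)
    points = [dict(zip(keys, vals)) for vals in product(*(sorted(DOMAIN[k]) for k in keys))]
    return [pt for pt in points if not any(p.applies_to(pt) for p in policies)]


def build_sample_repository():
    # Constructed policies, chosen so that every analysis check finds something.
    repo = PolicyRepository()
    repo.add(Policy("deny-guests", {"role": {"guest"}}, "deny", priority=10))
    repo.add(Policy("staff-wiki", {"role": {"staff", "admin"}, "resource": {"wiki"}}, "allow", 1))
    repo.add(Policy("admin-all", {"role": {"admin"}}, "allow", priority=5))
    repo.add(Policy("guest-wiki", {"role": {"guest"}, "resource": {"wiki"}}, "allow", 1))
    return repo
```

With the sample repository, `conflicts(repo.active())` reports the deny-guests/guest-wiki pair, `dominated(...)` shows that guest-wiki can never decide while deny-guests is active, and `uncovered(...)` flags staff access to payroll as a region no policy covers, so the PDP answers it with the fail-closed default. Deactivating deny-guests in the repository changes the guest/wiki decision without touching the PEP, which is the point of routing decisions through a PDP rather than hard-coding them.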
The Policy Authoring and Management Tool (PAMT) is a Web-based tool used to author, analyze, and manage policies within the managed environment. The policies are authored in a controlled natural language format based on templates. The templates are defined by an administrator prior to authoring of the policies. The analysis operations check whether there are any conflicts, uncovered regions, or dominated policies among the set of authored policies. Once authored and analyzed, policies can be deployed to or removed from the managed environment. Policies may also be deactivated and left deployed within the environment.
About the technology author(s)
The Policy Management Library was developed by the Policy Lifecycle Technologies group at IBM Research, as part of our partnership with the Army Research Lab and the International Technology Alliance program.
The group is investigating platform-independent policy frameworks to specify, analyze, and deploy security and networking policies. The goal is to provide easy-to-use mechanisms for refining high-level user-specified goals into low-level controls.
