Next: 4.2.5 Distribution Process
Up: 4.2 Policy Supporting Processes
Previous: 4.2.3 Delegation Process
  Contents
Insofar as policy refinement is concerned, only brief mention was made
in [MoSl 93b,Wies 95,Koch 97,Heil 98]. Refinement of policies is
usually necessary, because they are used to achieve a management
objective, which is almost always formulated on an abstract level.
The refinement process is the most critical process in the application
of policies for management, because it must be ensured that the
semantics of the high-level policy is not changed. The initial
high-level policy describing the principle is already formulated by
the delegation process.
In the refinement process, the policy has to become more concrete through
splitting it into several lower-level policies, which affect the same
domain of subjects and targets. Alternatively it can be split into
several lower level policies which partition these domains. Besides
having different enforcement contexts (e.g., affecting other domains),
these policies define (sub-)goals of their own. Together, they
attempt to fulfil the high-level objective.
The following outlines some points to show the complexity of the
refinement process:
- Relationships are introduced between newly created policies such as
sequence, concurrency, or exclusion. The side effects relating to
other policies can cause problems, because it is hard to predict what
these effects are and how they might change the semantics of a
high-level policy. Besides that, even ensuring that the lower level
policies fulfil the high-level policy is very difficult. The reason
for that is that refinement necessarily requires human intervention,
and each person often has a different understanding of the original
intention. The result might therefore be ambiguous.
- Refinement of policies also depends on external constraints like
costs and efficiency, which also leave room for interpretation. For
example, a high-level policy could be: ``Only authorised persons have
access to IT-systems.'' In this case several refinements are
possible. Take the word `authorised'. It implies the need to prove a
person's identity through authentication. Authentication can be done
in several ways, for instance with the help of biometrical methods,
with a smart card, or a login-password-combination. Which technique
to choose depends on external constraints, e.g., costs, availability,
legislation, common practice, and/or other policies governing
authentication.
- Because of the complexity, the refinement process will probably be
repeated several times before it is completed successfully. During
this period, it is not unlikely that a high-level policy has to be
changed because the refinement reveals it to be wrong, ambiguous, or
unenforceable.
- The refinement process must be well defined and documented to ensure
that it is possible to review the decisions taken. This requires that
the initial development of a policy, all changes, and the reasons for
them are stored within the management system.
- During the refinement process, the policy gets more concrete, in that
variables in constraints will be bound to objects, or to concepts
such as roles. In this process, an object can possibly be further
refined with the necessity to split an object into two parts. Thus,
the more abstract domain of the former object is not bound any longer
by the lowest level policies, which will be deployed. The existence
of the initial refined object or some of its properties have implied
the reason for the further refinement. In this case, a change or the
removal of the initial higher level object can lead to a false or
obsolete lower level policy.
As mentioned above, the refinement process creates new policy
descriptions, or policy objects. Despite of this, it also uses
existing policies for further refinement or for taking decisions
during the refinement phase. This is depicted in
figure .
Next: 4.2.5 Distribution Process
Up: 4.2 Policy Supporting Processes
Previous: 4.2.3 Delegation Process
  Contents
Copyright Munich Network Management Team