Name | Type | Multiplicity | Description |
---|---|---|---|
markRef | reference ObjectReferenceType | [0,1] | Object mark representing policy, which is APPLIED or EXCLUDED |
type | property PolicyStatementTypeType | [1,1] | Type of policy statement. |
metadata | container MetadataType | [0,1] | Meta-data about data creation, modification, etc. |
Flags: RAM
Multiplicity: [0,1]
Display order:
Flags: RAM,runtime,AVals:2
Multiplicity: [1,1]
Display order:
Flags: RAM,runtime,oper
Multiplicity: [0,1]
Display order:
Meta-data about data creation, modification, etc.
Meta-data may apply to objects but also to parts of an object (e.g. assignments).
Meta-data only apply to successful operations. That is obvious for create, but it also applies
to modify. For obvious reasons there are no metadata about delete.
We keep no metadata about reading. That would be a huge performance hit.
Meta-data only describe the last operation of each kind. E.g. there is a record of the last
modification, the last approval, etc. There is no history. The last operation overwrites data
about the previous operation.
These data are informational only. They should not be used for security purposes (use the auditing
subsystem for that). But the presence of metadata simplifies system administration and may provide
some basic information "at a glance" which may later be confirmed by the audit logs.
Meta-data are also supposed to be searchable. Therefore they may be used to quickly find
"candidate" objects for a closer examination.