Reviewed all uses of 'id' and '*-id' to make sure the name is correct.
…Resolves #691.
david-waltermire committed Dec 21, 2020
1 parent b7e8bf2 commit b0927c8
Showing 7 changed files with 69 additions and 51 deletions.
3 changes: 3 additions & 0 deletions src/metaschema/oscal_assessment-common_metaschema.xml
@@ -154,6 +154,7 @@
<formal-name>Assessment-specific Control Objective</formal-name>
<description>A local definition of a control objective for this assessment. Uses catalog syntax for control objective and assessment actions.</description>
<define-flag name="id" required="yes" as-type="NCName" >
<!-- This is an id to sync with control syntax -->
<formal-name>Control Objective Identifier</formal-name>
<description>A unique identifier for the assessment-specific control objective instance. This identifier's uniqueness is document scoped and is intended to be consistent for the same role across minor revisions of the document.</description>
<remarks>
@@ -1060,6 +1061,7 @@
</constraint>
</define-field>
<define-field name="threat-id">
<!-- This is an id because it is an externally provided identifier -->
<formal-name>Threat ID</formal-name>
<description>A pointer, by ID, to an externally-defined threat.</description>
<define-flag name="system" required="yes">
@@ -1461,6 +1463,7 @@
<description>Points to an implementation statement in the SSP.</description>
</define-flag>
<define-flag name="objective-id" as-type="NCName">
<!-- This is an id to sync with control syntax -->
<formal-name>Objective ID</formal-name>
<description>Points to an assessment objective.</description>
</define-flag>
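Review bot: The description under the newly annotated `id` flag of the assessment-specific control objective still says the identifier is "intended to be consistent for the same role across minor revisions", which reads as copied from the Role identifier in oscal_metadata_metaschema.xml, where the same sentence appears. Since this commit reviews the id definitions, the wording should name the object being identified, for example `... is intended to be consistent for the same control objective across minor revisions of the document.` The added comments record only the naming rationale for maintainers; if schema users are meant to see that rationale, it probably belongs in `<remarks>`, since XML comments are typically not carried into generated output.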
2 changes: 2 additions & 0 deletions src/metaschema/oscal_catalog_metaschema.xml
@@ -64,6 +64,7 @@
<formal-name>Control Group</formal-name>
<description>A group of controls, or of groups of controls.</description>
<define-flag name="id" as-type="NCName">
<!-- This is an id because the idenfier is managed externally. -->
<formal-name>Group Identifier</formal-name>
<description>A unique identifier for a specific group instance that can be used to reference the group within this and in other OSCAL documents. This identifier's uniqueness is document scoped and is intended to be consistent for the same group across minor revisions of the document.</description>
</define-flag>
@@ -125,6 +126,7 @@
<formal-name>Control</formal-name>
<description>A structured information object representing a security or privacy control. Each security or privacy control within the Catalog is defined by a distinct control instance.</description>
<define-flag name="id" as-type="NCName" required="yes">
<!-- This is an id because the idenfier is managed externally. -->
<formal-name>Control Identifier</formal-name>
<description>A unique identifier for a specific control instance that can be used to reference the control in other OSCAL documents. This identifier's uniqueness is document scoped and is intended to be consistent for the same control across minor revisions of the document.</description>
</define-flag>
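Review bot: The added rationale comments misspell "identifier" as "idenfier" in both flags here, and the same spelling recurs in the comments added to oscal_control-common (together with "human-raadable"), oscal_implementation-common, oscal_metadata and oscal_profile. These comments are the only record of why each human-managed `id` was kept, so a search for "identifier" will miss them; suggest `<!-- This is an id because the identifier is managed externally. -->`. The rationale also varies for what looks like the same concept: the group `id` is "managed externally" here but "assigned and managed externally by humans" in oscal_profile, and the parameter `id` is "intended to be human-readable" in oscal_control-common while `param-id` is "assigned and managed by humans" elsewhere. One fixed phrase per rationale would make the review easier to audit.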
2 changes: 2 additions & 0 deletions src/metaschema/oscal_control-common_metaschema.xml
@@ -20,6 +20,7 @@
<formal-name>Part</formal-name>
<description>A partition or component of a control or part</description>
<define-flag name="id" as-type="NCName">
<!-- This is an id because the idenfier is intended to be human-raadable. -->
<formal-name>Part Identifier</formal-name>
<description>A unique identifier for a specific part instance. This identifier's uniqueness is document scoped and is intended to be consistent for the same part across minor revisions of the document.</description>
</define-flag>
@@ -121,6 +122,7 @@
<formal-name>Parameter</formal-name>
<description>Parameters provide a mechanism for the dynamic assignment of value(s) in a control.</description>
<define-flag name="id" as-type="NCName" required="yes">
<!-- This is an id because the idenfier is intended to be human-raadable. -->
<formal-name>Parameter Identifier</formal-name>
<description>A unique identifier for a specific parameter instance. This identifier's uniqueness is document scoped and is intended to be consistent for the same parameter across minor revisions of the document.</description>
</define-flag>
58 changes: 37 additions & 21 deletions src/metaschema/oscal_implementation-common_metaschema.xml
@@ -88,6 +88,7 @@
<enum value="virtual">Identifies if the component is virtualized (yes/no)</enum>
<enum value="vlan-id">Virtual LAN identifier of the component.</enum>
<enum value="asset-tag">An asset tag that is unique within the organization for the component.</enum>

<enum value="isa-title">Title of the Interconnection Security Agreement (ISA).</enum>
<enum value="isa-date">Date of the Interconnection Security Agreement (ISA).</enum>
<enum value="isa-remote-system-name">The name of the remote interconnected system.</enum>
@@ -340,13 +341,7 @@
<enum value="no-logical-access">TODO</enum>
</allowed-values>
<allowed-values target="role-id" allow-other="yes">
<enum value="asset-owner">Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.</enum>
<enum value="asset-administrator">Responsible for administering a set of assets.</enum>
<enum value="soc">Members of the security operations center (SOC).</enum>
<enum value="noc">Members of the network operations center (NOC).</enum>
<enum value="incident-response">Members of the incident response team.</enum>
<enum value="help-desk">Members of the help desk.</enum>
<enum value="configuration-management-lead">Responsible for the configuration management processes governing changes to the asset.</enum>
&allowed-values-responsible-roles-operations;
</allowed-values>
</constraint>
<remarks>
@@ -387,6 +382,7 @@
<description>A globally unique identifier that can be used to reference this inventory item entry elsewhere in an OSCAL document. A UUID should be consistantly used for a given resource across revisions of the document.</description>
</define-flag>
<define-flag name="asset-id" required="yes">
<!-- This is an id because the idenfier is assigned and managed externally. -->
<formal-name>Asset Identifier</formal-name>
<description>Organizational asset identifier that is unique in the context of the system. This may be a reference to the identifier used in an asset tracking system or a vulnerability scanning tool.</description>
</define-flag>
@@ -417,16 +413,18 @@
<allowed-values target="prop/@name" allow-other="yes">
<enum value="public">Identifies whether the asset is publicly accessible (yes/no)</enum>
<enum value="virtual">Identifies whether the asset is virtualized (yes/no)</enum>
<enum value="vlan-id">Virtual LAN identifier of the asset.</enum>
<enum value="asset-tag">An asset tag that is unique within the organization for the component.</enum>

<enum value="ipv4-address">The Internet Protocol v4 Address of the asset.</enum>
<enum value="ipv6-address">The Internet Protocol v6 Address of the asset.</enum>
<enum value="vlan-id">Virtual LAN identifier of the asset.</enum>
<enum value="network-id">The network identifier of the asset.</enum>
<enum value="fqdn">The full-qualified domain name (FQDN) of the asset.</enum>
<enum value="uri">A Uniform Resource Identifier (URI) for the asset.</enum>
<enum value="serial-number">A serial number for the asset.</enum>
<enum value="asset-tag">An asset tag that is unique within the organization for the asset.</enum>
<enum value="netbios-name">The NetBIOS name for the asset.</enum>
<enum value="mac-address">The media access control (MAC) address for the asset.</enum>

<!-- This is "name" in the context of a component -->
<enum value="os-name">The name of the operating system used by the asset.</enum>
<!-- This is "version" in the context of a component -->
@@ -455,21 +453,19 @@
</allowed-values>
<!-- TODO: constrain link href values based on rel -->
<allowed-values target="responsible-party/@role-id" allow-other="yes">
<enum value="asset-owner">Accountable for ensuring the asset is managed in accordance with organizational policies and procedures.</enum>
<enum value="asset-administrator">Responsible for administering a set of assets.</enum>
<enum value="soc">Members of the security operations center (SOC).</enum>
<enum value="noc">Members of the network operations center (NOC).</enum>
<enum value="incident-response">Members of the incident response team.</enum>
<enum value="help-desk">Members of the help desk.</enum>
<enum value="configuration-management-lead">Responsible for the configuration management processes governing changes to the asset.</enum>
<enum value="maintainer">Organization responsible for the creation and maintenance of the component.</enum>
<enum value="provider">Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller).</enum>
&allowed-values-responsible-roles-operations;
&allowed-values-responsible-roles-component-production;
</allowed-values>
<!-- TODO: constrain role-id references to roles defined in the document. -->
<!-- TODO: constrain party-id references to parties defined in the document. -->
<index-has-key name="index-metadata-role-id" target="responsible-party">
<key-field target="@role-id"></key-field>
</index-has-key>
<index-has-key name="index-metadata-party-uuid" target="responsible-party">
<key-field target="@party-uuid"></key-field>
</index-has-key>
</constraint>
</define-assembly>
<define-assembly name="implemented-component">
<!-- TODO: Sync constraints with system-component; maybe remove this? -->
<formal-name>Implemented Component</formal-name>
<description>The set of componenets that are implemented in a given system inventory item.</description>
<json-key flag-name="component-uuid"/>
@@ -603,7 +599,7 @@
<formal-name>Responsible Role</formal-name>
<description>A reference to one or more roles with responsibility for performing a function relative to the containing object.</description>
<json-key flag-name="role-id"/>
<define-flag required="yes" name="role-id" as-type="NCName">
<define-flag name="role-id" as-type="NCName" required="yes">
<formal-name>Responsible Role ID</formal-name>
<description>The role that is responsible for the business function.</description>
</define-flag>
@@ -639,8 +635,28 @@
</define-field>
</model>
</define-assembly>

<!-- ===== FIELDS ===== -->
<define-field name="system-id" as-type="string">
<!-- This is an id because the idenfier is assigned and managed by humans. -->
<formal-name>System Identification</formal-name>
<description>A unique identifier for the system described by this system security plan.</description>
<json-value-key>id</json-value-key>
<define-flag name="identifier-type" as-type="uri">
<formal-name>Identification System Type</formal-name>
<description>Identifies the identification system from which the provided identifier was assigned.</description>
<constraint>
<allowed-values allow-other="yes">
<enum value="https://fedramp.gov">The identifier was assigned by FedRAMP.</enum>
<enum value="https://ietf.org/rfc/rfc4122">A Universally Unique IDentifier (UUID) as defined by RFC4122.</enum>
</allowed-values>
</constraint>
</define-flag>
</define-field>

<!-- ===== FLAGS ===== -->
<define-flag name="param-id" as-type="NCName">
<!-- This is an id because the idenfier is assigned and managed by humans. -->
<formal-name>Parameter ID</formal-name>
<description>A reference to a parameter within a control, who's catalog has been imported into the current implementation context.</description>
<example>
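Review bot: The `role-id` lists now depend on the general entities `&allowed-values-responsible-roles-operations;` and `&allowed-values-responsible-roles-component-production;`, whose declarations are not visible in these hunks. Any tool that reads this metaschema therefore has to run with DTD and entity processing enabled, which is the opposite of the usual parser hardening against XXE and entity-expansion attacks; a hardened parser will either reject the file or, if it skips unresolved references, silently lose the role values. If the entities come from an external file, the build should resolve them only from the repository's own paths and publish an entity-expanded copy for downstream consumers. A comment next to the first reference would help, for example `<!-- entity declared via this file's DOCTYPE; resolve from local repository files only -->`. Separately, the inventory-item `prop/@name` list shows `asset-tag` with two descriptions ("for the component" and "for the asset"); the rendered page does not mark which is the new side, so confirm the kept one says "for the asset".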
28 changes: 15 additions & 13 deletions src/metaschema/oscal_metadata_metaschema.xml
@@ -237,6 +237,7 @@
<description>A short common name, abbreviation, or acronym for the party.</description>
</define-field>
<define-field name="external-id" max-occurs="unbounded">
<!-- This is an id because the idenfier is assigned and managed externally by humans. -->
<formal-name>Party External Identifier</formal-name>
<description>An identifier for a person or organization using a designated scheme. e.g. an Open Researcher and Contributor ID (ORCID)</description>
<json-value-key>id</json-value-key>
@@ -281,20 +282,9 @@
<assembly ref="address" max-occurs="unbounded">
<group-as name="addresses" in-json="ARRAY"/>
</assembly>
<define-field name="location-uuid" as-type="uuid" max-occurs="unbounded">
<formal-name>Location Reference</formal-name>
<description>References a <code>location</code> defined in <code>metadata</code>.</description>
<!-- QUESTION: What is the json value key? -->
<field ref="location-uuid" max-occurs="unbounded">
<group-as name="location-uuids" in-json="ARRAY"/>
<flag ref="location-type">
<use-name>type</use-name>
</flag>
<constraint>
<index-has-key name="index-metadata-location-uuid" target=".">
<key-field target="value()"/>
</index-has-key>
</constraint>
</define-field>
</field>
</choice>
<define-field name="member-of-organization" as-type="uuid" max-occurs="unbounded">
<formal-name>Organizational Affiliation</formal-name>
@@ -328,6 +318,7 @@
<formal-name>Role</formal-name>
<description>Defines a function assumed or expected to be assumed by a party in a specific situation.</description>
<define-flag name="id" as-type="NCName" required="yes">
<!-- This is an id because the idenfier is assigned and managed by humans. -->
<formal-name>Role Identifier</formal-name>
<description>A unique identifier for a specific role instance. This identifier's uniqueness is document scoped and is intended to be consistent for the same role across minor revisions of the document.</description>
<remarks>
@@ -479,6 +470,16 @@
<any/>
</model>
<constraint>
<allowed-values target="prop/@name">
<enum value="type">TODO: (Brian)</enum>
<enum value="version">TODO: (Brian)</enum>
<enum value="published">TODO: (Brian)</enum>
</allowed-values>
<matches target="prop[@name='published' and (not(exists(@ns)) or @ns='http://csrc.nist.gov/ns/oscal')]/value()" datatype="dateTime"/>
<allowed-values target="prop[@name='type']/value()">
<!-- TODO: (brian) add values from spreadsheet -->
<enum value="policy">TODO: (Brian)</enum>
</allowed-values>
<has-cardinality target="rlink|base64" min-occurs="1"/>
<is-unique name="unique-resource-rlink-href" target="rlink">
<key-field target="@href"/>
@@ -863,6 +864,7 @@
</define-flag>

<define-field name="document-id" scope="local">
<!-- This is an id because the idenfier is assigned and managed externally by humans. -->
<formal-name>Document Identifier</formal-name>
<description>A document identifier qualified by an identifier <code>type</code>.</description>
<json-value-key>identifier</json-value-key>
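Review bot: The two `allowed-values` constraints added next to `unique-resource-rlink-href`, targeting `prop/@name` and `prop[@name='type']/value()`, omit `allow-other="yes"`, unlike the other lists shown on this page, so as far as I can tell from the Metaschema default they are closed lists. With only `policy` listed and a TODO saying more values are still to come, validation would reject any other type or property name; suggest `<allowed-values target="prop[@name='type']/value()" allow-other="yes">` (and the same on `prop/@name`) until the lists are complete. These targets are also not limited by namespace the way the adjacent `matches` rule is (`not(exists(@ns)) or @ns='http://csrc.nist.gov/ns/oscal'`), so a `type` property in another namespace would be held to the OSCAL values. The `TODO: (Brian)` placeholders sit in the enum descriptions and will presumably surface in generated documentation.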
2 changes: 2 additions & 0 deletions src/metaschema/oscal_profile_metaschema.xml
@@ -128,6 +128,7 @@
<formal-name>Control group</formal-name>
<description>A group of (selected) controls or of groups of controls</description>
<define-flag name="id" as-type="NCName">
<!-- This is an id because the idenfier is assigned and managed externally by humans. -->
<formal-name>Group Identifier</formal-name>
<description>A unique identifier for a specific group instance that can be used to reference the group within this and in other OSCAL documents. This identifier's uniqueness is document scoped and is intended to be consistent for the same group across minor revisions of the document.</description>
</define-flag>
@@ -262,6 +263,7 @@
<description>A parameter setting, to be propagated to points of insertion</description>
<json-key flag-name="param-id"/>
<define-flag required="yes" name="param-id" as-type="NCName">
<!-- This is an id because the idenfier is assigned and managed by humans. -->
<formal-name>Parameter ID</formal-name>
<description>Indicates the value of the 'id' flag on a target parameter; i.e. which parameter to set</description>
</define-flag>