SNMP-VIEW-BASED-ACM-MIB DEFINITIONS ::= BEGIN

-- Reviewer notes (security):
--
-- This module is the configuration MIB for the View-based Access Control
-- Model (VACM).  The RFC 2575 revision is what is reproduced here (see the
-- REVISION clauses of snmpVacmMIB); check whether the deployed agent
-- implements a later revision of this module before relying on this text.
--
-- The three read-create tables below (vacmSecurityToGroupTable,
-- vacmAccessTable, vacmViewTreeFamilyTable) ARE the engine's access-control
-- policy.  Any principal whose write view covers { snmpModules 16 } can
-- re-map securityNames to groups, widen group access entries, or extend a
-- MIB view, i.e. grant itself or anyone else full access.  Keep this subtree
-- out of every write view except the administrative one, and treat Set
-- operations against it as security-relevant audit events.
--
-- Comment lines added in this review never appear inside DESCRIPTION
-- strings, so the normative text of the module is unchanged.

IMPORTS
    MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF
    MODULE-IDENTITY, OBJECT-TYPE,
    snmpModules FROM SNMPv2-SMI
    TestAndIncr,
    RowStatus, StorageType FROM SNMPv2-TC
    SnmpAdminString,
    SnmpSecurityLevel,
    SnmpSecurityModel FROM SNMP-FRAMEWORK-MIB;

snmpVacmMIB MODULE-IDENTITY
    LAST-UPDATED "9901200000Z" -- 20 Jan 1999, midnight
    ORGANIZATION "SNMPv3 Working Group"
    CONTACT-INFO "WG-email: snmpv3@lists.tislabs.com
                  Subscribe: majordomo@lists.tislabs.com
                  In message body: subscribe snmpv3

                  Chair: Russ Mundy
                  Trusted Information Systems
                  postal: 3060 Washington Rd
                  Glenwood MD 21738
                  USA
                  email: mundy@tislabs.com
                  phone: +1-301-854-6889

                  Co-editor: Bert Wijnen
                  IBM T.J. Watson Research
                  postal: Schagen 33
                  3461 GL Linschoten
                  Netherlands
                  email: wijnen@vnet.ibm.com
                  phone: +31-348-432-794

                  Co-editor: Randy Presuhn
                  BMC Software, Inc
                  postal: 965 Stewart Drive
                  Sunnyvale, CA 94086
                  USA
                  email: randy_presuhn@bmc.com
                  phone: +1-408-616-3100

                  Co-editor: Keith McCloghrie
                  Cisco Systems, Inc.
                  postal: 170 West Tasman Drive
                  San Jose, CA 95134-1706
                  USA
                  email: kzm@cisco.com
                  phone: +1-408-526-5260
                 "
    DESCRIPTION "The management information definitions for the
                 View-based Access Control Model for SNMP.
                "
    -- Revision history
    REVISION "9901200000Z" -- 20 Jan 1999, midnight
    DESCRIPTION "Clarifications, published as RFC2575"

    REVISION "9711200000Z" -- 20 Nov 1997, midnight
    DESCRIPTION "Initial version, published as RFC2275"

    ::= { snmpModules 16 }

-- Administrative assignments ****************************************

vacmMIBObjects OBJECT IDENTIFIER ::= { snmpVacmMIB 1 }
vacmMIBConformance OBJECT IDENTIFIER ::= { snmpVacmMIB 2 }

-- Information about Local Contexts **********************************

-- Security note: this table is read-only (MAX-ACCESS of its only column is
-- read-only, and the DESCRIPTION says it cannot be configured via SNMP), so
-- it cannot be used to change policy.  It does, however, enumerate every
-- context name the engine knows, and the DESCRIPTION requires it to be
-- reachable via the default context.  Whether that enumeration is exposed
-- to a given principal is still governed by that principal's read view
-- for the default context, so keep this subtree out of untrusted read
-- views if context names are considered sensitive (they are not secrets
-- by design, but they help an attacker target vacmAccessTable entries).
vacmContextTable OBJECT-TYPE
    SYNTAX SEQUENCE OF VacmContextEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION "The table of locally available contexts.

                 This table provides information to SNMP Command
                 Generator applications so that they can properly
                 configure the vacmAccessTable to control access to
                 all contexts at the SNMP entity.

                 This table may change dynamically if the SNMP entity
                 allows that contexts are added/deleted dynamically
                 (for instance when its configuration changes). Such
                 changes would happen only if the management
                 instrumentation at that SNMP entity recognizes more
                 (or fewer) contexts.

                 The presence of entries in this table and of entries
                 in the vacmAccessTable are independent. That is, a
                 context identified by an entry in this table is not
                 necessarily referenced by any entries in the
                 vacmAccessTable; and the context(s) referenced by an
                 entry in the vacmAccessTable does not necessarily
                 currently exist and thus need not be identified by an
                 entry in this table.

                 This table must be made accessible via the default
                 context so that Command Responder applications have
                 a standard way of retrieving the information.

                 This table is read-only. It cannot be configured via
                 SNMP.
                "
    ::= { vacmMIBObjects 1 }

vacmContextEntry OBJECT-TYPE
    SYNTAX VacmContextEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION "Information about a particular context."
    INDEX {
        vacmContextName
    }
    ::= { vacmContextTable 1 }

VacmContextEntry ::= SEQUENCE
{
    vacmContextName SnmpAdminString
}

-- A zero-length vacmContextName is the default context.  Note that
-- vacmAccessContextPrefix below also allows SIZE(0), so an access entry
-- with an empty prefix refers to the default context when the match type
-- is 'exact', but to every context when the match type is 'prefix'.
vacmContextName OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(0..32))
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "A human readable name identifying a particular
                 context at a particular SNMP entity.

                 The empty contextName (zero length) represents the
                 default context.
                "
    ::= { vacmContextEntry 1 }

-- Information about Groups ******************************************

-- Security note: this table is the principal-to-group step of the policy.
-- Each row binds one (securityModel, securityName) pair to a groupName;
-- vacmSecurityModel may not be 'any' (see its DESCRIPTION), so every
-- mapping is explicit per model.  Note that vacmMIBCompliance below puts
-- no MIN-ACCESS refinement on vacmGroupName, vacmSecurityToGroupStorageType
-- or vacmSecurityToGroupStatus, so a compliant engine is expected to
-- support read-create on this table: remote re-mapping of a securityName
-- to a more privileged group is available wherever the write view permits.
vacmSecurityToGroupTable OBJECT-TYPE
    SYNTAX SEQUENCE OF VacmSecurityToGroupEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION "This table maps a combination of securityModel and
                 securityName into a groupName which is used to define
                 an access control policy for a group of principals.
                "
    ::= { vacmMIBObjects 2 }

vacmSecurityToGroupEntry OBJECT-TYPE
    SYNTAX VacmSecurityToGroupEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION "An entry in this table maps the combination of a
                 securityModel and securityName into a groupName.
                "
    INDEX {
        vacmSecurityModel,
        vacmSecurityName
    }
    ::= { vacmSecurityToGroupTable 1 }

VacmSecurityToGroupEntry ::= SEQUENCE
{
    vacmSecurityModel SnmpSecurityModel,
    vacmSecurityName SnmpAdminString,
    vacmGroupName SnmpAdminString,
    vacmSecurityToGroupStorageType StorageType,
    vacmSecurityToGroupStatus RowStatus
}

-- The range (1..2147483647) excludes the 'any' (0) value of
-- SnmpSecurityModel, as the DESCRIPTION restates; the wildcard model is
-- only permitted in vacmAccessSecurityModel.
vacmSecurityModel OBJECT-TYPE
    SYNTAX SnmpSecurityModel(1..2147483647)
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION "The Security Model, by which the vacmSecurityName
                 referenced by this entry is provided.

                 Note, this object may not take the 'any' (0) value.
                "
    ::= { vacmSecurityToGroupEntry 1 }

-- Security note: the securityName is only as trustworthy as the security
-- model that produced it.  Whether it was authenticated is carried
-- separately as the securityLevel and is checked in vacmAccessTable, not
-- here (see the noAuthNoPriv remark in the vacmAccessTable DESCRIPTION).
vacmSecurityName OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(1..32))
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION "The securityName for the principal, represented in a
                 Security Model independent format, which is mapped by
                 this entry to a groupName.
                "
    ::= { vacmSecurityToGroupEntry 2 }

vacmGroupName OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(1..32))
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION "The name of the group to which this entry (e.g., the
                 combination of securityModel and securityName)
                 belongs.

                 This groupName is used as index into the
                 vacmAccessTable to select an access control policy.
                 However, a value in this table does not imply that an
                 instance with the value exists in table vacmAccesTable.
                "
    -- 'vacmAccesTable' in the published text above is a typo; the table
    -- meant is vacmAccessTable, defined later in this module.  A groupName
    -- with no matching vacmAccessTable entry simply gets no access.
    ::= { vacmSecurityToGroupEntry 3 }

-- StorageType 'permanent' rows need not be writable (see DESCRIPTION);
-- a practitioner may use that to pin baseline mappings that must survive
-- remote reconfiguration.  DEFVAL nonVolatile means rows created via SNMP
-- are expected to persist across restarts by default.
vacmSecurityToGroupStorageType OBJECT-TYPE
    SYNTAX StorageType
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION "The storage type for this conceptual row.
                 Conceptual rows having the value 'permanent' need not
                 allow write-access to any columnar objects in the row.
                "
    DEFVAL { nonVolatile }
    ::= { vacmSecurityToGroupEntry 4 }

-- Security note: per the DESCRIPTION, the row status does not gate writes
-- to the other columns, so an 'active' mapping can have its vacmGroupName
-- changed in place without first being taken out of service.  Auditing
-- should therefore watch writes to vacmGroupName, not only row creation.
vacmSecurityToGroupStatus OBJECT-TYPE
    SYNTAX RowStatus
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION "The status of this conceptual row.

                 Until instances of all corresponding columns are
                 appropriately configured, the value of the
                 corresponding instance of the vacmSecurityToGroupStatus
                 column is 'notReady'.

                 In particular, a newly created row cannot be made
                 active until a value has been set for vacmGroupName.

                 The RowStatus TC [RFC2579] requires that this
                 DESCRIPTION clause states under which circumstances
                 other objects in this row can be modified:

                 The value of this object has no effect on whether
                 other objects in this conceptual row can be modified.
                "
    ::= { vacmSecurityToGroupEntry 5 }

-- Information about Access Rights ***********************************

-- Security notes on the entry-selection algorithm in the DESCRIPTION:
--
-- * Step 1 keeps every entry whose vacmAccessSecurityLevel is less than
--   or equal to the requested level.  An entry indexed with noAuthNoPriv
--   is therefore a candidate for authNoPriv and authPriv requests too;
--   step 2d then picks the highest-level candidate, so a request only
--   gets the views of the most demanding entry it satisfies.
--
-- * The closing paragraph of the DESCRIPTION is the important one: at
--   noAuthNoPriv the securityName is unauthenticated, so any entry with
--   vacmAccessSecurityLevel noAuthNoPriv grants its views to whoever
--   claims that securityName under that model.  Treat such entries as
--   anonymous access and keep their views minimal (or do not create them).
--
-- * vacmAccessSecurityModel may be 'any'.  A model-specific entry wins
--   over an 'any' entry (step 2a), but an 'any' entry alone applies to
--   every security model the engine accepts, including ones whose
--   securityName assurance is weaker; prefer model-specific entries.
--
-- * With vacmAccessContextMatch 'prefix', a zero-length
--   vacmAccessContextPrefix matches every contextName.  Exact-match and
--   longer-prefix entries take precedence (steps 2b, 2c), but an
--   empty-prefix wildcard entry is the fallback for any context not
--   covered more specifically.
vacmAccessTable OBJECT-TYPE
    SYNTAX SEQUENCE OF VacmAccessEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION "The table of access rights for groups.

                 Each entry is indexed by a groupName, a contextPrefix,
                 a securityModel and a securityLevel. To determine
                 whether access is allowed, one entry from this table
                 needs to be selected and the proper viewName from that
                 entry must be used for access control checking.

                 To select the proper entry, follow these steps:

                 1) the set of possible matches is formed by the
                    intersection of the following sets of entries:
                      the set of entries with identical vacmGroupName
                      the union of these two sets:
                        - the set with identical vacmAccessContextPrefix
                        - the set of entries with vacmAccessContextMatch
                          value of 'prefix' and matching
                          vacmAccessContextPrefix
                      intersected with the union of these two sets:
                        - the set of entries with identical
                          vacmSecurityModel
                        - the set of entries with vacmSecurityModel
                          value of 'any'
                      intersected with the set of entries with
                      vacmAccessSecurityLevel value less than or equal
                      to the requested securityLevel

                 2) if this set has only one member, we're done
                    otherwise, it comes down to deciding how to weight
                    the preferences between ContextPrefixes,
                    SecurityModels, and SecurityLevels as follows:
                    a) if the subset of entries with securityModel
                       matching the securityModel in the message is
                       not empty, then discard the rest.
                    b) if the subset of entries with
                       vacmAccessContextPrefix matching the contextName
                       in the message is not empty,
                       then discard the rest
                    c) discard all entries with ContextPrefixes shorter
                       than the longest one remaining in the set
                    d) select the entry with the highest securityLevel

                 Please note that for securityLevel noAuthNoPriv, all
                 groups are really equivalent since the assumption that
                 the securityName has been authenticated does not hold.
                "
    ::= { vacmMIBObjects 4 }

vacmAccessEntry OBJECT-TYPE
    SYNTAX VacmAccessEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION "An access right configured in the Local Configuration
                 Datastore (LCD) authorizing access to an SNMP context.

                 Entries in this table can use an instance value for
                 object vacmGroupName even if no entry in table
                 vacmAccessSecurityToGroupTable has a corresponding
                 value for object vacmGroupName.
                "
    -- 'vacmAccessSecurityToGroupTable' in the published text above is a
    -- typo; the table meant is vacmSecurityToGroupTable, defined earlier
    -- in this module.  Access entries for a groupName that no principal
    -- maps to are dormant until such a mapping is created, which is one
    -- more reason to audit writes to vacmGroupName.
    INDEX { vacmGroupName,
            vacmAccessContextPrefix,
            vacmAccessSecurityModel,
            vacmAccessSecurityLevel
    }
    ::= { vacmAccessTable 1 }

VacmAccessEntry ::= SEQUENCE
{
    vacmAccessContextPrefix SnmpAdminString,
    vacmAccessSecurityModel SnmpSecurityModel,
    vacmAccessSecurityLevel SnmpSecurityLevel,
    vacmAccessContextMatch INTEGER,
    vacmAccessReadViewName SnmpAdminString,
    vacmAccessWriteViewName SnmpAdminString,
    vacmAccessNotifyViewName SnmpAdminString,
    vacmAccessStorageType StorageType,
    vacmAccessStatus RowStatus
}

-- SIZE(0..32): an empty prefix is legal.  Combined with
-- vacmAccessContextMatch 'prefix' it matches all contexts (see the notes
-- on vacmAccessTable above).
vacmAccessContextPrefix OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(0..32))
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION "In order to gain the access rights allowed by this
                 conceptual row, a contextName must match exactly
                 (if the value of vacmAccessContextMatch is 'exact')
                 or partially (if the value of vacmAccessContextMatch
                 is 'prefix') to the value of the instance of this
                 object.
                "
    ::= { vacmAccessEntry 1 }

-- Unlike vacmSecurityModel, this index has no range restriction and so
-- may take the 'any' (0) value of SnmpSecurityModel (the vacmAccessTable
-- DESCRIPTION relies on that in step 1).
vacmAccessSecurityModel OBJECT-TYPE
    SYNTAX SnmpSecurityModel
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION "In order to gain the access rights allowed by this
                 conceptual row, this securityModel must be in use.
                "
    ::= { vacmAccessEntry 2 }

-- This is a MINIMUM level: the entry applies to any request at this
-- level or a stronger one.  Entries for different contexts or models
-- should not rely on a lower-level entry being shadowed unless a
-- higher-level entry with the same other index values actually exists.
vacmAccessSecurityLevel OBJECT-TYPE
    SYNTAX SnmpSecurityLevel
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION "The minimum level of security required in order to
                 gain the access rights allowed by this conceptual
                 row. A securityLevel of noAuthNoPriv is less than
                 authNoPriv which in turn is less than authPriv.

                 If multiple entries are equally indexed except for
                 this vacmAccessSecurityLevel index, then the entry
                 which has the highest value for
                 vacmAccessSecurityLevel is selected.
                "
    ::= { vacmAccessEntry 3 }

-- DEFVAL exact: a row created without setting this object does not
-- wildcard.  Be deliberate about setting prefix(2); it is the only
-- wildcard mechanism in this table and widens the row to every context
-- whose name begins with vacmAccessContextPrefix.
vacmAccessContextMatch OBJECT-TYPE
    SYNTAX INTEGER
        { exact (1), -- exact match of prefix and contextName
          prefix (2) -- Only match to the prefix
        }
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION "If the value of this object is exact(1), then all
                 rows where the contextName exactly matches
                 vacmAccessContextPrefix are selected.

                 If the value of this object is prefix(2), then all
                 rows where the contextName whose starting octets
                 exactly match vacmAccessContextPrefix are selected.
                 This allows for a simple form of wildcarding.
                "
    DEFVAL { exact }
    ::= { vacmAccessEntry 4 }

-- Fail-closed by design: the empty-string default, and a name that does
-- not resolve to an ACTIVE view in vacmViewTreeFamilyTable, both mean
-- "no access".  Views are resolved by name at check time, so deleting
-- or renaming a view revokes access rather than opening it up.
vacmAccessReadViewName OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(0..32))
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION "The value of an instance of this object identifies
                 the MIB view of the SNMP context to which this
                 conceptual row authorizes read access.

                 The identified MIB view is that one for which the
                 vacmViewTreeFamilyViewName has the same value as the
                 instance of this object; if the value is the empty
                 string or if there is no active MIB view having this
                 value of vacmViewTreeFamilyViewName, then no access
                 is granted.
                "
    DEFVAL { ''H } -- the empty string
    ::= { vacmAccessEntry 5 }

-- Same fail-closed semantics as vacmAccessReadViewName.  This is the
-- object that decides whether a group can Set anything, including this
-- module's own tables; it should name a view that excludes
-- { snmpModules 16 } for every non-administrative group.
vacmAccessWriteViewName OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(0..32))
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION "The value of an instance of this object identifies
                 the MIB view of the SNMP context to which this
                 conceptual row authorizes write access.

                 The identified MIB view is that one for which the
                 vacmViewTreeFamilyViewName has the same value as the
                 instance of this object; if the value is the empty
                 string or if there is no active MIB view having this
                 value of vacmViewTreeFamilyViewName, then no access
                 is granted.
                "
    DEFVAL { ''H } -- the empty string
    ::= { vacmAccessEntry 6 }

-- Same fail-closed semantics as vacmAccessReadViewName, applied to the
-- objects a notification may carry to this group's principals.
vacmAccessNotifyViewName OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(0..32))
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION "The value of an instance of this object identifies
                 the MIB view of the SNMP context to which this
                 conceptual row authorizes access for notifications.

                 The identified MIB view is that one for which the
                 vacmViewTreeFamilyViewName has the same value as the
                 instance of this object; if the value is the empty
                 string or if there is no active MIB view having this
                 value of vacmViewTreeFamilyViewName, then no access
                 is granted.
                "
    DEFVAL { ''H } -- the empty string
    ::= { vacmAccessEntry 7 }

vacmAccessStorageType OBJECT-TYPE
    SYNTAX StorageType
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION "The storage type for this conceptual row.

                 Conceptual rows having the value 'permanent' need not
                 allow write-access to any columnar objects in the row.
                "
    DEFVAL { nonVolatile }
    ::= { vacmAccessEntry 8 }

-- As with vacmSecurityToGroupStatus, the row status does not gate writes
-- to the other columns: the view names of an 'active' access entry can
-- be changed in place.  Audit writes to the *ViewName columns directly.
vacmAccessStatus OBJECT-TYPE
    SYNTAX RowStatus
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION "The status of this conceptual row.

                 The RowStatus TC [RFC2579] requires that this
                 DESCRIPTION clause states under which circumstances
                 other objects in this row can be modified:

                 The value of this object has no effect on whether
                 other objects in this conceptual row can be modified.
                "
    ::= { vacmAccessEntry 9 }

-- Information about MIB views ***************************************

-- Support for instance-level granularity is optional.
--
-- In some implementations, instance-level access control
-- granularity may come at a high performance cost. Managers
-- should avoid requesting such configurations unnecessarily.

vacmMIBViews OBJECT IDENTIFIER ::= { vacmMIBObjects 5 }

-- Security note: this is an ADVISORY lock (its DESCRIPTION says use is
-- not enforced).  It protects cooperating managers from racing each
-- other; it is not an access control and must not be relied on to stop
-- a hostile writer.  It is read-write, so it is itself subject to the
-- write view.
vacmViewSpinLock OBJECT-TYPE
    SYNTAX TestAndIncr
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION "An advisory lock used to allow cooperating SNMP
                 Command Generator applications to coordinate their
                 use of the Set operation in creating or modifying
                 views.

                 When creating a new view or altering an existing
                 view, it is important to understand the potential
                 interactions with other uses of the view. The
                 vacmViewSpinLock should be retrieved. The name of
                 the view to be created should be determined to be
                 unique by the SNMP Command Generator application by
                 consulting the vacmViewTreeFamilyTable. Finally,
                 the named view may be created (Set), including the
                 advisory lock.
                 If another SNMP Command Generator application has
                 altered the views in the meantime, then the spin
                 lock's value will have changed, and so this creation
                 will fail because it will specify the wrong value for
                 the spin lock.

                 Since this is an advisory lock, the use of this lock
                 is not enforced.
                "
    ::= { vacmMIBViews 1 }

-- Security notes on view evaluation (see the DESCRIPTION):
--
-- * A view with no rows is the empty set, i.e. no access (fail-closed).
--
-- * Among matching rows the one with the most sub-identifiers wins.  On
--   a tie (possible only with mask wildcards) the rule is "the
--   lexicographically greatest instance of vacmViewTreeFamilyType", which
--   reads as an ordering on the row's instance identifier (its index),
--   not a rule that 'excluded' beats 'included'.  NOTE(review): confirm
--   how the deployed engine resolves such ties before relying on an
--   'excluded' row to override an equally specific 'included' one.
--
-- * The creation/deletion ordering advice is a security ordering: while
--   an 'included' row exists without its intended 'excluded' rows, the
--   view is broader than intended and access checks already use it
--   (checks consult active rows at request time).  Create 'excluded'
--   rows first and delete 'included' rows first, as the text says.
--
-- * Mask bits of 0 are wildcards.  A wildcarded family can cover far more
--   of the OID space than the subtree value suggests; review masks with
--   the same care as the subtree itself.
vacmViewTreeFamilyTable OBJECT-TYPE
    SYNTAX SEQUENCE OF VacmViewTreeFamilyEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION "Locally held information about families of subtrees
                 within MIB views.

                 Each MIB view is defined by two sets of view subtrees:
                   - the included view subtrees, and
                   - the excluded view subtrees.
                 Every such view subtree, both the included and the
                 excluded ones, is defined in this table.

                 To determine if a particular object instance is in
                 a particular MIB view, compare the object instance's
                 OBJECT IDENTIFIER with each of the MIB view's active
                 entries in this table. If none match, then the
                 object instance is not in the MIB view. If one or
                 more match, then the object instance is included in,
                 or excluded from, the MIB view according to the
                 value of vacmViewTreeFamilyType in the entry whose
                 value of vacmViewTreeFamilySubtree has the most
                 sub-identifiers. If multiple entries match and have
                 the same number of sub-identifiers (when wildcarding
                 is specified with the value of vacmViewTreeFamilyMask),
                 then the lexicographically greatest instance of
                 vacmViewTreeFamilyType determines the inclusion or
                 exclusion.

                 An object instance's OBJECT IDENTIFIER X matches an
                 active entry in this table when the number of
                 sub-identifiers in X is at least as many as in the
                 value of vacmViewTreeFamilySubtree for the entry,
                 and each sub-identifier in the value of
                 vacmViewTreeFamilySubtree matches its corresponding
                 sub-identifier in X. Two sub-identifiers match
                 either if the corresponding bit of the value of
                 vacmViewTreeFamilyMask for the entry is zero (the
                 'wild card' value), or if they are equal.

                 A 'family' of subtrees is the set of subtrees defined
                 by a particular combination of values of
                 vacmViewTreeFamilySubtree and vacmViewTreeFamilyMask.
                 In the case where no 'wild card' is defined in the
                 vacmViewTreeFamilyMask, the family of subtrees reduces
                 to a single subtree.

                 When creating or changing MIB views, an SNMP Command
                 Generator application should utilize the
                 vacmViewSpinLock to try to avoid collisions. See
                 DESCRIPTION clause of vacmViewSpinLock.

                 When creating MIB views, it is strongly advised that
                 first the 'excluded' vacmViewTreeFamilyEntries are
                 created and then the 'included' entries.

                 When deleting MIB views, it is strongly advised that
                 first the 'included' vacmViewTreeFamilyEntries are
                 deleted and then the 'excluded' entries.

                 If a create for an entry for instance-level access
                 control is received and the implementation does not
                 support instance-level granularity, then an
                 inconsistentName error must be returned.
                "
    ::= { vacmMIBViews 2 }

vacmViewTreeFamilyEntry OBJECT-TYPE
    SYNTAX VacmViewTreeFamilyEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION "Information on a particular family of view subtrees
                 included in or excluded from a particular SNMP
                 context's MIB view.

                 Implementations must not restrict the number of
                 families of view subtrees for a given MIB view,
                 except as dictated by resource constraints on the
                 overall number of entries in the
                 vacmViewTreeFamilyTable.

                 If no conceptual rows exist in this table for a given
                 MIB view (viewName), that view may be thought of as
                 consisting of the empty set of view subtrees.
                "
    INDEX { vacmViewTreeFamilyViewName,
            vacmViewTreeFamilySubtree
    }
    ::= { vacmViewTreeFamilyTable 1 }

VacmViewTreeFamilyEntry ::= SEQUENCE
{
    vacmViewTreeFamilyViewName SnmpAdminString,
    vacmViewTreeFamilySubtree OBJECT IDENTIFIER,
    vacmViewTreeFamilyMask OCTET STRING,
    vacmViewTreeFamilyType INTEGER,
    vacmViewTreeFamilyStorageType StorageType,
    vacmViewTreeFamilyStatus RowStatus
}

-- Views are referenced by this name from the three *ViewName columns of
-- vacmAccessTable.  Because the mask is not part of the index, two
-- families with the same subtree but different masks cannot coexist in
-- one view.
vacmViewTreeFamilyViewName OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(1..32))
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION "The human readable name for a family of view subtrees.
                "
    ::= { vacmViewTreeFamilyEntry 1 }

vacmViewTreeFamilySubtree OBJECT-TYPE
    SYNTAX OBJECT IDENTIFIER
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION "The MIB subtree which when combined with the
                 corresponding instance of vacmViewTreeFamilyMask
                 defines a family of view subtrees.
                "
    ::= { vacmViewTreeFamilyEntry 2 }

-- Security note: a '0' bit is a wildcard for the corresponding
-- sub-identifier; the mask is extended with '1' bits beyond its own
-- length, so the empty default (DEFVAL ''H) means "no wildcards".  The
-- DESCRIPTION allows engines not to support non-empty masks at all, and
-- vacmMIBCompliance matches that with WRITE-SYNTAX SIZE (0).  Where masks
-- are supported, a sloppy mask can silently turn a narrow subtree into a
-- family spanning unrelated parts of the tree.
vacmViewTreeFamilyMask OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE (0..16))
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION "The bit mask which, in combination with the
                 corresponding instance of vacmViewTreeFamilySubtree,
                 defines a family of view subtrees.

                 Each bit of this bit mask corresponds to a
                 sub-identifier of vacmViewTreeFamilySubtree, with the
                 most significant bit of the i-th octet of this octet
                 string value (extended if necessary, see below)
                 corresponding to the (8*i - 7)-th sub-identifier, and
                 the least significant bit of the i-th octet of this
                 octet string corresponding to the (8*i)-th
                 sub-identifier, where i is in the range 1 through 16.

                 Each bit of this bit mask specifies whether or not
                 the corresponding sub-identifiers must match when
                 determining if an OBJECT IDENTIFIER is in this
                 family of view subtrees; a '1' indicates that an
                 exact match must occur; a '0' indicates 'wild card',
                 i.e., any sub-identifier value matches.

                 Thus, the OBJECT IDENTIFIER X of an object instance
                 is contained in a family of view subtrees if, for
                 each sub-identifier of the value of
                 vacmViewTreeFamilySubtree, either:

                   the i-th bit of vacmViewTreeFamilyMask is 0, or

                   the i-th sub-identifier of X is equal to the i-th
                   sub-identifier of the value of
                   vacmViewTreeFamilySubtree.

                 If the value of this bit mask is M bits long and
                 there are more than M sub-identifiers in the
                 corresponding instance of vacmViewTreeFamilySubtree,
                 then the bit mask is extended with 1's to be the
                 required length.

                 Note that when the value of this object is the
                 zero-length string, this extension rule results in
                 a mask of all-1's being used (i.e., no 'wild card'),
                 and the family of view subtrees is the one view
                 subtree uniquely identified by the corresponding
                 instance of vacmViewTreeFamilySubtree.

                 Note that masks of length greater than zero length
                 do not need to be supported. In this case this
                 object is made read-only.
                "
    DEFVAL { ''H }
    ::= { vacmViewTreeFamilyEntry 3 }

-- DEFVAL included: a row created without setting this object GRANTS
-- visibility of its family.  When building a view that is meant to carve
-- exceptions out of a larger subtree, set excluded(2) explicitly and, per
-- the vacmViewTreeFamilyTable DESCRIPTION, create those rows first.
vacmViewTreeFamilyType OBJECT-TYPE
    SYNTAX INTEGER { included(1), excluded(2) }
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION "Indicates whether the corresponding instances of
                 vacmViewTreeFamilySubtree and vacmViewTreeFamilyMask
                 define a family of view subtrees which is included in
                 or excluded from the MIB view.
                "
    DEFVAL { included }
    ::= { vacmViewTreeFamilyEntry 4 }

vacmViewTreeFamilyStorageType OBJECT-TYPE
    SYNTAX StorageType
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION "The storage type for this conceptual row.

                 Conceptual rows having the value 'permanent' need not
                 allow write-access to any columnar objects in the row.
                "
    DEFVAL { nonVolatile }
    ::= { vacmViewTreeFamilyEntry 5 }

-- As with the other two tables, row status does not gate writes to the
-- other columns; an active family can be flipped between included and
-- excluded, or have its mask changed, in place.
vacmViewTreeFamilyStatus OBJECT-TYPE
    SYNTAX RowStatus
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION "The status of this conceptual row.

                 The RowStatus TC [RFC2579] requires that this
                 DESCRIPTION clause states under which circumstances
                 other objects in this row can be modified:

                 The value of this object has no effect on whether
                 other objects in this conceptual row can be modified.
                "
    ::= { vacmViewTreeFamilyEntry 6 }

-- Conformance information *******************************************

vacmMIBCompliances OBJECT IDENTIFIER ::= { vacmMIBConformance 1 }
vacmMIBGroups OBJECT IDENTIFIER ::= { vacmMIBConformance 2 }

-- Compliance statements *********************************************

-- Security note: the MIN-ACCESS refinements below let a compliant engine
-- expose vacmAccessTable and vacmViewTreeFamilyTable as read-only, and
-- restrict vacmViewTreeFamilyMask writes to the empty mask.  That is a
-- legitimate hardening posture (policy is then only changeable out of
-- band).  No such refinement exists for vacmGroupName,
-- vacmSecurityToGroupStorageType or vacmSecurityToGroupStatus, so the
-- principal-to-group mapping remains read-create on a compliant engine;
-- an engine that is read-only for the other tables may still allow a
-- sufficiently privileged writer to move a securityName into a group
-- that already has a permissive access entry.  vacmViewSpinLock likewise
-- keeps read-write.
vacmMIBCompliance MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION "The compliance statement for SNMP engines which
                 implement the SNMP View-based Access Control Model
                 configuration MIB.
                "
    MODULE -- this module
        MANDATORY-GROUPS { vacmBasicGroup }

        OBJECT vacmAccessContextMatch
        MIN-ACCESS read-only
        DESCRIPTION "Write access is not required."

        OBJECT vacmAccessReadViewName
        MIN-ACCESS read-only
        DESCRIPTION "Write access is not required."

        OBJECT vacmAccessWriteViewName
        MIN-ACCESS read-only
        DESCRIPTION "Write access is not required."

        OBJECT vacmAccessNotifyViewName
        MIN-ACCESS read-only
        DESCRIPTION "Write access is not required."

        OBJECT vacmAccessStorageType
        MIN-ACCESS read-only
        DESCRIPTION "Write access is not required."

        OBJECT vacmAccessStatus
        MIN-ACCESS read-only
        DESCRIPTION "Create/delete/modify access to the
                     vacmAccessTable is not required.
                    "

        OBJECT vacmViewTreeFamilyMask
        WRITE-SYNTAX OCTET STRING (SIZE (0))
        MIN-ACCESS read-only
        DESCRIPTION "Support for configuration via SNMP of subtree
                     families using wild-cards is not required.
                    "

        OBJECT vacmViewTreeFamilyType
        MIN-ACCESS read-only
        DESCRIPTION "Write access is not required."

        OBJECT vacmViewTreeFamilyStorageType
        MIN-ACCESS read-only
        DESCRIPTION "Write access is not required."

        OBJECT vacmViewTreeFamilyStatus
        MIN-ACCESS read-only
        DESCRIPTION "Create/delete/modify access to the
                     vacmViewTreeFamilyTable is not required.
                    "
    ::= { vacmMIBCompliances 1 }

-- Units of conformance **********************************************

-- All accessible objects of this module are in this single mandatory
-- group, so an engine cannot claim compliance while omitting any table.
vacmBasicGroup OBJECT-GROUP
    OBJECTS {
        vacmContextName,
        vacmGroupName,
        vacmSecurityToGroupStorageType,
        vacmSecurityToGroupStatus,
        vacmAccessContextMatch,
        vacmAccessReadViewName,
        vacmAccessWriteViewName,
        vacmAccessNotifyViewName,
        vacmAccessStorageType,
        vacmAccessStatus,
        vacmViewSpinLock,
        vacmViewTreeFamilyMask,
        vacmViewTreeFamilyType,
        vacmViewTreeFamilyStorageType,
        vacmViewTreeFamilyStatus
    }
    STATUS current
    DESCRIPTION "A collection of objects providing for remote
                 configuration of an SNMP engine which implements
                 the SNMP View-based Access Control Model.
                "
    ::= { vacmMIBGroups 1 }

END