SNMP-VIEW-BASED-ACM-MIB DEFINITIONS ::= BEGIN

IMPORTS

MODULE-COMPLIANCE, OBJECT-GROUP       FROM SNMPv2-CONF
MODULE-IDENTITY, OBJECT-TYPE,
snmpModules                           FROM SNMPv2-SMI
TestAndIncr,
RowStatus, StorageType                FROM SNMPv2-TC
SnmpAdminString,
SnmpSecurityLevel,
SnmpSecurityModel                     FROM SNMP-FRAMEWORK-MIB;

snmpVacmMIB MODULE-IDENTITY

LAST-UPDATED "200210160000Z"          -- 16 Oct 2002, midnight
ORGANIZATION "SNMPv3 Working Group"
CONTACT-INFO "WG-email:   snmpv3@lists.tislabs.com
              Subscribe:  majordomo@lists.tislabs.com
                          In message body:  subscribe snmpv3

              Co-Chair:   Russ Mundy
                          Network Associates Laboratories
              postal:     15204 Omega Drive, Suite 300
                          Rockville, MD 20850-4601
                          USA
              email:      mundy@tislabs.com
              phone:      +1 301-947-7107

              Co-Chair:   David Harrington
                          Enterasys Networks
              Postal:     35 Industrial Way
                          P. O. Box 5004
                          Rochester, New Hampshire 03866-5005
                          USA
              EMail:      dbh@enterasys.com
              Phone:      +1 603-337-2614

              Co-editor:  Bert Wijnen
                          Lucent Technologies
              postal:     Schagen 33
                          3461 GL Linschoten
                          Netherlands
              email:      bwijnen@lucent.com
              phone:      +31-348-480-685

              Co-editor:  Randy Presuhn
                          BMC Software, Inc.

              postal:     2141 North First Street
                          San Jose, CA 95131
                          USA
              email:      randy_presuhn@bmc.com
              phone:      +1 408-546-1006

              Co-editor:  Keith McCloghrie
                          Cisco Systems, Inc.
              postal:     170 West Tasman Drive
                          San Jose, CA  95134-1706
                          USA
              email:      kzm@cisco.com
              phone:      +1-408-526-5260
             "
DESCRIPTION  "The management information definitions for the
              View-based Access Control Model for SNMP.

              Copyright (C) The Internet Society (2002). This
              version of this MIB module is part of RFC 3415;
              see the RFC itself for full legal notices.
             "

-- Revision history

REVISION     "200210160000Z"          -- 16 Oct 2002, midnight
DESCRIPTION  "Clarifications, published as RFC3415"

REVISION     "199901200000Z"          -- 20 Jan 1999, midnight
DESCRIPTION  "Clarifications, published as RFC2575"

REVISION     "199711200000Z"          -- 20 Nov 1997, midnight
DESCRIPTION  "Initial version, published as RFC2275"
::= { snmpModules 16 }

-- Administrative assignments ****************************************

vacmMIBObjects OBJECT IDENTIFIER ::= { snmpVacmMIB 1 }
vacmMIBConformance OBJECT IDENTIFIER ::= { snmpVacmMIB 2 }

-- Information about Local Contexts **********************************

-- Read-only inventory of the contexts known at this SNMP entity.  Being
-- listed here grants nothing by itself; access is decided solely by the
-- rows of vacmAccessTable, which need not reference any context listed here.
vacmContextTable OBJECT-TYPE

SYNTAX       SEQUENCE OF VacmContextEntry
MAX-ACCESS   not-accessible
STATUS       current
DESCRIPTION "The table of locally available contexts.

             This table provides information to SNMP Command

             Generator applications so that they can properly
             configure the vacmAccessTable to control access to
             all contexts at the SNMP entity.

             This table may change dynamically if the SNMP entity
             allows that contexts are added/deleted dynamically
             (for instance when its configuration changes).  Such
             changes would happen only if the management
             instrumentation at that SNMP entity recognizes more
             (or fewer) contexts.

             The presence of entries in this table and of entries
             in the vacmAccessTable are independent.  That is, a
             context identified by an entry in this table is not
             necessarily referenced by any entries in the
             vacmAccessTable; and the context(s) referenced by an
             entry in the vacmAccessTable does not necessarily
             currently exist and thus need not be identified by an
             entry in this table.

             This table must be made accessible via the default
             context so that Command Responder applications have
             a standard way of retrieving the information.

             This table is read-only.  It cannot be configured via
             SNMP.
            "
::= { vacmMIBObjects 1 }

-- One row of vacmContextTable, indexed only by the context name.
vacmContextEntry OBJECT-TYPE

SYNTAX       VacmContextEntry
MAX-ACCESS   not-accessible
STATUS       current
DESCRIPTION "Information about a particular context."
INDEX       {
              vacmContextName
            }
::= { vacmContextTable 1 }

-- Row layout of vacmContextTable: a single column, the context name.
VacmContextEntry ::= SEQUENCE

{
    vacmContextName SnmpAdminString
}

-- Sole column and index of vacmContextTable.  SIZE(0..32) admits the
-- zero-length value, which denotes the default context.
vacmContextName OBJECT-TYPE

SYNTAX       SnmpAdminString (SIZE(0..32))
MAX-ACCESS   read-only
STATUS       current
DESCRIPTION "A human readable name identifying a particular
             context at a particular SNMP entity.

             The empty contextName (zero length) represents the
             default context.
            "
::= { vacmContextEntry 1 }

-- Information about Groups ******************************************

-- VACM step 1: the pair (securityModel, securityName) is mapped to a
-- groupName, which is then looked up in vacmAccessTable.  As the
-- vacmAccessTable DESCRIPTION notes, at securityLevel noAuthNoPriv the
-- securityName has not been authenticated, so a group reached at that
-- level gives no assurance about who the requester is.
vacmSecurityToGroupTable OBJECT-TYPE

SYNTAX       SEQUENCE OF VacmSecurityToGroupEntry
MAX-ACCESS   not-accessible
STATUS       current
DESCRIPTION "This table maps a combination of securityModel and
             securityName into a groupName which is used to define
             an access control policy for a group of principals.
            "
::= { vacmMIBObjects 2 }

-- One mapping row, indexed by (vacmSecurityModel, vacmSecurityName).
vacmSecurityToGroupEntry OBJECT-TYPE

SYNTAX       VacmSecurityToGroupEntry
MAX-ACCESS   not-accessible
STATUS       current
DESCRIPTION "An entry in this table maps the combination of a
             securityModel and securityName into a groupName.
            "
INDEX       {
              vacmSecurityModel,
              vacmSecurityName
            }
::= { vacmSecurityToGroupTable 1 }

-- Row layout of vacmSecurityToGroupTable: two index columns, the group
-- name, and the usual StorageType / RowStatus control columns.
VacmSecurityToGroupEntry ::= SEQUENCE

{
    vacmSecurityModel               SnmpSecurityModel,
    vacmSecurityName                SnmpAdminString,
    vacmGroupName                   SnmpAdminString,
    vacmSecurityToGroupStorageType  StorageType,
    vacmSecurityToGroupStatus       RowStatus
}

-- Index column.  The SYNTAX range starts at 1, so the 'any' (0) value is
-- excluded here; compare vacmAccessSecurityModel, which does allow it.
vacmSecurityModel OBJECT-TYPE

SYNTAX       SnmpSecurityModel(1..2147483647)
MAX-ACCESS   not-accessible
STATUS       current
DESCRIPTION "The Security Model, by which the vacmSecurityName
             referenced by this entry is provided.

             Note, this object may not take the 'any' (0) value.
            "
::= { vacmSecurityToGroupEntry 1 }

-- Index column.  SIZE(1..32) rules out an empty securityName.
vacmSecurityName OBJECT-TYPE

SYNTAX       SnmpAdminString (SIZE(1..32))
MAX-ACCESS   not-accessible
STATUS       current
DESCRIPTION "The securityName for the principal, represented in a
             Security Model independent format, which is mapped by
             this entry to a groupName.
            "
::= { vacmSecurityToGroupEntry 2 }

-- The only data column of the mapping row.  It is read-create, so it can
-- be changed over SNMP (subject to the row's StorageType), which moves the
-- principal to a different access policy.  'vacmAccesTable' in the
-- DESCRIPTION below is a misspelling of vacmAccessTable.
vacmGroupName OBJECT-TYPE

SYNTAX       SnmpAdminString (SIZE(1..32))
MAX-ACCESS   read-create
STATUS       current
DESCRIPTION "The name of the group to which this entry (e.g., the
             combination of securityModel and securityName)
             belongs.

             This groupName is used as index into the
             vacmAccessTable to select an access control policy.
             However, a value in this table does not imply that an
             instance with the value exists in table vacmAccesTable.
            "
::= { vacmSecurityToGroupEntry 3 }

-- Persistence of the mapping row; defaults to nonVolatile.  Rows marked
-- 'permanent' may refuse writes to their columns.
vacmSecurityToGroupStorageType OBJECT-TYPE

SYNTAX       StorageType
MAX-ACCESS   read-create
STATUS       current
DESCRIPTION "The storage type for this conceptual row.
             Conceptual rows having the value 'permanent' need not
             allow write-access to any columnar objects in the row.
            "
DEFVAL      { nonVolatile }
::= { vacmSecurityToGroupEntry 4 }

-- Row control column.  A new row remains 'notReady' until vacmGroupName
-- has been set, so a mapping cannot become active without a target group.
vacmSecurityToGroupStatus OBJECT-TYPE

SYNTAX       RowStatus
MAX-ACCESS   read-create
STATUS       current
DESCRIPTION "The status of this conceptual row.

             Until instances of all corresponding columns are
             appropriately configured, the value of the

             corresponding instance of the vacmSecurityToGroupStatus
             column is 'notReady'.

             In particular, a newly created row cannot be made
             active until a value has been set for vacmGroupName.

             The  RowStatus TC [RFC2579] requires that this
             DESCRIPTION clause states under which circumstances
             other objects in this row can be modified:

             The value of this object has no effect on whether
             other objects in this conceptual row can be modified.
            "
::= { vacmSecurityToGroupEntry 5 }

-- Information about Access Rights ***********************************

-- VACM step 2: (groupName, contextPrefix, securityModel, securityLevel)
-- selects one row, whose view names are then used for the access check.
-- Per step 1 below, a row with vacmAccessSecurityModel 'any' and
-- vacmAccessSecurityLevel noAuthNoPriv (the lowest level) is a candidate
-- for every request of its group, so such rows deserve particular
-- attention when reviewing a configuration.
vacmAccessTable OBJECT-TYPE

SYNTAX       SEQUENCE OF VacmAccessEntry
MAX-ACCESS   not-accessible
STATUS       current
DESCRIPTION "The table of access rights for groups.

             Each entry is indexed by a groupName, a contextPrefix,
             a securityModel and a securityLevel.  To determine
             whether access is allowed, one entry from this table
             needs to be selected and the proper viewName from that
             entry must be used for access control checking.

             To select the proper entry, follow these steps:

             1) the set of possible matches is formed by the
                intersection of the following sets of entries:

                  the set of entries with identical vacmGroupName
                  the union of these two sets:
                   - the set with identical vacmAccessContextPrefix
                   - the set of entries with vacmAccessContextMatch
                     value of 'prefix' and matching
                     vacmAccessContextPrefix
                  intersected with the union of these two sets:
                   - the set of entries with identical
                     vacmSecurityModel
                   - the set of entries with vacmSecurityModel
                     value of 'any'
                  intersected with the set of entries with
                  vacmAccessSecurityLevel value less than or equal
                  to the requested securityLevel

             2) if this set has only one member, we're done
                otherwise, it comes down to deciding how to weight
                the preferences between ContextPrefixes,
                SecurityModels, and SecurityLevels as follows:
                a) if the subset of entries with securityModel
                   matching the securityModel in the message is
                   not empty, then discard the rest.
                b) if the subset of entries with
                   vacmAccessContextPrefix matching the contextName
                   in the message is not empty,
                   then discard the rest
                c) discard all entries with ContextPrefixes shorter
                   than the longest one remaining in the set
                d) select the entry with the highest securityLevel

             Please note that for securityLevel noAuthNoPriv, all
             groups are really equivalent since the assumption that
             the securityName has been authenticated does not hold.
            "
::= { vacmMIBObjects 4 }

-- One access-policy row.  Note that the vacmGroupName used in the INDEX
-- need not correspond to any row of vacmSecurityToGroupTable; the
-- DESCRIPTION's 'vacmAccessSecurityToGroupTable' presumably refers to
-- that table, which is the one defined above under that name.
vacmAccessEntry OBJECT-TYPE

SYNTAX       VacmAccessEntry
MAX-ACCESS   not-accessible
STATUS       current
DESCRIPTION "An access right configured in the Local Configuration
             Datastore (LCD) authorizing access to an SNMP context.

             Entries in this table can use an instance value for
             object vacmGroupName even if no entry in table
             vacmAccessSecurityToGroupTable has a corresponding
             value for object vacmGroupName.
            "
INDEX       { vacmGroupName,
              vacmAccessContextPrefix,
              vacmAccessSecurityModel,
              vacmAccessSecurityLevel
            }
::= { vacmAccessTable 1 }

-- Row layout of vacmAccessTable: three index columns (the fourth index,
-- vacmGroupName, is defined in vacmSecurityToGroupEntry), the match mode,
-- the three view names, and the StorageType / RowStatus control columns.
VacmAccessEntry ::= SEQUENCE

{
    vacmAccessContextPrefix    SnmpAdminString,
    vacmAccessSecurityModel    SnmpSecurityModel,
    vacmAccessSecurityLevel    SnmpSecurityLevel,
    vacmAccessContextMatch     INTEGER,
    vacmAccessReadViewName     SnmpAdminString,
    vacmAccessWriteViewName    SnmpAdminString,
    vacmAccessNotifyViewName   SnmpAdminString,
    vacmAccessStorageType      StorageType,
    vacmAccessStatus           RowStatus
}

-- Index column.  SIZE(0..32) admits the empty string; combined with a
-- vacmAccessContextMatch of 'prefix', a zero-length prefix matches every
-- contextName, i.e. the row applies to all contexts.
vacmAccessContextPrefix OBJECT-TYPE

SYNTAX       SnmpAdminString (SIZE(0..32))
MAX-ACCESS   not-accessible
STATUS       current
DESCRIPTION "In order to gain the access rights allowed by this
             conceptual row, a contextName must match exactly
             (if the value of vacmAccessContextMatch is 'exact')
             or partially (if the value of vacmAccessContextMatch
             is 'prefix') to the value of the instance of this
             object.
            "
::= { vacmAccessEntry 1 }

-- Index column.  Unlike vacmSecurityModel in the group mapping, the SYNTAX
-- here carries no range restriction, so 'any' (0) is a legal value; step 1
-- of the vacmAccessTable selection procedure treats such rows as matching
-- every securityModel.
vacmAccessSecurityModel OBJECT-TYPE

SYNTAX       SnmpSecurityModel
MAX-ACCESS   not-accessible
STATUS       current
DESCRIPTION "In order to gain the access rights allowed by this
             conceptual row, this securityModel must be in use.
            "
::= { vacmAccessEntry 2 }

-- Index column giving the minimum securityLevel a request must carry to
-- use this row; among otherwise equal rows the highest level is chosen.
vacmAccessSecurityLevel OBJECT-TYPE

SYNTAX       SnmpSecurityLevel
MAX-ACCESS   not-accessible
STATUS       current
DESCRIPTION "The minimum level of security required in order to
             gain the access rights allowed by this conceptual
             row.  A securityLevel of noAuthNoPriv is less than
             authNoPriv which in turn is less than authPriv.

             If multiple entries are equally indexed except for
             this vacmAccessSecurityLevel index, then the entry
             which has the highest value for
             vacmAccessSecurityLevel is selected.
            "
::= { vacmAccessEntry 3 }

-- 'prefix' is the only wildcarding VACM offers; with an empty
-- vacmAccessContextPrefix it matches every contextName.  The default,
-- 'exact', requires the full context name to match.
vacmAccessContextMatch OBJECT-TYPE

SYNTAX       INTEGER
            { exact (1), -- exact match of prefix and contextName
              prefix (2) -- Only match to the prefix
            }
MAX-ACCESS   read-create
STATUS       current
DESCRIPTION "If the value of this object is exact(1), then all
             rows where the contextName exactly matches
             vacmAccessContextPrefix are selected.

             If the value of this object is prefix(2), then all
             rows where the contextName whose starting octets
             exactly match vacmAccessContextPrefix are selected.
             This allows for a simple form of wildcarding.
            "
DEFVAL      { exact }
::= { vacmAccessEntry 4 }

-- Names the MIB view that bounds read access for this row.  The default
-- (empty string) and any name without an active vacmViewTreeFamily entry
-- both yield no access, so a row denies reads until a view is assigned.
vacmAccessReadViewName OBJECT-TYPE

SYNTAX       SnmpAdminString (SIZE(0..32))
MAX-ACCESS   read-create
STATUS       current
DESCRIPTION "The value of an instance of this object identifies
             the MIB view of the SNMP context to which this
             conceptual row authorizes read access.

             The identified MIB view is that one for which the
             vacmViewTreeFamilyViewName has the same value as the
             instance of this object; if the value is the empty
             string or if there is no active MIB view having this
             value of vacmViewTreeFamilyViewName, then no access
             is granted.
            "
DEFVAL      { ''H }   -- the empty string
::= { vacmAccessEntry 5 }

-- Names the MIB view that bounds write access for this row.  The default
-- (empty string) and any name without an active vacmViewTreeFamily entry
-- both yield no access, so a row denies writes until a view is assigned.
vacmAccessWriteViewName OBJECT-TYPE

SYNTAX       SnmpAdminString (SIZE(0..32))
MAX-ACCESS   read-create
STATUS       current
DESCRIPTION "The value of an instance of this object identifies
             the MIB view of the SNMP context to which this
             conceptual row authorizes write access.

             The identified MIB view is that one for which the
             vacmViewTreeFamilyViewName has the same value as the
             instance of this object; if the value is the empty
             string or if there is no active MIB view having this
             value of vacmViewTreeFamilyViewName, then no access
             is granted.
            "
DEFVAL      { ''H }   -- the empty string
::= { vacmAccessEntry 6 }

-- Names the MIB view that bounds which objects may appear in notifications
-- for this row.  As with the read and write views, the empty default or a
-- name with no active vacmViewTreeFamily entry grants no access.
vacmAccessNotifyViewName OBJECT-TYPE

SYNTAX       SnmpAdminString (SIZE(0..32))
MAX-ACCESS   read-create
STATUS       current
DESCRIPTION "The value of an instance of this object identifies
             the MIB view of the SNMP context to which this
             conceptual row authorizes access for notifications.

             The identified MIB view is that one for which the
             vacmViewTreeFamilyViewName has the same value as the
             instance of this object; if the value is the empty
             string or if there is no active MIB view having this
             value of vacmViewTreeFamilyViewName, then no access
             is granted.
            "
DEFVAL      { ''H }   -- the empty string
::= { vacmAccessEntry 7 }

-- Persistence of the access row; defaults to nonVolatile.  Rows marked
-- 'permanent' may refuse writes to their columns.
vacmAccessStorageType OBJECT-TYPE

SYNTAX       StorageType
MAX-ACCESS   read-create
STATUS       current
DESCRIPTION "The storage type for this conceptual row.

             Conceptual rows having the value 'permanent' need not
             allow write-access to any columnar objects in the row.
            "
DEFVAL      { nonVolatile }
::= { vacmAccessEntry 8 }

-- Row control column for the access row.  Its value does not by itself
-- lock the other columns; whether they can be written is governed by
-- vacmAccessStorageType.
vacmAccessStatus OBJECT-TYPE

SYNTAX       RowStatus
MAX-ACCESS   read-create
STATUS       current
DESCRIPTION "The status of this conceptual row.

             The  RowStatus TC [RFC2579] requires that this
             DESCRIPTION clause states under which circumstances
             other objects in this row can be modified:

             The value of this object has no effect on whether
             other objects in this conceptual row can be modified.
            "
::= { vacmAccessEntry 9 }

-- Information about MIB views ***************************************

-- Support for instance-level granularity is optional.