RFC 2265 (rfc2265) - Page 3 of 36


View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)
RFC 2265                    VACM for SNMPv3                 January 1998


   application applies Access Control when processing requests that it
   received from a Command Generator application.  These requests
   include these types of operations: GetRequest, GetNextRequest,
   GetBulkRequest, and SetRequest operations.

   Access Control also occurs in an SNMP entity when an SNMP
   notification message is generated (by a Notification Originator
   application).  These notification messages include these types of
   operations: InformRequest and SNMPv2-Trap operations.

   The View-based Access Control Model defines a set of services that an
   application (such as a Command Responder or a Notification Originator
   application) can use for checking access rights.  It is the
   responsibility of the application to make the proper service calls
   for access checking.

1.3.  Local Configuration Datastore

   To implement the model described in this document, an SNMP entity
   needs to retain information about access rights and policies.  This
   information is part of the SNMP engine's Local Configuration
   Datastore (LCD). See [RFC 2261] for the definition of LCD.

   In order to allow an SNMP entity's LCD to be remotely configured,
   portions of the LCD need to be accessible as managed objects.  A MIB
   module, the View-based Access Control Model Configuration MIB, which
   defines these managed object types is included in this document.

2.  Elements of the Model

   This section contains definitions to realize the access control
   service provided by the View-based Access Control Model.

2.1.  Groups

   A group is a set of zero or more <securityModel, securityName> tuples
   on whose behalf SNMP management objects can be accessed.  A group
   defines the access rights afforded to all securityNames which belong
   to that group. The combination of a securityModel and a securityName
   maps to at most one group.  A group is identified by a groupName.

   The Access Control module assumes that the securityName has already
   been authenticated as needed and provides no further authentication
   of its own.
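   The following is an added illustration, not text or code from RFC 2265
   and not taken from any SNMP implementation.  It models the two facts
   stated above in Python: the (securityModel, securityName) pair maps to
   at most one groupName, and the access check trusts that the
   securityName was already authenticated.  The class and function names,
   the in-memory tables, the status strings, and the per-group sets of
   permitted operations are assumptions made for the example; the real
   model expresses rights through MIB views, which this page has not yet
   introduced.  The numeric securityModel values follow the SNMP
   architecture (1 = SNMPv1, 2 = SNMPv2c, 3 = USM) and are not listed on
   this page.

```python
"""Illustrative model of VACM group mapping (added example, not RFC text).

Assumptions (not from the page): class/function names, the in-memory
tables, the status strings, and per-group operation sets standing in for
MIB views.
"""
from typing import Dict, Optional, Set, Tuple

# securityModel numbers from the SNMP architecture (assumed here).
SNMPV1, SNMPV2C, USM = 1, 2, 3

# Operations the page says are subject to Access Control, split by the
# application that performs the check.
COMMAND_RESPONDER_OPS = {"GetRequest", "GetNextRequest",
                         "GetBulkRequest", "SetRequest"}
NOTIFICATION_ORIGINATOR_OPS = {"InformRequest", "SNMPv2-Trap"}
ACCESS_CONTROLLED_OPS = COMMAND_RESPONDER_OPS | NOTIFICATION_ORIGINATOR_OPS


def requires_access_check(operation: str) -> bool:
    """True for the PDU types the page lists as access-controlled."""
    return operation in ACCESS_CONTROLLED_OPS


class GroupTable:
    """LCD fragment mapping (securityModel, securityName) -> groupName.

    The combination of securityModel and securityName maps to at most one
    group, so a second, different group for the same pair is rejected
    rather than silently overwritten.
    """

    def __init__(self) -> None:
        self._entries: Dict[Tuple[int, str], str] = {}

    def add(self, security_model: int, security_name: str,
            group_name: str) -> None:
        key = (security_model, security_name)
        existing = self._entries.get(key)
        if existing is not None and existing != group_name:
            raise ValueError(
                f"{key} already maps to group {existing!r}; "
                f"cannot also map to {group_name!r}")
        self._entries[key] = group_name

    def lookup(self, security_model: int,
               security_name: str) -> Optional[str]:
        """Return the groupName for the pair, or None if it is in no group."""
        return self._entries.get((security_model, security_name))

    def members(self, group_name: str) -> Set[Tuple[int, str]]:
        """All (securityModel, securityName) tuples that form the group."""
        return {k for k, g in self._entries.items() if g == group_name}


def is_access_allowed(groups: GroupTable, rights: Dict[str, Set[str]],
                      security_model: int, security_name: str,
                      operation: str) -> str:
    """Simplified access check returning a status string (assumed names).

    No authentication is performed here: like the Access Control module
    described on the page, it assumes securityName was already
    authenticated by the security model before the call.
    """
    if not requires_access_check(operation):
        return "notAccessControlled"
    group = groups.lookup(security_model, security_name)
    if group is None:
        return "noGroupName"          # pair belongs to no group
    if operation not in rights.get(group, set()):
        return "accessDenied"         # group lacks the right
    return "accessAllowed"


def build_demo() -> Tuple[GroupTable, Dict[str, Set[str]]]:
    """Constructed sample configuration used by the usage below."""
    groups = GroupTable()
    groups.add(USM, "operator", "ops-group")
    groups.add(USM, "monitor", "ro-group")
    groups.add(SNMPV2C, "public", "ro-group")
    rights = {
        "ops-group": set(ACCESS_CONTROLLED_OPS),
        "ro-group": {"GetRequest", "GetNextRequest", "GetBulkRequest"},
    }
    return groups, rights


if __name__ == "__main__":
    g, r = build_demo()
    for model, name, op in [(USM, "operator", "SetRequest"),
                            (USM, "monitor", "SetRequest"),
                            (SNMPV1, "public", "GetRequest")]:
        print(model, name, op, "->", is_access_allowed(g, r, model, name, op))
```

   Note that the last lookup in the demo fails with "noGroupName" even
   though "public" is a known securityName: the pair is keyed on the
   securityModel too, so a name known under SNMPv2c is in no group under
   SNMPv1.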

   The View-based Access Control Model uses the securityModel and the
   securityName as inputs to the Access Control module when called to
   check for access rights.  It determines the groupName as a function



Wijnen, et. al.             Standards Track