View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)
RFC 2265 VACM for SNMPv3 January 1998
application applies Access Control when processing requests that it
received from a Command Generator application. These requests
include these types of operations: GetRequest, GetNextRequest,
GetBulkRequest, and SetRequest operations.
Access Control also occurs in an SNMP entity when an SNMP
notification message is generated (by a Notification Originator
application). These notification messages include these types of
operations: InformRequest and SNMPv2-Trap operations.
The View-based Access Control Model defines a set of services that an
application (such as a Command Responder or a Notification Originator
application) can use for checking access rights. It is the
responsibility of the application to make the proper service calls
for access checking.
1.3. Local Configuration Datastore
To implement the model described in this document, an SNMP entity
needs to retain information about access rights and policies. This
information is part of the SNMP engine's Local Configuration
Datastore (LCD). See [RFC 2261] for the definition of LCD.
In order to allow an SNMP entity's LCD to be remotely configured,
portions of the LCD need to be accessible as managed objects. A MIB
module, the View-based Access Control Model Configuration MIB, which
defines these managed object types is included in this document.
2. Elements of the Model
This section contains definitions to realize the access control
service provided by the View-based Access Control Model.
2.1. Groups
A group is a set of zero or more <securityModel, securityName> tuples
on whose behalf SNMP management objects can be accessed. A group
defines the access rights afforded to all securityNames which belong
to that group. The combination of a securityModel and a securityName
maps to at most one group. A group is identified by a groupName.
The Access Control module assumes that the securityName has already
been authenticated as needed and provides no further authentication
of its own.
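The following Python model is an added example and not code from RFC 2265 or any SNMP implementation. It shows two things this page describes together: the (securityModel, securityName) to groupName mapping of section 2.1, with the "at most one group" rule enforced and no authentication of its own, and the list of operation types from section 1.2 that a Command Responder or Notification Originator must submit to access checking. The read/write/notify split of access kinds and the noGroupName status name come from later sections of the RFC; the group names, principals, policy table and the securityModel numbers assigned to SNMPv1, SNMPv2c and USM are assumptions or constructed sample data.

```python
"""Minimal model of the VACM group mapping and the access-check service.

Added example, not code from RFC 2265. It models the
(securityModel, securityName) -> groupName mapping of section 2.1 and the
operation types of section 1.2 that are subject to access control. The
read/write/notify split is taken from later sections of the RFC; the
policy and the principals below are constructed sample data.
"""
from typing import Dict, Optional, Set, Tuple

# securityModel values as assigned for SNMPv3 message processing
# (SNMPv1 = 1, SNMPv2c = 2, USM = 3); assumption taken from the SNMPv3 architecture.
SNMPV1, SNMPV2C, USM = 1, 2, 3

# Operation types named in section 1.2 and the kind of access each needs.
# GetRequest/GetNextRequest/GetBulkRequest read objects, SetRequest writes
# them, and InformRequest/SNMPv2-Trap notify (the notify category is from
# the RFC's later sections).
OPERATION_ACCESS: Dict[str, str] = {
    "GetRequest": "read",
    "GetNextRequest": "read",
    "GetBulkRequest": "read",
    "SetRequest": "write",
    "InformRequest": "notify",
    "SNMPv2-Trap": "notify",
}

# Constructed policy shape: groupName -> set of access kinds granted.
GroupPolicy = Dict[str, Set[str]]


class SecurityToGroupTable:
    """(securityModel, securityName) -> groupName, at most one group per pair."""

    def __init__(self) -> None:
        self._rows: Dict[Tuple[int, str], str] = {}

    def add(self, security_model: int, security_name: str, group_name: str) -> None:
        key = (security_model, security_name)
        existing = self._rows.get(key)
        if existing is not None and existing != group_name:
            # The same (securityModel, securityName) cannot belong to two groups.
            raise ValueError(f"{key} already maps to group {existing!r}")
        self._rows[key] = group_name

    def group_for(self, security_model: int, security_name: str) -> Optional[str]:
        # No authentication happens here: the security model that delivered
        # the message has already authenticated securityName, and the
        # access control module trusts that result as-is.
        return self._rows.get((security_model, security_name))


def check_access(groups: SecurityToGroupTable, policy: GroupPolicy,
                 security_model: int, security_name: str,
                 operation: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for one operation on behalf of a principal.

    This is the service a Command Responder or Notification Originator
    application calls before acting; the application, not the model, is
    responsible for making the call for every operation it handles.
    """
    access_kind = OPERATION_ACCESS.get(operation)
    if access_kind is None:
        return False, f"unknown operation {operation!r}"
    group = groups.group_for(security_model, security_name)
    if group is None:
        return False, "noGroupName: principal is not in any group"
    if access_kind not in policy.get(group, set()):
        return False, f"group {group!r} has no {access_kind} access"
    return True, f"{access_kind} access granted via group {group!r}"


def build_sample() -> Tuple[SecurityToGroupTable, GroupPolicy]:
    """Constructed sample configuration used for the demonstration below."""
    groups = SecurityToGroupTable()
    groups.add(USM, "operator", "ops-group")
    groups.add(SNMPV2C, "public", "readonly-group")  # community-based principal
    groups.add(USM, "monitor", "readonly-group")
    policy: GroupPolicy = {
        "ops-group": {"read", "write", "notify"},
        "readonly-group": {"read"},
    }
    return groups, policy


if __name__ == "__main__":
    groups, policy = build_sample()
    for model, name, op in [(USM, "operator", "SetRequest"),
                            (SNMPV2C, "public", "SetRequest"),
                            (USM, "monitor", "GetBulkRequest"),
                            (USM, "stranger", "GetRequest"),
                            (SNMPV2C, "operator", "GetRequest")]:
        print(model, name, op, check_access(groups, policy, model, name, op))
```

The last case in the demonstration, "operator" arriving under securityModel 2 rather than 3, is denied even though the name matches a configured principal: the group is keyed by the combination of securityModel and securityName, so the same name under a different security model is a different principal and needs its own row.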
The View-based Access Control Model uses the securityModel and the
securityName as inputs to the Access Control module when called to
check for access rights. It determines the groupName as a function
Wijnen, et. al. Standards Track