rfc2575.View-based Access Control Model (VACM) for

NetworkWorkingGroupB.WijnenRequestforComments:2575IBMT.J.WatsonResearchObsoletes:2275R.PresuhnCategory:StandardsTrackBMCSoftware,Inc.K.McCloghrieCiscoSystems,Inc.April1999View-basedAccessControlModel(VACM)fortheSimpleNetworkManagementProtocol(SNMP)StatusofthisMemoThisdocumentspecifiesanInternetstandardstrackprotocolfortheInternetcommunity,andrequestsdiscussionandsuggestionsforimprovements.PleaserefertothecurrenteditionoftheInternetOfficialProtocolStandards(STD1)forthestandardizationstateandstatusofthisprotocol.Distributionofthismemoisunlimited.CopyrightNoticeCopyright(C)TheInternetSociety(1999).AllRightsReserved.AbstractThisdocumentdescribestheView-basedAccessControlModelforuseintheSNMParchitecture[RFC2571].ItdefinestheElementsofProcedureforcontrollingaccesstomanagementinformation.ThisdocumentalsoincludesaMIBforremotelymanagingtheconfigurationparametersfortheView-basedAccessControlModel.TableofContents1.Introduction21.2.AccessControl31.3.LocalConfigurationDatastore32.ElementsoftheModel32.1.Groups32.2.securityLevel42.3.Contexts42.4.MIBViewsandViewFamilies42.4.1.ViewSubtree52.4.2.ViewTreeFamily52.5.AccessPolicy63.ElementsofProcedure63.1.OverviewofisAccessAllowedProcess83.2.ProcessingtheisAccessAllowedServiceRequest9Wijnen,etal.StandardsTrack[Page1]RFC2575VACMforSNMPApril19994.Definitions105.IntellectualProperty276.Acknowledgements287.SecurityConsiderations297.1.RecommendedPractices297.2.DefiningGroups307.3.Conformance307.4.AccesstotheSNMP-VIEW-BASED-ACM-MIB308.References319.Editors’Addresses32A.1.InstallationParameters33B.ChangeLog37C.FullCopyrightStatement381.IntroductionTheArchitecturefordescribingInternetManagementFrameworks[RFC2571]describesthatanSNMPengineiscomposedof:1)aDispatcher2)aMessageProcessingSubsystem,3)aSecuritySubsystem,and4)anAccessControlSubsystem.Applicationsmakeuseoftheservicesofthesesubsystems.ItisimportanttounderstandtheSNMParchitectureanditsterminologytounderstandwheretheView-basedAccessControlModeldescribedinthisdocumentfitsintothearchitectureandinteractswithothersubsystemswithinthearchitecture.ThereaderisexpectedtohavereadandunderstoodthedescriptionandterminologyoftheSNMParchitecture,asdefinedin[RFC2571].TheAccessControlSubsystemofanSNMPenginehastheresponsibilityforcheckingwhetheraspecifictypeofaccess(read,write,notify)toaparticularobject(instance)isallowed.ItisthepurposeofthisdocumenttodefineaspecificmodeloftheAccessControlSubsystem,designatedtheView-basedAccessControlModel.NotethatthisisnotnecessarilytheonlyAccessControlModel.ThekeywordsMUST,MUSTNOT,REQUIRED,SHALL,SHALLNOT,SHOULD,SHOULDNOT,RECOMMENDED,MAY,andOPTIONALinthisdocumentaretobeinterpretedasdescribedin[RFC2119].Wijnen,etal.StandardsTrack[Page2]RFC2575VACMforSNMPApril19991.2.AccessControlAccessControloccurs(eitherimplicitlyorexplicitly)inanSNMPentitywhenprocessingSNMPretrievalormodificationrequestmessagesfromanSNMPentity.ForexampleaCommandResponderapplicationappliesAccessControlwhenprocessingrequeststhatitreceivedfromaCommandGeneratorapplication.TheserequestscontainReadClassandWriteClassPDUsasdefinedin[RFC2571].AccessControlalsooccursinanSNMPentitywhenanSNMPnotificationmessageisgenerated(byaNotificationOriginatorapplication).ThesenotificationmessagescontainNotificationClassPDUsasdefinedin[RFC2571].TheView-basedAccessControlModeldefinesasetofservicesthatanapplication(suchasaCommandResponderoraNotificationOriginatorapplication)canuseforcheckingaccessrights.Itistheresponsibilityoftheapplicationtomaketheproperservicecallsforaccesschecking.1.3.LocalConfigurationDatastoreToimplementthemodeldescribedinthisdocument,anSNMPentityneedstoretaininformationaboutaccessrightsandpolicies.ThisinformationispartoftheSNMPengine’sLocalConfigurationDatastore(LCD).See[RFC2571]forthedefinitionofLCD.InordertoallowanSNMPentity’sLCDtoberemotelyconfigured,portionsoftheLCDneedtobeaccessibleasmanagedobjects.AMIBmodule,theView-basedAccessControlModelConfigurationMIB,whichdefinesthesemanagedobjecttypesisincludedinthisdocument.2.ElementsoftheModelThissectioncontainsdefinitionstorealizetheaccesscontrolserviceprovidedbytheView-basedAccessControlModel.2.1.GroupsAgroupisasetofzeroormoresecurityModel,securityNametuplesonwhosebehalfSNMPmanagementobjectscanbeaccessed.AgroupdefinestheaccessrightsaffordedtoallsecurityNameswhichbelongtothatgroup.ThecombinationofasecurityModelandasecurityNamemapstoatmostonegroup.AgroupisidentifiedbyagroupName.TheAccessControlmoduleassumesthatthesecurityNamehasalreadybeenauthenticatedasneededandprovidesnofurtherauthenticationofitsown.Wijnen,etal.StandardsTrack[Page3]RFC2575VACMforSNMPApril1999TheView-basedAccessControlModelusesthesecurityModelandthesecurityNameasinputstotheAccessControlmodulewhencalledtocheckforaccessrights.ItdeterminesthegroupNameasafunctionofsecurityModelandsecurityName.2.2.securityLevelDifferentaccessrightsformembersofagroupcanbedefinedfordifferentlevelsofsecurity,i.e.,noAuthNoPriv,authNoPriv,andauthPriv.ThesecurityLevelidentifiesthelevelofsecuritythatwillbeassumedwhencheckingforaccessrights.SeetheSNMPArchitectured