vacmAccessTable

The table of access rights for groups.

Each entry is indexed by a groupName, a contextPrefix, a securityModel and a securityLevel. To determine whether access is allowed, one entry from this table needs to be selected and the proper viewName from that entry must be used for access control checking.

To select the proper entry, follow these steps:

1) the set of possible matches is formed by the intersection of the following sets of entries:

the set of entries with identical vacmGroupName

the union of these two sets:

- the set with identical vacmAccessContextPrefix

- the set of entries with vacmAccessContextMatch value of 'prefix' and matching vacmAccessContextPrefix

intersected with the union of these two sets:

- the set of entries with identical vacmSecurityModel

- the set of entries with vacmSecurityModel value of 'any'

intersected with the set of entries with vacmAccessSecurityLevel value less than or equal to the requested securityLevel

2) if this set has only one member, we're done; otherwise, it comes down to deciding how to weight the preferences between ContextPrefixes, SecurityModels, and SecurityLevels as follows:

a) if the subset of entries with securityModel matching the securityModel in the message is not empty, then discard the rest.

b) if the subset of entries with vacmAccessContextPrefix matching the contextName in the message is not empty, then discard the rest

c) discard all entries with ContextPrefixes shorter than the longest one remaining in the set

d) select the entry with the highest securityLevel

Please note that for securityLevel noAuthNoPriv, all groups are really equivalent since the assumption that the securityName has been authenticated does not hold.
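The selection steps above, worked through in Python as an added example (not code from the original page or from the device vendor). `Row`, `select_row` and the sample rows are hypothetical names and constructed data; the 'any' securityModel is taken as 0 and USM as 3, per RFC 3411.

```python
from dataclasses import dataclass

LEVEL = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}
ANY = 0  # SnmpSecurityModel value reserved for 'any' (RFC 3411); 3 is USM

@dataclass(frozen=True)
class Row:  # hypothetical in-memory form of one vacmAccessTable row
    group: str
    prefix: str
    model: int
    level: str
    match: str  # 'exact' or 'prefix'
    read_view: str

def select_row(table, group, context, model, level):
    """Return the one row whose view names are used, or None (no access)."""
    def ctx_ok(r):
        return r.prefix == context or (r.match == "prefix" and context.startswith(r.prefix))
    # Step 1: intersect the group, context, securityModel and securityLevel sets.
    rows = [r for r in table
            if r.group == group and ctx_ok(r)
            and r.model in (model, ANY)
            and LEVEL[r.level] <= LEVEL[level]]
    if not rows:
        return None
    # Step 2a: rows naming the message's securityModel beat 'any' rows.
    rows = [r for r in rows if r.model == model] or rows
    # Step 2b: rows whose prefix equals the contextName beat partial matches.
    rows = [r for r in rows if r.prefix == context] or rows
    # Step 2c: drop prefixes shorter than the longest one remaining.
    longest = max(len(r.prefix) for r in rows)
    rows = [r for r in rows if len(r.prefix) == longest]
    # Step 2d: the highest securityLevel wins.
    return max(rows, key=lambda r: LEVEL[r.level])

# Constructed sample rows (group, prefix, model, level, match, read view).
TABLE = [
    Row("ops", "", 3, "authNoPriv", "exact", "opsAuthView"),
    Row("ops", "", 3, "authPriv", "exact", "opsPrivView"),
    Row("ops", "", ANY, "noAuthNoPriv", "prefix", "publicView"),
    Row("ops", "vpn", 3, "authNoPriv", "prefix", "vpnView"),
]

if __name__ == "__main__":
    for ctx, lvl in [("", "authPriv"), ("", "noAuthNoPriv"), ("vpn-a", "authPriv")]:
        row = select_row(TABLE, "ops", ctx, 3, lvl)
        print(repr(ctx), lvl, "->", row.read_view if row else None)
```

When auditing a configuration, note that a row combining an empty prefix, 'prefix' matching, the 'any' model and noAuthNoPriv is a candidate for every request from its group, so its views bound what an unauthenticated request can reach.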

The indexes of the table are vacmGroupName, vacmAccessContextPrefix, vacmAccessSecurityModel, vacmAccessSecurityLevel.

| OID | Object | Syntax | Max Access | Description | Implemented Specifications |
| --- | --- | --- | --- | --- | --- |
| 1.3.6.1.6.3.16.1.4.1.1 | vacmAccessContextPrefix | OCTET STRING{(0,32)} | not-accessible | In order to gain the access rights allowed by this conceptual row, a contextName must match exactly (if the value of vacmAccessContextMatch is 'exact') or partially (if the value of vacmAccessContextMatch is 'prefix') to the value of the instance of this object. | This object is implemented as defined in the corresponding MIB files. |
| 1.3.6.1.6.3.16.1.4.1.2 | vacmAccessSecurityModel | INTEGER{(0,2147483647)} | not-accessible | In order to gain the access rights allowed by this conceptual row, this securityModel must be in use. | This object is implemented as defined in the corresponding MIB files. |
| 1.3.6.1.6.3.16.1.4.1.3 | vacmAccessSecurityLevel | INTEGER{noAuthNoPriv(1),authNoPriv(2),authPriv(3)} | not-accessible | The minimum level of security required in order to gain the access rights allowed by this conceptual row. A securityLevel of noAuthNoPriv is less than authNoPriv which in turn is less than authPriv. If multiple entries are equally indexed except for this vacmAccessSecurityLevel index, then the entry which has the highest value for vacmAccessSecurityLevel is selected. | This object is implemented as defined in the corresponding MIB files. |
| 1.3.6.1.6.3.16.1.4.1.4 | vacmAccessContextMatch | INTEGER{exact(1),prefix(2)} | read-create | If the value of this object is exact(1), then all rows where the contextName exactly matches vacmAccessContextPrefix are selected. If the value of this object is prefix(2), then all rows where the contextName whose starting octets exactly match vacmAccessContextPrefix are selected. This allows for a simple form of wildcarding. | This object is implemented as defined in the corresponding MIB files. |
| 1.3.6.1.6.3.16.1.4.1.5 | vacmAccessReadViewName | OCTET STRING{(0,32)} | read-create | The value of an instance of this object identifies the MIB view of the SNMP context to which this conceptual row authorizes read access. The identified MIB view is that one for which the vacmViewTreeFamilyViewName has the same value as the instance of this object; if the value is the empty string or if there is no active MIB view having this value of vacmViewTreeFamilyViewName, then no access is granted. | This object is implemented as defined in the corresponding MIB files. |
| 1.3.6.1.6.3.16.1.4.1.6 | vacmAccessWriteViewName | OCTET STRING{(0,32)} | read-create | The value of an instance of this object identifies the MIB view of the SNMP context to which this conceptual row authorizes write access. The identified MIB view is that one for which the vacmViewTreeFamilyViewName has the same value as the instance of this object; if the value is the empty string or if there is no active MIB view having this value of vacmViewTreeFamilyViewName, then no access is granted. | This object is implemented as defined in the corresponding MIB files. |
| 1.3.6.1.6.3.16.1.4.1.7 | vacmAccessNotifyViewName | OCTET STRING{(0,32)} | read-create | The value of an instance of this object identifies the MIB view of the SNMP context to which this conceptual row authorizes access for notifications. The identified MIB view is that one for which the vacmViewTreeFamilyViewName has the same value as the instance of this object; if the value is the empty string or if there is no active MIB view having this value of vacmViewTreeFamilyViewName, then no access is granted. | This object is implemented as defined in the corresponding MIB files. |
| 1.3.6.1.6.3.16.1.4.1.8 | vacmAccessStorageType | INTEGER{other(1),volatile(2),nonVolatile(3),permanent(4),readOnly(5)} | read-create | The storage type for this conceptual row. Conceptual rows having the value 'permanent' need not allow write-access to any columnar objects in the row. | This object is implemented as defined in the corresponding MIB files. |
| 1.3.6.1.6.3.16.1.4.1.9 | vacmAccessStatus | INTEGER{active(1),notInService(2),notReady(3),createAndGo(4),createAndWait(5),destroy(6)} | read-create | The status of this conceptual row. The RowStatus TC [RFC2579] requires that this DESCRIPTION clause states under which circumstances other objects in this row can be modified: The value of this object has no effect on whether other objects in this conceptual row can be modified. | This object is implemented as defined in the corresponding MIB files. |

Creation Restriction

You can create entries in this table.

Modification Restriction

The entries in this table can be modified.

Deletion Restriction

The entries in this table can be deleted.

Access Restriction

The entries in this table can be read without restriction. The device must be configured with an SNMPv3 view.
Copyright © Huawei Technologies Co., Ltd.