-- *********************************************************************
-- CISCO-COMMON-ROLES-MIB.my: Common Roles Mib
--
-- March 2003, Vinay Gaonkar
--
-- Copyright (c) 2003, 2008 by cisco Systems Inc.
-- All rights reserved.
--
-- *********************************************************************

CISCO-COMMON-ROLES-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY,
    OBJECT-TYPE,
    Unsigned32
        FROM SNMPv2-SMI
    MODULE-COMPLIANCE,
    OBJECT-GROUP
        FROM SNMPv2-CONF
    RowStatus,
    TEXTUAL-CONVENTION,
    TruthValue
        FROM SNMPv2-TC
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB
    ciscoMgmt
        FROM CISCO-SMI;


ciscoCommonRolesMIB MODULE-IDENTITY
    LAST-UPDATED    "200802150000Z"
    ORGANIZATION    "Cisco Systems Inc."
    CONTACT-INFO
            "Cisco Systems
            Customer Service
            Postal: 170 W Tasman Drive
            San Jose, CA 95134
            USA
            Tel: +1 800 553-NETS
            E-mail: cs-san@cisco.com"
    DESCRIPTION
            "MIB module for managing the common roles between
            access methods like Command Line Interface (CLI), SNMP
            and XML interfaces.
            Every user on a device is associated with a role.
            A user role defines access rights afforded to the users
            that belong to this role. A role specifies which
            commands/operations a user is able to perform on what
            information.
            SNMP uses VACM (View-based Access Control Model) group
            to define access rights. Both SNMPv1/v2c community and
            SNMPv3 user have to belong to a group in order to access
            information.
            CLI uses proprietary mechanisms to define the access
            rights. Most of them depend on the underlying operating
            system.
            Groups created from SNMP are not the same as the roles
            created from CLI unless they are synchronized. In
            addition to this, views make up the roles in VACM
            whereas some kind of internal rules make up the roles in
            the CLI. This MIB describes a framework in which a role
            is defined independent of access methods.
            It is up to the
            particular access method to convert this
            framework information into the native information. For
            example, SNMP needs to convert common role framework to
            VACM.
            Note that this framework could also be used for
            access methods other than SNMP and CLI.
            The framework needs a list of features and a list of
            operations they can support. Features provide the data
            context and are system dependent. Operations are the
            actions that can be done on the data. Roles are
            defined in terms of rules. Rules are essentially access
            rights which specify if a certain operation on a feature
            is permitted or not.
            An extension to this MIB module has been defined in
            CISCO-COMMON-ROLES-EXT-MIB to provide support for a
            framework which has compound features, i.e., features
            defined as group of other features, and also to
            provide another option for how a user's access can
            be restricted."
    REVISION        "200802150000Z"
    DESCRIPTION
            "Added two new types to commonRoleSupportedOperation.
            Added commonRoleSupportedOperation to
            ciscoCommonRolesMIBCompliance, to indicate that a device
            implementing this MIB need not support the two new types.
            Added ciscoCommonRolesExtMIBCompliance and
            ccrmConfigurationExtGroup, defining compliance for
            entities that implement the CISCO-COMMON-ROLES-EXT-MIB"
    REVISION        "200309150000Z"
    DESCRIPTION
            "Added DEFVAL to commonRoleRuleFeatureName. Also, removed
            commonRoleRuleFeatureName from mandatory object list while
            creating row in the commonRoleRuleTable."
    REVISION        "200306300000Z"
    DESCRIPTION
            "Initial version of this MIB module."
    ::= { ciscoMgmt 361 }


ciscoCommonRolesNotifications  OBJECT IDENTIFIER
    ::= { ciscoCommonRolesMIB 0 }

ciscoCommonRolesMIBObjects  OBJECT IDENTIFIER
    ::= { ciscoCommonRolesMIB 1 }

ciscoCommonRolesMIBConformance  OBJECT IDENTIFIER
    ::= { ciscoCommonRolesMIB 2 }

ccrInfo  OBJECT IDENTIFIER
    ::= { ciscoCommonRolesMIBObjects 1 }

ccrRoleConfig  OBJECT IDENTIFIER
    ::= { ciscoCommonRolesMIBObjects 2 }

ccrRuleConfig  OBJECT IDENTIFIER
    ::= { ciscoCommonRolesMIBObjects 3 }


-- Textual Conventions

CommonRoleOperation ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "Operations allowed for a common role.
        clear  - Clear operation
        config - Config/Set operation
        debug  - Debug operation
        show   - Show/Get operation
        exec   - Exec/Set Operation

        Note that if an operation is not supported by an access
        method, then it does not apply to that access method."
    SYNTAX          INTEGER  {
                        clear(1),
                        config(2),
                        debug(3),
                        show(4),
                        exec(5)
                    }

-- commonRoleFeatureTable

commonRoleFeatureTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CommonRoleFeatureEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table lists all the features and the operations
        supported by the features on the system."
    ::= { ccrInfo 1 }

commonRoleFeatureEntry OBJECT-TYPE
    SYNTAX          CommonRoleFeatureEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An entry (conceptual row) in the
        commonRoleFeatureTable containing information about
        features and the operations supported by each of the
        features."
    INDEX           { commonRoleFeatureIndex }
    ::= { commonRoleFeatureTable 1 }

CommonRoleFeatureEntry ::= SEQUENCE {
        commonRoleFeatureIndex     Unsigned32,
        commonRoleFeatureName      SnmpAdminString,
        commonRoleFeatureOperation CommonRoleOperation
}

commonRoleFeatureIndex OBJECT-TYPE
    SYNTAX          Unsigned32 (1..4294967295)
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An arbitrary index for this entry."
    ::= { commonRoleFeatureEntry 1 }

commonRoleFeatureName OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (1..32))
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Name of the feature. For example, strings like 'ip',
        'snmp-server' and 'vsan' are valid feature names."
    ::= { commonRoleFeatureEntry 2 }

commonRoleFeatureOperation OBJECT-TYPE
    SYNTAX          CommonRoleOperation
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The operation associated with this feature."
    ::= { commonRoleFeatureEntry 3 }


-- commonRoleSupportedOperTable

commonRoleSupportedOperTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CommonRoleSupportedOperEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table lists all the access methods supported on
        device and the operations supported by each of the
        access methods.
        The operations listed in CommonRoleOperation may not
        be supported by all the access methods. For example,
        suppose that in the future, a new operation 'create' is
        added to CommonRoleOperation. CLI may not support it;
        but may be supported by XML. So this operation would not
        apply to CLI. This table captures the supported
        operations for each of the access methods."
    ::= { ccrInfo 2 }

commonRoleSupportedOperEntry OBJECT-TYPE
    SYNTAX          CommonRoleSupportedOperEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An entry (conceptual row) in the
        commonRoleSupportedOperTable which lists the operations
        supported by the local device for a particular access
        method."
    INDEX           { commonRoleAccessMethod }
    ::= { commonRoleSupportedOperTable 1 }

CommonRoleSupportedOperEntry ::= SEQUENCE {
        commonRoleAccessMethod       INTEGER,
        commonRoleSupportedOperation BITS
}

commonRoleAccessMethod OBJECT-TYPE
    SYNTAX          INTEGER  {
                        cli(1),
                        snmp(2)
                    }
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Access method supported on this system."
    ::= { commonRoleSupportedOperEntry 1 }

commonRoleSupportedOperation OBJECT-TYPE
    SYNTAX          BITS {
                        clear(0),
                        config(1),
                        debug(2),
                        show(3),
                        exec(4),
                        read(5),
                        readWrite(6)
                    }
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Operations supported by the access method.
        clear     - Clear operation
        config    - Config/Set operation
        debug     - Debug operation
        show      - Show/Get operation
        exec      - Exec/Set Operation
        read      - Read operation
        readWrite - Read/Write operation."
    ::= { commonRoleSupportedOperEntry 2 }



-- commonRoleMaxRoles

commonRoleMaxRoles OBJECT-TYPE
    SYNTAX          Unsigned32 (1..65535)
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Maximum number of common roles that can be configured
        on this device, i.e., the maximum number of entries in
        the commonRoleTable."
    ::= { ccrRoleConfig 1 }

-- commonRoleTable

commonRoleTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CommonRoleEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table lists all the common roles configured on this
        device. Common roles are the user roles which are common
        across SNMP and CLI."
    ::= { ccrRoleConfig 2 }

commonRoleEntry OBJECT-TYPE
    SYNTAX          CommonRoleEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An entry (conceptual row) in the commonRoleTable."
    INDEX           { commonRoleName }
    ::= { commonRoleTable 1 }

CommonRoleEntry ::= SEQUENCE {
        commonRoleName             SnmpAdminString,
        commonRoleDescription      SnmpAdminString,
        commonRoleScopeRestriction INTEGER,
        commonRoleScope1           OCTET STRING,
        commonRoleScope2           OCTET STRING,
        commonRoleRowStatus        RowStatus
}

commonRoleName OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (1..16))
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Name of the common role."
    ::= { commonRoleEntry 1 }

commonRoleDescription OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (0..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "Description of the common role."
    DEFVAL          { ''H }
    ::= { commonRoleEntry 2 }

commonRoleScopeRestriction OBJECT-TYPE
    SYNTAX          INTEGER  {
                        none(1),
                        vsan(2)
                    }
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object indicates if there is a scope restriction
        for this role.

        If the value of this object is 'none', then there is no
        scope restriction.

        If it is 'vsan', the two objects commonRoleScope1 and
        commonRoleScope2 provide the list of Virtual Storage
        Area Networks (VSANs) which this role can access. The
        object commonRoleScope1 provides the list of VSANs from 0
        through 2047 and commonRoleScope2 provides from 2048
        through 4095. Each octet within the value of the two
        objects specifies a set of eight VSANs. The first octet
        specifies VSANs 0 through 7 for commonRoleScope1 and
        VSANs 2048 through 2054 for commonRoleScope2. Similarly,
        the second octet specifies VSANs 8 through 15 and VSANs
        2055 through 2062 for commonRoleScope2, etc.
        Within each
        octet, the most significant bit represents the lowest
        numbered VSAN, and the least significant bit represents
        the highest numbered VSAN. Thus, each VSAN is
        represented by a single bit within the value of this
        object. A role can access a VSAN if and only if that bit
        has a value of '1'. If these objects have a value which
        is less than 256 bytes long, then the VSANs which are
        not represented are not considered to be in these lists.
        If both the scope objects are zero-length strings, then
        this role can not access any VSANs if this object is
        'vsan'. The role can access all the VSANs if this
        object is 'none'. Also, both commonRoleScope1 and
        commonRoleScope2 are invalid if this object is 'none'.

        Other means of restricting the scope of a role can be
        defined in the future by extending this object with
        additional enumerations. Each such addition will
        define the restriction and any parameters it might
        have, which might or might not be specified via the
        corresponding values of commonRoleScope1 and
        commonRoleScope2."
    DEFVAL          { none }
    ::= { commonRoleEntry 3 }

commonRoleScope1 OBJECT-TYPE
    SYNTAX          OCTET STRING
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object provides the scope for the role. The actual
        meaning of this object depends on the value of
        commonRoleScopeRestriction and is defined in that
        object."
    DEFVAL          { ''H }
    ::= { commonRoleEntry 4 }

commonRoleScope2 OBJECT-TYPE
    SYNTAX          OCTET STRING
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object provides the scope for the role. The actual
        meaning of this object depends on the value of
        commonRoleScopeRestriction and is defined in that
        object."
    DEFVAL          { ''H }
    ::= { commonRoleEntry 5 }

commonRoleRowStatus OBJECT-TYPE
    SYNTAX          RowStatus
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "Status of this role."
    ::= { commonRoleEntry 6 }



-- commonRoleMaxRulesPerRole

commonRoleMaxRulesPerRole OBJECT-TYPE
    SYNTAX          Unsigned32 (1..65535)
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Maximum number of rules that can be configured for a
        role."
    ::= { ccrRuleConfig 1 }

-- commonRoleRuleTable

commonRoleRuleTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CommonRoleRuleEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table lists all the rules configured for roles
        defined in the commonRoleTable. Each rule defines a
        feature and related access-level which provides either
        permit or deny access to the feature information.

        Entries in this table are also created/deleted using
        commonRoleRuleRowStatus.

        A row in this table cannot be made 'active' until a
        value is explicitly provided for that row's instances
        of the following objects:
        - commonRoleRuleOperation

        Also, the following objects cannot be modified when
        'commonRoleRuleRowStatus' is 'active':
        - commonRoleRuleFeatureName
        - commonRoleRuleOperation
        - commonRoleRuleOperPermitted

        To modify the above objects, the entry must be deleted
        and re-created with new values of the above objects."
    ::= { ccrRuleConfig 2 }

commonRoleRuleEntry OBJECT-TYPE
    SYNTAX          CommonRoleRuleEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An entry (conceptual row) in the commonRoleRuleTable."
    INDEX           {
                        commonRoleName,
                        commonRoleRuleIndex
                    }
    ::= { commonRoleRuleTable 1 }

CommonRoleRuleEntry ::= SEQUENCE {
        commonRoleRuleIndex         Unsigned32,
        commonRoleRuleFeatureName   SnmpAdminString,
        commonRoleRuleOperation     CommonRoleOperation,
        commonRoleRuleOperPermitted TruthValue,
        commonRoleRuleRowStatus     RowStatus
}

commonRoleRuleIndex OBJECT-TYPE
    SYNTAX          Unsigned32 (1..4294967295)
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A sequential number starting from 1, and less than or
        equal to commonRoleMaxRulesPerRole, which identifies a
        rule."
    ::= { commonRoleRuleEntry 1 }

commonRoleRuleFeatureName OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (0..32))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "Name of the feature.
        If this is a zero-length string, then this rule applies
        to all the features supported on the system as
        enumerated in commonRoleFeatureTable."
    DEFVAL          { ''H }
    ::= { commonRoleRuleEntry 2 }

commonRoleRuleOperation OBJECT-TYPE
    SYNTAX          CommonRoleOperation
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The operation permitted for this rule."
    ::= { commonRoleRuleEntry 3 }

commonRoleRuleOperPermitted OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object tells if the operation
        `commonRoleRuleOperation' is permitted on the feature
        `commonRoleFeatureName'. The operation is permitted if
        the value of this object is `true'.
        If the value of the object is 'false', the operation is
        not permitted."
    DEFVAL          { true }
    ::= { commonRoleRuleEntry 4 }

commonRoleRuleRowStatus OBJECT-TYPE
    SYNTAX          RowStatus
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "Status of this rule."
    ::= { commonRoleRuleEntry 5 }


-- Conformance

ciscoCommonRolesMIBCompliances  OBJECT IDENTIFIER
    ::= { ciscoCommonRolesMIBConformance 1 }

ciscoCommonRolesMIBGroups  OBJECT IDENTIFIER
    ::= { ciscoCommonRolesMIBConformance 2 }


ciscoCommonRolesMIBCompliance MODULE-COMPLIANCE
    STATUS          current
    DESCRIPTION
        "The compliance statement for entities which
        implement the CISCO-COMMON-ROLES-MIB (but not
        the CISCO-COMMON-ROLES-EXT-MIB)."
    MODULE          -- this module
    MANDATORY-GROUPS { ccrmConfigurationGroup }

    OBJECT          commonRoleRowStatus
    SYNTAX          INTEGER  {
                        active(1),
                        createAndGo(4),
                        destroy(6)
                    }
    DESCRIPTION
        "Only 'createAndGo', 'destroy' and 'active' need to be
        supported."

    OBJECT          commonRoleSupportedOperation
    SYNTAX          BITS {
                        clear(0),
                        config(1),
                        debug(2),
                        show(3),
                        exec(4)
                    }
    DESCRIPTION
        "Only 'clear', 'config', 'debug', 'show' and 'exec'
        need to be supported."
    ::= { ciscoCommonRolesMIBCompliances 1 }

ciscoCommonRolesExtMIBCompliance MODULE-COMPLIANCE
    STATUS          current
    DESCRIPTION
        "The compliance statement for entities that
        implement the CISCO-COMMON-ROLES-EXT-MIB."
    MODULE          -- this module
    MANDATORY-GROUPS { ccrmConfigurationExtGroup }
    ::= { ciscoCommonRolesMIBCompliances 2 }

-- Units of Conformance

ccrmConfigurationGroup OBJECT-GROUP
    OBJECTS         {
                        commonRoleFeatureName,
                        commonRoleFeatureOperation,
                        commonRoleSupportedOperation,
                        commonRoleMaxRoles,
                        commonRoleDescription,
                        commonRoleScopeRestriction,
                        commonRoleScope1,
                        commonRoleScope2,
                        commonRoleRowStatus,
                        commonRoleMaxRulesPerRole,
                        commonRoleRuleFeatureName,
                        commonRoleRuleOperation,
                        commonRoleRuleOperPermitted,
                        commonRoleRuleRowStatus
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects for Common Roles
        configuration."
    ::= { ciscoCommonRolesMIBGroups 1 }

ccrmConfigurationExtGroup OBJECT-GROUP
    OBJECTS         {
                        commonRoleMaxRoles,
                        commonRoleSupportedOperation,
                        commonRoleMaxRulesPerRole
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects for Common Roles configuration
        that need to be implemented by a device when the device
        implements the CISCO-COMMON-ROLES-EXT-MIB."
    ::= { ciscoCommonRolesMIBGroups 2 }

END
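
-- Added example, not part of the MIB module or of any Cisco code: a decoder
-- for the commonRoleScope1/commonRoleScope2 bitmaps described under
-- commonRoleScopeRestriction, plus a small access-review check over
-- commonRoleTable rows. Function names and sample rows are constructed.

```python
# Added example, not part of CISCO-COMMON-ROLES-MIB. Function names and the
# sample rows are constructed for illustration.
SCOPE_NONE, SCOPE_VSAN = 1, 2   # commonRoleScopeRestriction enumerations
SCOPE_OCTETS = 256              # 256 octets * 8 bits = 2048 VSANs per object


def _bits_set(octets: bytes, base: int) -> set[int]:
    """VSAN numbers whose bit is 1; the MSB of each octet is the lowest VSAN."""
    if len(octets) > SCOPE_OCTETS:
        raise ValueError("scope object longer than 256 octets")
    return {
        base + 8 * i + bit
        for i, octet in enumerate(octets)
        for bit in range(8)
        if octet & (0x80 >> bit)
    }


def accessible_vsans(restriction: int, scope1: bytes, scope2: bytes):
    """Return None for an unrestricted role, else the set of permitted VSANs."""
    if restriction == SCOPE_NONE:
        return None  # scope objects are invalid here; all VSANs are accessible
    if restriction != SCOPE_VSAN:
        raise ValueError(f"unknown commonRoleScopeRestriction {restriction}")
    # Octets missing from a short value are VSANs that are not in the list.
    return _bits_set(scope1, 0) | _bits_set(scope2, 2048)


def audit_roles(rows):
    """Flag the roles an access review would look at first."""
    findings = []
    for name, restriction, scope1, scope2 in rows:
        vsans = accessible_vsans(restriction, scope1, scope2)
        if vsans is None:
            findings.append((name, "unrestricted: can access all VSANs"))
        elif not vsans:
            findings.append((name, "vsan-scoped with no VSANs permitted"))
    return findings


# Constructed rows: (commonRoleName, commonRoleScopeRestriction, Scope1, Scope2)
SAMPLE_ROWS = [
    ("san-admin", 1, b"", b""),
    ("tenant-a", 2, bytes([0x40, 0x81]), bytes([0x80])),
    ("orphan", 2, b"", b""),
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(row[0], accessible_vsans(*row[1:]))
    print(audit_roles(SAMPLE_ROWS))
```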