1-- ********************************************************************
2-- CISCO-SNMP-VACM-EXT-MIB.my : Extension to SNMP-VIEW-BASED-ACM-MIB
3--
4-- April 2004, Keith McCloghrie, Sanjeev C Joshi, Vinay Gaonkar
5--
6-- Copyright (c) 2004 by cisco Systems, Inc.
7-- All rights reserved.
8--
9-- ********************************************************************
10
11CISCO-SNMP-VACM-EXT-MIB DEFINITIONS ::= BEGIN
12
13IMPORTS
14        MODULE-IDENTITY,
15        OBJECT-TYPE
16                FROM SNMPv2-SMI
17        MODULE-COMPLIANCE,
18        OBJECT-GROUP
19                FROM SNMPv2-CONF
20        RowStatus,
21        StorageType
22                FROM SNMPv2-TC
23        SnmpAdminString
24                FROM SNMP-FRAMEWORK-MIB
25        vacmSecurityModel,
26        vacmSecurityName
27                FROM SNMP-VIEW-BASED-ACM-MIB
28        ciscoMgmt
29                FROM CISCO-SMI;
30
-- Module identity for the Cisco extension to the View-based Access
-- Control Model, registered at { ciscoMgmt 409 }. Only one revision
-- (2004-05-19) is recorded below.
31ciscoSnmpVacmExtMIB MODULE-IDENTITY
32        LAST-UPDATED        "200405190000Z"
33        ORGANIZATION        "Cisco Systems, Inc."
34        CONTACT-INFO
35                "       Cisco Systems
36                        Customer Service
37
38                Postal: 170 W Tasman Drive
39                        San Jose, CA  95134
40                        USA
41
42                   Tel: +1 800 553-NETS
43
44                E-mail:  cs-snmp@cisco.com"
45        DESCRIPTION
46                "The management information definitions to extend
47                 the View-based Access Control Model (RFC3415) for
48                 SNMP.
49
50                 This MIB extends the 'SNMP-VIEW-BASED-ACM-MIB' to
51                 allow each combination of a 'securityModel' and a
52                 'securityName' to be mapped into additional
53                 groupNames. The groups identified by these mappings
54                 are in addition to those identified by
55                 'vacmGroupName' of the 'vacmSecurityToGroupTable'.
56                 "
57
58        REVISION  "200405190000Z"
59        DESCRIPTION
60                "Initial version of this MIB."
61        ::= { ciscoMgmt 409 }
62
63--
64-- CISCO-SNMP-VACM-EXT-MIB administrative assignments
65--
66
-- Two subtrees under the module root: 1 holds the managed objects
-- (the group-mapping table), 2 holds the conformance definitions.
67ciscoSnmpVacmExtMIBObjects        OBJECT IDENTIFIER
68                                  ::= { ciscoSnmpVacmExtMIB 1 }
69ciscoSnmpVacmExtMIBConformance    OBJECT IDENTIFIER
70                                  ::= { ciscoSnmpVacmExtMIB 2 }
71
72--
73--  VACM  Group Extension - Extension of vacmSecurityToGroupTable
74--
75
76cvacmSecurityToGroupTable       OBJECT-TYPE
77        SYNTAX         SEQUENCE OF CvacmSecurityToGroupEntry
78        MAX-ACCESS     not-accessible
79        STATUS         current
80        DESCRIPTION
81           "An Extension table to the 'vacmSecurityToGroupTable'
82            defined in 'SNMP-VIEW-BASED-ACM-MIB'.
83
84            This table provides a mechanism to map a combination
85            of 'securityModel' and 'securityName' into one or more
86            groups in addition to the 'vacmGroupName' mapped in
87            the 'vacmSecurityToGroupTable'. These groups provide
88            additional access control policies for a principal.
89
90            The agent must allow the same group mapping entry to be
91            present in both  the 'cvacmSecurityToGroupTable' and the
92            'vacmSecurityToGroupTable'.
93
94            A row in this table can not exist without a corresponding
95            row for the same combination of 'securityModel' and
96            'securityName' in the 'vacmSecurityToGroupTable'.
97
98            While creating a row in this table, if there is no
99            corresponding row for the same combination of
100            'securityModel' and 'securityName' in the
101            'vacmSecurityToGroupTable', the same mapping entry
102            is created in the 'vacmSecurityToGroupTable' by the
103            agent using the values of instance variables of the entry
104            in this table.
105
106            The deletion of a row in the 'vacmSecurityToGroupTable'
107            also causes the deletion of all the group mapping
108            entries for the same combination of  'vacmSecurityModel'
109            and 'vacmSecurityName' in the 'cvacmSecurityToGroupTable'.
110            The deletion of a row in this table does not affect
111            'vacmSecurityToGroupTable' entries.
112            "
113        REFERENCE
114           " [RFC3415] View-based Access Control Model (VACM) for the
115             Simple Network Management Protocol (SNMP), STD 62 .
116           "
117        ::= { ciscoSnmpVacmExtMIBObjects 1 }
118
-- Conceptual row of cvacmSecurityToGroupTable.
-- The first two INDEX components, vacmSecurityModel and vacmSecurityName,
-- are imported from SNMP-VIEW-BASED-ACM-MIB; the third,
-- cvacmSecurityGrpName, is defined in this module. Because the group name
-- is part of the index, one (securityModel, securityName) pair can have
-- several rows, one per additional group.
119cvacmSecurityToGroupEntry OBJECT-TYPE
120        SYNTAX         CvacmSecurityToGroupEntry
121        MAX-ACCESS     not-accessible
122        STATUS         current
123        DESCRIPTION
124           "An entry (conceptual row) in the
125            'cvacmSecurityToGroupTable'. Each row represents one
126            groupName mapping for the combination of 'securityModel'
127            and 'securityName' in the system.
128           "
129        INDEX          { vacmSecurityModel,
130                         vacmSecurityName,
131                         cvacmSecurityGrpName }
132        ::= { cvacmSecurityToGroupTable 1}
133
-- Column list for one cvacmSecurityToGroupEntry row: the additional group
-- name (an INDEX component), the row's storage type, and its RowStatus.
134CvacmSecurityToGroupEntry ::=
135        SEQUENCE {
136            cvacmSecurityGrpName                SnmpAdminString,
137            cvacmSecurityGrpStorageType         StorageType,
138            cvacmSecurityGrpStatus              RowStatus
139}
140
141cvacmSecurityGrpName OBJECT-TYPE
142        SYNTAX         SnmpAdminString(SIZE(1..32))
143        MAX-ACCESS     not-accessible
144        STATUS         current
145        DESCRIPTION
146           "The name of the group for the mapping represented by
147            this row. This is in addition to the 'vacmGroupName'
148            mapped in the 'vacmSecurityToGroupTable'. For example
149            a user principal  represented by 'securityName' maps
150            to a group represented by 'cvacmSecurityGrpName' under
151            a security model represented by 'securityModel'.
152
153            This groupName is used as an index into the
154            'vacmAccessTable' to select an access control policy.
155            However, a value in this table does not imply that an
156            instance with the value exists in table 'vacmAccessTable'.
157            "
158	    ::= { cvacmSecurityToGroupEntry 1 }
159
-- Storage type of the row. DEFVAL is nonVolatile, so a mapping created
-- without an explicit storage type is expected to persist across agent
-- restarts (per the StorageType textual convention in SNMPv2-TC). When
-- auditing group mappings, the saved configuration should be checked as
-- well as the running table.
160cvacmSecurityGrpStorageType OBJECT-TYPE
161        SYNTAX         StorageType
162        MAX-ACCESS     read-create
163        STATUS         current
164        DESCRIPTION
165           "The storage type for this conceptual row.
166            Conceptual rows having the value 'permanent' need not
167            allow write-access to any columnar objects in the row.
168            "
169        DEFVAL         { nonVolatile }
170	    ::= { cvacmSecurityToGroupEntry 2 }
171
-- RowStatus column: the object through which rows (group mappings) are
-- created and deleted. Each row gives the indexed principal an additional
-- group, and the DESCRIPTION of 'cvacmSecurityToGroupTable' states that
-- the agent also creates the matching 'vacmSecurityToGroupTable' row when
-- none exists. Write access to this column therefore changes access
-- control policy; the MIB views that expose it for writing should be as
-- restrictive as those covering the SNMP-VIEW-BASED-ACM-MIB tables.
172cvacmSecurityGrpStatus OBJECT-TYPE
173        SYNTAX         RowStatus
174        MAX-ACCESS     read-create
175        STATUS         current
176        DESCRIPTION
177           "The status of this conceptual row. The value of
178            this object has no effect on whether other objects
179            in this conceptual row can be modified.
180            "
181	    ::= { cvacmSecurityToGroupEntry 3 }
182
183--
184-- Conformance information
185--
186
-- Conformance subtree: 1 holds compliance statements, 2 holds object groups.
187ciscoSnmpVacmExtMIBCompliances OBJECT IDENTIFIER
188                               ::= { ciscoSnmpVacmExtMIBConformance 1 }
189ciscoSnmpVacmExtMIBGroups      OBJECT IDENTIFIER
190                               ::= { ciscoSnmpVacmExtMIBConformance 2 }
191
-- Compliance statement. The only mandatory group is ciscoSnmpVacmExtGroup,
-- and for cvacmSecurityGrpStatus an agent need only support 'active',
-- 'createAndGo' and 'destroy'. An agent implementing just this minimum
-- offers no createAndWait/notInService staging: a mapping is in effect
-- from the moment its row is created until the row is destroyed.
192ciscoSnmpVacmExtMIBCompliance MODULE-COMPLIANCE
193        STATUS         current
194        DESCRIPTION
195           "The compliance statement for SNMP engines which
196            implement the CISCO-SNMP-VACM-EXT-MIB."
197        MODULE
198           MANDATORY-GROUPS { ciscoSnmpVacmExtGroup }
199
200        OBJECT cvacmSecurityGrpStatus
201        SYNTAX      INTEGER { active (1),
202                              createAndGo (4),
203                              destroy (6)
204                            }
205        DESCRIPTION
206           "Only 'active', 'createAndGo' and 'destroy' are needed to be
207            supported."
208        ::= { ciscoSnmpVacmExtMIBCompliances 1 }
209--
210-- Units of Conformance
211--
212
-- Object group listing the two accessible columns of the mapping table.
-- cvacmSecurityGrpName is declared not-accessible (it is an INDEX
-- component) and so does not appear in OBJECTS.
213ciscoSnmpVacmExtGroup  OBJECT-GROUP
214        OBJECTS        { cvacmSecurityGrpStorageType,
215                         cvacmSecurityGrpStatus }
216        STATUS         current
217        DESCRIPTION
218           "A collection of objects providing for remote
219            configuration of an SNMP engine which extends
220            the SNMP View-based Access Control Model."
221        ::= { ciscoSnmpVacmExtMIBGroups 1 }
222
223END
224
225