-- *********************************************************************
-- CISCO-COMMON-ROLES-MIB.my: Common Roles Mib
--
-- March 2003, Vinay Gaonkar
--
-- Copyright (c) 2003, 2008 by cisco Systems Inc.
-- All rights reserved.
--
-- *********************************************************************

CISCO-COMMON-ROLES-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY,
    OBJECT-TYPE,
    Unsigned32
        FROM SNMPv2-SMI
    MODULE-COMPLIANCE,
    OBJECT-GROUP
        FROM SNMPv2-CONF
    RowStatus,
    TEXTUAL-CONVENTION,
    TruthValue
        FROM SNMPv2-TC
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB
    ciscoMgmt
        FROM CISCO-SMI;


ciscoCommonRolesMIB MODULE-IDENTITY
    LAST-UPDATED    "200802150000Z"
    ORGANIZATION    "Cisco Systems Inc."
    CONTACT-INFO
            "Cisco Systems
            Customer Service

            Postal: 170 W Tasman Drive
            San Jose, CA  95134
            USA

            Tel: +1 800 553-NETS

            E-mail: cs-san@cisco.com"
    DESCRIPTION
            "MIB module for managing the common roles between access
            methods like Command Line Interface (CLI), SNMP and XML
            interfaces.

            Every user on a device is associated with a role. A user
            role defines access rights afforded to the users that
            belong to this role. A role specifies which
            commands/operations a user is able to perform on what
            information.

            SNMP uses VACM (View-based Access Control Model) group to
            define access rights. Both SNMPv1/v2c community and SNMPv3
            user have to belong to a group in order to access
            information.

            CLI uses proprietary mechanisms to define the access
            rights. Most of them depend on the underlying operating
            system.

            Groups created from SNMP are not the same as the roles
            created from CLI unless they are synchronized. In addition
            to this, views make up the roles in VACM, whereas some kind
            of internal rules make up the roles in the CLI.

            This MIB describes a framework in which a role is defined
            independent of access methods. It is up to the particular
            access method to convert this framework information into
            the native information. For example, SNMP needs to convert
            common role framework to VACM.

            Note that this framework could also be used for access
            methods other than SNMP and CLI.

            The framework needs a list of features and list of
            operations they can support. Features provide the data
            context and are system dependent. Operations are the
            actions that can be done on the data.

            Roles are defined in terms of rules. Rules are essentially
            access rights which specify if a certain operation on a
            feature is permitted or not.

            An extension to this MIB module has been defined in
            CISCO-COMMON-ROLES-EXT-MIB to provide support for a
            framework which has compound features, i.e., features
            defined as group of other features, and also to provide
            another option for how a user's access can be restricted."
    REVISION        "200802150000Z"
    DESCRIPTION
            "Added two new types to commonRoleSupportedOperation.
            Added commonRoleSupportedOperation to
            ciscoCommonRolesMIBCompliance, to indicate that a device
            implementing this MIB need not support the two new types.
            Added ciscoCommonRolesExtMIBCompliance and
            ccrmConfigurationExtGroup, defining compliance for
            entities that implement the CISCO-COMMON-ROLES-EXT-MIB"
    REVISION        "200309150000Z"
    DESCRIPTION
            "Added DEFVAL to commonRoleRuleFeatureName.
            Also, removed commonRoleRuleFeatureName from mandatory
            object list while creating row in the
            commonRoleRuleTable."
    REVISION        "200306300000Z"
    DESCRIPTION
            "Initial version of this MIB module."
    ::= { ciscoMgmt 361 }


ciscoCommonRolesNotifications  OBJECT IDENTIFIER
    ::= { ciscoCommonRolesMIB 0 }

ciscoCommonRolesMIBObjects  OBJECT IDENTIFIER
    ::= { ciscoCommonRolesMIB 1 }

ciscoCommonRolesMIBConformance  OBJECT IDENTIFIER
    ::= { ciscoCommonRolesMIB 2 }

ccrInfo  OBJECT IDENTIFIER
    ::= { ciscoCommonRolesMIBObjects 1 }

ccrRoleConfig  OBJECT IDENTIFIER
    ::= { ciscoCommonRolesMIBObjects 2 }

ccrRuleConfig  OBJECT IDENTIFIER
    ::= { ciscoCommonRolesMIBObjects 3 }


-- Textual Conventions

CommonRoleOperation ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
            "Operations allowed for a common role.

            clear  - Clear operation
            config - Config/Set operation
            debug  - Debug operation
            show   - Show/Get operation
            exec   - Exec/Set Operation

            Note that if an operation is not supported by an access
            method, then it does not apply to that access method."
    SYNTAX          INTEGER  {
                        clear(1),
                        config(2),
                        debug(3),
                        show(4),
                        exec(5)
                    }

-- commonRoleFeatureTable

commonRoleFeatureTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CommonRoleFeatureEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
            "This table lists all the features and the operations
            supported by the features on the system."
    ::= { ccrInfo 1 }

commonRoleFeatureEntry OBJECT-TYPE
    SYNTAX          CommonRoleFeatureEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
            "An entry (conceptual row) in the commonRoleFeatureTable
            containing information about features and the operations
            supported by each of the features."
    INDEX           { commonRoleFeatureIndex }
    ::= { commonRoleFeatureTable 1 }

CommonRoleFeatureEntry ::= SEQUENCE {
        commonRoleFeatureIndex     Unsigned32,
        commonRoleFeatureName      SnmpAdminString,
        commonRoleFeatureOperation CommonRoleOperation
}

commonRoleFeatureIndex OBJECT-TYPE
    SYNTAX          Unsigned32 (1..4294967295)
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
            "An arbitrary index for this entry."
    ::= { commonRoleFeatureEntry 1 }

commonRoleFeatureName OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (1..32))
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
            "Name of the feature. For example, strings like 'ip',
            'snmp-server' and 'vsan' are valid feature names."
    ::= { commonRoleFeatureEntry 2 }

commonRoleFeatureOperation OBJECT-TYPE
    SYNTAX          CommonRoleOperation
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
            "The operation associated with this feature."
    ::= { commonRoleFeatureEntry 3 }

-- commonRoleSupportedOperTable

commonRoleSupportedOperTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CommonRoleSupportedOperEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
            "This table lists all the access methods supported on the
            device and the operations supported by each of the access
            methods.

            The operations listed in CommonRoleOperation may not be
            supported by all the access methods. For example, suppose
            that in the future, a new operation 'create' is added to
            CommonRoleOperation. CLI may not support it, but it may be
            supported by XML. So this operation would not apply to
            CLI. This table captures the supported operations for each
            of the access methods."
    ::= { ccrInfo 2 }

commonRoleSupportedOperEntry OBJECT-TYPE
    SYNTAX          CommonRoleSupportedOperEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
            "An entry (conceptual row) in the
            commonRoleSupportedOperTable which lists the operations
            supported by the local device for a particular access
            method."
    INDEX           { commonRoleAccessMethod }
    ::= { commonRoleSupportedOperTable 1 }

CommonRoleSupportedOperEntry ::= SEQUENCE {
        commonRoleAccessMethod       INTEGER,
        commonRoleSupportedOperation BITS
}

commonRoleAccessMethod OBJECT-TYPE
    SYNTAX          INTEGER  {
                        cli(1),
                        snmp(2)
                    }
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
            "Access method supported on this system."
    ::= { commonRoleSupportedOperEntry 1 }

commonRoleSupportedOperation OBJECT-TYPE
    SYNTAX          BITS {
                        clear(0),
                        config(1),
                        debug(2),
                        show(3),
                        exec(4),
                        read(5),
                        readWrite(6)
                    }
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
            "Operations supported by the access method.

            clear     - Clear operation
            config    - Config/Set operation
            debug     - Debug operation
            show      - Show/Get operation
            exec      - Exec/Set Operation
            read      - Read operation
            readWrite - Read/Write operation."
    ::= { commonRoleSupportedOperEntry 2 }

-- commonRoleMaxRoles

commonRoleMaxRoles OBJECT-TYPE
    SYNTAX          Unsigned32 (1..65535)
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
            "Maximum number of common roles that can be configured on
            this device, i.e., the maximum number of entries in the
            commonRoleTable."
    ::= { ccrRoleConfig 1 }

-- commonRoleTable

commonRoleTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CommonRoleEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
            "This table lists all the common roles configured on this
            device. Common roles are the user roles which are common
            across SNMP and CLI."
    ::= { ccrRoleConfig 2 }

commonRoleEntry OBJECT-TYPE
    SYNTAX          CommonRoleEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
            "An entry (conceptual row) in the commonRoleTable."
    INDEX           { commonRoleName }
    ::= { commonRoleTable 1 }

CommonRoleEntry ::= SEQUENCE {
        commonRoleName             SnmpAdminString,
        commonRoleDescription      SnmpAdminString,
        commonRoleScopeRestriction INTEGER,
        commonRoleScope1           OCTET STRING,
        commonRoleScope2           OCTET STRING,
        commonRoleRowStatus        RowStatus
}

commonRoleName OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (1..16))
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
            "Name of the common role."
    ::= { commonRoleEntry 1 }

commonRoleDescription OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (0..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
            "Description of the common role."
    DEFVAL          { ''H }
    ::= { commonRoleEntry 2 }

commonRoleScopeRestriction OBJECT-TYPE
    SYNTAX          INTEGER  {
                        none(1),
                        vsan(2)
                    }
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
            "This object indicates if there is a scope restriction for
            this role.

            If the value of this object is 'none', then there is no
            scope restriction. If it is 'vsan', the two objects
            commonRoleScope1 and commonRoleScope2 provide the list of
            Virtual Storage Area Networks (VSANs) which this role can
            access.

            The object commonRoleScope1 provides list of VSANs from 0
            through 2047 and commonRoleScope2 provides from 2048
            through 4095.

            Each octet within the value of the two objects specifies
            a set of eight VSANs. The first octet specifies VSANs 0
            through 7 for commonRoleScope1 and VSANs 2048 through 2054
            for commonRoleScope2. Similarly, the second octet
            specifies VSANs 8 through 15 and VSANs 2055 through 2062
            for commonRoleScope2, etc. Within each octet, the most
            significant bit represents the lowest numbered VSAN, and
            the least significant bit represents the highest numbered
            VSAN. Thus, each VSAN is represented by a single bit
            within the value of this object. A role can access a VSAN
            if and only if that bit has a value of '1'.

            If these objects have values which are less than 256
            bytes long, then the VSANs which are not represented are
            not considered to be in these lists. If both the scope
            objects are zero-length strings, then this role cannot
            access any VSANs if this object is `vsan'.

            The role can access all the VSANs if this object is
            'none'. Also, both commonRoleScope1 and commonRoleScope2
            are invalid if this object is 'none'.

            Other means of restricting the scope of a role can be
            defined in the future by extending this object with
            additional enumerations. Each such addition will define
            the restriction and any parameters it might have, which
            might or might not be specified via the corresponding
            values of commonRoleScope1 and commonRoleScope2."
    DEFVAL          { none }
    ::= { commonRoleEntry 3 }

commonRoleScope1 OBJECT-TYPE
    SYNTAX          OCTET STRING
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
            "This object provides the scope for the role. The actual
            meaning of this object depends on the value of
            commonRoleScopeRestriction and is defined in that object."
    DEFVAL          { ''H }
    ::= { commonRoleEntry 4 }

commonRoleScope2 OBJECT-TYPE
    SYNTAX          OCTET STRING
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
            "This object provides the scope for the role. The actual
            meaning of this object depends on the value of
            commonRoleScopeRestriction and is defined in that object."
    DEFVAL          { ''H }
    ::= { commonRoleEntry 5 }

commonRoleRowStatus OBJECT-TYPE
    SYNTAX          RowStatus
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
            "Status of this role."
    ::= { commonRoleEntry 6 }

-- commonRoleMaxRulesPerRole

commonRoleMaxRulesPerRole OBJECT-TYPE
    SYNTAX          Unsigned32 (1..65535)
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
            "Maximum number of rules that can be configured for a
            role."
    ::= { ccrRuleConfig 1 }

-- commonRoleRuleTable

commonRoleRuleTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CommonRoleRuleEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
            "This table lists all the rules configured for roles
            defined in the commonRoleTable. Each rule defines a
            feature and related access-level which provides either
            permit or deny access to the feature information.

            Entries in this table are also created/deleted using
            commonRoleRuleRowStatus.

            A row in this table cannot be made 'active' until a value
            is explicitly provided for that row's instances of the
            following objects :
            - commonRoleRuleOperation

            Also, the following objects cannot be modified when
            'commonRoleRuleRowStatus' is 'active' :
            - commonRoleRuleFeatureName
            - commonRoleRuleOperation
            - commonRoleRuleOperPermitted

            To modify the above objects, the entry must be deleted
            and re-created with new value of above objects."
    ::= { ccrRuleConfig 2 }

commonRoleRuleEntry OBJECT-TYPE
    SYNTAX          CommonRoleRuleEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
            "An entry (conceptual row) in the commonRoleRuleTable."
    INDEX           {
                        commonRoleName,
                        commonRoleRuleIndex
                    }
    ::= { commonRoleRuleTable 1 }

CommonRoleRuleEntry ::= SEQUENCE {
        commonRoleRuleIndex         Unsigned32,
        commonRoleRuleFeatureName   SnmpAdminString,
        commonRoleRuleOperation     CommonRoleOperation,
        commonRoleRuleOperPermitted TruthValue,
        commonRoleRuleRowStatus     RowStatus
}

commonRoleRuleIndex OBJECT-TYPE
    SYNTAX          Unsigned32 (1..4294967295)
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
            "A sequential number starting from 1, and less than or
            equal to commonRoleMaxRulesPerRole, which identifies a
            rule."
    ::= { commonRoleRuleEntry 1 }

commonRoleRuleFeatureName OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE (0..32))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
            "Name of the feature.
            If this is a zero-length string, then this rule applies
            to all the features supported on the system as enumerated
            in commonRoleFeatureTable."
    DEFVAL          { ''H }
    ::= { commonRoleRuleEntry 2 }

commonRoleRuleOperation OBJECT-TYPE
    SYNTAX          CommonRoleOperation
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
            "The operation permitted for this rule."
    ::= { commonRoleRuleEntry 3 }

commonRoleRuleOperPermitted OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
            "This object tells if the operation
            `commonRoleRuleOperation' is permitted on the feature
            `commonRoleFeatureName'. The operation is permitted if
            the value of this object is `true'. If the value of the
            object is 'false', the operation is not permitted."
    DEFVAL          { true }
    ::= { commonRoleRuleEntry 4 }

commonRoleRuleRowStatus OBJECT-TYPE
    SYNTAX          RowStatus
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
            "Status of this rule."
    ::= { commonRoleRuleEntry 5 }

-- Conformance

ciscoCommonRolesMIBCompliances  OBJECT IDENTIFIER
    ::= { ciscoCommonRolesMIBConformance 1 }

ciscoCommonRolesMIBGroups  OBJECT IDENTIFIER
    ::= { ciscoCommonRolesMIBConformance 2 }


ciscoCommonRolesMIBCompliance MODULE-COMPLIANCE
    STATUS          current
    DESCRIPTION
            "The compliance statement for entities which implement the
            CISCO-COMMON-ROLES-MIB (but not the
            CISCO-COMMON-ROLES-EXT-MIB)."
    MODULE          -- this module
    MANDATORY-GROUPS { ccrmConfigurationGroup }

    OBJECT          commonRoleRowStatus
    SYNTAX          INTEGER  {
                        active(1),
                        createAndGo(4),
                        destroy(6)
                    }
    DESCRIPTION
            "Only 'createAndGo', 'destroy' and 'active' need to be
            supported."

    OBJECT          commonRoleSupportedOperation
    SYNTAX          BITS {
                        clear(0),
                        config(1),
                        debug(2),
                        show(3),
                        exec(4)
                    }
    DESCRIPTION
            "Only 'clear', 'config', 'debug', 'show' and 'exec' need
            to be supported."
    ::= { ciscoCommonRolesMIBCompliances 1 }

ciscoCommonRolesExtMIBCompliance MODULE-COMPLIANCE
    STATUS          current
    DESCRIPTION
            "The compliance statement for entities that implement the
            CISCO-COMMON-ROLES-EXT-MIB."
    MODULE          -- this module
    MANDATORY-GROUPS { ccrmConfigurationExtGroup }
    ::= { ciscoCommonRolesMIBCompliances 2 }

-- Units of Conformance

ccrmConfigurationGroup OBJECT-GROUP
    OBJECTS         {
                        commonRoleFeatureName,
                        commonRoleFeatureOperation,
                        commonRoleSupportedOperation,
                        commonRoleMaxRoles,
                        commonRoleDescription,
                        commonRoleScopeRestriction,
                        commonRoleScope1,
                        commonRoleScope2,
                        commonRoleRowStatus,
                        commonRoleMaxRulesPerRole,
                        commonRoleRuleFeatureName,
                        commonRoleRuleOperation,
                        commonRoleRuleOperPermitted,
                        commonRoleRuleRowStatus
                    }
    STATUS          current
    DESCRIPTION
            "A collection of objects for Common Roles configuration."
    ::= { ciscoCommonRolesMIBGroups 1 }

ccrmConfigurationExtGroup OBJECT-GROUP
    OBJECTS         {
                        commonRoleMaxRoles,
                        commonRoleSupportedOperation,
                        commonRoleMaxRulesPerRole
                    }
    STATUS          current
    DESCRIPTION
            "A collection of objects for Common Roles configuration
            that need to be implemented by a device when the device
            implements the CISCO-COMMON-ROLES-EXT-MIB."
    ::= { ciscoCommonRolesMIBGroups 2 }

END
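
-- Added example, not part of the Cisco module: the VSAN scope encoding that
-- the commonRoleScopeRestriction DESCRIPTION defines for commonRoleScope1 and
-- commonRoleScope2, applied with the eight-VSANs-per-octet, most-significant-
-- bit-first rule. Function names and the sample octets are assumptions; failing
-- closed on an unknown restriction value is a choice made for this example.

```python
# Added example, not part of CISCO-COMMON-ROLES-MIB. Names below are illustrative.
NONE, VSAN = 1, 2        # commonRoleScopeRestriction: none(1), vsan(2)
SCOPE2_BASE = 2048       # commonRoleScope2 starts at VSAN 2048
MAX_OCTETS = 256         # 256 octets x 8 bits = 2048 VSANs per scope object


def decode_scope(octets, base):
    """Return the set of VSANs whose bit is 1 (MSB of an octet = lowest VSAN)."""
    if len(octets) > MAX_OCTETS:
        raise ValueError("scope object longer than 256 octets")
    vsans = set()
    for i, octet in enumerate(octets):
        for bit in range(8):
            if octet & (0x80 >> bit):
                vsans.add(base + 8 * i + bit)
    return vsans


def encode_scope(vsans, base):
    """Inverse of decode_scope; trailing zero octets are dropped, since
    VSANs not represented in the string are treated as not in the list."""
    buf = bytearray(MAX_OCTETS)
    for v in vsans:
        off = v - base
        if not 0 <= off < MAX_OCTETS * 8:
            raise ValueError(f"VSAN {v} is outside this scope object")
        buf[off // 8] |= 0x80 >> (off % 8)
    return bytes(buf).rstrip(b"\x00")


def role_can_access(restriction, scope1, scope2, vsan):
    """Decide access to one VSAN from a commonRoleTable row's scope columns."""
    if restriction == NONE:
        return True      # 'none': no scope restriction, scope objects ignored
    if restriction != VSAN:
        return False     # assumption: unknown future enumerations fail closed
    allowed = decode_scope(scope1, 0) | decode_scope(scope2, SCOPE2_BASE)
    return vsan in allowed


# Constructed sample row: scope1 = 0x40 0x01, scope2 = 0x80
SAMPLE_SCOPE1 = bytes.fromhex("4001")   # VSAN 1 (octet 0) and VSAN 15 (octet 1)
SAMPLE_SCOPE2 = bytes.fromhex("80")     # VSAN 2048

if __name__ == "__main__":
    print(sorted(decode_scope(SAMPLE_SCOPE1, 0)), sorted(decode_scope(SAMPLE_SCOPE2, SCOPE2_BASE)))
    print(role_can_access(VSAN, b"", b"", 1))   # zero-length scopes: no VSAN access
```

-- When auditing role scope over SNMP, decode both objects before comparing
-- roles: a short or empty octet string under 'vsan' grants less access, not more.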