View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)
RFC 2275

Document Type RFC - Proposed Standard (January 1998; No errata)
Obsoleted by RFC 2575
Obsoletes RFC 2265
Last updated 2013-03-02
Stream Legacy stream
Network Working Group                                          B. Wijnen
Request for Comments: 2275                     IBM T. J. Watson Research
Obsoletes: 2265                                               R. Presuhn
Category: Standards Track                             BMC Software, Inc.
                                                           K. McCloghrie
                                                     Cisco Systems, Inc.
                                                            January 1998

             View-based Access Control Model (VACM) for the
               Simple Network Management Protocol (SNMP)

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1998).  All Rights Reserved.


IESG Note

   Due to a clerical error in the assignment of the snmpModules in this
   memo, this RFC provides the corrected number assignment for this
   protocol.  This memo obsoletes RFC 2265.


Abstract

   This document describes the View-based Access Control Model for use
   in the SNMP architecture [RFC2271].  It defines the Elements of
   Procedure for controlling access to management information.  This
   document also includes a MIB for remotely managing the configuration
   parameters for the View-based Access Control Model.

Table of Contents

   1.  Introduction                                             2
   1.2.  Access Control                                         3
   1.3.  Local Configuration Datastore                          3
   2.  Elements of the Model                                    3
   2.1.  Groups                                                 3
   2.2.  securityLevel                                          4
   2.3.  Contexts                                               4
   2.4.  MIB Views and View Families                            4
   2.4.1.  View Subtree                                         5

Wijnen, et. al.             Standards Track                     [Page 1]
RFC 2275                    VACM for SNMPv3                 January 1998

   2.4.2.  ViewTreeFamily                                       5
   2.5.  Access Policy                                          6
   3.  Elements of Procedure                                    6
   3.1.  Overview  of isAccessAllowed Process                   8
   3.2.  Processing the isAccessAllowed Service Request         9
   4.  Definitions                                             10
   5.  Intellectual Property                                   26
   6.  Acknowledgements                                        27
   7.  Security Considerations                                 28
   7.1.  Recommended Practices                                 28
   7.2.  Defining Groups                                       29
   7.3.  Conformance                                           29
   8.  References                                              29
   9.  Editors' Addresses                                      30
   A.1.  Installation Parameters                               31
   B.  Full Copyright Statement                                36

1.  Introduction

   The Architecture for describing Internet Management Frameworks
   [RFC2271] describes that an SNMP engine is composed of:

     1) a Dispatcher,
     2) a Message Processing Subsystem,
     3) a Security Subsystem, and
     4) an Access Control Subsystem.

   Applications make use of the services of these subsystems.

   It is important to understand the SNMP architecture and its
   terminology to understand where the View-based Access Control Model
   described in this document fits into the architecture and interacts
   with other subsystems within the architecture.  The reader is
   expected to have read and understood the description and terminology
   of the SNMP architecture, as defined in [RFC2271].

   The Access Control Subsystem of an SNMP engine has the responsibility
   for checking whether a specific type of access (read, write, notify)
   to a particular object (instance) is allowed.

   It is the purpose of this document to define a specific model of the
   Access Control Subsystem, designated the View-based Access Control
   Model. Note that this is not necessarily the only Access Control

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in [RFC2119].


1.2.  Access Control

   Access Control occurs (either implicitly or explicitly) in an SNMP