Policy Based Management MIB
Draft of message to be sent after approval:
From: The IESG <email@example.com> To: IETF-Announce <firstname.lastname@example.org> Cc: Internet Architecture Board <email@example.com>, RFC Editor <firstname.lastname@example.org>, snmpconf mailing list <email@example.com>, snmpconf chair <firstname.lastname@example.org> Subject: Protocol Action: 'Policy Based Management MIB' to Proposed Standard The IESG has approved the following document: - 'Policy Based Management MIB ' <draft-ietf-snmpconf-pm-16.txt> as a Proposed Standard This document is the product of the Configuration Management with SNMP Working Group. The IESG contact persons are Bert Wijnen and Dan Romascanu. A URL of this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-snmpconf-pm-16.txt
Technical Summary This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in TCP/IP-based internets. In particular, this MIB defines objects that enable policy-based monitoring and management of SNMP infrastructures as well as a scripting language and a script execution environment. Working Group Summary The Working Group took a long time to discuss this document. There was also discussion about the fact that this document combines both a MIB module and a Scripting language specification, and some WG members proposed to split the document in two. However, in the end there was rough consensus to go forward with the combined specification and the WG supports this document as a standards track document. Protocol Quality The document has been reviewed for the IESG by Bert Wijnen. Patrik Faltstrom has reviewed the document for UTF-8 and for internationalization aspects. David Harrington did extensive review of revisions 9, 10 and 11 at the request of the Area Director back in mid 2002. RFC-Editor note: pls add the following text to the end of sect 13 "Security Considerations", so that is on page 126: This MIB allows the delegation of access rights so that a user ("Joe") can instruct a Policy MIB agent to execute remote operations on his behalf that are authorized by keys stored by "Joe" into the usmUserTable. Care needs to be taken to ensure that unauthorized users are unable to configure their policies to use Joe's keys. While there are theoretically many ways to configure SNMP security, users are advised to follow the most straightforward way outlined below to minimize complexity and the resulting opportunity for errors. Assume that Joe has credentials that give him authority to manage agents A, B, and C, as well as the Policy MIB agent "P". Joe will store credentials for Joe@A, Joe@B, Joe@C in the usmUserTable of the Policy MIB agent. Then the following VACM configuration will will be used: VACM securityToGroupTable A single entry mapping user Joe@P to group JoesGroup VACM accessTable A single entry mapping group JoesGroup to write view JoesView VACM viewTreeFamilyTable ViewName Subtree Type JoesView points to Joe@A in usmUserTable included JoesView points to Joe@B in usmUserTable included JoesView points to Joe@C in usmUserTable included In the preceding examples, the notation Joe@A represents the entry indexed by usmUserEngineID and usmUserName, where the SnmpEngineID is that of system A and the usmUserName is "Joe".