-- ********************************************************************* -- CISCO-COMMON-ROLES-EXT-MIB.my: Common Roles Extension Mib -- -- February 2008, Mukul Chauhan -- -- Copyright (c) 2003, 2008 by Cisco Systems Inc. -- All rights reserved. -- -- ********************************************************************* CISCO-COMMON-ROLES-EXT-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-TYPE, Unsigned32, Integer32 FROM SNMPv2-SMI MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF RowStatus, TEXTUAL-CONVENTION, TruthValue FROM SNMPv2-TC SnmpAdminString FROM SNMP-FRAMEWORK-MIB ccrmConfigurationExtGroup FROM CISCO-COMMON-ROLES-MIB ciscoMgmt FROM CISCO-SMI; ciscoCommonRolesExtMIB MODULE-IDENTITY LAST-UPDATED "200802150000Z" ORGANIZATION "Cisco Systems Inc." CONTACT-INFO "Cisco Systems Customer Service Postal: 170 W Tasman Drive San Jose, CA 95134 USA Tel: +1 800 553 -NETS E-mail: cs-san@cisco.com" DESCRIPTION "A MIB Module for managing the roles that are common between access methods like Command Line Interface (CLI), SNMP and XML interface. This MIB is an extension to the CISCO-COMMON-ROLES-MIB, which is for managing Common Roles on a device with fixed feature. Terminology: Commands are the basic operations that can be performed on a device. For example 'show aaa *', 'clear aaa *', 'config t; ip arp *'. Commands can be organized into groups called Features. Features can be organized into groups called Feature Groups. The constituents of a Feature (i.e. Commands) and the constituents of a Feature Group (i.e. Features) are collectively referred to as Feature Elements. This MIB extends the CISCO-COMMON-ROLES-MIB by adding the following. Features can be organized into groups called feature groups. Access privileges can be assigned to feature group(s) associated with a Role. The five access privileges (clear, config, debug, show & exec) are replaced by two access privileges ('read' and 'readWrite'). These two privileges have no relation to the replaced five privileges. The types of objects to which access can be restricted is extended to include VLANs and Interfaces. A device implementing this MIB need not implement CISCO-COMMON-ROLES-MIB." REVISION "200802150000Z" DESCRIPTION "Initial version of this MIB module." ::= { ciscoMgmt 651 } ciscoCommonRolesExtNotifications OBJECT IDENTIFIER ::= { ciscoCommonRolesExtMIB 0 } ciscoCommonRolesExtMIBObjects OBJECT IDENTIFIER ::= { ciscoCommonRolesExtMIB 1 } ciscoCommonRolesExtMIBConformance OBJECT IDENTIFIER ::= { ciscoCommonRolesExtMIB 2 } ccreInfo OBJECT IDENTIFIER ::= { ciscoCommonRolesExtMIBObjects 1 } ccreRoleConfig OBJECT IDENTIFIER ::= { ciscoCommonRolesExtMIBObjects 2 } ccreRuleConfig OBJECT IDENTIFIER ::= { ciscoCommonRolesExtMIBObjects 3 } -- Textual Conventions CcreOperation ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "Privileges allowed for a common role. read - Read opeation readWrite - Read-Write operation Note that if a privilege is not supported by an access method, then it does not apply to that access method. There privileges are not related to the privileges defined in 'CommonRoleOperation'" SYNTAX INTEGER { read(1), readWrite(2) } CcreResourceAccess ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A User can be restricted from accessing resources, in addition to being restricted from performing certain operations. For e.g. a user assigned a role can be restricted from accessing all VLANs configured on the device except VLAN 1 and 4, or a user can be allowed to access all VSANs configured on the device except VSAN 5 and 10, or a User can be allowed to access Interface 1, 5, 10, 15 and 20 and restricted from accessing all other interfaces. This Bit mask lists the types of resources to which user access can be controlled. vsan(0) Bit value of 0 indicates that the user has access to no VSANs. However a user can be selectively assigned access to VSANs and each such accessible VSAN will have an entry in the 'ccreRoleScopeTable'. Bit value of 1 indicates that the user has access to all VSANs. In this case there are no VSAN entries in the 'ccreRoleScopeTable'. Setting the bit to 1 results in deletion of all VSAN entries from the ccreRoleScopeTable, for the role identified by 'ccreRoleName'. vlan(1) Bit value of 0 indicates that the user has access to no VLANs. However a user can be selectively assigned access to VLANs and each such accessible VLAN will have an entry in the 'ccreRoleScopeTable'. Bit value of 1 indicates that the user has access to all VLANs. In this case there are no VLAN entries in the 'ccreRoleScopeTable'. Setting the bit to 1 results in deletion of all VLAN entries from the ccreRoleScopeTable, for the role identified by 'ccreRoleName'. interface(2) Bit value of 0 indicates that the user has access to no interfaces. However a user can be selectively assigned access to interfaces and each such accessible interface will have an entry in the 'ccreRoleScopeTable'. Bit value of 1 indicates that the user has access to all interfaces. In this case there are no interface entries in the 'ccreRoleScopeTable'. Setting the bit to 1 results in deletion of all interface entries from the ccreRoleScopeTable, for the role identified by 'ccreRoleName'." SYNTAX BITS { vsan(0), vlan(1), interface(2) } -- ccreFeatureElementTable ccreFeatureElementTable OBJECT-TYPE SYNTAX SEQUENCE OF CcreFeatureElementEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table lists all the features and feature groups configured on a device. For each feature it lists all the command(s) contained in the feature. For each feature groups it lists all the features contained in the group. A feature element is either a feature or a feature group. A device may have some predefined features which may not be editable by a user. In addition, a device may allow a user to define new feature group. A device implementing this MIB need not implement the objects that form a conceptual row in the 'commonRolesFeatureTable' table defined in the CISCO-COMMON-ROLES MIB. The entries in this table are persistent across device reboots." ::= { ccreInfo 1 } ccreFeatureElementEntry OBJECT-TYPE SYNTAX CcreFeatureElementEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry (conceptual row) in the ccreFeatureElementTable. Each row in this table represents an element (command or a feature) contained in a feature or a feature group. For example a 'radius' feature that contains three commands - 'radius-server', 'radius-cfs' and 'aaa group server radius', this table will have three entries, one each for the three commands. ccreFeatureName ccreFeatureIndex ccreFeatureElementName 'radius' 1 'radius-server' 'radius' 2 'radius-cfs' 'radius' 3 'aaa group server radius' 'arp' 1 'show arp' 'arp' 2 'clear ip arp'" INDEX { ccreFeatureName, ccreFeatureElementIndex } ::= { ccreFeatureElementTable 1 } CcreFeatureElementEntry ::= SEQUENCE { ccreFeatureName SnmpAdminString, ccreFeatureElementIndex Unsigned32, ccreFeatureElementName SnmpAdminString, ccreFeatureElementType INTEGER , ccreFeatureRowStatus RowStatus } ccreFeatureName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE (1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "Identifies the feature or the feature group for which this entry represents an element. This object is the same as the commonRoleFeatureName." ::= { ccreFeatureElementEntry 1 } ccreFeatureElementIndex OBJECT-TYPE SYNTAX Unsigned32 (1..4294967295 ) MAX-ACCESS not-accessible STATUS current DESCRIPTION "An index value for this element which uniquely distinguishes it from all other elements of same feature." ::= { ccreFeatureElementEntry 2 } ccreFeatureElementName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE (1..32)) MAX-ACCESS read-create STATUS current DESCRIPTION "Name of the feature element represented by this row." ::= { ccreFeatureElementEntry 3 } ccreFeatureElementType OBJECT-TYPE SYNTAX INTEGER { command(1), feature(2), none(3) } MAX-ACCESS read-create STATUS current DESCRIPTION "An indication of the type of element represented by this row. When this field has the value 'command', this row represents a command name. When this field has the value 'feature', this row represents a feature name. This field must have the value 'none' when a feature could not otherwise be represented in this table because the feature does not yet have any elements defined for it. When features are added to an empty feature-group, the row with element type 'none' is still maintained in this table. Deleting this row (with type as 'none') will delete the feature group and all other rows representing relationship between this feature group and its members. A feature should have at least one element, whereas a feature-group may have zero or more entries. All entries in this table are persistent across device reboots" ::= { ccreFeatureElementEntry 4 } ccreFeatureRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "Status of this row." ::= { ccreFeatureElementEntry 5 } -- ccreRoleTable ccreRoleTable OBJECT-TYPE SYNTAX SEQUENCE OF CcreRoleEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table lists all the common roles configured on this device. Common roles are the user roles which are common across SNMP and CLI. A device implementing this MIB need not implement the objects that form a conceptual row in the 'commonRoleTable' defined in the CISCO-COMMON-ROLES MIB. This table and the 'commonRoleTable' table both have one entry per Role defined on the device. However unlike the 'commonRoleTable', this table does not contain any scope restriction information. The scope restriction information instead is contained in the 'ccreRoleScopeTable' Table. If a device implements this this table along with 'commonRoleTable' a row existing in 'commonRoleTable' should also exist in this table and vice versa. All entries in this table are persistent across device reboots." ::= { ccreRoleConfig 2 } ccreRoleEntry OBJECT-TYPE SYNTAX CcreRoleEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry (conceptual row) in the ccreRoleTable. One entry per role defined on the device." INDEX { ccreRoleName } ::= { ccreRoleTable 1 } CcreRoleEntry ::= SEQUENCE { ccreRoleName SnmpAdminString, ccreRoleDescription SnmpAdminString, ccreRoleResourceAccess CcreResourceAccess, ccreRoleRowStatus RowStatus } ccreRoleName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE (1..16)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "Name of the common role. This is same as commonRoleName." ::= { ccreRoleEntry 1 } ccreRoleDescription OBJECT-TYPE SYNTAX SnmpAdminString (SIZE (0..64)) MAX-ACCESS read-create STATUS current DESCRIPTION "Description of the common role. This is same as commonRoleDescription." ::= { ccreRoleEntry 2 } ccreRoleResourceAccess OBJECT-TYPE SYNTAX CcreResourceAccess MAX-ACCESS read-create STATUS current DESCRIPTION "Defines the default access to the resources to which access can be controlled. vsan(0) Bit value of 0 indicates that the user has access to no VSANs. However a user can be selectively assigned access to VSANs and each such accessible VSAN will have an entry in the 'ccreRoleScopeTable'. Bit value of 1 indicates that the user has access to all VSANs. In this case there are no VSAN entries in the 'ccreRoleScopeTable'. Setting the bit to 1 results in deletion of all VSAN entries from the ccreRoleScopeTable, for the role identified by 'ccreRoleName'. vlan(1) Bit value of 0 indicates that the user has access to no VLANs. However a user can be selectively assigned access to VLANs and each such accessible VLAN will have an entry in the 'ccreRoleScopeTable'. Bit value of 1 indicates that the user has access to all VLANs. In this case there are no VLAN entries in the 'ccreRoleScopeTable'. Setting the bit to 1 results in deletion of all VLAN entries from the ccreRoleScopeTable, for the role identified by 'ccreRoleName'. interface(2) Bit value of 0 indicates that the user has access to no Interfaces. However a user can be selectively assigned access to interfaces and each such accessible interface will have an entry in the 'ccreRoleScopeTable'. Bit value of 1 indicates that the user has access to all interfaces. In this case there are no interface entries in the 'ccreRoleScopeTable'. Setting the bit to 1 results in deletion of all interface entries from the ccreRoleScopeTable, for the role identified by 'ccreRoleName'. For example a role which has access to all VSANs, all VLANs and no Interface will have this field set as - - - |0|1|1| - - -" ::= { ccreRoleEntry 3 } ccreRoleRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "Status of this role." ::= { ccreRoleEntry 4 } -- ccreRoleScopeTable ccreRoleScopeTable OBJECT-TYPE SYNTAX SEQUENCE OF CcreRoleScopeEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table lists the resources to which a user belonging to a role can access. A role may be restricted from accessing various resources of a device. This table lists the resources that a role can access. If for a role there is no entry in this table, then restriction, if any, is determined by the ccrePermitAllPolicies object in the ccreRoleTable. Each resource (VSAN, VLAN or Interface) to which a role has access to, has a separate entry in the table. For e.g. if a role has access to VLAN 1, 2, 6 and 7; VSAN 2, 5 and 8 and interface 2/1 and 2/3, this table will have 9 entries, 4 for VSANs, 3 for VLANs and 2 for Interfaces. Entries in this table can be created/deleted using ccreRoleScopeRowStatus. The table provides the same information as 'commonRoleScopeRestriction', 'commonRoleScope1' and 'commonRoleScope2' but in a different way. The object 'commonRoleScope1' and 'commonRoleScope2' are 256*8 bit mask with each bit representing a VLAN. 'commonRoleScope1' identifies VLANS 1 to 2048 whereas 'commonRoleScope2' identifies VLANS 2049 to 4096. In this table, there is a separate entry for each VSAN, along with separate entry for each VLAN and Interface to which a role has access. The purpose of this table is to remove the limit of 4096 that are supported by 'commonRoleTable'. All entries in this table are persistent across device reboots" ::= { ccreRoleConfig 3 } ccreRoleScopeEntry OBJECT-TYPE SYNTAX CcreRoleScopeEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry (conceptual row) in the ccreRoleScopeTable. There is one entry for each different scope value of a Role. If a Role 'R1' is defined to have scope on VSAN-1, VSAN-2, VLAN-1, VLAN#, Interface fc1/1 and fc1/2, then there will be six entries for role 'R1' in this table, one each for VSAN-1, VSAN2, VLAN-1, VLAN-1, fc1/1 and fc1/2." INDEX { ccreRoleName, ccreRoleScopeIndex } ::= { ccreRoleScopeTable 1 } CcreRoleScopeEntry ::= SEQUENCE { ccreRoleScopeIndex Unsigned32, ccreRoleScopeRestriction INTEGER , ccreRoleScopeValue Integer32, ccreRoleScopeRowStatus RowStatus } ccreRoleScopeIndex OBJECT-TYPE SYNTAX Unsigned32 (1..4294967295 ) MAX-ACCESS not-accessible STATUS current DESCRIPTION "An index value for this entry which uniquely distinguishes it from all other entries for same Role." ::= { ccreRoleScopeEntry 1 } ccreRoleScopeRestriction OBJECT-TYPE SYNTAX INTEGER { vsan(1), vlan(2), interface(3) } MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the type of the scope restriction about which the information is provided by row." ::= { ccreRoleScopeEntry 2 } ccreRoleScopeValue OBJECT-TYPE SYNTAX Integer32 (1..2147483647 ) MAX-ACCESS read-create STATUS current DESCRIPTION "This object identifies the resource this role can access. If the value of 'ccreRoleScopeRestriction' is 'vsan' or 'vlan', this object specifies the Id (which is a number) of the VSAN/VLAN. If the value of 'ccreRoleScopeRestriction' is 'interface', this object specifies the IfIndex of the interface." ::= { ccreRoleScopeEntry 3 } ccreRoleScopeRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "Status of this scope restriction entry." ::= { ccreRoleScopeEntry 4 } -- ccreRuleTable ccreRuleTable OBJECT-TYPE SYNTAX SEQUENCE OF CcreRuleEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table lists all the rules configured for roles defined in the ccreRoleTable. Each rule defines the access (permit/deny) allowed to a particular command, feature or a feature group. Entries in this table are also created/deleted using ccreRuleRowStatus. A row in this table cannot be made 'active' until a value is explicitly provided for that row's instances of following objects : - ccreRuleOperation If ccreRuleFeatureElementName is a command, then - ccreRuleOperation is not needed to be set A device implementing this MIB need not implement the objects that form a conceptual row in the 'commonRuleRoleTable' table, which is defined in the CISCO-COMMON-ROLES-MIB. There is no relation between the rows in 'commonRuleRoleTable' and this table as both define different operation types. Each table can have rows with no corresponding rows in other table. All entries in this table are persistent across device reboots" ::= { ccreRuleConfig 2 } ccreRuleEntry OBJECT-TYPE SYNTAX CcreRuleEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry (conceptual row) in the ccreRuleRuleTable. There is one entry for each Rule contained in a Role. For eg. if a Role 'R1' has 6 rules, there will be six entries for Role 'R1'." INDEX { ccreRoleName, ccreRuleNumber } ::= { ccreRuleTable 1 } CcreRuleEntry ::= SEQUENCE { ccreRuleNumber Unsigned32, ccreRuleFeatureElementName SnmpAdminString, ccreRuleFeatureElementType INTEGER , ccreRuleOperation CcreOperation, ccreRuleOperationPermitted TruthValue, ccreRuleRowStatus RowStatus } ccreRuleNumber OBJECT-TYPE SYNTAX Unsigned32 (1..256) MAX-ACCESS not-accessible STATUS current DESCRIPTION "A unique index for a rule in a particular role. The rule are applied according to their rule number, i.e. Rule 1 will be the first rule applied followed by Rule 2 and so on. Rule numbers need not be contiguous, for e.g. a Role can have three rule numbered 1, 4 & 7. Further when a new rule is added to this Role it can be rule number 2 or 5 or 9 (any number other than 1, 4 and 7)." ::= { ccreRuleEntry 1 } ccreRuleFeatureElementName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE (0..32)) MAX-ACCESS read-create STATUS current DESCRIPTION "Name of the command or feature or feature group. If this is a zero-length string, then this rule applies to all the features supported on the device as enumerated in commonRoleFeatureTable." DEFVAL { ''H } ::= { ccreRuleEntry 2 } ccreRuleFeatureElementType OBJECT-TYPE SYNTAX INTEGER { command(1), feature(2), featureGroup(3), all(4) } MAX-ACCESS read-create STATUS current DESCRIPTION "Specifies the type of entry (command or feature or feature group) as specified by the object ccreRuleFeatureElementName" ::= { ccreRuleEntry 3 } ccreRuleOperation OBJECT-TYPE SYNTAX CcreOperation MAX-ACCESS read-create STATUS current DESCRIPTION "The operation for this rule." ::= { ccreRuleEntry 4 } ccreRuleOperationPermitted OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-create STATUS current DESCRIPTION "This object tells if the operation `ccreRuleOperation' is permitted or denied. The operation is permitted if the value of this object is `true'. If the value of the object is 'false', the operation is not permitted." DEFVAL { true } ::= { ccreRuleEntry 5 } ccreRuleRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "Status of this rule." ::= { ccreRuleEntry 6 } -- Conformance ccreMIBCompliances OBJECT IDENTIFIER ::= { ciscoCommonRolesExtMIBConformance 1 } ccreMIBGroups OBJECT IDENTIFIER ::= { ciscoCommonRolesExtMIBConformance 2 } ccreMIBCompliance MODULE-COMPLIANCE STATUS current DESCRIPTION "The compliance statement for entities which implement the CISCO-COMMON-ROLES-EXT-MIB." MODULE -- this module MANDATORY-GROUPS { ccreConfigurationGroup } OBJECT ccreFeatureElementName MIN-ACCESS read-only DESCRIPTION "Support for write/create access is not required." OBJECT ccreFeatureElementType MIN-ACCESS read-only DESCRIPTION "Support for write/create access is not required." OBJECT ccreFeatureRowStatus MIN-ACCESS read-only DESCRIPTION "Support for write/create access is not required." OBJECT ccreRoleDescription MIN-ACCESS read-only DESCRIPTION "Support for write/create access is not required." OBJECT ccreRoleResourceAccess MIN-ACCESS read-only DESCRIPTION "Support for write/create access is not required." OBJECT ccreRoleRowStatus MIN-ACCESS read-only DESCRIPTION "Support for write/create access is not required." OBJECT ccreRoleScopeRestriction MIN-ACCESS read-only DESCRIPTION "Support for write/create access is not required." OBJECT ccreRoleScopeValue MIN-ACCESS read-only DESCRIPTION "Support for write/create access is not required." OBJECT ccreRoleScopeRowStatus MIN-ACCESS read-only DESCRIPTION "Support for write/create access is not required." OBJECT ccreRuleFeatureElementName MIN-ACCESS read-only DESCRIPTION "Support for write/create access is not required." OBJECT ccreRuleFeatureElementType MIN-ACCESS read-only DESCRIPTION "Support for write/create access is not required." OBJECT ccreRuleOperation MIN-ACCESS read-only DESCRIPTION "Support for write/create access is not required." OBJECT ccreRuleOperationPermitted MIN-ACCESS read-only DESCRIPTION "Support for write/create access is not required." OBJECT ccreRuleRowStatus MIN-ACCESS read-only DESCRIPTION "Support for write/create access is not required." MODULE CISCO-COMMON-ROLES-MIB MANDATORY-GROUPS { ccrmConfigurationExtGroup } OBJECT commonRoleSupportedOperation SYNTAX BITS { read(5), readWrite(6) } DESCRIPTION "Only 'read', 'readWrite' need to be supported." ::= { ccreMIBCompliances 1 } -- Units of Conformance ccreConfigurationGroup OBJECT-GROUP OBJECTS { ccreFeatureElementName, ccreFeatureElementType, ccreFeatureRowStatus, ccreRoleDescription, ccreRoleResourceAccess, ccreRoleRowStatus, ccreRoleScopeRestriction, ccreRoleScopeValue, ccreRoleScopeRowStatus, ccreRuleFeatureElementName, ccreRuleFeatureElementType, ccreRuleOperation, ccreRuleOperationPermitted, ccreRuleRowStatus } STATUS current DESCRIPTION "A collection of objects for Common Roles Extention configuration." ::= { ccreMIBGroups 1 } END