
Re: MIDCOM MIB access control



Hi Dave,

--On 11.12.2003 9:33 -0500 Harrington, David wrote:

Hi,

I think the security community has had experiences that differ from yours.

Let's take your example and replace the thief with one of your kids.
You would give your kid AND your wife access to the coins you collect
somewhere in the kitchen for giving tips to the delivery service or for
paying for stamps and so on.  But you probably would only give your wife
access to your checking account and block access from your kids to the
account.

My response was to Tom's message, which was about the SAME underlying instrumentation, and the only thing two MIBs provide are two interfaces to the same underlying data structures.

You are confusing the terms 'instrumentation' and 'data structure'. No, Tom's message was not about the SAME underlying instrumentation, but yes, it was about the same underlying data structure.

	"Agreed that they both address the same underlying data
structures, but I would think security setup would be simpler if you
could specify access by module rather than having to do it object by
object."

That's not two piles of money; it's two checkbooks to the same
underlying account. One of the things you really need is a mechanism
that allows you to specify different permissions for different persons
to the same datastore. That's what VACM provides.

Yes, it's not two piles of money. But that is where the example fails to explain the issue well.

Anyway, I agree with Dave Shield and Tom Patch that simplicity of security
configuration is not among the really relevant criteria for our discussion.

Thanks,

Juergen

Dbh