[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: draft-ops-mumble-conf_management-02.txt

To: "'saperia@mediaone.net'" <saperia@mediaone.net>
Subject: RE: draft-ops-mumble-conf_management-02.txt
From: "Weiss, Walter" <WWeiss@lucentctc.com>
Date: Tue, 19 Oct 1999 14:39:24 -0400
Cc: "'lsanchez@bbn.com'" <lsanchez@bbn.com>, mumble@ops.ietf.org


> > >     - allow for the configuration of redundant components (both as
> > >       network elements and configuration application platforms).  In
> > >       addition, the system should support the concept of individuals
> > >       (humans) in different roles with different access privileges,
> > >
> > First, I think there are two separate requirements here.  I am concerned
> > about the second requirement because it is not clear what you mean by
humans
> > or roles.  I thought we were using the term roles to mean a grouping of
> 
> Sadly, roles is an over used term.  Roles (before policy was ever
> discussed) were the types of fucntions people did in network centers. 
> For example, there might be a noc person who watches the display
> information and calls for additional help when they can not eaisly solve
> the problem.  Another role might be the backbone engineer who would have
> broader access to configuration operations.  In fact they might access
> systems from home in the case of emergecy.  In this case we me role in
> the more conventional use.  Luis, perhaps we can clarify that.
> 
I agree, it is a nit, but clarity is always helpful.

> > interfaces or devices that a policy can apply to.  Also are you applying
the
> > concept of access privileges to the policies or the elements being
> > configured?  If you are going to apply access privileges to
configuration
> > elements, then I think you are also suggesting that this protocol be
used
> > for purposes other than policy (direct configuration of routers in the
> > absence of policies?).  If this indeed the case, it should be stated as
an
> > additional requirement.
> > 
> Policies are configuration information and not all policies will be
> applied by a person to all items filling a certain 'role' using role in
> the policy context.  In the end some people have privaleges that others
> do not.  The configuration management system we propose must deal with
> the fact that network wide configuration information (what people call
> policies) can not be applied blindly by a device to all instances of
> contained objects which match a particular set of roles.

There are two questions here.  First, mention is made of access control
lists without reference to what is being controlled.  I suggested that it
might be the policy because it is part of the discussion of the document,
but I am pretty sure that is not what you had in mind.  I suspect that you
meant the interface to the device as abstracted by the configuration
protocol.  However that still leaves the question of what is being
controlled, the attributes or the records or certain types of requests.

The second question relates more to the phrasing of the requirement.  It is
not clear to me how ACLs on attributes make sense if it is policies that are
the actors manipulating the attributes.  Hence, there is an implication in
the wording that users and policies can use this configuration protocol
(although perhaps through a shared PDP) to manipulate the device.  If this
is the case, it should be stated more clearly.

regards,

-Walter

Prev by Date: Re: draft-ops-mumble-conf_management-02.txt
Next by Date: Re: draft-ops-mumble-conf_management-02.txt
Prev by thread: Re: draft-ops-mumble-conf_management-02.txt
Next by thread: Re: draft-ops-mumble-conf_management-02.txt
Index(es):
- Date
- Thread