Re: architecture and security

[Andy Bierman <ietf@andybierman.com>]

Juergen Schoenwaelder wrote:
> On Thu, Apr 13, 2006 at 09:27:33AM -0700, Andy Bierman wrote:
>  
> > I also want to point out that nobody is asking for instance granularity
> > within a row.  People have asked for "user A can look at all instances
> > of the foo object" or "user B can look at all the data in row X of
> > the interfaces table".  This is very different than VACM (and much
> > simpler/better IMO), where the columns in an individual row can have
> > different access control rights for every user.
>
> Still, the hard problem are references to things under access control.
> Some boxes to maintain fault history tables that may refer to
> interfaces (or to physical ports that are related to interfaces). How
> will the access control model deal with such cases?
>
> Of course, fault history data is not config data so you can take the
> formal position that this example is out of scope for netconf access
> control. But I think the question of how to deal with references will
> remain and this is especially nasty if references are embedded into
> identifiers.

References in identifiers -- you mean like information
carried in the instance portion of an OID?

Not sure what you mean

> Note that I am not asking for a complex solution - I just believe we
> should be very clear what an access control model can do and what not.

Agreed.


> /js

Andy

--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>