
Re: Access control



On Fri, Nov 03, 2006 at 12:03:28PM -0500, David B Harrington wrote:
 
> In SNMP, the permissions are based on a tree of data; data tends to be
> statically defined and low-level.
> 
> In netconf, the permissions will be based on RPC methods; RPC methods
> are dynamic high-level sets of functionality. 

I have no clue what you mean by "static" and "dynamic" here.

> The functionality may actually call other methods within the system,
> so "create vlan" may actually also manipulate an interface. The VLAN
> methods may be defined as part of one capability, while the
> interface may be part of another capability.

> Should the ACM assume that permission to "create vlan" implies
> permission to "manipulate interface"?

Sorry, but I have trouble following you. Creating a VLAN via SNMP sets
has always caused changes of the interface table (at least on all
devices I have seen so far) and it does not matter from the SNMP
perspective whether you have read or write access to that
interface. In general, management operations usually cause changes in
operational state, in some cases even across a whole network.
Expanding access control to cover all the potentially affected
operational state is clearly unrealistic (and it does not really
matter here whether you use a data-oriented, a command-oriented, an
object-oriented or a document-oriented management protocol).

/js
 
-- 
Juergen Schoenwaelder		    International University Bremen
<http://www.eecs.iu-bremen.de/>	    P.O. Box 750 561, 28725 Bremen, Germany
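The question raised in the thread, as an added toy model that is not code from the list or from any NETCONF or SNMP implementation: a method-level check (permissions keyed on RPC names) and a data-path check (permissions keyed on subtrees) applied to the same "create vlan" operation whose side effect also rewrites the interface table. User names, method names, paths and policies are constructed assumptions.

```python
"""Toy model of RPC-oriented vs. data-oriented access control decisions.
Constructed example; users, methods, paths and policies are assumptions."""
from __future__ import annotations
from dataclasses import dataclass

# Permissions keyed on high-level method names (the RPC-oriented view).
RPC_POLICY = {
    "alice": {"create-vlan"},
    "bob": {"create-vlan", "set-interface"},
}

# Permissions keyed on subtree prefixes (the data-oriented, SNMP-like view).
DATA_POLICY = {
    "alice": {"/vlans"},
    "bob": {"/vlans", "/interfaces"},
}


@dataclass
class Request:
    user: str
    rpc: str             # method being invoked, e.g. "create-vlan"
    touched: list[str]   # datastore paths the method will modify


def side_effects(rpc: str, vlan_id: int) -> list[str]:
    """Paths a method modifies, including the side effect the thread describes:
    creating a VLAN also adds a row to the interface table."""
    if rpc == "create-vlan":
        return [f"/vlans/{vlan_id}", f"/interfaces/vlan{vlan_id}"]
    if rpc == "set-interface":
        return [f"/interfaces/vlan{vlan_id}"]
    raise ValueError(f"unknown rpc {rpc!r}")


def rpc_check(req: Request) -> bool:
    """Method-level check: only the invoked RPC name is consulted."""
    return req.rpc in RPC_POLICY.get(req.user, set())


def data_check(req: Request) -> bool:
    """Data-level check: every path the operation touches must be allowed."""
    allowed = DATA_POLICY.get(req.user, set())
    return all(any(p.startswith(a) for a in allowed) for p in req.touched)


def decide(user: str, rpc: str, vlan_id: int) -> dict[str, bool]:
    """Run both checks on one request; the two models can disagree."""
    req = Request(user, rpc, side_effects(rpc, vlan_id))
    return {"rpc": rpc_check(req), "data": data_check(req)}
```

For a user who may call "create-vlan" but has no write access under /interfaces, the two models disagree; this is exactly the implied-permission question the thread raises.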
