Policy Based Management MIB
RFC 4011

Approval announcement
Draft of message to be sent after approval:

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: Internet Architecture Board <iab@iab.org>,
    RFC Editor <rfc-editor@rfc-editor.org>, 
    snmpconf mailing list <snmpconf@snmp.com>, 
    snmpconf chair <snmpconf-chairs@tools.ietf.org>
Subject: Protocol Action: 'Policy Based Management MIB' to 
         Proposed Standard 

The IESG has approved the following document:

- 'Policy Based Management MIB'
   <draft-ietf-snmpconf-pm-16.txt> as a Proposed Standard

This document is the product of the Configuration Management with SNMP 
Working Group. 

The IESG contact persons are Bert Wijnen and Dan Romascanu.

A URL of this Internet-Draft is:

Technical Summary
 This memo defines a portion of the Management Information Base (MIB)
 for use with network management protocols in TCP/IP-based internets.
 In particular, this MIB defines objects that enable policy-based
 monitoring and management of SNMP infrastructures as well as a
 scripting language and a script execution environment.

Working Group Summary
 The Working Group took a long time to discuss this document. There
 was also discussion about the fact that this document combines both 
 a MIB module and a Scripting language specification, and some WG 
 members proposed to split the document in two.  However, in the end
 there was rough consensus to go forward with the combined 
 specification and the WG supports this document as a standards track

Protocol Quality
 The document has been reviewed for the IESG by Bert Wijnen.
 Patrik Faltstrom has reviewed the document for UTF-8 and for
 internationalization aspects.
 David Harrington did an extensive review of revisions 9, 10 and 11 at
 the request of the Area Director back in mid-2002.

RFC-Editor note:

Please add the following text to the end of Section 13, "Security
Considerations" (that is, on page 126):

  This MIB allows the delegation of access rights so that a user
  ("Joe") can instruct a Policy MIB agent to execute remote operations
  on his behalf that are authorized by keys stored by "Joe" into the
  usmUserTable. Care needs to be taken to ensure that unauthorized users
  are unable to configure their policies to use Joe's keys. While
  there are theoretically many ways to configure SNMP security, users
  are advised to follow the most straightforward way outlined below to
  minimize complexity and the resulting opportunity for errors.

    Assume that Joe has credentials that give him authority to manage
    agents A, B, and C, as well as the Policy MIB agent "P". Joe will
    store credentials for Joe@A, Joe@B, Joe@C in the usmUserTable of
    the Policy MIB agent. Then the following VACM configuration will
    be used:

        VACM securityToGroupTable
        A single entry mapping user Joe@P to group JoesGroup

        VACM accessTable
        A single entry mapping group JoesGroup to write view JoesView

        VACM viewTreeFamilyTable
        ViewName        Subtree                             Type
        JoesView        points to Joe@A in usmUserTable     included
        JoesView        points to Joe@B in usmUserTable     included
        JoesView        points to Joe@C in usmUserTable     included

    In the preceding examples, the notation Joe@A represents the entry
    indexed by usmUserEngineID and usmUserName, where the SnmpEngineID
    is that of system A and the usmUserName is "Joe".
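
The following Python sketch is an added illustration, not text from the RFC or the announcement. It shows one way the three JoesView entries could be expressed as view subtree/mask pairs and checked with the RFC 3415 family-matching rule. The engine IDs are constructed, and wildcarding the column sub-identifier so that a single entry covers a whole usmUserTable row is an assumption about what "points to Joe@A" means.

```python
# Added illustration, not text from the RFC. Engine IDs are constructed.
USM_USER_ENTRY = (1, 3, 6, 1, 6, 3, 15, 1, 2, 2, 1)  # usmUserEntry (RFC 3414)

def row_index(engine_id: bytes, user: str) -> tuple:
    """INDEX { usmUserEngineID, usmUserName }: each part is length-prefixed."""
    name = user.encode("utf-8")
    return (len(engine_id), *engine_id, len(name), *name)

def view_family(engine_id: bytes, user: str):
    """Subtree and mask selecting every column of one usmUserTable row."""
    subtree = USM_USER_ENTRY + (0,) + row_index(engine_id, user)
    bits = [1] * len(subtree)
    bits[len(USM_USER_ENTRY)] = 0      # assumption: wildcard the column sub-id
    bits += [1] * (-len(bits) % 8)     # pad to whole octets with 1s
    mask = bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))
    return subtree, mask

def matches(oid: tuple, subtree: tuple, mask: bytes) -> bool:
    """RFC 3415 family match: mask bit 1 = exact, 0 = wildcard, missing = 1."""
    if len(oid) < len(subtree):
        return False
    for i, sub in enumerate(subtree):
        byte = mask[i // 8] if i // 8 < len(mask) else 0xFF
        if (byte >> (7 - i % 8)) & 1 and oid[i] != sub:
            return False
    return True

def in_view(oid: tuple, families) -> bool:
    """True if any 'included' family matches (this view has no 'excluded' rows)."""
    return any(matches(oid, s, m) for s, m in families)

ENGINES = {"A": bytes.fromhex("80001f8804aa"),   # constructed SnmpEngineIDs
           "B": bytes.fromhex("80001f8804bb"),
           "C": bytes.fromhex("80001f8804cc"),
           "D": bytes.fromhex("80001f8804dd")}
JOES_VIEW = [view_family(ENGINES[k], "Joe") for k in "ABC"]

def column_oid(column: int, engine_id: bytes, user: str) -> tuple:
    """Instance OID of one column in the row for (engine_id, user)."""
    return USM_USER_ENTRY + (column,) + row_index(engine_id, user)

if __name__ == "__main__":
    for who, eng in [("Joe", "A"), ("Joe", "D"), ("Mallory", "A")]:
        oid = column_oid(6, ENGINES[eng], who)   # 6 = usmUserAuthKeyChange
        state = "in" if in_view(oid, JOES_VIEW) else "not in"
        print(f"{who}@{eng}: {state} JoesView")
```

Because both index components are length-prefixed, a row for a user named "Joey" on system A does not fall under the Joe@A subtree, so the view cannot be widened by choosing a user name that merely starts with "Joe".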