SNMP-VIEW-BASED-ACM-MIB DEFINITIONS ::= BEGIN

IMPORTS

    MODULE-COMPLIANCE, OBJECT-GROUP       FROM SNMPv2-CONF

    MODULE-IDENTITY, OBJECT-TYPE,

    snmpModules                           FROM SNMPv2-SMI

    TestAndIncr,

    RowStatus, StorageType                FROM SNMPv2-TC

    SnmpAdminString,

    SnmpSecurityLevel,

    SnmpSecurityModel                     FROM SNMP-FRAMEWORK-MIB;

snmpVacmMIB       MODULE-IDENTITY

    LAST-UPDATED "200210160000Z"          -- 16 Oct 2002, midnight

    ORGANIZATION "SNMPv3 Working Group"

    CONTACT-INFO "WG-email:   snmpv3@lists.tislabs.com

                  Subscribe:  majordomo@lists.tislabs.com

                              In message body:  subscribe snmpv3

                  Co-Chair:   Russ Mundy

                              Network Associates Laboratories

                  postal:     15204 Omega Drive, Suite 300

                              Rockville, MD 20850-4601

                              USA

                  email:      mundy@tislabs.com

                  phone:      +1 301-947-7107

                  Co-Chair:   David Harrington

                              Enterasys Networks

                  Postal:     35 Industrial Way

                              P. O. Box 5004

                              Rochester, New Hampshire 03866-5005

                              USA

                  EMail:      dbh@enterasys.com

                  Phone:      +1 603-337-2614

                  Co-editor:  Bert Wijnen

                              Lucent Technologies

                  postal:     Schagen 33

                              3461 GL Linschoten

                              Netherlands

                  email:      bwijnen@lucent.com

                  phone:      +31-348-480-685

                  Co-editor:  Randy Presuhn

                              BMC Software, Inc.

                  postal:     2141 North First Street

                              San Jose, CA 95131

                              USA

                  email:      randy_presuhn@bmc.com

                  phone:      +1 408-546-1006

                  Co-editor:  Keith McCloghrie

                              Cisco Systems, Inc.

                  postal:     170 West Tasman Drive

                              San Jose, CA  95134-1706

                              USA

                  email:      kzm@cisco.com

                  phone:      +1-408-526-5260

                 "

    DESCRIPTION  "The management information definitions for the

                  View-based Access Control Model for SNMP.

                  Copyright (C) The Internet Society (2002). This

                  version of this MIB module is part of RFC 3415;

                  see the RFC itself for full legal notices.

                 "

--  Revision history

    REVISION     "200210160000Z"          -- 16 Oct 2002, midnight

    DESCRIPTION  "Clarifications, published as RFC3415"

    REVISION     "199901200000Z"          -- 20 Jan 1999, midnight

    DESCRIPTION  "Clarifications, published as RFC2575"

    REVISION     "199711200000Z"          -- 20 Nov 1997, midnight

    DESCRIPTION  "Initial version, published as RFC2275"

    ::= { snmpModules 16 }

-- Administrative assignments ****************************************

vacmMIBObjects      OBJECT IDENTIFIER ::= { snmpVacmMIB 1 }

vacmMIBConformance  OBJECT IDENTIFIER ::= { snmpVacmMIB 2 }

-- Information about Local Contexts **********************************

vacmContextTable OBJECT-TYPE

    SYNTAX       SEQUENCE OF VacmContextEntry

    MAX-ACCESS   not-accessible

    STATUS       current

    DESCRIPTION "The table of locally available contexts.

                 This table provides information to SNMP Command

                 Generator applications so that they can properly

                 configure the vacmAccessTable to control access to

                 all contexts at the SNMP entity.

                 This table may change dynamically if the SNMP entity

                 allows that contexts are added/deleted dynamically

                 (for instance when its configuration changes).  Such

                 changes would happen only if the management

                 instrumentation at that SNMP entity recognizes more

                 (or fewer) contexts.

                 The presence of entries in this table and of entries

                 in the vacmAccessTable are independent.  That is, a

                 context identified by an entry in this table is not

                 necessarily referenced by any entries in the

                 vacmAccessTable; and the context(s) referenced by an

                 entry in the vacmAccessTable does not necessarily

                 currently exist and thus need not be identified by an

                 entry in this table.

                 This table must be made accessible via the default

                 context so that Command Responder applications have

                 a standard way of retrieving the information.

                 This table is read-only.  It cannot be configured via

                 SNMP.

                "

    ::= { vacmMIBObjects 1 }

vacmContextEntry OBJECT-TYPE

    SYNTAX       VacmContextEntry

    MAX-ACCESS   not-accessible

    STATUS       current

    DESCRIPTION "Information about a particular context."

    INDEX       {

                  vacmContextName

                }

    ::= { vacmContextTable 1 }

VacmContextEntry ::= SEQUENCE

    {

        vacmContextName SnmpAdminString

    }

vacmContextName  OBJECT-TYPE

    SYNTAX       SnmpAdminString (SIZE(0..32))

    MAX-ACCESS   read-only

    STATUS       current

    DESCRIPTION "A human readable name identifying a particular

                 context at a particular SNMP entity.

                 The empty contextName (zero length) represents the

                 default context.

                "

    ::= { vacmContextEntry 1 }

-- Information about Groups ******************************************

vacmSecurityToGroupTable OBJECT-TYPE

    SYNTAX       SEQUENCE OF VacmSecurityToGroupEntry

    MAX-ACCESS   not-accessible

    STATUS       current

    DESCRIPTION "This table maps a combination of securityModel and

                 securityName into a groupName which is used to define

                 an access control policy for a group of principals.

                "

    ::= { vacmMIBObjects 2 }

vacmSecurityToGroupEntry OBJECT-TYPE

    SYNTAX       VacmSecurityToGroupEntry

    MAX-ACCESS   not-accessible

    STATUS       current

    DESCRIPTION "An entry in this table maps the combination of a

                 securityModel and securityName into a groupName.

                "

    INDEX       {

                  vacmSecurityModel,

                  vacmSecurityName

                }

    ::= { vacmSecurityToGroupTable 1 }

VacmSecurityToGroupEntry ::= SEQUENCE

    {

        vacmSecurityModel               SnmpSecurityModel,

        vacmSecurityName                SnmpAdminString,

        vacmGroupName                   SnmpAdminString,

        vacmSecurityToGroupStorageType  StorageType,

        vacmSecurityToGroupStatus       RowStatus

    }

vacmSecurityModel OBJECT-TYPE

    SYNTAX       SnmpSecurityModel(1..2147483647)

    MAX-ACCESS   not-accessible

    STATUS       current

    DESCRIPTION "The Security Model, by which the vacmSecurityName

                 referenced by this entry is provided.

                 Note, this object may not take the 'any' (0) value.

                "

    ::= { vacmSecurityToGroupEntry 1 }

vacmSecurityName OBJECT-TYPE

    SYNTAX       SnmpAdminString (SIZE(1..32))

    MAX-ACCESS   not-accessible

    STATUS       current

    DESCRIPTION "The securityName for the principal, represented in a

                 Security Model independent format, which is mapped by

                 this entry to a groupName.

                "

    ::= { vacmSecurityToGroupEntry 2 }

vacmGroupName    OBJECT-TYPE

    SYNTAX       SnmpAdminString (SIZE(1..32))

    MAX-ACCESS   read-create

    STATUS       current

    DESCRIPTION "The name of the group to which this entry (e.g., the

                 combination of securityModel and securityName)

                 belongs.

                 This groupName is used as index into the

                 vacmAccessTable to select an access control policy.

                 However, a value in this table does not imply that an

                 instance with the value exists in table vacmAccesTable.

                "

    ::= { vacmSecurityToGroupEntry 3 }

vacmSecurityToGroupStorageType OBJECT-TYPE

    SYNTAX       StorageType

    MAX-ACCESS   read-create

    STATUS       current

    DESCRIPTION "The storage type for this conceptual row.

                 Conceptual rows having the value 'permanent' need not

                 allow write-access to any columnar objects in the row.

                "

    DEFVAL      { nonVolatile }

    ::= { vacmSecurityToGroupEntry 4 }

vacmSecurityToGroupStatus OBJECT-TYPE

    SYNTAX       RowStatus

    MAX-ACCESS   read-create

    STATUS       current

    DESCRIPTION "The status of this conceptual row.

                 Until instances of all corresponding columns are

                 appropriately configured, the value of the

                 corresponding instance of the vacmSecurityToGroupStatus

                 column is 'notReady'.

                 In particular, a newly created row cannot be made

                 active until a value has been set for vacmGroupName.

                 The  RowStatus TC [RFC2579] requires that this

                 DESCRIPTION clause states under which circumstances

                 other objects in this row can be modified:

                 The value of this object has no effect on whether

                 other objects in this conceptual row can be modified.

                "

    ::= { vacmSecurityToGroupEntry 5 }

-- Information about Access Rights ***********************************

vacmAccessTable  OBJECT-TYPE

    SYNTAX       SEQUENCE OF VacmAccessEntry

    MAX-ACCESS   not-accessible

    STATUS       current

    DESCRIPTION "The table of access rights for groups.

                 Each entry is indexed by a groupName, a contextPrefix,

                 a securityModel and a securityLevel.  To determine

                 whether access is allowed, one entry from this table

                 needs to be selected and the proper viewName from that

                 entry must be used for access control checking.

                 To select the proper entry, follow these steps:

                 1) the set of possible matches is formed by the

                    intersection of the following sets of entries:

                      the set of entries with identical vacmGroupName

                      the union of these two sets:

                       - the set with identical vacmAccessContextPrefix

                       - the set of entries with vacmAccessContextMatch

                         value of 'prefix' and matching

                         vacmAccessContextPrefix

                      intersected with the union of these two sets:

                       - the set of entries with identical

                         vacmSecurityModel

                       - the set of entries with vacmSecurityModel

                         value of 'any'

                      intersected with the set of entries with

                      vacmAccessSecurityLevel value less than or equal

                      to the requested securityLevel

                 2) if this set has only one member, we're done

                    otherwise, it comes down to deciding how to weight

                    the preferences between ContextPrefixes,

                    SecurityModels, and SecurityLevels as follows:

                    a) if the subset of entries with securityModel

                       matching the securityModel in the message is

                       not empty, then discard the rest.

                    b) if the subset of entries with

                       vacmAccessContextPrefix matching the contextName

                       in the message is not empty,

                       then discard the rest

                    c) discard all entries with ContextPrefixes shorter

                       than the longest one remaining in the set

                    d) select the entry with the highest securityLevel

                 Please note that for securityLevel noAuthNoPriv, all

                 groups are really equivalent since the assumption that

                 the securityName has been authenticated does not hold.

                "

    ::= { vacmMIBObjects 4 }

vacmAccessEntry  OBJECT-TYPE

    SYNTAX       VacmAccessEntry

    MAX-ACCESS   not-accessible

    STATUS       current

    DESCRIPTION "An access right configured in the Local Configuration

                 Datastore (LCD) authorizing access to an SNMP context.

                 Entries in this table can use an instance value for

                 object vacmGroupName even if no entry in table

                 vacmAccessSecurityToGroupTable has a corresponding

                 value for object vacmGroupName.

                "

    INDEX       { vacmGroupName,

                  vacmAccessContextPrefix,

                  vacmAccessSecurityModel,

                  vacmAccessSecurityLevel

                }

    ::= { vacmAccessTable 1 }

VacmAccessEntry ::= SEQUENCE

    {

        vacmAccessContextPrefix    SnmpAdminString,

        vacmAccessSecurityModel    SnmpSecurityModel,

        vacmAccessSecurityLevel    SnmpSecurityLevel,

        vacmAccessContextMatch     INTEGER,

        vacmAccessReadViewName     SnmpAdminString,

        vacmAccessWriteViewName    SnmpAdminString,

        vacmAccessNotifyViewName   SnmpAdminString,

        vacmAccessStorageType      StorageType,

        vacmAccessStatus           RowStatus

    }

vacmAccessContextPrefix OBJECT-TYPE

    SYNTAX       SnmpAdminString (SIZE(0..32))

    MAX-ACCESS   not-accessible

    STATUS       current

    DESCRIPTION "In order to gain the access rights allowed by this

                 conceptual row, a contextName must match exactly

                 (if the value of vacmAccessContextMatch is 'exact')

                 or partially (if the value of vacmAccessContextMatch

                 is 'prefix') to the value of the instance of this

                 object.

                "

    ::= { vacmAccessEntry 1 }

vacmAccessSecurityModel OBJECT-TYPE

    SYNTAX       SnmpSecurityModel

    MAX-ACCESS   not-accessible

    STATUS       current

    DESCRIPTION "In order to gain the access rights allowed by this

                 conceptual row, this securityModel must be in use.

                "

    ::= { vacmAccessEntry 2 }

vacmAccessSecurityLevel OBJECT-TYPE

    SYNTAX       SnmpSecurityLevel

    MAX-ACCESS   not-accessible

    STATUS       current

    DESCRIPTION "The minimum level of security required in order to

                 gain the access rights allowed by this conceptual

                 row.  A securityLevel of noAuthNoPriv is less than

                 authNoPriv which in turn is less than authPriv.

                 If multiple entries are equally indexed except for

                 this vacmAccessSecurityLevel index, then the entry

                 which has the highest value for

                 vacmAccessSecurityLevel is selected.

                "

    ::= { vacmAccessEntry 3 }

vacmAccessContextMatch OBJECT-TYPE

    SYNTAX       INTEGER

                { exact (1), -- exact match of prefix and contextName

                  prefix (2) -- Only match to the prefix

                }

    MAX-ACCESS   read-create

    STATUS       current

    DESCRIPTION "If the value of this object is exact(1), then all

                 rows where the contextName exactly matches

                 vacmAccessContextPrefix are selected.

                 If the value of this object is prefix(2), then all

                 rows where the contextName whose starting octets

                 exactly match vacmAccessContextPrefix are selected.

                 This allows for a simple form of wildcarding.

                "

    DEFVAL      { exact }

    ::= { vacmAccessEntry 4 }

vacmAccessReadViewName OBJECT-TYPE

    SYNTAX       SnmpAdminString (SIZE(0..32))

    MAX-ACCESS   read-create

    STATUS       current

    DESCRIPTION "The value of an instance of this object identifies

                 the MIB view of the SNMP context to which this

                 conceptual row authorizes read access.

                 The identified MIB view is that one for which the

                 vacmViewTreeFamilyViewName has the same value as the

                 instance of this object; if the value is the empty

                 string or if there is no active MIB view having this

                 value of vacmViewTreeFamilyViewName, then no access

                 is granted.

                "

    DEFVAL      { ''H }   -- the empty string

    ::= { vacmAccessEntry 5 }

vacmAccessWriteViewName OBJECT-TYPE

    SYNTAX       SnmpAdminString (SIZE(0..32))

    MAX-ACCESS   read-create

    STATUS       current

    DESCRIPTION "The value of an instance of this object identifies

                 the MIB view of the SNMP context to which this

                 conceptual row authorizes write access.

                 The identified MIB view is that one for which the

                 vacmViewTreeFamilyViewName has the same value as the

                 instance of this object; if the value is the empty

                 string or if there is no active MIB view having this

                 value of vacmViewTreeFamilyViewName, then no access

                 is granted.

                "

    DEFVAL      { ''H }   -- the empty string

    ::= { vacmAccessEntry 6 }

vacmAccessNotifyViewName OBJECT-TYPE

    SYNTAX       SnmpAdminString (SIZE(0..32))

    MAX-ACCESS   read-create

    STATUS       current

    DESCRIPTION "The value of an instance of this object identifies

                 the MIB view of the SNMP context to which this

                 conceptual row authorizes access for notifications.

                 The identified MIB view is that one for which the

                 vacmViewTreeFamilyViewName has the same value as the

                 instance of this object; if the value is the empty

                 string or if there is no active MIB view having this

                 value of vacmViewTreeFamilyViewName, then no access

                 is granted.

                "

    DEFVAL      { ''H }   -- the empty string

    ::= { vacmAccessEntry 7 }

vacmAccessStorageType OBJECT-TYPE

    SYNTAX       StorageType

    MAX-ACCESS   read-create

    STATUS       current

    DESCRIPTION "The storage type for this conceptual row.

                 Conceptual rows having the value 'permanent' need not

                 allow write-access to any columnar objects in the row.

                "

    DEFVAL      { nonVolatile }

    ::= { vacmAccessEntry 8 }

vacmAccessStatus OBJECT-TYPE

    SYNTAX       RowStatus

    MAX-ACCESS   read-create

    STATUS       current

    DESCRIPTION "The status of this conceptual row.

                 The  RowStatus TC [RFC2579] requires that this

                 DESCRIPTION clause states under which circumstances

                 other objects in this row can be modified:

                 The value of this object has no effect on whether

                 other objects in this conceptual row can be modified.

                "

    ::= { vacmAccessEntry 9 }

-- Information about MIB views ***************************************

-- Support for instance-level granularity is optional.

--

-- In some implementations, instance-level access control

-- granularity may come at a high performance cost.  Managers

-- should avoid requesting such configurations unnecessarily.

vacmMIBViews     OBJECT IDENTIFIER ::= { vacmMIBObjects 5 }

vacmViewSpinLock OBJECT-TYPE

    SYNTAX       TestAndIncr

    MAX-ACCESS   read-write

    STATUS       current

    DESCRIPTION "An advisory lock used to allow cooperating SNMP

                 Command Generator applications to coordinate their

                 use of the Set operation in creating or modifying

                 views.

                 When creating a new view or altering an existing

                 view, it is important to understand the potential

                 interactions with other uses of the view.  The

                 vacmViewSpinLock should be retrieved.  The name of

                 the view to be created should be determined to be

                 unique by the SNMP Command Generator application by

                 consulting the vacmViewTreeFamilyTable.  Finally,

                 the named view may be created (Set), including the

                 advisory lock.

                 If another SNMP Command Generator application has

                 altered the views in the meantime, then the spin

                 lock's value will have changed, and so this creation

                 will fail because it will specify the wrong value for

                 the spin lock.

                 Since this is an advisory lock, the use of this lock

                 is not enforced.

                "

    ::= { vacmMIBViews 1 }

vacmViewTreeFamilyTable OBJECT-TYPE

    SYNTAX       SEQUENCE OF VacmViewTreeFamilyEntry

    MAX-ACCESS   not-accessible

    STATUS       current

    DESCRIPTION "Locally held information about families of subtrees

                 within MIB views.

                 Each MIB view is defined by two sets of view subtrees:

                   - the included view subtrees, and

                   - the excluded view subtrees.

                 Every such view subtree, both the included and the

                 excluded ones, is defined in this table.

                 To determine if a particular object instance is in

                 a particular MIB view, compare the object instance's

                 OBJECT IDENTIFIER with each of the MIB view's active

                 entries in this table.  If none match, then the

                 object instance is not in the MIB view.  If one or

                 more match, then the object instance is included in,

                 or excluded from, the MIB view according to the

                 value of vacmViewTreeFamilyType in the entry whose

                 value of vacmViewTreeFamilySubtree has the most

                 sub-identifiers.  If multiple entries match and have

                 the same number of sub-identifiers (when wildcarding

                 is specified with the value of vacmViewTreeFamilyMask),

                 then the lexicographically greatest instance of

                 vacmViewTreeFamilyType determines the inclusion or

                 exclusion.

                 An object instance's OBJECT IDENTIFIER X matches an

                 active entry in this table when the number of

                 sub-identifiers in X is at least as many as in the

                 value of vacmViewTreeFamilySubtree for the entry,

                 and each sub-identifier in the value of

                 vacmViewTreeFamilySubtree matches its corresponding

                 sub-identifier in X.  Two sub-identifiers match

                 either if the corresponding bit of the value of

                 vacmViewTreeFamilyMask for the entry is zero (the

                 'wild card' value), or if they are equal.

                 A 'family' of subtrees is the set of subtrees defined

                 by a particular combination of values of

                 vacmViewTreeFamilySubtree and vacmViewTreeFamilyMask.

                 In the case where no 'wild card' is defined in the

                 vacmViewTreeFamilyMask, the family of subtrees reduces

                 to a single subtree.

                 When creating or changing MIB views, an SNMP Command

                 Generator application should utilize the

                 vacmViewSpinLock to try to avoid collisions.  See

                 DESCRIPTION clause of vacmViewSpinLock.

                 When creating MIB views, it is strongly advised that

                 first the 'excluded' vacmViewTreeFamilyEntries are

                 created and then the 'included' entries.

                 When deleting MIB views, it is strongly advised that

                 first the 'included' vacmViewTreeFamilyEntries are

                 deleted and then the 'excluded' entries.

                 If a create for an entry for instance-level access

                 control is received and the implementation does not

                 support instance-level granularity, then an

                 inconsistentName error must be returned.

                "

    ::= { vacmMIBViews 2 }

vacmViewTreeFamilyEntry OBJECT-TYPE

    SYNTAX       VacmViewTreeFamilyEntry

    MAX-ACCESS   not-accessible

    STATUS       current

    DESCRIPTION "Information on a particular family of view subtrees

                 included in or excluded from a particular SNMP

                 context's MIB view.

                 Implementations must not restrict the number of

                 families of view subtrees for a given MIB view,

                 except as dictated by resource constraints on the

                 overall number of entries in the

                 vacmViewTreeFamilyTable.

                 If no conceptual rows exist in this table for a given

                 MIB view (viewName), that view may be thought of as

                 consisting of the empty set of view subtrees.

                "

    INDEX       { vacmViewTreeFamilyViewName,

                  vacmViewTreeFamilySubtree

                }

    ::= { vacmViewTreeFamilyTable 1 }

VacmViewTreeFamilyEntry ::= SEQUENCE

    {

        vacmViewTreeFamilyViewName     SnmpAdminString,

        vacmViewTreeFamilySubtree      OBJECT IDENTIFIER,

        vacmViewTreeFamilyMask         OCTET STRING,

        vacmViewTreeFamilyType         INTEGER,

        vacmViewTreeFamilyStorageType  StorageType,

        vacmViewTreeFamilyStatus       RowStatus

    }

vacmViewTreeFamilyViewName OBJECT-TYPE

    SYNTAX       SnmpAdminString (SIZE(1..32))

    MAX-ACCESS   not-accessible

    STATUS       current

    DESCRIPTION "The human readable name for a family of view subtrees.

                "

    ::= { vacmViewTreeFamilyEntry 1 }

vacmViewTreeFamilySubtree OBJECT-TYPE

    SYNTAX       OBJECT IDENTIFIER

    MAX-ACCESS   not-accessible

    STATUS       current

    DESCRIPTION "The MIB subtree which when combined with the

                 corresponding instance of vacmViewTreeFamilyMask

                 defines a family of view subtrees.

                "

    ::= { vacmViewTreeFamilyEntry 2 }

vacmViewTreeFamilyMask OBJECT-TYPE

    SYNTAX       OCTET STRING (SIZE (0..16))

    MAX-ACCESS   read-create

    STATUS       current

    DESCRIPTION "The bit mask which, in combination with the

                 corresponding instance of vacmViewTreeFamilySubtree,

                 defines a family of view subtrees.

                 Each bit of this bit mask corresponds to a

                 sub-identifier of vacmViewTreeFamilySubtree, with the

                 most significant bit of the i-th octet of this octet

                 string value (extended if necessary, see below)

                 corresponding to the (8*i - 7)-th sub-identifier, and

                 the least significant bit of the i-th octet of this

                 octet string corresponding to the (8*i)-th

                 sub-identifier, where i is in the range 1 through 16.

                 Each bit of this bit mask specifies whether or not

                 the corresponding sub-identifiers must match when

                 determining if an OBJECT IDENTIFIER is in this

                 family of view subtrees; a '1' indicates that an

                 exact match must occur; a '0' indicates 'wild card',

                 i.e., any sub-identifier value matches.

                 Thus, the OBJECT IDENTIFIER X of an object instance

                 is contained in a family of view subtrees if, for

                 each sub-identifier of the value of

                 vacmViewTreeFamilySubtree, either:

                   the i-th bit of vacmViewTreeFamilyMask is 0, or

                   the i-th sub-identifier of X is equal to the i-th

                   sub-identifier of the value of

                   vacmViewTreeFamilySubtree.

                 If the value of this bit mask is M bits long and

                 there are more than M sub-identifiers in the

                 corresponding instance of vacmViewTreeFamilySubtree,

                 then the bit mask is extended with 1's to be the

                 required length.

                 Note that when the value of this object is the

                 zero-length string, this extension rule results in

                 a mask of all-1's being used (i.e., no 'wild card'),

                 and the family of view subtrees is the one view

                 subtree uniquely identified by the corresponding

                 instance of vacmViewTreeFamilySubtree.

                 Note that masks of length greater than zero length

                 do not need to be supported.  In this case this

                 object is made read-only.

                "

    DEFVAL      { ''H }

    ::= { vacmViewTreeFamilyEntry 3 }

vacmViewTreeFamilyType OBJECT-TYPE

    SYNTAX       INTEGER  { included(1), excluded(2) }

    MAX-ACCESS   read-create

    STATUS       current

    DESCRIPTION "Indicates whether the corresponding instances of

                 vacmViewTreeFamilySubtree and vacmViewTreeFamilyMask

                 define a family of view subtrees which is included in

                 or excluded from the MIB view.

                "

    DEFVAL      { included }

    ::= { vacmViewTreeFamilyEntry 4 }

vacmViewTreeFamilyStorageType OBJECT-TYPE

    SYNTAX       StorageType

    MAX-ACCESS   read-create

    STATUS       current

    DESCRIPTION "The storage type for this conceptual row.

                 Conceptual rows having the value 'permanent' need not

                 allow write-access to any columnar objects in the row.

                "

    DEFVAL      { nonVolatile }

    ::= { vacmViewTreeFamilyEntry 5 }

vacmViewTreeFamilyStatus OBJECT-TYPE

    SYNTAX       RowStatus

    MAX-ACCESS   read-create

    STATUS       current

    DESCRIPTION "The status of this conceptual row.

                 The  RowStatus TC [RFC2579] requires that this

                 DESCRIPTION clause states under which circumstances

                 other objects in this row can be modified:

                 The value of this object has no effect on whether

                 other objects in this conceptual row can be modified.

                "

    ::= { vacmViewTreeFamilyEntry 6 }

-- Conformance information *******************************************

vacmMIBCompliances  OBJECT IDENTIFIER ::= { vacmMIBConformance 1 }

vacmMIBGroups       OBJECT IDENTIFIER ::= { vacmMIBConformance 2 }

-- Compliance statements *********************************************

vacmMIBCompliance MODULE-COMPLIANCE

    STATUS       current

    DESCRIPTION "The compliance statement for SNMP engines which

                 implement the SNMP View-based Access Control Model

                 configuration MIB.

                "

    MODULE -- this module

        MANDATORY-GROUPS { vacmBasicGroup }

        OBJECT        vacmAccessContextMatch

        MIN-ACCESS    read-only

        DESCRIPTION  "Write access is not required."

        OBJECT        vacmAccessReadViewName

        MIN-ACCESS    read-only

        DESCRIPTION  "Write access is not required."

        OBJECT        vacmAccessWriteViewName

        MIN-ACCESS    read-only

        DESCRIPTION  "Write access is not required."

        OBJECT        vacmAccessNotifyViewName

        MIN-ACCESS    read-only

        DESCRIPTION  "Write access is not required."

        OBJECT        vacmAccessStorageType

        MIN-ACCESS    read-only

        DESCRIPTION  "Write access is not required."

        OBJECT        vacmAccessStatus

        MIN-ACCESS    read-only

        DESCRIPTION  "Create/delete/modify access to the

                      vacmAccessTable is not required.

                     "

        OBJECT        vacmViewTreeFamilyMask

        WRITE-SYNTAX  OCTET STRING (SIZE (0))

        MIN-ACCESS    read-only

        DESCRIPTION  "Support for configuration via SNMP of subtree

                      families using wild-cards is not required.

                     "

        OBJECT        vacmViewTreeFamilyType

        MIN-ACCESS    read-only

        DESCRIPTION  "Write access is not required."

        OBJECT        vacmViewTreeFamilyStorageType

        MIN-ACCESS    read-only

        DESCRIPTION  "Write access is not required."

        OBJECT        vacmViewTreeFamilyStatus

        MIN-ACCESS    read-only

        DESCRIPTION  "Create/delete/modify access to the

                      vacmViewTreeFamilyTable is not required.

                     "

    ::= { vacmMIBCompliances 1 }

-- Units of conformance **********************************************

vacmBasicGroup OBJECT-GROUP

    OBJECTS {

              vacmContextName,

              vacmGroupName,

              vacmSecurityToGroupStorageType,

              vacmSecurityToGroupStatus,

              vacmAccessContextMatch,

              vacmAccessReadViewName,

              vacmAccessWriteViewName,

              vacmAccessNotifyViewName,

              vacmAccessStorageType,

              vacmAccessStatus,

              vacmViewSpinLock,

              vacmViewTreeFamilyMask,

              vacmViewTreeFamilyType,

              vacmViewTreeFamilyStorageType,

              vacmViewTreeFamilyStatus

            }

    STATUS       current

    DESCRIPTION "A collection of objects providing for remote

                 configuration of an SNMP engine which implements

                 the SNMP View-based Access Control Model.

                "

    ::= { vacmMIBGroups 1 }

END