CISCO-COMMON-ROLES-EXT-MIB: View SNMP OID List / Download MIB

A MIB Module for managing the roles that are common between access methods like Command Line Interface (CLI), SNMP and XML interface. This MIB is an extension to the CISCO-COMMON-ROLES-MIB, which is for managing Common Roles on a device with fixed feature. Terminology: Commands are the basic operations that can be performed on a device. For example 'show aaa *', 'clear aaa *', 'config t; ip arp *'. Commands can be organized into groups called Features. Features can be organized into groups called Feature Groups. The constituents of a Feature (i.e. Commands) and the constituents of a Feature Group (i.e. Features) are collectively referred to as Feature Elements. This MIB extends the CISCO-COMMON-ROLES-MIB by adding the following. Features can be organized into groups called feature groups. Access privileges can be assigned to feature group(s) associated with a Role. The five access privileges (clear, config, debug, show & exec) are replaced by two access privileges ('read' and 'readWrite'). These two privileges have no relation to the replaced five privileges. The types of objects to which access can be restricted is extended to include VLANs and Interfaces. A device implementing this MIB need not implement CISCO-COMMON-ROLES-MIB.

This table lists all the features and feature groups configured on a device. For each feature it lists all the command(s) contained in the feature. For each feature groups it lists all the features contained in the group. A feature element is either a feature or a feature group. A device may have some predefined features which may not be editable by a user. In addition, a device may allow a user to define new feature group. A device implementing this MIB need not implement the objects that form a conceptual row in the 'commonRolesFeatureTable' table defined in the CISCO-COMMON-ROLES MIB. The entries in this table are persistent across device reboots.

An entry (conceptual row) in the ccreFeatureElementTable. Each row in this table represents an element (command or a feature) contained in a feature or a feature group. For example a 'radius' feature that contains three commands - 'radius-server', 'radius-cfs' and 'aaa group server radius', this table will have three entries, one each for the three commands. ccreFeatureName ccreFeatureIndex ccreFeatureElementName 'radius' 1 'radius-server' 'radius' 2 'radius-cfs' 'radius' 3 'aaa group server radius' 'arp' 1 'show arp' 'arp' 2 'clear ip arp'

Identifies the feature or the feature group for which this entry represents an element. This object is the same as the commonRoleFeatureName.

An index value for this element which uniquely distinguishes it from all other elements of same feature.

Name of the feature element represented by this row.

An indication of the type of element represented by this row. When this field has the value 'command', this row represents a command name. When this field has the value 'feature', this row represents a feature name. This field must have the value 'none' when a feature could not otherwise be represented in this table because the feature does not yet have any elements defined for it. When features are added to an empty feature-group, the row with element type 'none' is still maintained in this table. Deleting this row (with type as 'none') will delete the feature group and all other rows representing relationship between this feature group and its members. A feature should have at least one element, whereas a feature-group may have zero or more entries. All entries in this table are persistent across device reboots Enumeration: 'none': 3, 'command': 1, 'feature': 2.

Status of this row.

This table lists all the common roles configured on this device. Common roles are the user roles which are common across SNMP and CLI. A device implementing this MIB need not implement the objects that form a conceptual row in the 'commonRoleTable' defined in the CISCO-COMMON-ROLES MIB. This table and the 'commonRoleTable' table both have one entry per Role defined on the device. However unlike the 'commonRoleTable', this table does not contain any scope restriction information. The scope restriction information instead is contained in the 'ccreRoleScopeTable' Table. If a device implements this this table along with 'commonRoleTable' a row existing in 'commonRoleTable' should also exist in this table and vice versa. All entries in this table are persistent across device reboots.

An entry (conceptual row) in the ccreRoleTable. One entry per role defined on the device.

Name of the common role. This is same as commonRoleName.

Description of the common role. This is same as commonRoleDescription.

Defines the default access to the resources to which access can be controlled. vsan(0) Bit value of 0 indicates that the user has access to no VSANs. However a user can be selectively assigned access to VSANs and each such accessible VSAN will have an entry in the 'ccreRoleScopeTable'. Bit value of 1 indicates that the user has access to all VSANs. In this case there are no VSAN entries in the 'ccreRoleScopeTable'. Setting the bit to 1 results in deletion of all VSAN entries from the ccreRoleScopeTable, for the role identified by 'ccreRoleName'. vlan(1) Bit value of 0 indicates that the user has access to no VLANs. However a user can be selectively assigned access to VLANs and each such accessible VLAN will have an entry in the 'ccreRoleScopeTable'. Bit value of 1 indicates that the user has access to all VLANs. In this case there are no VLAN entries in the 'ccreRoleScopeTable'. Setting the bit to 1 results in deletion of all VLAN entries from the ccreRoleScopeTable, for the role identified by 'ccreRoleName'. interface(2) Bit value of 0 indicates that the user has access to no Interfaces. However a user can be selectively assigned access to interfaces and each such accessible interface will have an entry in the 'ccreRoleScopeTable'. Bit value of 1 indicates that the user has access to all interfaces. In this case there are no interface entries in the 'ccreRoleScopeTable'. Setting the bit to 1 results in deletion of all interface entries from the ccreRoleScopeTable, for the role identified by 'ccreRoleName'. For example a role which has access to all VSANs, all VLANs and no Interface will have this field set as - - - |0|1|1| - - -

Status of this role.

This table lists the resources to which a user belonging to a role can access. A role may be restricted from accessing various resources of a device. This table lists the resources that a role can access. If for a role there is no entry in this table, then restriction, if any, is determined by the ccrePermitAllPolicies object in the ccreRoleTable. Each resource (VSAN, VLAN or Interface) to which a role has access to, has a separate entry in the table. For e.g. if a role has access to VLAN 1, 2, 6 and 7; VSAN 2, 5 and 8 and interface 2/1 and 2/3, this table will have 9 entries, 4 for VSANs, 3 for VLANs and 2 for Interfaces. Entries in this table can be created/deleted using ccreRoleScopeRowStatus. The table provides the same information as 'commonRoleScopeRestriction', 'commonRoleScope1' and 'commonRoleScope2' but in a different way. The object 'commonRoleScope1' and 'commonRoleScope2' are 256*8 bit mask with each bit representing a VLAN. 'commonRoleScope1' identifies VLANS 1 to 2048 whereas 'commonRoleScope2' identifies VLANS 2049 to 4096. In this table, there is a separate entry for each VSAN, along with separate entry for each VLAN and Interface to which a role has access. The purpose of this table is to remove the limit of 4096 that are supported by 'commonRoleTable'. All entries in this table are persistent across device reboots

An entry (conceptual row) in the ccreRoleScopeTable. There is one entry for each different scope value of a Role. If a Role 'R1' is defined to have scope on VSAN-1, VSAN-2, VLAN-1, VLAN#, Interface fc1/1 and fc1/2, then there will be six entries for role 'R1' in this table, one each for VSAN-1, VSAN2, VLAN-1, VLAN-1, fc1/1 and fc1/2.

An index value for this entry which uniquely distinguishes it from all other entries for same Role.

This object indicates the type of the scope restriction about which the information is provided by row. Enumeration: 'interface': 3, 'vlan': 2, 'vsan': 1.

This object identifies the resource this role can access. If the value of 'ccreRoleScopeRestriction' is 'vsan' or 'vlan', this object specifies the Id (which is a number) of the VSAN/VLAN. If the value of 'ccreRoleScopeRestriction' is 'interface', this object specifies the IfIndex of the interface.

Status of this scope restriction entry.

This table lists all the rules configured for roles defined in the ccreRoleTable. Each rule defines the access (permit/deny) allowed to a particular command, feature or a feature group. Entries in this table are also created/deleted using ccreRuleRowStatus. A row in this table cannot be made 'active' until a value is explicitly provided for that row's instances of following objects : - ccreRuleOperation If ccreRuleFeatureElementName is a command, then - ccreRuleOperation is not needed to be set A device implementing this MIB need not implement the objects that form a conceptual row in the 'commonRuleRoleTable' table, which is defined in the CISCO-COMMON-ROLES-MIB. There is no relation between the rows in 'commonRuleRoleTable' and this table as both define different operation types. Each table can have rows with no corresponding rows in other table. All entries in this table are persistent across device reboots

An entry (conceptual row) in the ccreRuleRuleTable. There is one entry for each Rule contained in a Role. For eg. if a Role 'R1' has 6 rules, there will be six entries for Role 'R1'.

A unique index for a rule in a particular role. The rule are applied according to their rule number, i.e. Rule 1 will be the first rule applied followed by Rule 2 and so on. Rule numbers need not be contiguous, for e.g. a Role can have three rule numbered 1, 4 & 7. Further when a new rule is added to this Role it can be rule number 2 or 5 or 9 (any number other than 1, 4 and 7).

Name of the command or feature or feature group. If this is a zero-length string, then this rule applies to all the features supported on the device as enumerated in commonRoleFeatureTable.

Specifies the type of entry (command or feature or feature group) as specified by the object ccreRuleFeatureElementName Enumeration: 'all': 4, 'command': 1, 'feature': 2, 'featureGroup': 3.

The operation for this rule.

This object tells if the operation `ccreRuleOperation' is permitted or denied. The operation is permitted if the value of this object is `true'. If the value of the object is 'false', the operation is not permitted.

Status of this rule.

The compliance statement for entities which implement the CISCO-COMMON-ROLES-EXT-MIB.

A collection of objects for Common Roles Extention configuration.