Simple Network Protocol Management (SNMP) provides a simple protocol for managing devices in a network. FIG. 1 illustrates a network management station 120 communicating with agents 124 in managed devices 126 via an SNMP protocol. The network management station 120 executes network management applications 122 that monitor and control the managed devices 126. The interface 128 allows users 130, such as network administrators, to access the network management station 120.
The managed devices 126 have agents 124, which are typically software modules that collect and store management information and provide an interface between the network management station 120 and the managed device(s) 126. The network management station 120 and the agents 124 communicate via a simple set of commands and employ a Management Information Sase (MIS) 132. A MIS 132 describes various managed objects associated with its managed device 126. To retrieve or modify information, the network management station 120 sends a request to the managed device 126, identifying a managed object in the MIS 132.
Principals may make requests to access the managed objects via the network management station. A principal may be a user acting in a particular role, a set of users each acting in a particular role, an application, a set of applications, or a combination of these. SNMP has an access control mechanism that controls the access privileges a principal has to managed objects. For example, one principal may only have read access to certain managed objects, while another principal may have read/write access to those managed objects. Furthermore, access control may be used in connection with SNMP notification messages.
SNMP has a specification for an engine that comprises an access control subsystem that checks whether a specific type of access (e.g., read, write, notify) to a particular managed object (instance) is allowed. The access control subsystem may use an access control model that specifies sets of access control rules that pertain to respective groups of principals. In the SNMP viewbased access control model (VACM), a group is a set of principals that have certain access privileges to managed objects. In an SNMP view-based access control model, the combination of a securityModel and a securityName maps to at most one group. A securityName is the principal on whose behalf access is requested and a securityModel is a security model under which access is requested. Some SNMP access control models are known as “view-based.” However, other than “view-based” models are contemplated.
The relative simplicity of SNMP has led to its proliferation. However, SNMP's simplicity constrains its flexibility and functionality. For example, an ultimate determination of access to a managed object may involve additional factors to those already discussed, including: securityLevel (Level of Security under which access is requested), viewType (view to be checked (read, write or notify)), contextName (context in which access is requested), and variableName (object instance to which access is requested). Because many factors are involved in determining access to a managed object in a networked device, it would be possible for complexity to increase greatly if individual portions of the overall process are made even slightly more complex. Moreover, it is difficult to foresee where a benefit of adding complexity to the process may outweigh a cost of the added complexity.
Therefore, it would be desirable to have a method and system for management of networked devices that is simple and flexible. It would be advantageous if this method and system were compatible with an SNMP protocol.