-- *********************************************************************
-- CISCO-COMMON-ROLES-MIB.my: Common Roles Mib
--   
-- March 2003, Vinay Gaonkar
--   
-- Copyright (c) 2003, 2008 by cisco Systems Inc.
-- All rights reserved.
--   
-- *********************************************************************

CISCO-COMMON-ROLES-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY,
    OBJECT-TYPE,
    Unsigned32
        FROM SNMPv2-SMI
    MODULE-COMPLIANCE,
    OBJECT-GROUP
        FROM SNMPv2-CONF
    RowStatus,
    TEXTUAL-CONVENTION,
    TruthValue
        FROM SNMPv2-TC
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB
    ciscoMgmt
        FROM CISCO-SMI;


ciscoCommonRolesMIB MODULE-IDENTITY
    LAST-UPDATED    "200802150000Z"
    ORGANIZATION    "Cisco Systems Inc."
    CONTACT-INFO
            "Cisco Systems
            Customer Service
            Postal: 170 W Tasman Drive
            San Jose, CA  95134
            USA
            Tel: +1 800 553 -NETS
            E-mail: cs-san@cisco.com"
    DESCRIPTION
        "MIB module for managing the common roles between
        access methods like Command Line Interface (CLI), SNMP
        and XML interfaces.
        Every user on a device is associated with a role.
        A user role defines access rights afforded to the users
        that belog to this role. A role specifies which
        commands/operations a user is able to perform on what
        information.
        SNMP uses VACM (View-based Access Control Model) group
        to define access rights. Both SNMPv1/v2c community and
        SNMPv3 user have to belong to a group in order to access
        information.
        CLI uses proprietary mechanisms to define the access
        rights. Most of them depend on the underlying operating
        system.
        Groups created from SNMP are not same as the roles
        created from CLI unless they are synchronized. In
        addition to this, views make up the roles in VACM where
        was some kind of internal rules make the roles in the
        CLI. This MIB describes a framework in which a role
        defined independent of access methods. It is up to the
        the particular access method to convert this
        framework information into the native information. For
        example, SNMP needs to convert common role framework to
        VACM.
        Note that this framework could be also used for any
        other access methods other than SNMP and CLI.
        The framework needs a list of features and list of
        operations they can support. Features provide the data
        context and are system dependent. Operations are the
        actions that can be done on the data. The role are
        defined in terms of rules. Rules are essentially access
        rights which specify if a certain operation on a feature
        is permitted or not.
        An extension to this MIB module has been defined in 
        CISCO-COMMON-ROLES-EXT-MIB to provide support for a 
        framework which has compound features, i.e., features 
        defined as group of other features, and also to 
        provide another option for how a user's access can 
        be restricted."
    REVISION        "200802150000Z"
    DESCRIPTION
        "Added two new types to commonRoleSupportedOperation.
        Added commonRoleSupportedOperation to
        ciscoCommonRolesMIBCompliance, to indicate that a device
        implementing this MIB need not support the two new types.
        Added ciscoCommonRolesExtMIBCompliance and
        ccrmConfigurationExtGroup, defining compliance is for
        entities that implement the CISCO-COMMON-ROLES-EXT-MIB"
    REVISION        "200309150000Z"
    DESCRIPTION
        "Added DEFVAL to commonRoleRuleFeatureName. Also, removed
        commonRoleRuleFeatureName from mandatory object list while
        creating row in the commonRoleRuleTable."
    REVISION        "200306300000Z"
    DESCRIPTION
        "Initial version of this MIB module."
    ::= { ciscoMgmt 361 }


ciscoCommonRolesNotifications  OBJECT IDENTIFIER
    ::= { ciscoCommonRolesMIB 0 }

ciscoCommonRolesMIBObjects  OBJECT IDENTIFIER
    ::= { ciscoCommonRolesMIB 1 }

ciscoCommonRolesMIBConformance  OBJECT IDENTIFIER
    ::= { ciscoCommonRolesMIB 2 }

ccrInfo  OBJECT IDENTIFIER
    ::= { ciscoCommonRolesMIBObjects 1 }

ccrRoleConfig  OBJECT IDENTIFIER
    ::= { ciscoCommonRolesMIBObjects 2 }

ccrRuleConfig  OBJECT IDENTIFIER
    ::= { ciscoCommonRolesMIBObjects 3 }


-- Textual Conventions

CommonRoleOperation ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "Operations allowed for a common role.
        clear  - Clear operation
        config - Config/Set operation
        debug  - Debug operation
        show   - Show/Get operation
        exec   - Exec/Set Operation

        Note that if an operation is not supported by an access
        method, then it does not apply to that access method."
    SYNTAX          INTEGER  {
                        clear(1),
                        config(2),
                        debug(3),
                        show(4),
                        exec(5)
                    }
-- commonRoleFeatureTable

commonRoleFeatureTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CommonRoleFeatureEntry 
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table lists all the features and the operations
        supported by the features on the system."
    ::= { ccrInfo 1 }

commonRoleFeatureEntry OBJECT-TYPE
    SYNTAX          CommonRoleFeatureEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An entry (conceptual row) in the
        commonRoleFeatureTable containing information about
        features and the operations supported by each of the
        features."
    INDEX           { commonRoleFeatureIndex } 
    ::= { commonRoleFeatureTable 1 }

CommonRoleFeatureEntry ::= SEQUENCE {
        commonRoleFeatureIndex     Unsigned32,
        commonRoleFeatureName      SnmpAdminString,
        commonRoleFeatureOperation CommonRoleOperation
}

commonRoleFeatureIndex OBJECT-TYPE
    SYNTAX          Unsigned32 (1..4294967295 )
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An arbitrary index for this entry." 
    ::= { commonRoleFeatureEntry 1 }

commonRoleFeatureName OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE  (1..32))
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Name of the feature. For example, strings like 'ip',
        'snmp-server' and 'vsan' are valid feature names." 
    ::= { commonRoleFeatureEntry 2 }

commonRoleFeatureOperation OBJECT-TYPE
    SYNTAX          CommonRoleOperation
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The operation associated with this feature." 
    ::= { commonRoleFeatureEntry 3 }
 

-- commonRoleSupportedOperTable

commonRoleSupportedOperTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CommonRoleSupportedOperEntry 
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table lists all the access methods supported on
        device and the operations supported by each of the
        access methods.
        The operations listed in CommonRoleOperation may not
        be supported by all the access methods. For example,
        suppose that in the future, a new operation 'create' is
        added to CommonRoleOperation. CLI may not support it;
        but may be supported by XML. So this operation would not
        apply to CLI. This table captures the supported
        operations for each of the access methods."
    ::= { ccrInfo 2 }

commonRoleSupportedOperEntry OBJECT-TYPE
    SYNTAX          CommonRoleSupportedOperEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An entry (conceptual row) in the
        commonRoleSupportedOperTable which lists the operations
        supported by the local device for a particular access
        method."
    INDEX           { commonRoleAccessMethod } 
    ::= { commonRoleSupportedOperTable 1 }

CommonRoleSupportedOperEntry ::= SEQUENCE {
        commonRoleAccessMethod       INTEGER ,
        commonRoleSupportedOperation BITS
}

commonRoleAccessMethod OBJECT-TYPE
    SYNTAX          INTEGER  {
                        cli(1),
                        snmp(2)
                    }
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Access method supported on this system." 
    ::= { commonRoleSupportedOperEntry 1 }

commonRoleSupportedOperation OBJECT-TYPE
    SYNTAX          BITS {
                        clear(0),
                        config(1),
                        debug(2),
                        show(3),
                        exec(4),
                        read(5),
                        readWrite(6)
                    }
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Operations supported by the access method.
        clear     - Clear operation
        config    - Config/Set operation
        debug     - Debug operation
        show      - Show/Get operation
        exec      - Exec/Set Operation
        read      - Read operation
        readWrite - Read/Write operation
        ." 
    ::= { commonRoleSupportedOperEntry 2 }
 


-- commonRoleMaxRoles

commonRoleMaxRoles OBJECT-TYPE
    SYNTAX          Unsigned32 (1..65535 )
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Maximum number of common roles that can be configured
        this device. i.e., the maximum number of entries in the
        commonRoleTable." 
    ::= { ccrRoleConfig 1 }
-- commonRoleTable

commonRoleTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CommonRoleEntry 
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table lists all the common roles configured on this
        device.Common roles are the user roles which are common
        across SNMP and CLI."
    ::= { ccrRoleConfig 2 }

commonRoleEntry OBJECT-TYPE
    SYNTAX          CommonRoleEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An entry (conceptual row) in the commonRoleTable."
    INDEX           { commonRoleName } 
    ::= { commonRoleTable 1 }

CommonRoleEntry ::= SEQUENCE {
        commonRoleName             SnmpAdminString,
        commonRoleDescription      SnmpAdminString,
        commonRoleScopeRestriction INTEGER ,
        commonRoleScope1           OCTET STRING,
        commonRoleScope2           OCTET STRING,
        commonRoleRowStatus        RowStatus
}

commonRoleName OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE  (1..16))
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Name of the common role." 
    ::= { commonRoleEntry 1 }

commonRoleDescription OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE  (0..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "Description of the common role."
    DEFVAL          { ''H } 
    ::= { commonRoleEntry 2 }

commonRoleScopeRestriction OBJECT-TYPE
    SYNTAX          INTEGER  {
                        none(1),
                        vsan(2)
                    }
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object indicates if there is a scope restriction
        for this role.

        If the value of this object is 'none', then there no
        scope restriction.

        If it is 'vsan', the two objects commonRoleScope1 and
        commonRoleScope2 provide the list of Virtual Storage
        Area Networks (VSANs) which this role can access. The
        object commonRoleScope1 provides list of VSANs from 0
        through 2047 and commonRoleScope2 provides from 2048
        through 4095. Each octet within the value of the the two
        objects specifies a set of eight VSANs. The first octet
        specifies VSANs 0 through 7 for commonRoleScope1 and
        VSANs 2048 through 2054 for commonRoleScope2. Similarly,
        the second octet specifies VSANs 8 through 15 and VSANs
        2055 through 2062 for commonRoleScope2, etc. Within each
        octet, the most significant bit represents the lowest
        numbered VSAN, and the least significant bit represents
        the highest numbered VSAN. Thus, each VSAN, is
        represented by a single bit within the value of this
        object. A role can access a VSAN  if and only if that bit
        has a value of '1'. If these objects have a value which
        are less than 256 bytes long, then the VSANs which are
        not represented are not considered to be in these list.
        If both the scope objects are zero-length strings, then
        this role can not access any VSANs if this object is
        `vsan'. The role can access all the VSANs if the this
        object is 'none'. Also, both commonRoleScope1 and
        commonRoleScope2 are invalid if this object is 'none'.

        Other means of restricting the scope of a role can be
        defined in the future by extending this object with
        additional enumerations.  Each such addition will
        define the restriction and any parameters it might
        have, which might or might not be specified via the
        corresponding values of commonRoleScope1 and
        commonRoleScope2."
    DEFVAL          { none } 
    ::= { commonRoleEntry 3 }

commonRoleScope1 OBJECT-TYPE
    SYNTAX          OCTET STRING
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object provides the scope for the role. The actual
        meaning of this object depends the value of
        commonRoleScopeRestriction and is defined in that
         object."
    DEFVAL          { ''H } 
    ::= { commonRoleEntry 4 }

commonRoleScope2 OBJECT-TYPE
    SYNTAX          OCTET STRING
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object provides the scope for the role. The actual
        meaning of this object depends the value of
        commonRoleScopeRestriction and is defined in that
         object."
    DEFVAL          { ''H } 
    ::= { commonRoleEntry 5 }

commonRoleRowStatus OBJECT-TYPE
    SYNTAX          RowStatus
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "Status of this role." 
    ::= { commonRoleEntry 6 }
 


-- commonRoleMaxRulesPerRole

commonRoleMaxRulesPerRole OBJECT-TYPE
    SYNTAX          Unsigned32 (1..65535 )
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Maximum number of rules that can be configured for a
        role." 
    ::= { ccrRuleConfig 1 }
-- commonRoleRuleTable

commonRoleRuleTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CommonRoleRuleEntry 
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table lists all the rules configured for roles
        defined in the commonRoleTable. Each rule defines a
        feature and related access-level which provides either
        permit or deny access to the feature information.

        Entries in this table are also created/deleted using
        commonRoleRuleRowStatus.

        A row in this table cannot be made 'active' until a
        value is explicitly provided for that row's instances
        of following objects :
        - commonRoleRuleOperation

        Also, the following objects cannot be modified when
        'commonRoleRuleRowStatus' is 'active' :
        - commonRoleRuleFeatureName
        - commonRoleRuleOperation
        - commonRoleRuleOperPermitted

        To modify the above objects, the entry must be deleted
        and re-created with new value of above objects."
    ::= { ccrRuleConfig 2 }

commonRoleRuleEntry OBJECT-TYPE
    SYNTAX          CommonRoleRuleEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An entry (conceptual row) in the commonRoleRuleTable."
    INDEX           {
                        commonRoleName,
                        commonRoleRuleIndex
                    } 
    ::= { commonRoleRuleTable 1 }

CommonRoleRuleEntry ::= SEQUENCE {
        commonRoleRuleIndex         Unsigned32,
        commonRoleRuleFeatureName   SnmpAdminString,
        commonRoleRuleOperation     CommonRoleOperation,
        commonRoleRuleOperPermitted TruthValue,
        commonRoleRuleRowStatus     RowStatus
}

commonRoleRuleIndex OBJECT-TYPE
    SYNTAX          Unsigned32 (1..4294967295 )
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A sequential number starting from 1, and less than or
        equal to commonRoleMaxRulesPerRole, which identifies a
        rule." 
    ::= { commonRoleRuleEntry 1 }

commonRoleRuleFeatureName OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE  (0..32))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "Name of the feature.
        If this is a zero-length string, then this rule applies
        to all the features supported on the system as
        enumerated in commonRoleFeatureTable."
    DEFVAL          { ''H } 
    ::= { commonRoleRuleEntry 2 }

commonRoleRuleOperation OBJECT-TYPE
    SYNTAX          CommonRoleOperation
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The operation permitted for this rule." 
    ::= { commonRoleRuleEntry 3 }

commonRoleRuleOperPermitted OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object tells if the operation
        `commonRoleRuleOperation' is permitted on the  feature
        `commonRoleFeatureName'. The operation is permitted if
        the value of this object is `true'.
        If the value of the object is 'false', the operation is
        not permitted."
    DEFVAL          { true } 
    ::= { commonRoleRuleEntry 4 }

commonRoleRuleRowStatus OBJECT-TYPE
    SYNTAX          RowStatus
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "Status of this rule." 
    ::= { commonRoleRuleEntry 5 }
 

-- Conformance

ciscoCommonRolesMIBCompliances  OBJECT IDENTIFIER
    ::= { ciscoCommonRolesMIBConformance 1 }

ciscoCommonRolesMIBGroups  OBJECT IDENTIFIER
    ::= { ciscoCommonRolesMIBConformance 2 }


ciscoCommonRolesMIBCompliance MODULE-COMPLIANCE
    STATUS          current
    DESCRIPTION
        "The compliance statement for entities which
        implement the CISCO-COMMON-ROLES-MIB (but not
        the CISCO-COMMON-ROLES-EXT-MIB)."
    MODULE          -- this module
    MANDATORY-GROUPS { ccrmConfigurationGroup }

    OBJECT          commonRoleRowStatus
    SYNTAX          INTEGER  {
                        active(1),
                        createAndGo(4),
                        destroy(6)
                    }
    DESCRIPTION
        "Only 'createAndGo', 'destroy' and 'active' need to be
        supported."

    OBJECT          commonRoleSupportedOperation
    SYNTAX          BITS {
                        clear(0),
                        config(1),
                        debug(2),
                        show(3),
                        exec(4)
                    }
    DESCRIPTION
        "Only 'clear', 'config', 'debug', 'show' and 'exec'
        need to be supported."
    ::= { ciscoCommonRolesMIBCompliances 1 }

ciscoCommonRolesExtMIBCompliance MODULE-COMPLIANCE
    STATUS          current
    DESCRIPTION
        "The compliance statement for entities that
        implement the CISCO-COMMON-ROLES-EXT-MIB."
    MODULE          -- this module
    MANDATORY-GROUPS { ccrmConfigurationExtGroup }
    ::= { ciscoCommonRolesMIBCompliances 2 }

-- Units of Conformance

ccrmConfigurationGroup OBJECT-GROUP
    OBJECTS         {
                        commonRoleFeatureName,
                        commonRoleFeatureOperation,
                        commonRoleSupportedOperation,
                        commonRoleMaxRoles,
                        commonRoleDescription,
                        commonRoleScopeRestriction,
                        commonRoleScope1,
                        commonRoleScope2,
                        commonRoleRowStatus,
                        commonRoleMaxRulesPerRole,
                        commonRoleRuleFeatureName,
                        commonRoleRuleOperation,
                        commonRoleRuleOperPermitted,
                        commonRoleRuleRowStatus
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects for Common Roles
        configuration."
    ::= { ciscoCommonRolesMIBGroups 1 }

ccrmConfigurationExtGroup OBJECT-GROUP
    OBJECTS         {
                        commonRoleMaxRoles,
                        commonRoleSupportedOperation,
                        commonRoleMaxRulesPerRole
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects for Common Roles configuration
        that need to be implemented by a device when the device
        implements the CISCO-COMMON-ROLES-EXT-MIB."
    ::= { ciscoCommonRolesMIBGroups 2 }

END

