CISCO-COMMON-ROLES-EXT-MIB

File: CISCO-COMMON-ROLES-EXT-MIB.mib (30078 bytes)

Imported modules

SNMPv2-SMI SNMPv2-CONF SNMPv2-TC
SNMP-FRAMEWORK-MIB CISCO-COMMON-ROLES-MIB CISCO-SMI

Imported symbols

MODULE-IDENTITY OBJECT-TYPE Unsigned32
Integer32 MODULE-COMPLIANCE OBJECT-GROUP
RowStatus TEXTUAL-CONVENTION TruthValue
SnmpAdminString ccrmConfigurationExtGroup ciscoMgmt

Defined Types

CcreOperation  
Privileges allowed for a common role. read - Read operation. readWrite - Read-Write operation. Note that if a privilege is not supported by an access method, then it does not apply to that access method. These privileges are not related to the privileges defined in 'CommonRoleOperation'.
TEXTUAL-CONVENTION    
  INTEGER read(1), readWrite(2)  

CcreResourceAccess  
A user can be restricted from accessing resources, in addition to being restricted from performing certain operations. For example, a user assigned a role can be restricted from accessing all VLANs configured on the device except VLAN 1 and 4, or a user can be allowed to access all VSANs configured on the device except VSAN 5 and 10, or a user can be allowed to access Interface 1, 5, 10, 15 and 20 and restricted from accessing all other interfaces. This bit mask lists the types of resources to which user access can be controlled.
vsan(0): Bit value of 0 indicates that the user has access to no VSANs. However, a user can be selectively assigned access to VSANs, and each such accessible VSAN will have an entry in the 'ccreRoleScopeTable'. Bit value of 1 indicates that the user has access to all VSANs. In this case there are no VSAN entries in the 'ccreRoleScopeTable'. Setting the bit to 1 results in deletion of all VSAN entries from the ccreRoleScopeTable, for the role identified by 'ccreRoleName'.
vlan(1): Bit value of 0 indicates that the user has access to no VLANs. However, a user can be selectively assigned access to VLANs, and each such accessible VLAN will have an entry in the 'ccreRoleScopeTable'. Bit value of 1 indicates that the user has access to all VLANs. In this case there are no VLAN entries in the 'ccreRoleScopeTable'. Setting the bit to 1 results in deletion of all VLAN entries from the ccreRoleScopeTable, for the role identified by 'ccreRoleName'.
interface(2): Bit value of 0 indicates that the user has access to no interfaces. However, a user can be selectively assigned access to interfaces, and each such accessible interface will have an entry in the 'ccreRoleScopeTable'. Bit value of 1 indicates that the user has access to all interfaces. In this case there are no interface entries in the 'ccreRoleScopeTable'. Setting the bit to 1 results in deletion of all interface entries from the ccreRoleScopeTable, for the role identified by 'ccreRoleName'.
TEXTUAL-CONVENTION    
  BITS vsan(0), vlan(1), interface(2)  

CcreFeatureElementEntry  
SEQUENCE    
  ccreFeatureName SnmpAdminString
  ccreFeatureElementIndex Unsigned32
  ccreFeatureElementName SnmpAdminString
  ccreFeatureElementType INTEGER
  ccreFeatureRowStatus RowStatus

CcreRoleEntry  
SEQUENCE    
  ccreRoleName SnmpAdminString
  ccreRoleDescription SnmpAdminString
  ccreRoleResourceAccess CcreResourceAccess
  ccreRoleRowStatus RowStatus

CcreRoleScopeEntry  
SEQUENCE    
  ccreRoleScopeIndex Unsigned32
  ccreRoleScopeRestriction INTEGER
  ccreRoleScopeValue Integer32
  ccreRoleScopeRowStatus RowStatus

CcreRuleEntry  
SEQUENCE    
  ccreRuleNumber Unsigned32
  ccreRuleFeatureElementName SnmpAdminString
  ccreRuleFeatureElementType INTEGER
  ccreRuleOperation CcreOperation
  ccreRuleOperationPermitted TruthValue
  ccreRuleRowStatus RowStatus

Defined Values

ciscoCommonRolesExtMIB 1.3.6.1.4.1.9.9.651
A MIB Module for managing the roles that are common between access methods like Command Line Interface (CLI), SNMP and XML interface. This MIB is an extension to the CISCO-COMMON-ROLES-MIB, which is for managing Common Roles on a device with fixed feature. Terminology: Commands are the basic operations that can be performed on a device. For example 'show aaa *', 'clear aaa *', 'config t; ip arp *'. Commands can be organized into groups called Features. Features can be organized into groups called Feature Groups. The constituents of a Feature (i.e. Commands) and the constituents of a Feature Group (i.e. Features) are collectively referred to as Feature Elements. This MIB extends the CISCO-COMMON-ROLES-MIB by adding the following. Features can be organized into groups called feature groups. Access privileges can be assigned to feature group(s) associated with a Role. The five access privileges (clear, config, debug, show & exec) are replaced by two access privileges ('read' and 'readWrite'). These two privileges have no relation to the replaced five privileges. The types of objects to which access can be restricted is extended to include VLANs and Interfaces. A device implementing this MIB need not implement CISCO-COMMON-ROLES-MIB.
MODULE-IDENTITY    

ciscoCommonRolesExtNotifications 1.3.6.1.4.1.9.9.651.0
OBJECT IDENTIFIER    

ciscoCommonRolesExtMIBObjects 1.3.6.1.4.1.9.9.651.1
OBJECT IDENTIFIER    

ciscoCommonRolesExtMIBConformance 1.3.6.1.4.1.9.9.651.2
OBJECT IDENTIFIER    

ccreInfo 1.3.6.1.4.1.9.9.651.1.1
OBJECT IDENTIFIER    

ccreRoleConfig 1.3.6.1.4.1.9.9.651.1.2
OBJECT IDENTIFIER    

ccreRuleConfig 1.3.6.1.4.1.9.9.651.1.3
OBJECT IDENTIFIER    

ccreFeatureElementTable 1.3.6.1.4.1.9.9.651.1.1.1
This table lists all the features and feature groups configured on a device. For each feature it lists all the command(s) contained in the feature. For each feature group it lists all the features contained in the group. A feature element is either a feature or a feature group. A device may have some predefined features which may not be editable by a user. In addition, a device may allow a user to define new feature groups. A device implementing this MIB need not implement the objects that form a conceptual row in the 'commonRolesFeatureTable' table defined in the CISCO-COMMON-ROLES MIB. The entries in this table are persistent across device reboots.
Status: current Access: not-accessible
OBJECT-TYPE    
  SEQUENCE OF  
    CcreFeatureElementEntry

ccreFeatureElementEntry 1.3.6.1.4.1.9.9.651.1.1.1.1
An entry (conceptual row) in the ccreFeatureElementTable. Each row in this table represents an element (command or a feature) contained in a feature or a feature group. For example, for a 'radius' feature that contains three commands - 'radius-server', 'radius-cfs' and 'aaa group server radius' - this table will have three entries, one each for the three commands.
  ccreFeatureName  ccreFeatureIndex  ccreFeatureElementName
  'radius'         1                 'radius-server'
  'radius'         2                 'radius-cfs'
  'radius'         3                 'aaa group server radius'
  'arp'            1                 'show arp'
  'arp'            2                 'clear ip arp'
Status: current Access: not-accessible
OBJECT-TYPE    
  CcreFeatureElementEntry  

ccreFeatureName 1.3.6.1.4.1.9.9.651.1.1.1.1.1
Identifies the feature or the feature group for which this entry represents an element. This object is the same as the commonRoleFeatureName.
Status: current Access: not-accessible
OBJECT-TYPE    
  SnmpAdminString Size(1..32)  

ccreFeatureElementIndex 1.3.6.1.4.1.9.9.651.1.1.1.1.2
An index value for this element which uniquely distinguishes it from all other elements of same feature.
Status: current Access: not-accessible
OBJECT-TYPE    
  Unsigned32 1..4294967295  

ccreFeatureElementName 1.3.6.1.4.1.9.9.651.1.1.1.1.3
Name of the feature element represented by this row.
Status: current Access: read-create
OBJECT-TYPE    
  SnmpAdminString Size(1..32)  

ccreFeatureElementType 1.3.6.1.4.1.9.9.651.1.1.1.1.4
An indication of the type of element represented by this row. When this field has the value 'command', this row represents a command name. When this field has the value 'feature', this row represents a feature name. This field must have the value 'none' when a feature could not otherwise be represented in this table because the feature does not yet have any elements defined for it. When features are added to an empty feature-group, the row with element type 'none' is still maintained in this table. Deleting this row (with type as 'none') will delete the feature group and all other rows representing the relationship between this feature group and its members. A feature should have at least one element, whereas a feature-group may have zero or more entries. All entries in this table are persistent across device reboots.
Status: current Access: read-create
OBJECT-TYPE    
  INTEGER command(1), feature(2), none(3)  

ccreFeatureRowStatus 1.3.6.1.4.1.9.9.651.1.1.1.1.5
Status of this row.
Status: current Access: read-create
OBJECT-TYPE    
  RowStatus  

ccreRoleTable 1.3.6.1.4.1.9.9.651.1.2.2
This table lists all the common roles configured on this device. Common roles are the user roles which are common across SNMP and CLI. A device implementing this MIB need not implement the objects that form a conceptual row in the 'commonRoleTable' defined in the CISCO-COMMON-ROLES MIB. This table and the 'commonRoleTable' table both have one entry per Role defined on the device. However, unlike the 'commonRoleTable', this table does not contain any scope restriction information. The scope restriction information is instead contained in the 'ccreRoleScopeTable' table. If a device implements this table along with 'commonRoleTable', a row existing in 'commonRoleTable' should also exist in this table and vice versa. All entries in this table are persistent across device reboots.
Status: current Access: not-accessible
OBJECT-TYPE    
  SEQUENCE OF  
    CcreRoleEntry

ccreRoleEntry 1.3.6.1.4.1.9.9.651.1.2.2.1
An entry (conceptual row) in the ccreRoleTable. One entry per role defined on the device.
Status: current Access: not-accessible
OBJECT-TYPE    
  CcreRoleEntry  

ccreRoleName 1.3.6.1.4.1.9.9.651.1.2.2.1.1
Name of the common role. This is same as commonRoleName.
Status: current Access: not-accessible
OBJECT-TYPE    
  SnmpAdminString Size(1..16)  

ccreRoleDescription 1.3.6.1.4.1.9.9.651.1.2.2.1.2
Description of the common role. This is same as commonRoleDescription.
Status: current Access: read-create
OBJECT-TYPE    
  SnmpAdminString Size(0..64)  

ccreRoleResourceAccess 1.3.6.1.4.1.9.9.651.1.2.2.1.3
Defines the default access to the resources to which access can be controlled.
vsan(0): Bit value of 0 indicates that the user has access to no VSANs. However, a user can be selectively assigned access to VSANs, and each such accessible VSAN will have an entry in the 'ccreRoleScopeTable'. Bit value of 1 indicates that the user has access to all VSANs. In this case there are no VSAN entries in the 'ccreRoleScopeTable'. Setting the bit to 1 results in deletion of all VSAN entries from the ccreRoleScopeTable, for the role identified by 'ccreRoleName'.
vlan(1): Bit value of 0 indicates that the user has access to no VLANs. However, a user can be selectively assigned access to VLANs, and each such accessible VLAN will have an entry in the 'ccreRoleScopeTable'. Bit value of 1 indicates that the user has access to all VLANs. In this case there are no VLAN entries in the 'ccreRoleScopeTable'. Setting the bit to 1 results in deletion of all VLAN entries from the ccreRoleScopeTable, for the role identified by 'ccreRoleName'.
interface(2): Bit value of 0 indicates that the user has access to no interfaces. However, a user can be selectively assigned access to interfaces, and each such accessible interface will have an entry in the 'ccreRoleScopeTable'. Bit value of 1 indicates that the user has access to all interfaces. In this case there are no interface entries in the 'ccreRoleScopeTable'. Setting the bit to 1 results in deletion of all interface entries from the ccreRoleScopeTable, for the role identified by 'ccreRoleName'.
For example, a role which has access to all VSANs, all VLANs and no Interface will have this field set as
   - - -
  |0|1|1|
   - - -
Status: current Access: read-create
OBJECT-TYPE    
  CcreResourceAccess  

ccreRoleRowStatus 1.3.6.1.4.1.9.9.651.1.2.2.1.4
Status of this role.
Status: current Access: read-create
OBJECT-TYPE    
  RowStatus  

ccreRoleScopeTable 1.3.6.1.4.1.9.9.651.1.2.3
This table lists the resources that a user belonging to a role can access. A role may be restricted from accessing various resources of a device. This table lists the resources that a role can access. If for a role there is no entry in this table, then restriction, if any, is determined by the ccrePermitAllPolicies object in the ccreRoleTable. Each resource (VSAN, VLAN or Interface) to which a role has access has a separate entry in the table. For example, if a role has access to VLAN 1, 2, 6 and 7; VSAN 2, 5 and 8 and interface 2/1 and 2/3, this table will have 9 entries, 4 for VSANs, 3 for VLANs and 2 for Interfaces. Entries in this table can be created/deleted using ccreRoleScopeRowStatus. The table provides the same information as 'commonRoleScopeRestriction', 'commonRoleScope1' and 'commonRoleScope2' but in a different way. The objects 'commonRoleScope1' and 'commonRoleScope2' are 256*8 bit masks with each bit representing a VLAN. 'commonRoleScope1' identifies VLANs 1 to 2048 whereas 'commonRoleScope2' identifies VLANs 2049 to 4096. In this table, there is a separate entry for each VSAN, along with a separate entry for each VLAN and Interface to which a role has access. The purpose of this table is to remove the limit of 4096 that are supported by 'commonRoleTable'. All entries in this table are persistent across device reboots.
Status: current Access: not-accessible
OBJECT-TYPE    
  SEQUENCE OF  
    CcreRoleScopeEntry

ccreRoleScopeEntry 1.3.6.1.4.1.9.9.651.1.2.3.1
An entry (conceptual row) in the ccreRoleScopeTable. There is one entry for each different scope value of a Role. If a Role 'R1' is defined to have scope on VSAN-1, VSAN-2, VLAN-1, VLAN#, Interface fc1/1 and fc1/2, then there will be six entries for role 'R1' in this table, one each for VSAN-1, VSAN2, VLAN-1, VLAN-1, fc1/1 and fc1/2.
Status: current Access: not-accessible
OBJECT-TYPE    
  CcreRoleScopeEntry  

ccreRoleScopeIndex 1.3.6.1.4.1.9.9.651.1.2.3.1.1
An index value for this entry which uniquely distinguishes it from all other entries for same Role.
Status: current Access: not-accessible
OBJECT-TYPE    
  Unsigned32 1..4294967295  

ccreRoleScopeRestriction 1.3.6.1.4.1.9.9.651.1.2.3.1.2
This object indicates the type of the scope restriction about which the information is provided by this row.
Status: current Access: read-create
OBJECT-TYPE    
  INTEGER vsan(1), vlan(2), interface(3)  

ccreRoleScopeValue 1.3.6.1.4.1.9.9.651.1.2.3.1.3
This object identifies the resource this role can access. If the value of 'ccreRoleScopeRestriction' is 'vsan' or 'vlan', this object specifies the Id (which is a number) of the VSAN/VLAN. If the value of 'ccreRoleScopeRestriction' is 'interface', this object specifies the IfIndex of the interface.
Status: current Access: read-create
OBJECT-TYPE    
  Integer32 1..2147483647  

ccreRoleScopeRowStatus 1.3.6.1.4.1.9.9.651.1.2.3.1.4
Status of this scope restriction entry.
Status: current Access: read-create
OBJECT-TYPE    
  RowStatus  
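
The interaction between ccreRoleResourceAccess and the ccreRoleScopeTable described above can be checked offline when auditing role definitions. The following Python sketch is an added example, not part of the MIB or of any Cisco tooling: it assumes the rows have already been collected (for instance from an SNMP walk) and passed in as plain Python values, it relies on the SMIv2 rule that bit 0 of a BITS value is the high-order bit of the first octet, and the role names and ids in it are constructed.

```python
# Added audit helper for ccreRoleResourceAccess and ccreRoleScopeTable rows.
# Inputs are assumed to be pre-collected; all sample values are constructed.

# Bit positions of the CcreResourceAccess BITS type.
RESOURCE_BITS = {"vsan": 0, "vlan": 1, "interface": 2}
# Enumeration of ccreRoleScopeRestriction.
SCOPE_TYPES = {1: "vsan", 2: "vlan", 3: "interface"}

def decode_resource_access(octets: bytes) -> dict:
    """Decode a BITS value; SMIv2 puts bit 0 in the high-order bit of octet 0."""
    access = {}
    for name, bit in RESOURCE_BITS.items():
        index, offset = divmod(bit, 8)
        octet = octets[index] if index < len(octets) else 0  # short value: bit is 0
        access[name] = bool(octet & (0x80 >> offset))
    return access

def effective_scope(access_octets: bytes, scope_rows):
    """Combine one role's access bits with its (restriction, value) scope rows.

    Returns (scope, findings): scope maps each resource type to "ALL" or a
    sorted list of permitted ids; findings lists inconsistencies to review.
    """
    all_access = decode_resource_access(access_octets)
    listed = {name: set() for name in RESOURCE_BITS}
    findings = []
    for restriction, value in scope_rows:
        kind = SCOPE_TYPES.get(restriction)
        if kind is None:
            findings.append(f"unknown ccreRoleScopeRestriction value {restriction}")
        else:
            listed[kind].add(value)
    scope = {}
    for kind in RESOURCE_BITS:
        if all_access[kind]:
            scope[kind] = "ALL"
            if listed[kind]:  # the MIB says setting the bit deletes these rows
                findings.append(f"{kind}: all-access bit set but scope rows exist")
        else:
            scope[kind] = sorted(listed[kind])
    return scope, findings

if __name__ == "__main__":
    # Constructed sample: role name -> (BITS octets, scope rows).
    roles = {
        "storage-ops": (b"\x00", [(1, 2), (1, 5), (1, 8)]),
        "net-admin": (b"\xc0", []),
        "stale": (b"\x40", [(2, 10), (3, 100)]),
    }
    for name, (bits, rows) in roles.items():
        print(name, *effective_scope(bits, rows))
```

A type reported as "ALL" means the role is unrestricted for that resource class, which is the first thing to review for roles that are meant to be scoped.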

ccreRuleTable 1.3.6.1.4.1.9.9.651.1.3.2
This table lists all the rules configured for roles defined in the ccreRoleTable. Each rule defines the access (permit/deny) allowed to a particular command, feature or a feature group. Entries in this table are also created/deleted using ccreRuleRowStatus. A row in this table cannot be made 'active' until a value is explicitly provided for that row's instances of the following objects:
  - ccreRuleOperation
If ccreRuleFeatureElementName is a command, then
  - ccreRuleOperation is not needed to be set
A device implementing this MIB need not implement the objects that form a conceptual row in the 'commonRuleRoleTable' table, which is defined in the CISCO-COMMON-ROLES-MIB. There is no relation between the rows in 'commonRuleRoleTable' and this table as both define different operation types. Each table can have rows with no corresponding rows in the other table. All entries in this table are persistent across device reboots.
Status: current Access: not-accessible
OBJECT-TYPE    
  SEQUENCE OF  
    CcreRuleEntry

ccreRuleEntry 1.3.6.1.4.1.9.9.651.1.3.2.1
An entry (conceptual row) in the ccreRuleTable. There is one entry for each Rule contained in a Role. For example, if a Role 'R1' has 6 rules, there will be six entries for Role 'R1'.
Status: current Access: not-accessible
OBJECT-TYPE    
  CcreRuleEntry  

ccreRuleNumber 1.3.6.1.4.1.9.9.651.1.3.2.1.1
A unique index for a rule in a particular role. The rules are applied according to their rule number, i.e. Rule 1 will be the first rule applied, followed by Rule 2 and so on. Rule numbers need not be contiguous; for example, a Role can have three rules numbered 1, 4 & 7. Further, when a new rule is added to this Role it can be rule number 2 or 5 or 9 (any number other than 1, 4 and 7).
Status: current Access: not-accessible
OBJECT-TYPE    
  Unsigned32 1..256  

ccreRuleFeatureElementName 1.3.6.1.4.1.9.9.651.1.3.2.1.2
Name of the command or feature or feature group. If this is a zero-length string, then this rule applies to all the features supported on the device as enumerated in commonRoleFeatureTable.
Status: current Access: read-create
OBJECT-TYPE    
  SnmpAdminString Size(0..32)  

ccreRuleFeatureElementType 1.3.6.1.4.1.9.9.651.1.3.2.1.3
Specifies the type of entry (command or feature or feature group) as specified by the object ccreRuleFeatureElementName.
Status: current Access: read-create
OBJECT-TYPE    
  INTEGER command(1), feature(2), featureGroup(3), all(4)  

ccreRuleOperation 1.3.6.1.4.1.9.9.651.1.3.2.1.4
The operation for this rule.
Status: current Access: read-create
OBJECT-TYPE    
  CcreOperation  

ccreRuleOperationPermitted 1.3.6.1.4.1.9.9.651.1.3.2.1.5
This object tells if the operation 'ccreRuleOperation' is permitted or denied. The operation is permitted if the value of this object is 'true'. If the value of the object is 'false', the operation is not permitted.
Status: current Access: read-create
OBJECT-TYPE    
  TruthValue  

ccreRuleRowStatus 1.3.6.1.4.1.9.9.651.1.3.2.1.6
Status of this rule.
Status: current Access: read-create
OBJECT-TYPE    
  RowStatus  

ccreMIBCompliances 1.3.6.1.4.1.9.9.651.2.1
OBJECT IDENTIFIER    

ccreMIBGroups 1.3.6.1.4.1.9.9.651.2.2
OBJECT IDENTIFIER    

ccreMIBCompliance 1.3.6.1.4.1.9.9.651.2.1.1
The compliance statement for entities which implement the CISCO-COMMON-ROLES-EXT-MIB.
Status: current Access: read-only
MODULE-COMPLIANCE    

ccreConfigurationGroup 1.3.6.1.4.1.9.9.651.2.2.1
A collection of objects for Common Roles Extension configuration.
Status: current Access: read-only
OBJECT-GROUP