RE: New Issue: MGMT-00 -command privilege levels
Greg Weber writes...
> From section 4:
> "The local application of the Management-Policy-Id within the managed
> entity may take the form of (a) one of an enumeration of command
> privilege levels, ..."
> The draft does not currently describe valid values for the case when
> Management-Policy-Id is supposed to represent a privilege level.
> The excerpt above mentions an enumeration; the attribute value is
> later defined as type Text.
Yes. We've just been discussing this same issue in the context of review
comments from Dave Harrington.
> Requested change:
> I would suggest removing references to command privilege levels and
> let the NASes map Management-Policy-Id based on what functionality is
> locally supported. Privilege level (if supported on the client) may
> be one of many types of local policy, e.g. time of day restrictions on
> command execution. I don't think we want to address all these, do we?
> In the excerpted sentence, I think (a) is just a subset of (c).
There are at least a couple of ways to resolve this. One is to do as you
suggest and remove the text that talks about privilege levels in terms of
the Management-Policy-Id attribute, and leave it at that. The approach that
I've proposed in the other thread is to add an explicit attribute to convey
an Integer-valued management privilege level, given that this construct
seems fairly popular and widely deployed.
Is there a good reason that we should avoid an explicit attribute to cover
this common use case?
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
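To make the Text-versus-Integer point in the thread concrete, here is an added example (not code from the draft, the list, or either poster) of how a NAS might have to treat the two designs. A RADIUS attribute is a one-octet type, a one-octet length and a value; a Text value is free-form UTF-8 that the NAS can only map by string lookup against a local table, while an Integer value is a fixed 32-bit unsigned number that can be range-checked directly. The attribute type numbers, the local policy names, the 0..15 privilege range and the rule that an explicit privilege attribute takes precedence are all assumptions made for this illustration, not values taken from the draft.

```python
"""Added example: encoding/decoding RADIUS attributes of type Text and
Integer, and a NAS-side resolver that maps them to a local privilege level.
Attribute type numbers, policy names and the privilege range are assumptions
for illustration only, not values from the draft under discussion."""
import struct

# Hypothetical attribute type numbers (assumption, not from the draft text).
MANAGEMENT_POLICY_ID = 135        # type Text (free-form UTF-8 string)
MANAGEMENT_PRIVILEGE_LEVEL = 136  # type Integer (32-bit unsigned)

# Constructed local NAS policy table: names are local and arbitrary.
LOCAL_POLICY_TABLE = {"read-only": 1, "operator": 7, "admin": 15}
MAX_PRIVILEGE_LEVEL = 15  # assumption: platform supports levels 0..15


def encode_text_attr(attr_type, text):
    """Type, length, UTF-8 value; RADIUS values are 1..253 octets."""
    value = text.encode("utf-8")
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_integer_attr(attr_type, value):
    """Type, length 6, 32-bit unsigned big-endian value."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("RADIUS Integer is a 32-bit unsigned value")
    return struct.pack("!BBI", attr_type, 6, value)


def decode_attrs(data):
    """Walk a sequence of AVPs, returning [(type, raw_value), ...].
    Rejects truncated headers and lengths that run past the buffer."""
    attrs, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("!BB", data, offset)
        if length < 2 or offset + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[offset + 2:offset + length]))
        offset += length
    return attrs


def resolve_privilege(attrs):
    """Return the privilege level the NAS should apply, or None when the
    attributes carry nothing the NAS can safely map (fail closed).

    Assumed precedence: an explicit Integer privilege attribute is used
    first because it can be validated directly; otherwise the Text policy
    id is looked up in the local table, and an unknown string maps to None
    rather than to a guessed level."""
    for attr_type, raw in attrs:
        if attr_type == MANAGEMENT_PRIVILEGE_LEVEL:
            if len(raw) != 4:
                raise ValueError("Integer attribute must be 4 octets")
            (level,) = struct.unpack("!I", raw)
            return level if level <= MAX_PRIVILEGE_LEVEL else None
    for attr_type, raw in attrs:
        if attr_type == MANAGEMENT_POLICY_ID:
            try:
                policy = raw.decode("utf-8")
            except UnicodeDecodeError:
                return None
            return LOCAL_POLICY_TABLE.get(policy)  # unknown text -> None
    return None


if __name__ == "__main__":
    # Constructed Access-Accept attribute payloads.
    by_integer = encode_integer_attr(MANAGEMENT_PRIVILEGE_LEVEL, 15)
    by_text = encode_text_attr(MANAGEMENT_POLICY_ID, "operator")
    unmapped = encode_text_attr(MANAGEMENT_POLICY_ID, "level-15")
    print(resolve_privilege(decode_attrs(by_integer)))  # 15
    print(resolve_privilege(decode_attrs(by_text)))     # 7
    print(resolve_privilege(decode_attrs(unmapped)))    # None
```

The string "level-15" is the failure mode Greg's comment points at: with a Text attribute the server and NAS must agree out of band on what strings mean, and anything not in the local table has to be treated as unmapped rather than parsed as a number. The Integer attribute removes that ambiguity but still needs the local range check, since the wire format allows values far beyond what a given platform supports.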