
Re: ????: a question about Management Authorization -01 document



On Wed, Dec 19, 2007 at 10:46:36AM +0800, li chunxiu wrote:

> Here is a situation:
> 1. NETCONF access, defined by a policy:
>       *  Service-Type (6) = Framed-Management (xx)
>       *  Framed-Management-Protocol (xx) = NETCONF(3)
>       *  Management-Policy-Id (xx) = " Read-only group1"
> 2. NETCONF access, defined by a policy:
>       *  Service-Type (6) = Framed-Management (xx)
>       *  Framed-Management-Protocol (xx) = NETCONF(3)
>       *  Management-Policy-Id (xx) = "group1 Read-only"
> 3. NETCONF access, defined by a policy, with the Management-Privilege-Level
> attribute:
>       *  Service-Type (6) = Framed-Management (xx)
>       *  Framed-Management-Protocol (xx) = NETCONF(3)
>       *  Management-Policy-Id (xx) = "group1 "
>       *  Management-Privilege-Level (xx) = 15 
> Comment: 15 denotes Read-only
>          16 denotes create  ... ...
> I think the 3rd example, using the Management-Privilege-Level attribute,
> clarifies the usage of the Management-Privilege-Level attribute.
> What is your opinion?

Since NETCONF right now does not have a defined access control system,
the discussion is kind of pointless since implementations can do
whatever they like. That said, let me say that I personally find a
combination of Management-Policy-Id and Management-Privilege-Level
somewhat strange.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
