
Reply: a question about Management Authorization -01 document



> > I agree with the point of view of a local policy named "read-only-group1"
> > and another named "read-write-group1".
> > If the Access Control is mainly done in NAS, the Access Control policy in
> > Radius may be very simple, and the pattern of "read-only-group1" is ok.
> > If the Radius needs to participate in the Access Control, there may be some
> > complicated policies. If the policies are too complicated to be expressed in
> > one Management-Policy-Id, which expression is better? Will the policies be
> > separated to several parts in each Management-Policy-Id within each
> > Access-Accept? And these parts will be composed to be whole policies in the
> > NAS to accomplish the Access Control, right?
> 
> Section 4 defines the purpose and scope of the access control policy
> attributes. In particular, note that the Management-Policy-Id and
> Management-Privilege-Level attributes are not meant to carry access
> control rules; they merely identify which locally known access control
> rules to apply.

Thank you for clarifying these two concepts.
But in the SNMP/Netconf Access Control process, there are 3 entities: agent,
NAS and Radius server. Could you please explain how to define the "local
scope" concept?
Thanks,
Li chunxiu 


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>