[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: snmpconf General Functional Questions

All we're trying to do is make sure that when operators override a
policy that they do so deliberately. Access control is not the 
right tool to accomplish this.

If every operator has some more restrictive "root" priveleges and all
objects require this new privelege, nothing has changed from an access
control perspective and the same mistakes will be made.

And administering fine-grained access control to restrict only those
objects currently under policy control is a nightmare.


Jon Saperia wrote:
> on 07/06/2000 5:23 PM, Steve Waldbusser at waldbusser@nextbeacon.com wrote:
> > All I want is for the field engineer to have to do something special
> > to override a policy. Shouldn't he at least know that he has done
> > something significant? Wouldn't it be good if he was thus encouraged
> > to think twice? Wouldn't it be good if he was encouraged to mention it
> > to the network architect? ("hey, I needed to disable the blah policy
> > on trunk 7 last night because it was interacting poorly with the
> > backup circuit").
> >
> > My proposal is that he issue 2 commands rather than one. The first
> > disables the policy on the interface and the second is a normal
> > SNMP set that makes the change.
> Steve, I am in agreement with your concern. I think we can accomplish this
> without having to issue two commands though. You gave the example of not
> running as 'root' to avoid making mistakes - most of us have learned that
> lesson. My point is that the access/change of policy is an operational
> policy (forgive the pun) decision. If a system is under policy control,
> access to the MIB tree that contains everything except the policy objects,
> should be quite restricted. The operator would then have to use the root
> password to make the changes. This is analogous to 'su root' make all your
> changes and exit. Your preference would be to have the person 'sudo change
> 1', 'sudo change2' etc. In our case the equivalent of the sudo is to make
> the explicit something special you suggest.