Access Privileges for an SNMP Group

SNMP version 3 (SNMPv3) uses the view-based access control model (VACM), which allows you to configure the access privileges granted to a group. You can control the access by filtering the MIB objects available for a specific operation through a predefined view. You assign views to determine the objects that are visible for read, write, and notify operations for a particular group, using a particular context, a particular security model (v1, v2c, or usm), and a particular security level (authenticated, privacy, or none). For information about how to configure views, see Configure MIB Views.

You define user access to management information at the [edit snmp v3 vacm] hierarchy level. All access control within VACM operates on groups, which are collections of users as defined by USM, or community strings as defined in the SNMPv1 and SNMPv2c security models.

The term security-name refers to these generic end users. The group to which a specific security name belongs is configured at the [edit snmp v3 vacm security-to-group] hierarchy level. A group identifies a collection of SNMP users that share the same access policy. You then define the access privileges associated with a group at the [edit snmp v3 vacm access] hierarchy level, using views. For each group, you can apply different views depending on the SNMP operation (read: get, getNext, or getBulk; write: set; or notify), the security level used (authentication, privacy, or none), and the security model (v1, v2c, or usm) used within an SNMP request.

You configure members of a group with the security-name statement. For v3 packets using USM, the security name is the same as the username. For SNMPv1 or SNMPv2c packets, the security name is determined based on the community string. Security names are specific to a security model. If you are also configuring VACM access policies for SNMPv1 or SNMPv2c packets, you must assign security names to groups for each security model (SNMPv1 or SNMPv2c) at the [edit snmp v3 vacm security-to-group] hierarchy level. You must also associate a security name with an SNMP community at the [edit snmp v3 snmp-community community-index] hierarchy level.

To configure the access privileges for an SNMP group, include statements at the [edit snmp v3 vacm] hierarchy level. For more information about this statement, see vacm.

Configure the Access Privileges Granted to a Group

Configure the Group

To configure the access privileges granted to a group, include the group statement at the [edit snmp v3 vacm access] hierarchy level:

group-name identifies a collection of SNMP users that share a common access policy. Users belonging to a particular SNMP group inherit all access privileges granted to that group.

Configure the Security Model

To configure the security model, include the security-model statement at the [edit snmp v3 vacm access group group-name (default-context-prefix | context-prefix context-prefix)] hierarchy level:

  • any—Any security model

  • usm—SNMPv3 security model

  • v1—SNMPv1 security model

  • v2c—SNMPv2c security model

Configure the Security Level

To configure the access privileges granted to packets with a particular security level, include the security-level statement at the [edit snmp v3 vacm access group group-name (default-context-prefix | context-prefix context-prefix) security-model (any | usm | v1 | v2c)] hierarchy level:

  • none—Provides no authentication and no encryption.

  • authentication—Provides authentication but no encryption.

  • privacy—Provides authentication and encryption.

You can grant access privileges to all packets with a security level equal to or greater than that configured. If you are configuring the SNMPv1 or SNMPv2c security model, use none as your security level. If you are configuring the SNMPv3 security model (USM), use the authentication, none, or privacy security level.

Associate MIB Views with an SNMP User Group

MIB views define access privileges for members of a group. You can apply separate views for each SNMP operation (read, write, and notify) within each security model (usm, v1, and v2c) and each security level (authentication, none, and privacy) supported by SNMP.

To associate MIB views with an SNMP user group, include the following statements at the [edit snmp v3 vacm access group group-name (default-context-prefix | context-prefix context-prefix) security-model (any | usm | v1 | v2c) security-level (authentication | none | privacy)] hierarchy level. For more information about this statement, see access (SNMP).

You must associate at least one view (notify, read, or write) at the [edit snmp v3 vacm access group group-name (default-context-prefix | context-prefix context-prefix) security-model (any | usm | v1 | v2c) security-level (authentication | none | privacy)] hierarchy level.

You must configure the MIB view at the [edit snmp view view-name] hierarchy level. For information about how to configure MIB views, see Configure MIB Views.

Configure the Notify View

To associate notify access with an SNMP user group, include the notify-view statement at the [edit snmp v3 vacm access group group-name (default-context-prefix | context-prefix context-prefix) security-model (any | usm | v1 | v2c) security-level (authentication | none | privacy)] hierarchy level. For more information about this statement, see notify-view.

view-name specifies the notify access, which is a list of notifications that can be sent to each user in an SNMP group. A view name cannot exceed 32 characters.

Configure the Read View

To associate a read view with an SNMP group, include the read-view statement at the [edit snmp v3 vacm access group group-name (default-context-prefix | context-prefix context-prefix) security-model (any | usm | v1 | v2c) security-level (authentication | none | privacy)] hierarchy level. For more information about this statement, see read-view.

view-name specifies read access for an SNMP user group. A view name cannot exceed 32 characters.

Configure the Write View

To associate a write view with an SNMP user group, include the write-view statement at the [edit snmp v3 vacm access group group-name (default-context-prefix | context-prefix context-prefix) security-model (any | usm | v1 | v2c) security-level (authentication | none | privacy)] hierarchy level. For more information about this statement, see write-view.

view-name specifies write access for an SNMP user group. A view name cannot exceed 32 characters.

Example: Configure the Access Privileges Granted to a Group

Define access privileges:
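The following stanza is an added example (not the page's own listing) of the [edit snmp v3 vacm access] configuration described above. The group name ops-group, the view names all-mib, jnx-private and ifmib-only, and the OID ranges in those views are assumptions chosen for this example. It applies the "equal to or greater than" rule from the security-level section: USM requests at the authentication level get read-only access, USM requests at the privacy level additionally get write access to a narrow view, and SNMPv2c requests (which can only use security-level none) are confined to a small read-only view.

```junos
snmp {
    /* Views referenced by the access entries below (assumed names). */
    view all-mib {
        oid .1 include;                       /* entire MIB tree */
    }
    view jnx-private {
        oid .1.3.6.1.4.1.2636 include;        /* Juniper enterprise subtree only */
    }
    view ifmib-only {
        oid .1.3.6.1.2.1.2 include;           /* interfaces group (IF-MIB) */
    }
    v3 {
        vacm {
            access {
                group ops-group {
                    default-context-prefix {
                        security-model usm {
                            /* Matches authNoPriv and authPriv requests: read only. */
                            security-level authentication {
                                read-view all-mib;
                                notify-view all-mib;
                            }
                            /* Matches authPriv requests only: read everything,
                               but write only inside the enterprise subtree. */
                            security-level privacy {
                                read-view all-mib;
                                write-view jnx-private;
                                notify-view all-mib;
                            }
                        }
                        security-model v2c {
                            /* v1/v2c requests carry no authentication, so the
                               only valid level is none; keep the view minimal. */
                            security-level none {
                                read-view ifmib-only;
                            }
                        }
                    }
                }
            }
        }
    }
}
```

Because an entry applies to every request at its own level or higher, a USM user sending an authPriv request is matched by the privacy entry and receives write access, while the same user sending authNoPriv is matched only by the authentication entry and cannot issue a set. No write-view is defined for the v2c entry, so set requests arriving with a community string are rejected regardless of which view is readable.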

Assign Security Model and Security Name to a Group

To assign security names to groups, include the following statements at the [edit snmp v3 vacm security-to-group] hierarchy level. For more information about this statement, see security-model (Group).

Configure the Security Model

To configure the security model, include the security-model statement at the [edit snmp v3 vacm security-to-group] hierarchy level:

  • usm—SNMPv3 security model

  • v1—SNMPv1 security model

  • v2c—SNMPv2c security model

Assign Security Names to Groups

To associate a security name with an SNMPv3 user, or with an SNMPv1 or SNMPv2c community string, include the security-name statement at the [edit snmp v3 vacm security-to-group security-model (usm | v1 | v2c)] hierarchy level:

For SNMPv3, the security-name is the username configured at the [edit snmp v3 usm local-engine user username] hierarchy level. For SNMPv1 and SNMPv2c, the security name is the community string configured at the [edit snmp v3 snmp-community community-index] hierarchy level. For information about configuring usernames, see Create SNMPv3 Users. For information about configuring a community string, see Configure SNMPv3 Community.

Note:

The USM security name is separate from the SNMPv1 and SNMPv2c security name. If you support SNMPv1 and SNMPv2c in addition to SNMPv3, you must configure separate security names within the security-to-group configuration at the [edit snmp v3 vacm access] hierarchy level.

Configure the Group

After you have created SNMPv3 users, or SNMPv1 or SNMPv2c security names, you associate them with a group. A group is a set of security names belonging to a particular security model. A group defines the access rights for all users belonging to it. Access rights define which SNMP objects users can read, write to, or create. A group also defines the notifications a user can receive.

If you already have a group that is configured with all the view and access permissions that you want to give a user, you can add the user to that group. If you want to give a user view and access permissions that no other groups have, or if you do not have any groups configured, create a group, and add the user to it.

To configure the access privileges granted to a group, include the group statement at the [edit snmp v3 vacm security-to-group security-model (usm | v1 | v2c) security-name security-name] hierarchy level. For more information about this statement, see group (Defining Access Privileges for an SNMPv3 Group).

Example: Security Group Configuration

Assign security names to groups:
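The following stanza is an added example (not the page's own listing) of the security-to-group configuration described in this section, together with the user and community definitions that the security names refer to. The user name ops-admin, the community index and name, the security name monitor-ro, the group name ops-group and the password placeholders are all assumptions for this example. It shows the point made in the note above: the USM security name (the username) and the v2c security name (taken from the community) are separate objects and are mapped to the group under separate security-model entries, even though they end up in the same group.

```junos
snmp {
    v3 {
        usm {
            local-engine {
                /* SNMPv3 user; its username doubles as the USM security name. */
                user ops-admin {
                    authentication-sha {
                        authentication-password "<auth-password-placeholder>";
                    }
                    privacy-aes128 {
                        privacy-password "<priv-password-placeholder>";
                    }
                }
            }
        }
        /* Community definition for v1/v2c requests: the community string is
           mapped to a security name that VACM can then place in a group. */
        snmp-community monitor-index {
            community-name "<community-string-placeholder>";
            security-name monitor-ro;
        }
        vacm {
            security-to-group {
                /* USM security name: the SNMPv3 username above. */
                security-model usm {
                    security-name ops-admin {
                        group ops-group;
                    }
                }
                /* v2c security name: the one attached to the community above.
                   It must be mapped separately from the USM name even when
                   both belong to the same group. */
                security-model v2c {
                    security-name monitor-ro {
                        group ops-group;
                    }
                }
            }
        }
    }
}
```

If the same community should also be accepted from SNMPv1 managers, a third mapping under security-model v1 with the same security-name and group is required; the v2c mapping alone does not cover v1 requests. The group named here must also have entries at the [edit snmp v3 vacm access] hierarchy level, otherwise its members match no view and every request is denied.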