{
    "content": [
        {
            "type": "text",
            "text": "# snmpvacm(1) (man)\n\n**Summary:** snmpvacm - creates and maintains SNMPv3 View-based Access Control entries on a network entity\n\n**Synopsis:** snmpvacm [COMMON OPTIONS] AGENT createSec2Group MODEL SECURITYNAME  GROUPNAME\nsnmpvacm [COMMON OPTIONS] AGENT deleteSec2Group MODEL SECURITYNAME\nsnmpvacm [COMMON OPTIONS] AGENT createView [-Ce] NAME SUBTREE MASK\nsnmpvacm [COMMON OPTIONS] AGENT deleteView NAME SUBTREE\nsnmpvacm  [COMMON  OPTIONS]   AGENT  createAccess  GROUPNAME [CONTEXTPREFIX] MODEL LEVEL CON‐\nTEXTMATCH READVIEW WRITEVIEW NOTIFYVIEW\nsnmpvacm [COMMON OPTIONS]  AGENT deleteAccess GROUPNAME [CONTEXTPREFIX] MODEL LEVEL\nsnmpvacm [COMMON OPTIONS]  AGENT createAuth GROUPNAME [CONTEXTPREFIX]  MODEL  LEVEL  AUTHTYPE\nCONTEXTMATCH VIEW\nsnmpvacm [COMMON OPTIONS]  AGENT deleteAuth GROUPNAME [CONTEXTPREFIX] MODEL LEVEL AUTHTYPE\n\n## Examples\n\n- `Given a pre-existing user dave (which could be set up using the snmpusm(1) command), we could`\n- `configure full read-write access to the whole OID tree using the commands:`\n- `snmpvacm localhost createSec2Group 3 dave RWGroup`\n- `snmpvacm localhost createView   all .1 80`\n- `snmpvacm localhost createAccess  RWGroup 3 1 1 all all none`\n- `This  creates  a  new security group named \"RWGroup\" containing the SNMPv3 user \"dave\", a new`\n- `view \"all\" containing the full OID tree based on .iso(1) , and then allows those users in the`\n- `group  \"RWGroup\"  (i.e.  \"dave\") both read- and write-access to the view \"all\" (i.e. 
the full`\n- `OID tree) when using authenticated SNMPv3 requests.`\n- `As a second example, we could set up read-only access to a portion of the OID tree using the`\n- `commands:`\n- `snmpvacm localhost createSec2Group 3 wes ROGroup`\n- `snmpvacm localhost createView   sysView  system fe`\n- `snmpvacm localhost createAccess  ROGroup 3 0 1 sysView none none`\n- `This creates a new security group named \"ROGroup\" containing the (pre-existing) user \"wes\", a`\n- `new view \"sysView\" containing just the OID tree based on`\n- `.iso(1).org(3).dod(6).inet(1).mgmt(2).mib-2(1).system(1), and then allows those users in the`\n- `group \"ROGroup\" (i.e. \"wes\") read-access, but not write-access to the view \"sysView\" (i.e.`\n- `the system group).`\n\n## See Also\n\n- snmpcmd(1)\n- snmpusm(1)\n- snmpd.conf(5)\n- snmp.conf(5)\n\n## Section Outline\n\n- **NAME** (2 lines)\n- **SYNOPSIS** (12 lines)\n- **DESCRIPTION** (9 lines)\n- **SUB-COMMANDS** (177 lines)\n- **EXAMPLES** (33 lines)\n- **EXIT STATUS** (10 lines)\n- **LIMITATIONS** (13 lines)\n- **SEE ALSO** (5 lines)\n\n## Full Content\n\n### NAME\n\nsnmpvacm - creates and maintains SNMPv3 View-based Access Control entries on a network entity\n\n### SYNOPSIS\n\nsnmpvacm [COMMON OPTIONS] AGENT createSec2Group MODEL SECURITYNAME GROUPNAME\nsnmpvacm [COMMON OPTIONS] AGENT deleteSec2Group MODEL SECURITYNAME\nsnmpvacm [COMMON OPTIONS] AGENT createView [-Ce] NAME SUBTREE MASK\nsnmpvacm [COMMON OPTIONS] AGENT deleteView NAME SUBTREE\nsnmpvacm [COMMON OPTIONS] AGENT createAccess GROUPNAME [CONTEXTPREFIX] MODEL LEVEL CONTEXTMATCH READVIEW WRITEVIEW NOTIFYVIEW\nsnmpvacm [COMMON OPTIONS] AGENT deleteAccess GROUPNAME [CONTEXTPREFIX] MODEL LEVEL\nsnmpvacm [COMMON OPTIONS] AGENT createAuth GROUPNAME [CONTEXTPREFIX] MODEL LEVEL AUTHTYPE CONTEXTMATCH VIEW\nsnmpvacm [COMMON OPTIONS] AGENT deleteAuth GROUPNAME [CONTEXTPREFIX] MODEL LEVEL AUTHTYPE\n\n### DESCRIPTION\n\nsnmpvacm is
an SNMP application that can be used to do simple maintenance on the View-based\nAccess Control Model (VACM) tables of an SNMP agent. The SNMPv3 VACM specifications (see RFC 2575)\ndefine assorted tables to specify groups of users, MIB views, and authorised access settings.\nThese snmpvacm commands effectively create or delete rows in the appropriate one of these\ntables, and match the equivalent configure directives which are documented in the snmpd.conf(5)\nman page.\n\nA fuller explanation of how these operate can be found in the project FAQ.\n\n### SUB-COMMANDS\n\ncreateSec2Group MODEL SECURITYNAME GROUPNAME\nCreate an entry in the SNMPv3 security name to group table. This table allows a single\naccess control entry to be applied to a number of users (or 'principals'), and is indexed by\nthe security model and security name values.\n\nMODEL\n\nAn integer representing the security model, taking one of the following values:\n1 - reserved for SNMPv1\n2 - reserved for SNMPv2c\n3 - User-based Security Model (USM)\n\nSECURITYNAME\n\nA string representing the security name for a principal (represented in a\nsecurity-model-independent format). For USM-based requests, the security name is the same as\nthe username.\n\nGROUPNAME\n\nA string identifying the group that this entry (i.e. security name/model pair) should\nbelong to. This group name will then be referenced in the access table (see\ncreateAccess below).\n\ndeleteSec2Group MODEL SECURITYNAME\nDelete an entry from the SNMPv3 security name to group table, thus removing access control\nsettings for the given principal. The entry to be removed is indexed by the MODEL and\nSECURITYNAME values, which should match those used in the corresponding createSec2Group command\n(or equivalent).\n\ncreateView [-Ce] NAME SUBTREE MASK\nCreate an entry in the SNMPv3 MIB view table.
A MIB view consists of a family of view\nsubtrees which may be individually included in or (occasionally) excluded from the view. Each\nview subtree is defined by a combination of an OID subtree together with a bit string mask.\nThe view table is indexed by the view name and subtree OID values.\n\n[-Ce]\n\nAn optional flag to indicate that this view subtree should be excluded from the named\nview. If not specified, the default is to include the subtree in the view. When\nconstructing a view from a mixture of included and excluded subtrees, the excluded\nsubtrees should be defined first - particularly if the named view is already referenced\nin one or more access entries.\n\nNAME\n\nA string identifying a particular MIB view, of which this OID subtree/mask forms part\n(possibly the only part).\n\nSUBTREE\n\nThe OID defining the root of the subtree to add to (or exclude from) the named view.\n\nMASK\n\nA bit mask indicating which sub-identifiers of the associated subtree OID should be\nregarded as significant.\n\ndeleteView NAME SUBTREE\nDelete an entry from the SNMPv3 view table, thus removing the subtree from the given MIB\nview. Removing the final (or only) subtree will result in the deletion of the view. The\nentry to be removed is indexed by the NAME and SUBTREE values, which should match those used in\nthe corresponding createView command (or equivalent).\n\nWhen removing subtrees from a mixed view (i.e. containing both included and excluded\nsubtrees), the included subtrees should be removed first.\n\ncreateAccess GROUPNAME [CONTEXTPREFIX] MODEL LEVEL CONTEXTMATCH READVIEW WRITEVIEW NOTIFYVIEW\nCreate an entry in the SNMPv3 access table, thus allowing a certain level of access to\nparticular MIB views for the principals in the specified group (given suitable security model\nand levels in the request).
The access table is indexed by the group name, context prefix,\nsecurity model and security level values.\n\nGROUPNAME\n\nThe name of the group that this access entry applies to (as set up by a\ncreateSec2Group command, or equivalent).\n\nCONTEXTPREFIX\n\nA string representing a context name (or collection of context names) which this\naccess entry applies to. The interpretation of this string depends on the value of the\nCONTEXTMATCH field (see below).\n\nIf omitted, this will default to the null context \"\".\n\nMODEL\n\nAn integer representing the security model, taking one of the following values:\n1 - reserved for SNMPv1\n2 - reserved for SNMPv2c\n3 - User-based Security Model (USM)\n\nLEVEL\n\nAn integer representing the minimal security level, taking one of the following\nvalues:\n1 - noAuthNoPriv\n2 - authNoPriv\n3 - authPriv\n\nThis access entry will be applied to requests of this level or higher (where authPriv\nis higher than authNoPriv which is in turn higher than noAuthNoPriv).\n\nCONTEXTMATCH\n\nIndicates how to interpret the CONTEXTPREFIX value. If this field has the value '1'\n(representing 'exact') then the context name of a request must match the CONTEXTPREFIX\nvalue exactly for this access entry to be applicable to that request.\n\nIf this field has the value '2' (representing 'prefix') then the initial substring of\nthe context name of a request must match the CONTEXTPREFIX value for this access entry\nto be applicable to that request.
This provides a simple form of wildcarding.\n\nREADVIEW\n\nThe name of the MIB view (as set up by createView or equivalent) defining the MIB\nobjects for which this request may request the current values.\n\nIf there is no view with this name, then read access is not granted.\n\nWRITEVIEW\n\nThe name of the MIB view (as set up by createView or equivalent) defining the MIB\nobjects for which this request may potentially SET new values.\n\nIf there is no view with this name, then write access is not granted.\n\nNOTIFYVIEW\n\nThe name of the MIB view (as set up by createView or equivalent) defining the MIB\nobjects which may be included in a notification request.\n\nNote that this aspect of access control is not currently supported.\n\ndeleteAccess GROUPNAME [CONTEXTPREFIX] MODEL LEVEL\nDelete an entry from the SNMPv3 access table, thus removing the specified access control\nsettings. The entry to be removed is indexed by the group name, context prefix, security model\nand security level values, which should match those used in the corresponding createAccess\ncommand (or equivalent).\n\ncreateAuth GROUPNAME [CONTEXTPREFIX] MODEL LEVEL AUTHTYPE CONTEXTMATCH VIEW\nCreate an entry in the Net-SNMP extension to the standard access table, thus allowing a\ncertain type of access to the MIB view for the principals in the specified group. The\ninterpretation of GROUPNAME, CONTEXTPREFIX, MODEL, LEVEL and CONTEXTMATCH is the same as for the\ncreateAccess directive. The extension access table is indexed by the group name, context\nprefix, security model, security level and authtype values.\n\nAUTHTYPE\n\nThe style of access that this entry should be applied to.
See snmpd.conf(5) and\nsnmptrapd.conf(5) for details of valid tokens.\n\nVIEW\n\nThe name of the MIB view (as set up by createView or equivalent) defining the MIB\nobjects for which this style of access is authorized.\n\ndeleteAuth GROUPNAME [CONTEXTPREFIX] MODEL LEVEL AUTHTYPE\nDelete an entry from the extension access table, thus removing the specified access control\nsettings. The entry to be removed is indexed by the group name, context prefix, security\nmodel, security level and authtype values, which should match those used in the corresponding\ncreateAuth command (or equivalent).\n\nNote that snmpget REQUIRES an argument specifying the agent to query as described in the\nsnmpcmd(1) manual page.\n\n### EXAMPLES\n\nGiven a pre-existing user dave (which could be set up using the snmpusm(1) command), we could\nconfigure full read-write access to the whole OID tree using the commands:\n\nsnmpvacm localhost createSec2Group 3 dave RWGroup\n\nsnmpvacm localhost createView   all .1 80\n\nsnmpvacm localhost createAccess  RWGroup 3 1 1 all all none\n\nThis creates a new security group named \"RWGroup\" containing the SNMPv3 user \"dave\", a new\nview \"all\" containing the full OID tree based on .iso(1), and then allows those users in the\ngroup \"RWGroup\" (i.e. \"dave\") both read- and write-access to the view \"all\" (i.e.
the full\nOID tree) when using authenticated SNMPv3 requests.\n\nAs a second example, we could set up read-only access to a portion of the OID tree using the\ncommands:\n\nsnmpvacm localhost createSec2Group 3 wes ROGroup\n\nsnmpvacm localhost createView   sysView  system fe\n\nsnmpvacm localhost createAccess  ROGroup 3 0 1 sysView none none\n\nThis creates a new security group named \"ROGroup\" containing the (pre-existing) user \"wes\", a\nnew view \"sysView\" containing just the OID tree based on\n.iso(1).org(3).dod(6).inet(1).mgmt(2).mib-2(1).system(1), and then allows those users in the\ngroup \"ROGroup\" (i.e. \"wes\") read-access, but not write-access to the view \"sysView\" (i.e.\nthe system group).\n\n### EXIT STATUS\n\nThe following exit values are returned:\n\n0 - Successful completion\n\n1 - A usage syntax error (which displays a suitable usage message) or a request timeout.\n\n2 - An error occurred while executing the command (which also displays a suitable error\nmessage).\n\n### LIMITATIONS\n\nThis utility does not support the configuration of new community strings, so is only of use\nfor setting up new access control for SNMPv3 requests. It can be used to amend the access\nsettings for existing community strings, but not to set up new ones.\n\nThe use of numeric parameters for secLevel and contextMatch parameters is less than\nintuitive. These commands do not provide the full flexibility of the equivalent config file\ndirectives.\n\nThere is (currently) no equivalent to the one-shot configure directives rouser and rwuser.\n\n### SEE ALSO\n\nsnmpcmd(1), snmpusm(1), snmpd.conf(5), snmp.conf(5), RFC 2575, Net-SNMP project FAQ\n\nV5.9.1    05 Sep 2006    SNMPVACM(1)\n\n"
        }
    ],
    "structuredContent": {
        "command": "snmpvacm",
        "section": "1",
        "mode": "man",
        "summary": "snmpvacm - creates and maintains SNMPv3 View-based Access Control entries on a network entity",
        "synopsis": "snmpvacm [COMMON OPTIONS] AGENT createSec2Group MODEL SECURITYNAME  GROUPNAME\nsnmpvacm [COMMON OPTIONS] AGENT deleteSec2Group MODEL SECURITYNAME\nsnmpvacm [COMMON OPTIONS] AGENT createView [-Ce] NAME SUBTREE MASK\nsnmpvacm [COMMON OPTIONS] AGENT deleteView NAME SUBTREE\nsnmpvacm  [COMMON  OPTIONS]   AGENT  createAccess  GROUPNAME [CONTEXTPREFIX] MODEL LEVEL CON‐\nTEXTMATCH READVIEW WRITEVIEW NOTIFYVIEW\nsnmpvacm [COMMON OPTIONS]  AGENT deleteAccess GROUPNAME [CONTEXTPREFIX] MODEL LEVEL\nsnmpvacm [COMMON OPTIONS]  AGENT createAuth GROUPNAME [CONTEXTPREFIX]  MODEL  LEVEL  AUTHTYPE\nCONTEXTMATCH VIEW\nsnmpvacm [COMMON OPTIONS]  AGENT deleteAuth GROUPNAME [CONTEXTPREFIX] MODEL LEVEL AUTHTYPE",
        "flags": [],
        "examples": [
            "Given a pre-existing user dave (which could be set up using the snmpusm(1) command), we could",
            "configure full read-write access to the whole OID tree using the commands:",
            "snmpvacm localhost createSec2Group 3 dave RWGroup",
            "snmpvacm localhost createView   all .1 80",
            "snmpvacm localhost createAccess  RWGroup 3 1 1 all all none",
            "This  creates  a  new security group named \"RWGroup\" containing the SNMPv3 user \"dave\", a new",
            "view \"all\" containing the full OID tree based on .iso(1) , and then allows those users in the",
            "group  \"RWGroup\"  (i.e.  \"dave\") both read- and write-access to the view \"all\" (i.e. the full",
            "OID tree) when using authenticated SNMPv3 requests.",
            "As a second example, we could set up read-only access to a portion of the OID tree using  the",
            "commands:",
            "snmpvacm localhost createSec2Group 3 wes ROGroup",
            "snmpvacm localhost createView   sysView  system fe",
            "snmpvacm localhost createAccess  ROGroup 3 0 1 sysView none none",
            "This creates a new security group named \"ROGroup\" containing the (pre-existing) user \"wes\", a",
            "new     view     \"sysView\"     containing     just     the     OID     tree     based      on",
            ".iso(1).org(3).dod(6).inet(1).mgmt(2).mib-2(1).system(1) , and then allows those users in the",
            "group \"ROGroup\" (i.e. \"wes\") read-access, but not write-access to the  view  \"sysView\"  (i.e.",
            "the system group)."
        ],
        "see_also": [
            {
                "name": "snmpcmd",
                "section": "1",
                "url": "https://www.chedong.com/phpMan.php/man/snmpcmd/1/json"
            },
            {
                "name": "snmpusm",
                "section": "1",
                "url": "https://www.chedong.com/phpMan.php/man/snmpusm/1/json"
            },
            {
                "name": "snmpd.conf",
                "section": "5",
                "url": "https://www.chedong.com/phpMan.php/man/snmpd.conf/5/json"
            },
            {
                "name": "snmp.conf",
                "section": "5",
                "url": "https://www.chedong.com/phpMan.php/man/snmp.conf/5/json"
            }
        ],
        "section_outline": [
            {
                "name": "NAME",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "SYNOPSIS",
                "lines": 12,
                "subsections": []
            },
            {
                "name": "DESCRIPTION",
                "lines": 9,
                "subsections": []
            },
            {
                "name": "SUB-COMMANDS",
                "lines": 177,
                "subsections": []
            },
            {
                "name": "EXAMPLES",
                "lines": 33,
                "subsections": []
            },
            {
                "name": "EXIT STATUS",
                "lines": 10,
                "subsections": []
            },
            {
                "name": "LIMITATIONS",
                "lines": 13,
                "subsections": []
            },
            {
                "name": "SEE ALSO",
                "lines": 5,
                "subsections": []
            }
        ]
    }
}