SNMP access to security objects, without full 'rwa'

dursly

Post by dursly »

I need to access OIDs in the tmnxSecurityObjects tree. Is this possible without setting full 'rwa' access on the SNMP community?
Just adding a view include for a community with only 'r' access doesn't seem to be enough.
mivens

Re: SNMP access to security objects, without full 'rwa'

Post by mivens »

That's correct, from the System Management Guide:

"• r — Grants only read access to objects in the MIB, except security objects.
• rw — Grants read and write access to all objects in the MIB, except security.
• rwa — Grants read and write access to all objects in the MIB, including security."

If you look at "show system security access-group" you'll see that snmp-ro and snmp-rw have a default view "no-security" associated with them.

You could define your own view similar to the default "no-security" one with access to the SecurityObjects tree and use an access-group to associate it with a usm-security community.

Or for a minimal example:

configure system security snmp view "tmnxSecurityObjects-view" subtree "1.3.6.1.4.1.6527.3.1.2.22"
configure system security snmp access group "tmnxSecurityObjects-group" security-model snmpv2c security-level no-auth-no-privacy read "tmnxSecurityObjects-view"
configure system security snmp usm-community foo group "tmnxSecurityObjects-group"

$ snmpbulkwalk -v2c -cfoo 10.10.10.10 tmnxSecurityObjects | head
TIMETRA-SECURITY-MIB::tmnxUserProfileRowStatus."default" = INTEGER: active(1)
TIMETRA-SECURITY-MIB::tmnxUserProfileRowStatus."administrative" = INTEGER: active(1)
....
....
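
The view scoping described in the reply above, as an added example that is not part of the original post or of the router's software: a simplified VACM-style view check (longest matching subtree decides, as in RFC 3415, with family masks omitted) to audit what a view exposes. The "no-security"-like view and the sample OIDs under the Nokia subtree are constructed for illustration and are not the router's actual default definition.

```python
# Added example: simplified VACM view check (RFC 3415 semantics, masks omitted).
TMNX_SECURITY_OBJECTS = "1.3.6.1.4.1.6527.3.1.2.22"  # subtree used in the post


def parse_oid(text):
    """Split a dotted OID into integer sub-identifiers."""
    return tuple(int(part) for part in text.strip(".").split("."))


def in_view(oid, view):
    """Return True if `oid` is readable through `view`.

    `view` is a list of (subtree, included) pairs. The longest subtree that
    is a prefix of the OID decides; no matching subtree means not in view.
    Comparison is per sub-identifier, so ...2.22 never matches ...2.221.
    """
    target = parse_oid(oid)
    best_len, allowed = -1, False
    for subtree, included in view:
        prefix = parse_oid(subtree)
        if target[:len(prefix)] == prefix and len(prefix) > best_len:
            best_len, allowed = len(prefix), included
    return allowed


# The view from the post: one included subtree and nothing else.
SECURITY_ONLY_VIEW = [(TMNX_SECURITY_OBJECTS, True)]

# Constructed stand-in for a "no-security"-style view (assumption, see lead-in).
NO_SECURITY_LIKE_VIEW = [("1", True), (TMNX_SECURITY_OBJECTS, False)]

# Constructed sample OIDs to probe each view.
SAMPLE_OIDS = {
    "sysDescr.0": "1.3.6.1.2.1.1.1.0",
    "security subtree child": TMNX_SECURITY_OBJECTS + ".1.1.1",
    "sibling subtree": "1.3.6.1.4.1.6527.3.1.2.21.1",
}


def audit(view):
    """Map each sample OID name to whether the view exposes it."""
    return {name: in_view(oid, view) for name, oid in SAMPLE_OIDS.items()}


if __name__ == "__main__":
    for label, view in (("security-only", SECURITY_ONLY_VIEW),
                        ("no-security-like", NO_SECURITY_LIKE_VIEW)):
        print(label, audit(view))
```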
dursly

Re: SNMP access to security objects, without full 'rwa'

Post by dursly »

Thanks a lot for the info!