11.0 Enabling Authorization in SNMP v1/v2c using VACL


11.1 Overview

11.2 View Based Access Support in the Agent

11.3 Details of MIB Views to Managers

11.4 Adding Mib View Access to Managers

11.5 Implementing your own View Access


11.1 Overview


For security reasons, it is valuable to restrict the access rights of some groups to only a subset of the Management information in the Management domain. To provide this capability, access to a community is via a "MIB view" which details a specific set of managed object types within that community.


For example, for a given community,  there will be one MIB view which provides access to all management information in that community, and often there will be other MIB views each of which contains some subset of the information.

So, the access allowed for a group can be restricted in the desired manner by specifying its rights, in terms of the particular (subset) MIB view it can access.


By implementing the View-based access feature, this requirement can be achieved.


Note: View-based access Control for v1/v2c Agents is given based on the Community specified in the aclTable.


11.2 View-based Access Support in the Agent


By default, v1/v2c Agents do not support View-based Access feature.


The code that gets generated in the Main file on implementing View-based. Access is given below : -


Variables Declared for View Based Access are:

// Vacl Support
private com.adventnet.snmp.snmp2.agent.VaclTable vaclTable = null;

private com.adventnet.snmp.snmp2.agent.VaclTableRequestHandler vacl = null;

Code generated for View-based Access control implementation :

vacl = new com.adventnet.snmp.snmp2.agent.VaclTable((SnmpAgent)this, "ViewAccessControlTable.xml, "xml");


11.3 Details of MIB Views to Managers


WebNMS Java Agent provides vaclTable (. to store the information of Mib views and Community in the Agent side. The vaclTable present under AGENT-SNMP-CONFIG-MIB -> agentConfigurationGroup -> v1v2Authentication module has the following columns defined in it :

11.4 Adding MIB Views for Communities


Mib Views for a specified community can be specified in the vaclTable either : (1) Before Agent Start-Up or (2) During Run time.


11.4.1 Before Agent Start-Up


To add Mib Views to a Community before Agent start-up,


Using MIB Compiler UI

Using Text File / XML File / Runtime Memory


The entries configured using MIB Compiler UI gets stored in the configuration file, ViewAccessControlTable.xml or ViewAccessControlTable.txt gets under <Agent Toolkit Home>/snmpprojects/projectname/agent/bin/conf directory. To choose the type of storage,

This file has to be edited for adding View Access to communities. The ViewAccessControlTable.xml given below has been edited for adding a new entry with Community "private" and  mibViews ".".

    i style="font-style: italic;"><?xml version="1.0" encoding="UTF-8"?>


    <column name="aclCommunity"  value="public" ></column> 
    <column name="vaclmibViews"  value=".1.3.6" ></column>
    <column name="vaclviewStatus"  value="1" ></column> 


    <column name="aclCommunity"  value="private" ></column>
    <column name="vaclmibViews"  value="." ></column>
    <column name="vaclviewStatus"  value="1" ></column> 


Please note that the Agent has to be re-started for the changes to take effect.


Run time  memory can be used to store the Manager information in the Agent Memory . Using this option will not store the entries in text files or in xml files. After choosing the storage type,  follow the steps given in adding entries "From the Manager" i.e During Runtime (11.4.2). Please note that once  the Agent is killed, the entries added are removed from the memory.


Using API Calls


Adding the code highlighted below in the Main file generated provides view access to the community xxx from the OID .

    vaclTable = new com.adventnet.snmp.snmp2.agent.VaclTable((SnmpAgent)this);


    ("public", new String[]{".1.3.6"}));


    ("xxx", new String[]{"."}));

11.4.2 During Run Time


From the Manager


To add an entry to the vaclTable from the Manager,

    // For Vacl Table Remote Configuration

    vacl = new com.adventnet.snmp.snmp2.agent.VaclTableRequestHandler((SnmpAgent)this, vaclTable);


This method has to be included in the initSnmpExtensionNodes method.


11.5 Implementing Your Own View Access


You can also define your own View Access to Managers instead of using the default View Based Access Control Table in AGENT-SNMP-CONFIG-MIB. For this purpose: - 

  1. Define a similar vaclTable in your MIB using the OBJECT TYPE TABLE construct in MIB Editor. Please refer to "Adding a Table" in Creating a MIB section for using the construct. 

  2. The OID structure of the newly defined table should be same as the vaclTable in AGENT-SNMP-CONFIG-MIB.txt after the enterprise level as . enterpriseOID.  . is a sample entry oid.

  3. Add the following piece of code above the code for restartSnmpAgent in the Main file.

setRegisteredOid(java.lang.String oid)

  1. Now, compile the code and query the Agent with your defined community and check if it has view access.

  2. You will be able to receive the response.


Copyright © 2013, ZOHO Corp. All Rights Reserved.