Dear NETMOD WG,

I have just completed my YD LC review of draft-ietf-i2nsf-consumer-facing-interface-dm-07. The module authors propose a management access control model that builds on NACM concepts, but adds functionality that may be controversial. I would therefore like to give this heads-up to all interested in NACM-related topics to participate in the LC discussion for this module.

Very briefly, this is what is proposed: The module is about managing enterprise security equipment on a service model level, i.e. policies are configured and an orchestrator will have to figure out how to translate this into security device level changes. This service module has a list of policies, each of which contains a list of rules, that would be configured by different roles in the enterprise. For this purpose, each rule has a leaf-list of owners (leafrefs to the NACM groups). The intent is that the orchestrator should translate any changes of these owner leafs into specific NACM rules, so that only the owners (members of the listed NACM groups) are able to update the rule.

Placing the ownership information inside the tree structure being controlled has certain usability advantages, and the simplicity of this leaf-list owners is in stark contrast with the collection of NACM rules it would correspond to. On the other hand, it may not make much sense for the orchestrator to allow controlling NACM rules over both the i2nsf owner leafs and NACM lists. What gives?

Best Regards,
/jan

_______________________________________________
I2nsf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/i2nsf
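To make the contrast in the review concrete, here is an added illustration (not code from the draft or the mailing list post) of the translation it describes: one rule's `owners` leaf-list expanded into the NACM rule-list entries of RFC 8341 that an orchestrator would have to maintain. The module name, the tree layout in `rule_path`, and the trailing explicit deny for all other groups are assumptions about the orchestrator's design, not taken from the draft.

```python
# Added illustration of the owners-to-NACM translation discussed in the review.
# MODULE and the path layout are hypothetical placeholders, not the draft's names.
from typing import Dict, List

MODULE = "example-i2nsf-policy"      # placeholder module name (assumption)
WRITE_OPS = "create update delete"   # NACM access-operations bits for editing

def rule_path(policy: str, rule: str) -> str:
    """Instance-identifier of one rule node (hypothetical tree layout)."""
    return f"/{MODULE}:policies/policy[name='{policy}']/rule[name='{rule}']"

def nacm_rule_lists(policy: str, rule: str, owners: List[str]) -> List[Dict]:
    """Expand one rule's owners leaf-list into NACM rule-lists.

    NACM evaluates rule-lists in order and the first matching rule wins, so a
    rule-list permitting edits for the owner groups is followed by one denying
    edits to every other group ("*").  Read access is left to read-default.
    The explicit trailing deny is an assumption about how an orchestrator
    would enforce "only owners may update the rule".
    """
    if not owners:
        raise ValueError("a rule must have at least one owner group")
    path = rule_path(policy, rule)
    permit = {
        "name": f"{policy}-{rule}-owners",
        "group": list(owners),
        "rule": [{"name": "owners-may-edit", "module-name": MODULE,
                  "path": path, "access-operations": WRITE_OPS,
                  "action": "permit"}],
    }
    deny = {
        "name": f"{policy}-{rule}-others",
        "group": ["*"],
        "rule": [{"name": "others-read-only", "module-name": MODULE,
                  "path": path, "access-operations": WRITE_OPS,
                  "action": "deny"}],
    }
    return [permit, deny]

def may_edit(rule_lists: List[Dict], user_groups: List[str]) -> bool:
    """First-match evaluation of the generated rule-lists for a write on the rule node."""
    for rl in rule_lists:
        if "*" in rl["group"] or set(rl["group"]) & set(user_groups):
            return rl["rule"][0]["action"] == "permit"
    return False   # no match: NACM write-default is deny

if __name__ == "__main__":
    rls = nacm_rule_lists("web-dmz", "block-telnet", ["sec-admins", "net-ops"])
    print(may_edit(rls, ["net-ops"]), may_edit(rls, ["helpdesk"]))
```

Two owner groups already expand to two rule-lists and two rules per policy rule, which is the bookkeeping the review says the orchestrator would have to keep consistent with any NACM edits made directly.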
