I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document defines "the use of information provided by [AAA] services ... to dynamically update user-to-group mappings in [VACM]." - it does this by adding a module to the MIB and defining elements of procedure for the new object types in this MIB.

The document reads well and has a good security considerations section. I only have a couple of comments on Section 7:

1. (Editorial:) Suggest letting the first paragraph form a new sub-subsection 7.2.1: "Required Information". Easier to reference.

2. In the current subsection 7.2, please clarify if all items are required for "further processing" or not. The current text just states that User-Name and Management-Policy-ID are.

3. Current sub-subsection 7.2.1 seems to indicate that neither the User-Name nor the Management-Policy-ID are required (says "or equivalent"). Please clarify if this is inconsistent with the text in 7.2 or not (maybe I'm missing something here).

4. In Section 7.2.3, how many groups can a user be a member of for a given securityModel in this design? Only one?

-- Magnus