I am working on cleaning up SNMPv1/2 and replacing it with SNMPv3. I am doing some research and finding conflicting answers. My main goal is to limit SNMP access to only the servers I define in an ACL. I would also like to separate RO and RW access. For example:
! Standard ACL for Read-Only access
ip access-list standard RO-ACL
permit 192.168.100.10
permit 192.168.100.20
deny any
! Standard ACL for Read-Write access
ip access-list standard RW-ACL
permit 192.168.100.30
permit 192.168.100.40
deny any
Now, I need some clarification on where to best apply it.
Option 1:
! Read-Only Users
snmp-server user ro-user RO-GROUP v3 auth sha AuthPwd123! priv aes 128 PrivPwd123! access RO-ACL
! Read-Write Users
snmp-server user rw-user RW-GROUP v3 auth sha AuthPwd456! priv aes 128 PrivPwd456! access RW-ACL
I like this option, but I have read some conflicting usage for this. For example:
The “access” keyword on these commands does NOT reference an access-list. It refers to an SNMP view access policy.
Option 2:
snmp-server group RO-GROUP v3 priv read iso access RO-ACL
snmp-server group RW-GROUP v3 priv read iso write iso access RW-ACL
I read the same comment as above, that this refers to an SNMP view access policy instead.
Option 3:
snmp-server community dummy_ro RO RO-ACL
snmp-server community dummy_rw RW RW-ACL
Now this is the confusing one, and I have read some saying it is necessary as well. My concern is that this will enable SNMP v1/v2 and seems extra and unnecessary. However, I read some sites saying:
On most Cisco IOS and IOS-XE, you CANNOT attach an access-list directly to an SNMPv3 user or group. So you need to do it here, under community.
These commands do not enable v1/v2 per se but bind ACLs to the SNMP process using dummy strings.
Now I am confused. Please assist with what the best approach is.
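As an added example (not part of the original post), a small Python audit that walks a running-config excerpt modelled on the three options above and lists every SNMP user, group or community that has no ACL bound, plus every community string, so the v1/v2c credentials are visible during the clean-up. It assumes the IOS-style syntax shown in the post (the ACL is the argument of the trailing `access` keyword on user/group lines and the token after RO/RW on community lines); the config text is constructed, not taken from a real device.

```python
import re

# Constructed sample config excerpt (not from a real device), modelled on the post's
# three options: v3 users and groups with and without a trailing "access" ACL, plus
# community strings with and without an ACL.
SAMPLE_CONFIG = """\
snmp-server user ro-user RO-GROUP v3 auth sha AuthPwd123! priv aes 128 PrivPwd123! access RO-ACL
snmp-server user rw-user RW-GROUP v3 auth sha AuthPwd456! priv aes 128 PrivPwd456!
snmp-server group RO-GROUP v3 priv read iso access RO-ACL
snmp-server group RW-GROUP v3 priv read iso write iso
snmp-server community dummy_ro RO RO-ACL
snmp-server community public RO
"""

# "access <acl>" or "access ipv6 <nacl> <acl>" on user/group lines (assumed syntax)
ACL_RE = re.compile(r"\baccess\s+(?:ipv6\s+\S+\s+)?(\S+)")
VERSIONS = ("v1", "v2c", "v3")

def parse_snmp_lines(config):
    """Return one record per snmp-server user/group/community line."""
    records = []
    for raw in config.splitlines():
        tokens = raw.strip().split()
        if len(tokens) < 3 or tokens[0] != "snmp-server":
            continue
        kind, name = tokens[1], tokens[2]
        if kind in ("user", "group"):
            m = ACL_RE.search(raw)
            version = next((t for t in tokens if t in VERSIONS), "?")
            records.append({"kind": kind, "name": name, "version": version,
                            "acl": m.group(1) if m else None})
        elif kind == "community":
            # community <string> [view <v>] [RO|RW] [<acl>]: the ACL, if any,
            # is the token that follows the RO/RW mode keyword.
            acl = None
            for i in range(3, len(tokens) - 1):
                if tokens[i] in ("RO", "RW"):
                    acl = tokens[i + 1]
            records.append({"kind": kind, "name": name, "version": "v1/v2c", "acl": acl})
    return records

def audit_snmp(config):
    """Flag principals a reviewer should look at: anything without an ACL bound,
    and every community string, since communities are v1/v2c credentials."""
    issues = []
    for r in parse_snmp_lines(config):
        if r["acl"] is None:
            issues.append(f"{r['kind']} {r['name']} ({r['version']}) has no ACL bound")
        if r["kind"] == "community":
            issues.append(f"community {r['name']} is a v1/v2c credential; confirm it is still needed")
    return issues

if __name__ == "__main__":
    for issue in audit_snmp(SAMPLE_CONFIG):
        print(issue)
```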