NACM rule-list - to restrict certain CLI commands

smansor — Fri, 01 Mar 2019 11:58:40 GMT

Hi team,

I'm currently trying to prevent users from executing this command via all methods from NSO (cli, REST, etc)

"devices device <deviceName> config default interface Loopback 0"

I'm looking at NACM rule-list to apply this restriction, so far I have tried below paths, to no avail:

path: /devices/device/config/ios:EXEC/default[input/args="interface Loopback 0"]

access-operations: read,update,delete,exec

action: deny

path: /devices/device/config/ios:EXEC/default[args="interface Loopback 0"]

access-operations: read,update,delete,exec

action: deny

path: /devices/device/config/ios:EXEC/default[input="interface Loopback 0"]

access-operations: read,update,delete,exec

action: deny

If I change the path as /devices/device/config/ios:EXEC/default , I managed to restrict the "default" command itself - which is great, but wondering if there's a way I can drill down to more specific arguments?

This is the snippets of yang model of the IOS NED which I'm not sure if I construct my path correctly:

// default

tailf:action "default" {

tailf:info "Set a command to its defaults";

tailf:actionpoint ncsinternal {

tailf:internal;

}

input {

leaf-list args {

tailf:cli-drop-node-name;

tailf:cli-flat-list-syntax;

type string {

tailf:info "ACTION:;;default <argument(s)>";

}

output {

leaf result {

type string;

}

Thank you!

Re: NACM rule-list - to restrict certain CLI commands

Jan Lindblad — Tue, 29 Aug 2017 09:35:08 GMT

The NACM standard YANG module doesn't allow your use case. The leaf "path" is supposed to be an instance-identifier, and the value you provide isn't, since it refers to non-key leafs.

topic NACM rule-list - to restrict certain CLI commands in NSO Developer Hub Discussions

NACM rule-list - to restrict certain CLI commands

Re: NACM rule-list - to restrict certain CLI commands