01-08-2019 06:21 AM - edited 03-01-2019 04:15 AM
Hi,
I am trying to implement an NACM rule such that a user who belongs to a given group has access only to rpc-get commands on Juniper devices.
Access to everything else under devices is not allowed.
If I have rules like the following, the user has access to all rpc commands:
nacm rule-list readonly
group [ ncsro ]
rule rpc-get
path /devices/device/rpc/*
action permit
rule read-only
path /
access-operations read
action permit
!
rule devices
path /devices
action deny
!
If I set the rule to:
rule rpc-get
path /devices/device/rpc/rpc-get-*
action permit
it doesn't work.
Tried also this:
rule rpc-get
module-name juniper-rpc
rpc-name get
action permit
But it still doesn't work.
Any tips?
Br
Mihalis
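To see why the first rule-list above permits every RPC and why the `rpc-get-*` variant matches nothing, it helps to walk the rules the way NACM does: top to bottom, first matching rule wins. The script below is an added example, not NSO's code and not from the post; it models that first-match walk over the three rules quoted above. Two modelling assumptions are built in and labelled in the code: a rule path matches when it is a segment-by-segment prefix of the requested path, and `*` stands in for one whole path segment only (so `rpc-get-*` is compared literally and never equals a real RPC name). The request paths (`rpc-get-interface-information`, `rpc-request-shell`, `config`) are constructed for illustration and are not taken from a real NED.

```python
"""Model of NACM rule-list evaluation (added example, not NSO's implementation).

Assumptions, not verified against NSO:
  * rules are tried in order; the first rule whose access-operations cover the
    request and whose path matches decides the outcome;
  * a rule path matches when each of its segments equals the corresponding
    request segment, with '*' matching exactly one whole segment;
  * if no rule matches, the result is left to the global defaults
    (read-default / write-default / exec-default), modelled here as None.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Rule:
    name: str
    path: str
    action: str                                   # "permit" or "deny"
    access_operations: Set[str] = field(default_factory=lambda: {"*"})


def _segments(path: str) -> List[str]:
    return [s for s in path.split("/") if s]


def path_matches(rule_path: str, request_path: str) -> bool:
    """Prefix match on whole segments; '*' matches any single segment (assumed semantics)."""
    rule_seg, req_seg = _segments(rule_path), _segments(request_path)
    if len(rule_seg) > len(req_seg):
        return False
    return all(r == "*" or r == q for r, q in zip(rule_seg, req_seg))


def evaluate(rules: List[Rule], request_path: str, operation: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (matching rule name, action) for the first matching rule, or (None, None)."""
    for rule in rules:
        covers_op = "*" in rule.access_operations or operation in rule.access_operations
        if covers_op and path_matches(rule.path, request_path):
            return rule.name, rule.action
    return None, None


# The three rules from the post, in the order they appear in rule-list "readonly".
RULES_ORIGINAL = [
    Rule("rpc-get", "/devices/device/rpc/*", "permit"),
    Rule("read-only", "/", "permit", access_operations={"read"}),
    Rule("devices", "/devices", "deny"),
]

# Same list, but with the second variant the poster tried for the first rule.
RULES_WILDCARD = [
    Rule("rpc-get", "/devices/device/rpc/rpc-get-*", "permit"),
    Rule("read-only", "/", "permit", access_operations={"read"}),
    Rule("devices", "/devices", "deny"),
]

# Constructed request paths for illustration (not real NED node names).
GET_RPC = "/devices/device/rpc/rpc-get-interface-information"
SHELL_RPC = "/devices/device/rpc/rpc-request-shell"
DEVICE_CONFIG = "/devices/device/config"


if __name__ == "__main__":
    for label, rules in (("original", RULES_ORIGINAL), ("rpc-get-* wildcard", RULES_WILDCARD)):
        print(f"--- rule-list: {label}")
        for path, op in ((GET_RPC, "exec"), (SHELL_RPC, "exec"),
                         (DEVICE_CONFIG, "read"), (DEVICE_CONFIG, "create")):
            print(f"{op:6} {path:55} -> {evaluate(rules, path, op)}")
```

With the original list, `/devices/device/rpc/*` is the first rule and its trailing `*` swallows any RPC name, so both a get-type RPC and an unrelated RPC come back as `("rpc-get", "permit")`. With `rpc-get-*`, the segment is compared literally, nothing matches the first rule, the read-only rule does not cover `exec`, and the walk falls through to the `/devices` deny. Reads under `/devices/device/config` are permitted by the read-only rule in both lists, and writes hit the deny.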
01-16-2019 02:53 AM
I'm not sure I understand exactly what you are after. As an NSO user, you don't really issue any NETCONF get requests towards Juniper devices; NSO does that. So do you want to prevent NSO from ever configuring this device? If so, I guess you should give NSO device credentials that are only for reading. Or you could use NSO NACM rules to prevent some or all users from ever writing to devices/device[name='yourdevice'], and also prevent them from running /devices/sync-to and /devices/device[name='yourdevice']/sync-to.
In case I'm missing the point here, please explain what you had in mind.