Access only rpc-get commands

Mihalis
Level 1

Hi,

I am trying to implement a NACM rule so that a user who belongs to a given group has access only to rpc-get commands on Juniper.
Access to everything else under devices is not allowed.
If I have the rules like the following, the user has access to all rpc commands.

nacm rule-list readonly
 group [ ncsro ]
 rule rpc-get
  path   /devices/device/rpc/*
  action permit
 !
 rule read-only
  path              /
  access-operations read
  action            permit
 !
 rule devices
  path   /devices
  action deny
 !

If I set the rule to:
 rule rpc-get
  path   /devices/device/rpc/rpc-get-*
  action permit

It doesn't work.

I also tried this:

 rule rpc-get
  module-name juniper-rpc
  rpc-name    get
  action      permit

But it still doesn't work.

Any tips?

Br
Mihalis

1 Reply

Jan Lindblad
Cisco Employee

I'm not sure I understand exactly what you are after. As an NSO user, you don't really issue any NETCONF get requests towards Juniper devices. NSO does that. So do you want to prevent NSO from ever configuring this device? If so, I guess you should give NSO device credentials that are only for reading. Or you could use NSO NACM rules to prevent some or all users from ever writing to /devices/device[name='yourdevice'], and also prevent them from running /devices/sync-to and /devices/device[name='yourdevice']/sync-to.
In case I'm missing the point here, please explain what you had in mind.
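The rule-list in the question permits every device RPC because of how NACM path rules match, not because of the rule order. The toy evaluator below is an added example, not NSO code and not the poster's configuration. It models the RFC 8341 rule semantics: rules are tried in order and the first match decides; a rule's path matches the named node and everything beneath it; and "*" stands for exactly one whole node step, so a partial step such as rpc-get-* can never match a node called rpc-get. The RPC node names (rpc-get, rpc-load-configuration) and the device name junos1 are constructed for the example; the real node names come from the NED's YANG model, and NSO's own NACM engine is the authority on how it evaluates rules.

```python
"""
Toy RFC 8341 (NACM) path-rule evaluator.

Added as an illustration; it is not NSO code and not the poster's
configuration.  It models the rule semantics that matter here:

  * rules are tried in order and the first match decides,
  * a rule's "path" matches the named node and everything beneath it,
  * "*" in a path stands for one whole node step; there is no partial
    wildcard, so a step written "rpc-get-*" only matches a node literally
    named "rpc-get-*" (i.e. nothing),
  * a rule without "access-operations" matches every operation.

Request paths may carry list keys such as device[name='junos1']; the keys
are ignored because NACM path rules match on node names.  RFC 8341 also has
"rpc-name" rules for top-level protocol operations; they are not modelled.
The RPC node names used below are constructed for this example; the real
names come from the NED's YANG model.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

_KEY_PREDICATE = re.compile(r"\[[^\]]*\]")


@dataclass
class Rule:
    name: str
    action: str                                   # "permit" or "deny"
    path: Optional[str] = None                    # node-instance-identifier
    access_ops: List[str] = field(default_factory=lambda: ["*"])


def _steps(path: str) -> List[str]:
    """'/devices/device[name='r1']/rpc/*' -> ['devices', 'device', 'rpc', '*']."""
    stripped = _KEY_PREDICATE.sub("", path)
    return [s for s in stripped.strip("/").split("/") if s]


def path_matches(rule_path: str, request_path: str) -> bool:
    """True if rule_path names the requested node or one of its ancestors."""
    rule_steps = _steps(rule_path)
    req_steps = _steps(request_path)
    if len(rule_steps) > len(req_steps):
        return False                              # rule is deeper than the request
    return all(r == "*" or r == q for r, q in zip(rule_steps, req_steps))


def evaluate(rules: List[Rule], request_path: str, operation: str) -> Tuple[str, str]:
    """First-match evaluation; returns (action, matching rule name or 'default-deny')."""
    for rule in rules:
        if rule.path is None:
            continue
        if "*" not in rule.access_ops and operation not in rule.access_ops:
            continue
        if path_matches(rule.path, request_path):
            return rule.action, rule.name
    return "deny", "default-deny"


# The rule-list from the question, transcribed into the toy model.
POSTED_RULES = [
    Rule("rpc-get", "permit", path="/devices/device/rpc/*"),
    Rule("read-only", "permit", path="/", access_ops=["read"]),
    Rule("devices", "deny", path="/devices"),
]

# Same ordering, but the permit names the rpc-get node as a whole step and is
# limited to exec.  Constructed for the example: confirm the node name against
# the NED's YANG before using anything like it.
TIGHTER_RULES = [
    Rule("rpc-get", "permit", path="/devices/device/rpc/rpc-get", access_ops=["exec"]),
    Rule("read-only", "permit", path="/", access_ops=["read"]),
    Rule("devices", "deny", path="/devices"),
]

# Constructed request paths (device name and RPC node names are assumptions).
GET_RPC = "/devices/device[name='junos1']/rpc/rpc-get/get"
LOAD_RPC = "/devices/device[name='junos1']/rpc/rpc-load-configuration/load-configuration"
CONFIG = "/devices/device[name='junos1']/config"


if __name__ == "__main__":
    for label, rules in (("posted", POSTED_RULES), ("tighter", TIGHTER_RULES)):
        print(label)
        for path, op in ((GET_RPC, "exec"), (LOAD_RPC, "exec"),
                         (CONFIG, "read"), (CONFIG, "update")):
            print(f"  {op:6} {path:75} -> {evaluate(rules, path, op)}")
    # A partial wildcard step never matches: "rpc-get-*" is compared literally.
    print("rpc-get-* matches rpc-get/get:",
          path_matches("/devices/device/rpc/rpc-get-*", GET_RPC))
```

Running it shows the posted rule-list permitting the exec of rpc-load-configuration through the first rule, because "*" matches the rpc-load-configuration step, while the tighter list falls through to the deny on /devices for that RPC and still permits reads everywhere. Whether /devices/device/rpc/rpc-get is really the node to name, and whether the intended operation is exec, has to be checked against the Juniper NED's YANG and NSO's own NACM behaviour.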