What is the NACM rule to block access to config mode but still be able to read device config and do sync-from, for all users?
When I try config mode, I can get in but I cannot actually configure anything on the device. Is there a way to also not allow getting into config mode?
The outcome for me:
oper@ncs(config)# devices device ios0 config exec a
admin-mode Set to run the action in admin mode
auto-prompts One-shot auto-prompts list, used to ignore/reply on questions
This is the NACM rule that I currently have:
admin@ncs# show running-config nacm
nacm write-default deny
nacm cmd-read-default permit
nacm cmd-exec-default permit
nacm rule-list oper
 group [ oper ]
The cmdrule would be something like this:
admin@ncs# show running-config nacm rule-list oper
nacm rule-list oper
 group [ oper ]
 cmdrule config_mode1
  context *
  command config
  access-operations *
  action deny
 !
 cmdrule config_mode2
  context *
  command configure
  access-operations *
  action deny
 !
....
Hi, to block groups from getting into config mode, you can use cmdrule to reject the "config"/"configure" command token. cmdrule is an NSO proprietary CLI authorization added to NACM; see cmdrule here.
Thank you! That worked.
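A simplified model of how the two cmdrules from the accepted answer interact with `cmd-exec-default permit`, added here as an illustration (it is not code from the thread or from NSO). It assumes the first matching cmdrule in a user's rule-lists decides, and that a rule's command matches when its tokens are a prefix of the typed command; the sample commands and the `admin` group name are constructed.

```python
# Simplified model of NACM cmdrule evaluation. Assumptions: the first matching
# cmdrule in the user's rule-lists wins, otherwise the cmd-*-default applies;
# a rule's command matches when its tokens are a prefix of the typed command.
from dataclasses import dataclass, field

@dataclass
class CmdRule:
    name: str
    context: str       # "*" or a specific agent such as "cli"
    command: str       # space-separated tokens, "*" matches any command
    access_ops: str    # "*", "read" or "exec"
    action: str        # "permit" or "deny"

@dataclass
class RuleList:
    name: str
    groups: list
    cmdrules: list = field(default_factory=list)

def matches(rule, context, tokens, op):
    if rule.context not in ("*", context):
        return False
    if rule.access_ops != "*" and op not in rule.access_ops.split():
        return False
    want = rule.command.split()
    return rule.command == "*" or tokens[:len(want)] == want

def authorize(rule_lists, defaults, groups, context, command, op):
    tokens = command.split()
    for rl in rule_lists:
        if not set(rl.groups) & set(groups):
            continue               # rule-list does not apply to this user
        for rule in rl.cmdrules:
            if matches(rule, context, tokens, op):
                return rule.action
    return defaults[op]            # no rule matched: fall back to the default

# Defaults and rule-lists as shown in the thread (question vs. accepted answer).
DEFAULTS = {"read": "permit", "exec": "permit"}
BEFORE = [RuleList("oper", ["oper"])]
AFTER = [RuleList("oper", ["oper"], [
    CmdRule("config_mode1", "*", "config", "*", "deny"),
    CmdRule("config_mode2", "*", "configure", "*", "deny"),
])]

def check(rule_lists, groups, command):
    return authorize(rule_lists, DEFAULTS, groups, "cli", command, "exec")

if __name__ == "__main__":
    for cmd in ("config", "configure", "devices device ios0 sync-from"):
        print(cmd, "->", check(BEFORE, ["oper"], cmd), "/", check(AFTER, ["oper"], cmd))
```

The model covers only CLI command authorization; data writes through other interfaces are governed by the data rules and `write-default deny` in the original configuration.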