11-22-2022 04:04 PM
What is the NACM rule to block access to config mode but still be able to read device config and do sync-from for all users?
When I try config mode, I can get in, but I cannot actually configure anything on the device. What is a way to not allow getting into config mode as well?
The outcome for me:
oper@ncs(config)# devices device ios0 config exec a
Possible completions:
a
admin-mode Set to run the action in admin mode
auto-prompts One-shot auto-prompts list, used to ignore/reply on questions
oper@ncs(config)# exit
This is the NACM rule that I currently have:
admin@ncs# show running-config nacm
nacm write-default deny
nacm cmd-read-default permit
nacm cmd-exec-default permit
nacm rule-list oper
 group [ oper ]
 rule devices-config-rule
  path /devices/device/config
  access-operations read
  action permit
 !
11-23-2022 12:45 AM
Hi,
To block groups from getting into config mode, you can use a cmdrule to reject the "config"/"configure" command token. cmdrule is an NSO proprietary CLI authorization added to NACM; see cmdrule here.
11-23-2022 01:00 AM
The cmdrule would be something like this:
admin@ncs# show running-config nacm rule-list oper
nacm rule-list oper
 group [ oper ]
 cmdrule config_mode1
  context * ! *
  command config ! *
  access-operations * ! *
  action deny
 !
 cmdrule config_mode2
  context * ! *
  command configure ! *
  access-operations * ! *
  action deny
 !
....
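Added example, not part of the original posts and not NSO code: a small Python model of how the two cmdrules above combine with the `cmd-exec-default permit` setting from the question, so that `config`/`configure` are rejected while sync-from and show commands still fall through to the default. It assumes first-match evaluation, that a rule matches when its tokens are a prefix of the typed command, and that the context and access-operations values read as the wildcard `*`; `CmdRule`, `rule_matches` and `authorize` are hypothetical names.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CmdRule:
    name: str
    context: str      # "cli", "webui", "netconf" or "*"
    command: str      # space-separated command tokens, or "*"
    access_ops: str   # "read", "exec" or "*"
    action: str       # "permit" or "deny"

# Constructed from the rule-list in the answer; "*" values are this sketch's reading.
OPER_RULES = [
    CmdRule("config_mode1", "*", "config", "*", "deny"),
    CmdRule("config_mode2", "*", "configure", "*", "deny"),
]
# Defaults taken from the running-config in the question.
DEFAULTS = {"read": "permit", "exec": "permit"}

def rule_matches(rule, context, tokens, op):
    if rule.context not in ("*", context):
        return False
    if rule.access_ops not in ("*", op):
        return False
    if rule.command == "*":
        return True
    want = rule.command.split()
    # Assumption: rule tokens must be a prefix of the typed command tokens.
    return tokens[:len(want)] == want

def authorize(rules, defaults, context, command, op):
    """Return (action, name of deciding rule or 'default')."""
    tokens = command.split()
    for rule in rules:  # the first matching rule decides
        if rule_matches(rule, context, tokens, op):
            return rule.action, rule.name
    return defaults[op], "default"

if __name__ == "__main__":
    # Constructed sample commands for user group "oper".
    for cmd in ("config", "configure",
                "show running-config devices device ios0 config",
                "devices device ios0 sync-from"):
        print(f"{cmd!r:52} -> {authorize(OPER_RULES, DEFAULTS, 'cli', cmd, 'exec')}")
```
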
11-23-2022 04:54 AM
Thank you! That worked.