Hiding data from output when we run commands on a device
08-08-2022 11:35 PM
Hi Team,
Is there a way to hide/mask sensitive data that we might get after running some commands on the device via NSO?
For example, if we run show running-config on a device via NSO and we want to mask the passwords. I think there is a way to do that on the device level using the encryption service or the enable secret command, but I wanted to check if there is a way to achieve that using NSO.
Thanks in advance!
Labels: Best Practices, Developer, Other NSO Topics
08-09-2022 12:20 AM
Hello,
Yes, there is a way to hide it from the CLI using an annotation in the YANG file, but you can still get the data using Java/Python.

08-09-2022 05:55 AM
08-09-2022 03:16 AM
You can do something like this
    leaf regex {
        tailf:hidden all;
        type string;
    }
You can find more detail here.
tailf:hidden tag
This statement can be used to hide a node from some, or all, northbound interfaces. All nodes with the same value are considered a hide group and are treated the same with regards to being visible or not in a northbound interface.
The hidden statement can be used in: leaf, leaf-list, list, container, tailf:action, refine, rpc, and action.

08-10-2022 01:08 AM
Not sure if it is me that misunderstands your question or if it's the other guys that answered :).
My take is that you don't want users in NSO to be able to see certain values in data showing up in the devices/device tree?
If that is the case, you don't really get any help from tailf:hidden, as you don't want to change the NEDs' YANG files. The way you want to do it is prohibiting read to certain parts of the tree with NACM https://developer.cisco.com/docs/nso/guides/#!nso-5-6-administration-guide-the-aaa-infrastructure
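A sketch of the NACM approach described in the reply above, added here as an example and not taken from the thread or from Cisco's documentation: an RFC 8341 rule list that denies read access to one subtree under the device config. The group name `oper`, the rule names, the `urn:ios` NED namespace and the `ios:enable` path are assumptions; substitute the group and NED paths of your own installation.

```xml
<!-- Added example: NACM data rule denying read on a device-config subtree. -->
<!-- Assumed: group "oper", an IOS NED with namespace "urn:ios", and the   -->
<!-- enable/secret settings living under ios:enable.                       -->
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <rule-list>
    <name>mask-device-secrets</name>
    <!-- Only users mapped to this group are affected -->
    <group>oper</group>
    <rule>
      <name>deny-read-enable-secret</name>
      <!-- No key predicate on ncs:device, so the rule covers every device -->
      <path xmlns:ncs="http://tail-f.com/ns/ncs"
            xmlns:ios="urn:ios">/ncs:devices/ncs:device/ncs:config/ios:enable</path>
      <access-operations>read</access-operations>
      <action>deny</action>
    </rule>
  </rule-list>
</nacm>
```

Rule lists are evaluated in order and the first matching rule wins, so this list has to precede any rule list that permits the same group to read the device tree.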
08-10-2022 07:10 AM
Thanks for the suggestions, everyone. I'll give these a try and see which one suits my use case the best.
08-11-2022 12:26 AM
I'm guessing this might help you?
Auto-encrypting passwords in NSO section in particular
