Solved: Re: NACM rule to restrict a group/user to see some services

Chri_Erenti · ‎06-27-2018

Hi all,

I'm trying to configure a NACM rule to restrict users, belonging to a particular group, to see a particular service.

I have PAM enabled.

I created a group (nmc) and a user (nmcuser) associated to it on Linux.

I added the group "nmc" on nacm, with user "nmcuser" associated to it:

nacm groups group nmc

user-name [ nmcuser ]

!

I created a rule-list "monitoring":

nacm rule-list monitoring

group [ nmc ]

I added a rule:

rule no-service-A

module-name service-A

path /services

action deny

!

### the following in order to see all the other paths ###

rule read-only

access-operations read

action permit

!

From CLI:

nmcuser@ncs# show running-config services <TAB>

Possible completions:

service-A

customer-service Service that can be linked to customer

service-B

global-settings

logging Configure service logging

service-C

service-D

service-X

service-Y

service-Z

plan-notifications Configuration to send plan-state-change notifications for plan state transitions.

service List of resource facing services

| Output modifiers

<cr>

I would expect to see all the services except the "service-A".

I also tried changing module-name (i.e. service-A, tailf-ncs-services, tailf-ncs, etc.) and path (i.e. /, /services, /services/service-A, /services/service-A:service-A, etc.), without success: "service-A" is always visible!

Is there any mistake in my configuration?

Thank you.

Christian

davidmb · ‎06-27-2018

This works for me on NSO 4.5

<rule>

<name>ncs-service-A-deny</name>

<module-name>tailf-ncs</module-name>

<path>/services/service-A</path>

<access-operations>create read update delete exec</access-operations>

</rule>

Make sure to log out and log back in again with a restricted user after committing the change.

View solution in original post

davidmb · ‎06-27-2018

This works for me on NSO 4.5

<rule>

<name>ncs-service-A-deny</name>

<module-name>tailf-ncs</module-name>

<path>/services/service-A</path>

<access-operations>create read update delete exec</access-operations>

</rule>

Make sure to log out and log back in again with a restricted user after committing the change.

Chri_Erenti · ‎06-28-2018

Hi David,

I'm using NSO 4.5.3.

I always log out and log back in with the involved user.

I will try your configuration.

Thank you for your suggestions.

Christian

yfherzog · ‎06-27-2018

Couple of things to mention here:

1. Both rule-lists and rules are evaluated in-order, so if users try to perform something, they will either succeed or fail according to the first rule on the first rule-list that matches.

2. As you mentioned you are using PAM, PAM will assign an NSO user to its OS groups upon login to NSO, so it might be that your NSO user is not only being assigned to the nmc group you assign using NACM rules, but also to other groups coming from PAM, which may or may not have other NACM rules associated with them (e.g. gets assigned to the admin group which practically permits anything).

So, check the audit log upon login to see which groups the user is being assigned to, and also verify the order in which your rule-lists and rules are configured (and also the NACM default actions you have set).

Chri_Erenti · ‎06-28-2018

Hi Yftach,

thank you to your advices and David Bartlett suggestions, I finally succeeded in applying my rules.

The order was right, maybe the error was on "module", "path" and "access-operations" combination.

Thank you very much for your help.

Christian