06-27-2018 09:32 AM - edited 03-01-2019 04:11 AM
Hi all,
I'm trying to configure a NACM rule to restrict users belonging to a particular group from seeing a particular service.
I have PAM enabled.
I created a group (nmc) and a user (nmcuser) associated with it on Linux.
I added the group "nmc" in nacm, with user "nmcuser" associated with it:
nacm groups group nmc
 user-name [ nmcuser ]
!
I created a rule-list "monitoring":
nacm rule-list monitoring
 group [ nmc ]
I added a rule:
 rule no-service-A
  module-name service-A
  path        /services
  action      deny
 !
 ### the following in order to see all the other paths ###
 rule read-only
  access-operations read
  action            permit
 !
!
From CLI:
nmcuser@ncs# show running-config services <TAB>
Possible completions:
service-A
customer-service Service that can be linked to customer
service-B
global-settings
logging Configure service logging
service-C
service-D
service-X
service-Y
service-Z
plan-notifications Configuration to send plan-state-change notifications for plan state transitions.
service List of resource facing services
| Output modifiers
<cr>
I would expect to see all the services except the "service-A".
I also tried changing module-name (e.g. service-A, tailf-ncs-services, tailf-ncs, etc.) and path (e.g. /, /services, /services/service-A, /services/service-A:service-A, etc.), without success: "service-A" is always visible!
Is there any mistake in my configuration?
Thank you.
Christian
06-27-2018 10:06 AM
This works for me on NSO 4.5
<rule>
<name>ncs-service-A-deny</name>
<module-name>tailf-ncs</module-name>
<path>/services/service-A</path>
<access-operations>create read update delete exec</access-operations>
<action>deny</action>
</rule>
Make sure to log out and log back in again with a restricted user after committing the change.
06-28-2018 01:28 AM
Hi David,
I'm using NSO 4.5.3.
I always log out and log back in with the involved user.
I will try your configuration.
Thank you for your suggestions.
Christian
06-27-2018 11:24 PM
Couple of things to mention here:
1. Both rule-lists and rules are evaluated in order, so when users try to perform something, they will either succeed or fail according to the first matching rule in the first matching rule-list.
2. As you mentioned you are using PAM, PAM will assign an NSO user to its OS groups upon login to NSO, so it might be that your NSO user is not only being assigned to the nmc group you assign using NACM rules, but also to other groups coming from PAM, which may or may not have other NACM rules associated with them (e.g. gets assigned to the admin group which practically permits anything).
So, check the audit log upon login to see which groups the user is being assigned to, and also verify the order in which your rule-lists and rules are configured (and also the NACM default actions you have set).
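The two points above (first-match ordering, and extra groups arriving via PAM) together with the rule from the accepted answer, modelled as a small Python script. This is an added example, not NSO's own access-control code: the rule-list, rules, group and user names are taken from the thread, while the "admin" rule-list, the default actions and the node-to-module mapping are constructed assumptions for illustration.

```python
"""A small model of NACM (RFC 8341) rule evaluation: rule-lists and rules are
walked in configured order and the first match decides. Added example, not
NSO's implementation."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    name: str
    action: str                                   # "permit" or "deny"
    module_name: str = "*"                        # "*" matches every module
    path: Optional[str] = None                    # data-node rule; None matches every node
    access_operations: set = field(default_factory=lambda: {"*"})


@dataclass
class RuleList:
    name: str
    groups: set                                   # "*" matches every group
    rules: list


# Constructed: the module that defines each subtree. /services is treated as
# belonging to tailf-ncs, as the accepted answer's rule assumes; deeper nodes
# inherit the module of their nearest registered ancestor.
NODE_MODULES = {"/services": "tailf-ncs"}
# Constructed: the RFC 8341 default actions (read permit, write/exec deny).
DEFAULTS = {"read": "permit", "write": "deny", "exec": "deny"}
OP_CLASS = {"read": "read", "create": "write", "update": "write",
            "delete": "write", "exec": "exec"}


def module_of(node_path: str) -> str:
    """Nearest registered ancestor decides which module a node belongs to."""
    p = node_path
    while p:
        if p in NODE_MODULES:
            return NODE_MODULES[p]
        p = p.rsplit("/", 1)[0]
    return "unknown"


def path_matches(rule_path: Optional[str], node_path: str) -> bool:
    """A data-node rule covers the named node and everything below it."""
    if rule_path is None:
        return True
    return node_path == rule_path or node_path.startswith(rule_path.rstrip("/") + "/")


def rule_matches(rule: Rule, node_path: str, op: str) -> bool:
    """module-name, path and access-operations must all agree for a rule to apply."""
    if rule.module_name not in ("*", module_of(node_path)):
        return False
    if not path_matches(rule.path, node_path):
        return False
    return "*" in rule.access_operations or op in rule.access_operations


def evaluate(rule_lists, user_groups, node_path, op="read"):
    """Walk rule-lists, then rules, in configured order; the first match wins.
    Returns (action, source) so the caller can see which rule decided."""
    for rl in rule_lists:
        if "*" not in rl.groups and rl.groups.isdisjoint(user_groups):
            continue                               # rule-list not for this user's groups
        for rule in rl.rules:
            if rule_matches(rule, node_path, op):
                return rule.action, f"{rl.name}/{rule.name}"
    return DEFAULTS[OP_CLASS[op]], f"{OP_CLASS[op]}-default"


# The accepted answer's deny rule, followed by the questioner's read-only rule.
DENY_A = Rule("ncs-service-A-deny", "deny", module_name="tailf-ncs",
              path="/services/service-A",
              access_operations={"create", "read", "update", "delete", "exec"})
READ_ONLY = Rule("read-only", "permit", access_operations={"read"})
MONITORING = RuleList("monitoring", {"nmc"}, [DENY_A, READ_ONLY])
# Constructed: the kind of permissive rule-list a PAM-supplied OS group could hit.
ADMIN = RuleList("admin", {"admin"}, [Rule("any-access", "permit")])


if __name__ == "__main__":
    print(evaluate([MONITORING], {"nmc"}, "/services/service-A"))            # deny
    print(evaluate([MONITORING], {"nmc"}, "/services/service-B"))            # permit via read-only
    # Point 1: swap the two rules and read-only now shadows the deny.
    swapped = RuleList("monitoring", {"nmc"}, [READ_ONLY, DENY_A])
    print(evaluate([swapped], {"nmc"}, "/services/service-A"))               # permit
    # Point 2: an extra group from PAM reaches an earlier, permissive rule-list.
    print(evaluate([ADMIN, MONITORING], {"nmc", "admin"}, "/services/service-A"))  # permit
```

Run it as a script to see the four decisions; the source string returned with each action tells you which rule-list and rule decided, which is the same question the NSO audit log answers for a real login. Checking the user's effective group list and the rule-list order, as the post above recommends, is what the last two cases model.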
06-28-2018 02:20 AM
Hi Yftach,
thank you for your advice and David Bartlett's suggestions; I finally succeeded in applying my rules.
The order was right; maybe the error was in the "module", "path" and "access-operations" combination.
Thank you very much for your help.
Christian