NACM rule to restrict a group/user to see some services

Hi all,

I'm trying to configure a NACM rule to restrict users belonging to a particular group from seeing a particular service.

I have PAM enabled.

I created a group (nmc) and a user (nmcuser) associated with it on Linux.

I added the group "nmc" in NACM, with user "nmcuser" associated with it:

    nacm groups group nmc
     user-name [ nmcuser ]
    !

I created a rule-list "monitoring":

    nacm rule-list monitoring
     group [ nmc ]

I added a rule:

     rule no-service-A
      module-name service-A
      path        /services
      action      deny
     !

The following is in order to see all the other paths:

     rule read-only
      access-operations read
      action            permit
     !

From the CLI:

    nmcuser@ncs# show running-config services <TAB>
    Possible completions:
      service-A
      customer-service          Service that can be linked to customer
      service-B
      global-settings
      logging                   Configure service logging
      service-C
      service-D
      service-X
      service-Y
      service-Z
      plan-notifications        Configuration to send plan-state-change notifications for plan state transitions.
      service                   List of resource facing services
      |                         Output modifiers
      <cr>

I would expect to see all the services except the "service-A".

I also tried changing module-name (e.g. service-A, tailf-ncs-services, tailf-ncs, etc.) and path (e.g. /, /services, /services/service-A, /services/service-A:service-A, etc.), without success: "service-A" is always visible!

Is there any mistake in my configuration?

Thank you.

Christian

Accepted solution:

This works for me on NSO 4.5:

    <rule>
      <name>ncs-service-A-deny</name>
      <module-name>tailf-ncs</module-name>
      <path>/services/service-A</path>
      <access-operations>create read update delete exec</access-operations>
      <action>deny</action>
    </rule>

Make sure to log out and log back in again with a restricted user after committing the change.


Hi David,

I'm using NSO 4.5.3.

I always log out and log back in with the involved user.

I will try your configuration.

Thank you for your suggestions.

Christian

Cisco Employee

A couple of things to mention here:

1. Both rule-lists and rules are evaluated in order, so if users try to perform something, they will either succeed or fail according to the first rule on the first rule-list that matches.

2. As you mentioned, you are using PAM. PAM will assign an NSO user to its OS groups upon login to NSO, so it might be that your NSO user is not only being assigned to the nmc group you assign using NACM rules, but also to other groups coming from PAM, which may or may not have other NACM rules associated with them (e.g. it gets assigned to the admin group, which practically permits anything).

So, check the audit log upon login to see which groups the user is being assigned to, and also verify the order in which your rule-lists and rules are configured (and also the NACM default actions you have set).
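To make the two points above concrete, here is an added example (not code from this thread, from NSO or from RFC 8341 itself) that models NACM evaluation for the rule from the accepted answer: rule-lists are walked in order, a rule-list applies only if the user is in one of its groups, the first matching rule decides, and the default read/write/exec actions apply when nothing matches. The "ncs-admin" group and the "admin" rule-list are constructed stand-ins for whatever permissive groups PAM might add, and the matching model (module-name, path prefix, access operation) is a deliberate simplification of the real one.

```python
# Added example (not code from the thread, NSO or RFC 8341 itself): a small model of
# how NACM evaluates an access request, written to illustrate the two points above.
# Assumptions (simplified): a rule-list applies if the user is in any of its groups
# (or the list has "*"); a rule matches when its module-name is "*" or equals the
# node's module, its path is the node or an ancestor of it, and it covers the
# requested operation; the first match wins; with no match the default actions apply.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Rule:
    name: str
    module_name: str = "*"                      # "*" matches any YANG module
    path: Optional[str] = None                  # None: rule applies to any data node
    access_operations: Set[str] = field(default_factory=lambda: {"*"})
    action: str = "permit"


@dataclass
class RuleList:
    name: str
    groups: List[str]
    rules: List[Rule]


@dataclass
class Nacm:
    rule_lists: List[RuleList]
    read_default: str = "permit"                # used only when no rule matches
    write_default: str = "deny"
    exec_default: str = "permit"


def _path_matches(rule_path: Optional[str], node_path: str) -> bool:
    """The rule covers the node itself and everything below it."""
    if rule_path is None:
        return True
    return node_path == rule_path or node_path.startswith(rule_path.rstrip("/") + "/")


def evaluate(nacm: Nacm, user_groups: List[str], module: str,
             node_path: str, op: str) -> Tuple[str, Optional[str]]:
    """Return (action, name of the rule that decided it, or None for a default)."""
    for rule_list in nacm.rule_lists:                      # rule-lists in order
        if "*" not in rule_list.groups and not set(rule_list.groups) & set(user_groups):
            continue                                        # list not for this user
        for rule in rule_list.rules:                        # rules in order
            if rule.module_name not in ("*", module):
                continue
            if not _path_matches(rule.path, node_path):
                continue
            if "*" not in rule.access_operations and op not in rule.access_operations:
                continue
            return rule.action, rule.name                   # first match wins
    if op == "read":
        return nacm.read_default, None
    if op == "exec":
        return nacm.exec_default, None
    return nacm.write_default, None


# The "monitoring" rule-list as in the accepted answer: deny service-A first,
# then permit read on everything else.
DENY_SERVICE_A = Rule("ncs-service-A-deny", "tailf-ncs", "/services/service-A",
                      {"create", "read", "update", "delete", "exec"}, "deny")
READ_ONLY = Rule("read-only", access_operations={"read"}, action="permit")

# Constructed stand-in for an administrative rule-list that permits everything;
# the group name "ncs-admin" is an assumption made for this example.
ADMIN_LIST = RuleList("admin", ["ncs-admin"], [Rule("admin-any")])


def build_nacm(deny_first: bool = True) -> Nacm:
    rules = [DENY_SERVICE_A, READ_ONLY] if deny_first else [READ_ONLY, DENY_SERVICE_A]
    return Nacm([ADMIN_LIST, RuleList("monitoring", ["nmc"], rules)])


def demo() -> dict:
    good, reordered = build_nacm(True), build_nacm(False)
    svc_a, svc_b = "/services/service-A", "/services/service-B"
    return {
        # nmcuser in nmc only: service-A hidden, service-B readable, no writes
        "nmc reads service-A": evaluate(good, ["nmc"], "tailf-ncs", svc_a, "read"),
        "nmc reads service-B": evaluate(good, ["nmc"], "tailf-ncs", svc_b, "read"),
        "nmc creates service-B": evaluate(good, ["nmc"], "tailf-ncs", svc_b, "create"),
        # point 2: PAM also put the user into the admin group, so the admin list wins
        "nmc+admin reads service-A": evaluate(good, ["nmc", "ncs-admin"], "tailf-ncs", svc_a, "read"),
        # point 1: read-only placed before the deny rule, so the deny is never reached
        "reordered nmc reads service-A": evaluate(reordered, ["nmc"], "tailf-ncs", svc_a, "read"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:32s} -> {result}")
```

Running it shows the deny rule working only when the user's effective groups are exactly the ones you configured and the deny rule sits before the permit rule; an extra group from PAM, or the two rules swapped, makes service-A readable again, which is what the audit log check and the rule-order check above are meant to catch.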


Hi Yftach,

Thank you for your advice and for David Bartlett's suggestions; I finally succeeded in applying my rules.

The order was right, maybe the error was on "module", "path" and "access-operations" combination.

Thank you very much for your help.

Christian