NACM rule to restrict user to access only restconf url

schallagalla
Level 1

Hi All,

 

I have an action package which should be accessible to a particular user.

I created a user and group using NACM and then a rule list, which is taking only "/" as path. If I provide the path as /restconf/operations, then I see the below error in the devel log.

 Error : "/restconf/operations/ep-api/" in access Rule "epp_admin/api_access" is not valid for URN star.

 

I have not given star in the path given in nacm.

 

group epp_admin {
    user-name [ eppnso ];
}

rule-list epp_admin {
    group [ epp_admin ];
    rule api_access {
        module-name *;
        path /restconf/operations/ep-api/;
        access-operations create,read,update,delete,exec;
        action permit;
        context *;
    }
    cmdrule any-command {
        action permit;
    }
}

 

Please let me know if anyone has encountered this error before.

Thanks.

Accepted Solutions

yfherzog
Cisco Employee

Hi,

 

I wasn't able to understand what exactly you're trying to achieve, but 2 comments that might help:

 

1. I think you can drop the module-name altogether in most cases (I think you might be good with dropping context and access-operations in this case).

2. NACM is mostly API-agnostic, so when you provide the path inside a rule, you typically include the data model path, rather than anything related to the interface to be used (e.g. RESTCONF).

So, in this case, your path might be /ep-api, rather than '/restconf/...'

 

Hope this might help somehow!


Thanks Yftach.

 

As you said, I removed /restconf/operations and added access to devices. It's working as expected.

Thanks for your quick reply.
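
An added example, not part of the thread or of Cisco's tooling: a small Python check for the mistake discussed above, a NACM rule whose path is a RESTCONF URL instead of a data-model path. It assumes /restconf as the API root and the brace-style config layout posted in the question; the sample config, including the devices_access rule, is constructed for illustration.

```python
import re

# RESTCONF resource prefixes from RFC 8040 ({+restconf}/data and /operations).
# Assumption: the API root is "/restconf", as in the thread.
RESTCONF_PREFIX = re.compile(r"^/restconf/(?:data|operations)(?=/|$)")
# "rule NAME { ... }" blocks; \b plus \s+ keeps "cmdrule" and "rule-list" from matching.
RULE = re.compile(r"\brule\s+(\S+)\s*\{(.*?)\}", re.S)
PATH = re.compile(r"\bpath\s+(\S+?)\s*;")

def to_model_path(path):
    """Strip the RESTCONF resource prefix and trailing slash, leaving the data-model path."""
    stripped = RESTCONF_PREFIX.sub("", path).rstrip("/")
    return stripped or "/"

def lint_nacm(config):
    """Return (rule, configured path, suggested path) for each rule whose path is a RESTCONF URL."""
    findings = []
    for name, body in RULE.findall(config):
        m = PATH.search(body)
        if m and RESTCONF_PREFIX.match(m.group(1)):
            findings.append((name, m.group(1), to_model_path(m.group(1))))
    return findings

# Constructed sample: the rule from the question plus a rule that already
# uses a data-model path and must not be flagged.
SAMPLE = """
rule-list epp_admin {
    group [ epp_admin ];
    rule api_access {
        path /restconf/operations/ep-api/;
        action permit;
    }
    rule devices_access {
        path /devices;
        action permit;
    }
    cmdrule any-command {
        action permit;
    }
}
"""

if __name__ == "__main__":
    for rule, bad, good in lint_nacm(SAMPLE):
        print(f"rule {rule}: path {bad} is a RESTCONF URL; use {good}")
```

Module-name qualifiers inside a URL segment are left untouched; only the transport prefix is removed.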