NACM rule to restrict user to access only restconf url

schallagalla
Level 1

Hi All,

I have an action package which should be accessible to a particular user.

I created a user and group using NACM and then a rule list, which is taking only "/" as path. If I provide the path as /restconf/operations, then I see the below error in the devel log.

 Error : "/restconf/operations/ep-api/" in access Rule "epp_admin/api_access" is not valid for URN star.

 

I have not given star in the path given in nacm.

 

group epp_admin {
    user-name [ eppnso ];
}

rule-list epp_admin {
    group [ epp_admin ];
    rule api_access {
        module-name *;
        path /restconf/operations/ep-api/;
        access-operations create,read,update,delete,exec;
        action permit;
        context *;
    }
    cmdrule any-command {
        action permit;
    }
}

 

Please let me know if anyone has encountered this error before.

Thanks.

1 Accepted Solution


yfherzog
Cisco Employee

Hi,

 

I wasn't able to understand what exactly you're trying to achieve, but 2 comments that might help:

 

1. I think you can drop the module-name altogether in most cases (I think you might be good with dropping context and access-operations in this case).

2. NACM is mostly API-agnostic, so when you provide the path inside a rule, you typically include the data model path, rather than anything related to the interface to be used (e.g. RESTCONF).

So, in this case, your path might be /ep-api, rather than '/restconf/...'

 

Hope this might help somehow!
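
An added example, not part of the original thread and not Cisco's code: a small Python check that scans curly-brace NACM configuration for rule paths written as RESTCONF URLs and suggests the data model path the answer above describes. It assumes the RESTCONF root is /restconf and that the path contains no list keys; the function names and the second sample rule are hypothetical.

```python
import re

# RESTCONF resource prefixes (RFC 8040), assuming the API root is /restconf.
RESTCONF_PREFIXES = ("/restconf/data", "/restconf/operations")

# `rule NAME { ... }` blocks; does not match `rule-list` or `cmdrule`.
RULE_RE = re.compile(r"\brule\s+(\S+)\s*\{([^}]*)\}")
PATH_RE = re.compile(r"\bpath\s+([^;\s]+)\s*;")

# Constructed sample: the rule from the question plus one valid rule.
SAMPLE = """
rule-list epp_admin {
    group [ epp_admin ];
    rule api_access {
        path /restconf/operations/ep-api/;
        action permit;
    }
    rule devices_read {
        path /devices;
        action permit;
    }
    cmdrule any-command {
        action permit;
    }
}
"""


def to_data_model_path(path):
    """Strip a RESTCONF resource prefix; None if the path has none."""
    for prefix in RESTCONF_PREFIXES:
        if path == prefix or path.startswith(prefix + "/"):
            return "/" + path[len(prefix):].strip("/")
    return None


def audit_nacm_paths(config_text):
    """Return (rule, path, suggestion) for rules whose path is a RESTCONF URL."""
    findings = []
    for name, body in RULE_RE.findall(config_text):
        match = PATH_RE.search(body)
        suggestion = to_data_model_path(match.group(1)) if match else None
        if suggestion is not None:
            findings.append((name, match.group(1), suggestion))
    return findings


if __name__ == "__main__":
    for rule, path, suggestion in audit_nacm_paths(SAMPLE):
        print(f"rule {rule}: path {path} is a RESTCONF URL; try {suggestion}")
```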


2 Replies


Thanks Yftach.

 

As you said, I removed /restconf/operations and added access to devices. It's working as expected.

Thanks for your quick reply.
