tcragg1
Cisco Employee

NACM to allow access to /devices/device/check-sync and sync-from

I am trying to create an NACM rule that will allow certain users that have otherwise very limited access to be able to trigger a check-sync and sync-from at the devices/device level (i.e. "devices device ce0 check-sync" instead of "devices check-sync").  Doing this at the devices level seems simple enough, but I have not been able to make it work at the individual device level. Below is the NACM rule-list:

 

nacm rule-list console
 group [ console_grp_local network_nso_vpn_service root ]
 rule wxc-vpn-customer
  path              /services/vpn-customer
  access-operations create,read,update,delete
  action            permit
 !
 rule wxc-vpn-connect
  path              /services/vpn-connect
  access-operations create,read,update,delete
  action            permit
 !
 rule f5-health-check
  path              /ncs-state/ha
  access-operations read
  action            permit
 !
 rule check-sync
  path              /ncs:devices/ncs:device[name='$DEVICE']/ncs:check-sync
  access-operations exec
  action            permit
 !
 rule sync-from
  path              /ncs:devices/ncs:sync-from
  access-operations exec
  action            permit
 !
 rule default-deny
  action deny
 !
 cmdrule any-command
  action permit
 !
!

The sync-from rule seems to give access to the "devices sync-from" command, but I get a "No entries found" error at the "devices device" level.

 

What do I need to change about the check-sync rule to enable access to the "devices device ce0 check-sync" command?

 

1 ACCEPTED SOLUTION

I set up an example myself and this worked for me:

 rule no-see-config
  path              /ncs:devices/ncs:device/config
  access-operations read
  action            deny
 !
 rule see-device
  path              /ncs:devices/ncs:device
  access-operations read
  action            permit
 !
 rule sync-from
  path              /ncs:devices/ncs:device/ncs:check-sync
  access-operations exec
  action            permit
 !
 rule see-device-settings
  path              /ncs:devices/ncs:global-settings
  access-operations read
  action            permit
 !

This ensures that I can see the device and its settings and that I can check-sync them.  I am not entirely sure what the _minimal_ set of rules is here. It might be that this can be trimmed down quite a lot, but you do need at least ned-settings and some of the general flags for how the device should behave.

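A small evaluator, added here as an illustration and not code from NSO or from either poster, that mirrors the first-match-wins rule evaluation of RFC 8341 so the two rule-lists on this page can be compared offline. Assumptions: it treats `$DEVICE` as a literal string (consistent with the question's report that the predicate rule never matched), strips module prefixes, ignores module-name, rpc and notification rule types, and uses the RFC's YANG defaults (read permit, write deny, exec permit) rather than whatever your NSO instance has configured for read-default, write-default and exec-default. The groups, rule names and paths are taken from the thread; `ios:hostname` is a made-up leaf under the device config.

```python
"""Toy NACM (RFC 8341) rule evaluator for reasoning about NSO rule-lists.

Constructed example, not NSO code. It models ordered rule-lists, first match
wins, data-node paths with optional list-key predicates, and a global default
per operation. A rule step without a predicate matches every list entry.
"""
from __future__ import annotations
from dataclasses import dataclass
import re

ALL_OPS = frozenset({"create", "read", "update", "delete", "exec"})
RW = frozenset({"create", "read", "update", "delete"})


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "permit" or "deny"
    path: str | None = None       # None: matches any node (like a rule with no path)
    ops: frozenset = ALL_OPS      # access-operations; default is "*"


@dataclass(frozen=True)
class RuleList:
    name: str
    groups: frozenset
    rules: tuple


_STEP = re.compile(r"/([^/\[]+)((?:\[[^\]]*\])*)")
_PRED = re.compile(r"\[([^=\]]+)='([^']*)'\]")


def _steps(path):
    """'/a:x/a:y[k='v']/z' -> [('x', {}), ('y', {'k': 'v'}), ('z', {})].
    Prefixes are stripped: a simplification that is fine for one module."""
    return [(node.split(":")[-1], dict(_PRED.findall(preds)))
            for node, preds in _STEP.findall(path)]


def path_matches(rule_path, req_path):
    """A rule covers the node it names and every descendant. Every key predicate
    on the rule must equal the request's; a step without one matches any entry.
    '$DEVICE' is compared literally, so it never equals a real key value."""
    if rule_path is None:
        return True
    rs, qs = _steps(rule_path), _steps(req_path)
    if len(rs) > len(qs):
        return False
    return all(rn == qn and all(qk.get(k) == v for k, v in rk.items())
               for (rn, rk), (qn, qk) in zip(rs, qs))


def evaluate(rule_lists, user_groups, op, req_path, defaults):
    """Return (action, 'rulelist/rule') for the first matching rule, or the
    global default for the operation when nothing matches."""
    for rl in rule_lists:
        if not (rl.groups & user_groups):
            continue            # rule-lists apply only to their groups
        for r in rl.rules:
            if op in r.ops and path_matches(r.path, req_path):
                return r.action, f"{rl.name}/{r.name}"
    return defaults[op], "default"


# Rule-list as posted in the question; the $DEVICE predicate is taken literally.
ORIGINAL = RuleList("console", frozenset({"console_grp_local"}), (
    Rule("wxc-vpn-customer", "permit", "/services/vpn-customer", RW),
    Rule("wxc-vpn-connect", "permit", "/services/vpn-connect", RW),
    Rule("f5-health-check", "permit", "/ncs-state/ha", frozenset({"read"})),
    Rule("check-sync", "permit",
         "/ncs:devices/ncs:device[name='$DEVICE']/ncs:check-sync", frozenset({"exec"})),
    Rule("sync-from", "permit", "/ncs:devices/ncs:sync-from", frozenset({"exec"})),
    Rule("default-deny", "deny"),
))
# The accepted answer's four rules, placed ahead of the question's default-deny.
FIXED = RuleList("console-fixed", frozenset({"console_grp_local"}), (
    Rule("no-see-config", "deny", "/ncs:devices/ncs:device/config", frozenset({"read"})),
    Rule("see-device", "permit", "/ncs:devices/ncs:device", frozenset({"read"})),
    Rule("check-sync", "permit", "/ncs:devices/ncs:device/ncs:check-sync", frozenset({"exec"})),
    Rule("see-device-settings", "permit", "/ncs:devices/ncs:global-settings", frozenset({"read"})),
    Rule("default-deny", "deny"),
))
# RFC 8341 YANG defaults (assumed); substitute your instance's configured values.
DEFAULTS = {"read": "permit", "create": "deny", "update": "deny",
            "delete": "deny", "exec": "permit"}
GROUPS = frozenset({"console_grp_local"})
CE0 = "/ncs:devices/ncs:device[name='ce0']"


def decide(rule_list, op, path):
    return evaluate([rule_list], GROUPS, op, path, DEFAULTS)


if __name__ == "__main__":
    for rl in (ORIGINAL, FIXED):
        for op, path in (("exec", CE0 + "/ncs:check-sync"),
                         ("read", CE0 + "/ncs:address"),
                         ("read", CE0 + "/config/ios:hostname"),
                         ("exec", CE0 + "/ncs:sync-from"),
                         ("exec", "/ncs:devices/ncs:sync-from")):
            print(f"{rl.name:14} {op:5} {path:50} -> {decide(rl, op, path)}")
```

Under the original rule-list both the exec of check-sync on ce0 and a read of the ce0 entry itself fall through to default-deny, while the accepted answer's rules permit the exec and the read of everything under the entry except the config subtree. Two caveats the run makes visible: the accepted rules only cover check-sync, so a device-level sync-from still needs its own rule on /ncs:devices/ncs:device/ncs:sync-from, and rule order is what keeps no-see-config effective, since a broader see-device rule placed above it would match first.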

3 REPLIES
vleijon
Cisco Employee

Try just putting /ncs:devices/ncs:device/ncs:check-sync for the path.

I still just get "No entries found" with that path.
