12-18-2020 08:42 AM
I am trying to create an NACM rule that will allow certain users that have otherwise very limited access to be able to trigger a check-sync and sync-from at the devices/device level (i.e. "devices device ce0 check-sync" instead of "devices check-sync"). Doing this at the devices level seems simple enough, but I have not been able to make it work at the individual device level. Below is the NACM rule-list:
nacm rule-list console
group [ console_grp_local network_nso_vpn_service root ]
rule wxc-vpn-customer
path /services/vpn-customer
access-operations create,read,update,delete
action permit
!
rule wxc-vpn-connect
path /services/vpn-connect
access-operations create,read,update,delete
action permit
!
rule f5-health-check
path /ncs-state/ha
access-operations read
action permit
!
rule check-sync
path /ncs:devices/ncs:device[name='$DEVICE']/ncs:check-sync
access-operations exec
action permit
!
rule sync-from
path /ncs:devices/ncs:sync-from
access-operations exec
action permit
!
rule default-deny
action deny
!
cmdrule any-command
action permit
!
!
The sync-from rule seems to give access to the "devices sync-from" command, but I get a "No entries found" error at the "devices device" level.
What do I need to change about the check-sync rule to enable access to the "devices device ce0 check-sync" command?
12-18-2020 09:34 AM
I set up an example myself and this worked for me:
rule no-see-config
path /ncs:devices/ncs:device/config
access-operations read
action deny
!
rule see-device
path /ncs:devices/ncs:device
access-operations read
action permit
!
rule sync-from
path /ncs:devices/ncs:device/ncs:check-sync
access-operations exec
action permit
!
rule see-device-settings
path /ncs:devices/ncs:global-settings
access-operations read
action permit
!
This ensures that I can see the device and its settings and that I can check-sync them. I am not entirely sure what the _minimal_ set of rules is here. It might be that this can be trimmed down quite a lot, but you do need at least ned-settings and some of the general flags for how the device should behave.
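As an added illustration, not code from the thread or from NSO itself: a small Python model of how NACM decides a request against the rule-list above, where the first matching rule wins and a path rule covers its node plus the subtree below it. It compares local node names only, dropping module prefixes and list-key predicates, which simplifies real NACM matching; the device name ce0 in the constructed request paths is the one from the question.

```python
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Rule:
    name: str
    path: str        # NACM 'path', compared by local node names only (simplification)
    ops: frozenset   # access-operations; '*' matches any operation
    action: str      # 'permit' or 'deny'

def _steps(path: str) -> List[str]:
    """Split a path into local names, dropping 'ncs:' prefixes and [key='v'] predicates."""
    steps = []
    for s in path.strip('/').split('/'):
        if s:
            s = s.split('[', 1)[0]             # drop list-key predicate
            steps.append(s.split(':', 1)[-1])  # drop module prefix
    return steps

def rule_matches(rule: Rule, op: str, path: str) -> bool:
    if '*' not in rule.ops and op not in rule.ops:
        return False
    r, p = _steps(rule.path), _steps(path)
    return p[:len(r)] == r   # rule covers its node and the whole subtree below it

def evaluate(rules: List[Rule], op: str, path: str, default: str = 'deny') -> str:
    """First matching rule wins (RFC 8341, section 3.4.5); otherwise the given default."""
    for rule in rules:
        if rule_matches(rule, op, path):
            return rule.action
    return default

# The accepted answer's four rules, in the order they appear.
RULES = [
    Rule('no-see-config', '/ncs:devices/ncs:device/config', frozenset({'read'}), 'deny'),
    Rule('see-device', '/ncs:devices/ncs:device', frozenset({'read'}), 'permit'),
    Rule('sync-from', '/ncs:devices/ncs:device/ncs:check-sync', frozenset({'exec'}), 'permit'),
    Rule('see-device-settings', '/ncs:devices/ncs:global-settings', frozenset({'read'}), 'permit'),
]

def decide(op: str, path: str) -> str:
    return evaluate(RULES, op, path)

if __name__ == '__main__':
    # Constructed request paths for a device named ce0 (the name used in the question).
    for op, path in [('exec', "/ncs:devices/ncs:device[name='ce0']/ncs:check-sync"),
                     ('exec', "/ncs:devices/ncs:device[name='ce0']/ncs:sync-from"),
                     ('read', "/ncs:devices/ncs:device[name='ce0']/ncs:config"),
                     ('read', "/ncs:devices/ncs:device[name='ce0']/ncs:address")]:
        print(f"{op:5} {path:55} -> {decide(op, path)}")
```

Note that the per-device sync-from action is not covered by any of the four rules, so it falls to the default; a separate rule on /ncs:devices/ncs:device/ncs:sync-from would be needed for it.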
12-18-2020 08:44 AM
12-18-2020 08:53 AM
I still just get "No entries found" with that path.