
NSO NACM Data Node Rule for a device

ZAhmad04890
Level 1

Hi,

I have created a new user in NSO named user1 and restricted access to device PE0 using the data node rule below:

nacm groups group user1
 user-name [ user1 public ]

nacm rule-list user1
 group [ user1 ]
 rule BLOCK-PE0
  path devices/device[name='PE0']
  access-operations create,read,update,delete
  action deny

However, when I log in to NSO as user1, device PE0 is not blocked for user1, and I can still make changes to device PE0 using NSO. What can I change in the above configuration so that all changes to device PE0 are blocked for user1?

Thanks & Regards

1 Accepted Solution


vleijon
Cisco Employee
Your path has to start with /devices/device at least.


Hi vleijon,

When I log in to NSO with a user other than admin, I cannot see the NACM rules in the running configuration of NSO, nor can I modify any NACM configuration. Are the NACM rules only accessible via the admin user on NSO? And can the NACM config be modified only via the admin user?

Thanks.

The editing of NACM rules also follows the NACM rules, so it will depend on your configuration. Generally, since being allowed to edit the NACM rules indirectly gives you access to everything, it makes sense to restrict access.

Does that mean that we can create a new account in NSO and can give it administrative privileges equal to admin?

Yes, the name admin is not special in any way; it is all driven by the rules.
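
Added example, not part of the thread and not NSO code: a small Python check for the problem named in the accepted answer, a data-node rule whose path does not start with `/`. The CLI-style sample text is constructed from the configuration in the question (plus a corrected copy of the rule), and the function names are hypothetical.

```python
# Added example: lint NSO-style NACM config text for data-node rule paths
# that are not absolute. The sample below is constructed from the thread.

SAMPLE_CONFIG = """\
nacm rule-list user1
 group [ user1 ]
 rule BLOCK-PE0
  path devices/device[name='PE0']
  access-operations create,read,update,delete
  action deny
 rule BLOCK-PE0-FIXED
  path /devices/device[name='PE0']
  access-operations create,read,update,delete
  action deny
"""

RULE_LEAVES = ("path", "access-operations", "action")


def parse_rules(config):
    """Return one dict per rule with its rule-list, name and leaf values."""
    rules, rule_list, current = [], None, None
    for line in config.splitlines():
        parts = line.split(None, 1)          # keyword, rest of line
        if len(parts) < 2:                   # blank lines and "!" terminators
            continue
        key, value = parts[0], parts[1].strip()
        if key == "nacm" and value.startswith("rule-list "):
            rule_list, current = value.split()[1], None
        elif key == "rule" and rule_list is not None:
            current = {"rule-list": rule_list, "rule": value}
            rules.append(current)
        elif key in RULE_LEAVES and current is not None:
            current[key] = value
    return rules


def lint_paths(rules):
    """Flag rules whose path lacks the leading '/' the accepted answer requires."""
    findings = []
    for r in rules:
        path = r.get("path")
        if path is not None and not path.startswith("/"):
            findings.append((r["rule-list"], r["rule"], path, "/" + path))
    return findings


if __name__ == "__main__":
    for rl, rule, bad, fixed in lint_paths(parse_rules(SAMPLE_CONFIG)):
        print(f"{rl}/{rule}: path {bad!r} is not absolute; use {fixed!r}")
```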