Yes, that is exactly right in your understanding! I am trying to look at a way of digging up the group, I was certain it was in the uinfo but it seems not. I’ll have to poke around a bit. ... View more

I am pretty sure I can tell you what is happening. I think that your action creates a fresh usersession, using startUserSession or something like that with an empty group list, that is the second line you see in the log.   Now calling that api doesn't use a password, so it doesn't do proper authentication, so it doesn't get any external groups. You want to give a group list when you start the user session. To avoid hardcoding both username as groups you can look at the uinfo (userinfo) that you get when the action is called and making sure to pass that on to the new session.   ... View more

Okay, the question is what groups are returned from PAM then, double check in devel.log what it actually gives though to make sure it is what you expect! It might be that for some reason PAM doesn’t return the ncsadmin group – this might be especially if pam authenticates in turn against a remote source such as LDAP. ... View more

The question is what groups were assigned when the user logged in. You didn’t mention if the user was using netconf or cli or some other interface, and you didn’t mention how authentication is setup, is it only local auth? The easiest thing is to check audit.log for a line like this: 26-Jan-2018::17:41:45.937 VLEIJON-M-N1WC ncs[49510]: audit user: admin/52 assigned to groups: admin,staff,com.apple.sharepoint.group.1,everyone,localaccounts,_appserverusr,_appserveradm,_lpadmin,_appstore,_lpoperator,_developer,com.apple.access_ftp,com.apple.access_screensharing,com.apple.access_ssh ... View more

So, look at this session: admin@ncs% request devices sync-from sync-result { device xr1 result true } [ok][2019-04-16 09:28:15] [edit] admin@ncs% rollback Possible completions: 10001 - 2019-04-02 21:02:47 by system via system 10002 - 2019-04-02 21:23:17 by admin via cli 10003 - 2019-04-02 21:23:56 by admin via cli 10004 - 2019-04-04 15:55:35 by admin via cli 10005 - 2019-04-16 09:28:15 by admin via cli selective - Apply a single rollback delta admin@ncs% request devices device xr1 sync-from result true [ok][2019-04-16 09:28:33] [edit] admin@ncs% request devices device xr1 sync-from result true [ok][2019-04-16 09:28:35] [edit] admin@ncs% rollback Possible completions: 10001 - 2019-04-02 21:02:47 by system via system 10002 - 2019-04-02 21:23:17 by admin via cli 10003 - 2019-04-02 21:23:56 by admin via cli 10004 - 2019-04-04 15:55:35 by admin via cli 10005 - 2019-04-16 09:28:15 by admin via cli 10006 - 2019-04-16 09:28:33 by admin via cli selective - Apply a single rollback delta Here I have done two sync-froms that show up in the rollback list as 10005 and 10006 respectively. I can issue "rollback 10005" to rollback only the first sync-from.   There is of course no guarantee that this is consistent or that it is what you want (if the changes are overlapping for instance), but you can do it! And you can do a show | compare to see what it would mean.   ... View more

Wait, what is the desired result here? Is it like reverting a single commit in git or more like resetting a branch?   In general, you can revert any single commit using the revert command. (If that commit is in your history.) ... View more

It really looks like you are connecting to an nso instance. What is $CONFD_IPC_PORT set to when you run the command? ... View more

It is enough if you post each question a single time. Did you source env.sh in the netsim directory first? That is a common cause of this problem. ... View more