Note: The examples in this section are for illustrative purposes only.
The following is a sample for groups configuration.
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <groups>
    <group>
      <name>administrators</name>
      <user-name>admin</user-name>
      <user-name>root</user-name>
    </group>
    <group>
      <name>limited-permission</name>
      <user-name>alice</user-name>
      <user-name>bob</user-name>
    </group>
  </groups>
</nacm>
Table 1. Description of the Configuration Parameters for Groups Configuration
Parameter | Description
<name>administrators</name> | Group name
<user-name>admin</user-name> | User name
<user-name>root</user-name> | User name
The following is a sample for creating module rules.
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <rule-list>
    <name>only-ietf-interfaces</name>
    <group>limited-permission</group>
    <rule>
      <name>deny-native</name>
      <module-name>Cisco-IOS-XE-native</module-name>
      <access-operations>*</access-operations>
      <action>deny</action>
    </rule>
    <rule>
      <name>allow-ietf-interfaces</name>
      <module-name>ietf-interfaces</module-name>
      <access-operations>*</access-operations>
      <action>permit</action>
    </rule>
  </rule-list>
</nacm>
Table 2. Description of the Configuration Parameters for Creating Module Rules
Parameter | Description
<name>only-ietf-interfaces</name> | Unique rule-list name
<group>limited-permission</group> | Groups that the rule-list applies to
<name>deny-native</name> | Unique rule name
<module-name>Cisco-IOS-XE-native</module-name> | Name of the YANG module
<access-operations>*</access-operations> | CRUDx operation types (create, read, update, delete, exec; * matches all)
<action>deny</action> | Permit/deny
The following is a sample for creating protocol operation rules.
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <rule-list>
    <name>only-get</name>
    <group>limited-permission</group>
    <rule>
      <name>deny-edit-config</name>
      <module-name>ietf-netconf</module-name>
      <rpc-name>edit-config</rpc-name>
      <access-operations>exec</access-operations>
      <action>deny</action>
    </rule>
    <rule>
      <name>allow-get</name>
      <module-name>ietf-netconf</module-name>
      <rpc-name>get</rpc-name>
      <access-operations>exec</access-operations>
      <action>permit</action>
    </rule>
  </rule-list>
</nacm>
Table 3. Description of the Configuration Parameters for Creating Protocol Operation Rules
Parameter | Description
<name>only-get</name> | Unique rule-list name
<group>limited-permission</group> | Groups that the rule-list applies to
<name>deny-edit-config</name> | Unique rule name
<module-name>ietf-netconf</module-name> | Name of the module containing the RPC
<rpc-name>edit-config</rpc-name> | Name of the RPC
<access-operations>exec</access-operations> | Execute permission for the RPC
<action>deny</action> | Permit/deny
The following is a sample for creating data node rules.
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <rule-list>
    <name>hide-enable-passwords</name>
    <group>limited-permission</group>
    <rule>
      <name>deny-enable-passwords</name>
      <path xmlns:ios="http://cisco.com/ns/yang/Cisco-IOS-XE-native">/ios:native/enable</path>
      <access-operations>*</access-operations>
      <action>deny</action>
    </rule>
  </rule-list>
</nacm>
Table 4. Description of the Configuration Parameters for Creating Data Node Rules
Parameter | Description
<name>hide-enable-passwords</name> | Unique rule-list name
<group>limited-permission</group> | Groups that the rule-list applies to
<name>deny-enable-passwords</name> | Unique rule name
<path xmlns:ios="http://cisco.com/ns/yang/Cisco-IOS-XE-native">/ios:native/enable</path> | Path to the data node being granted/denied (the xmlns:ios attribute declares the prefix used in the path)
<access-operations>*</access-operations> | CRUDx operation types
<action>deny</action> | Permit/deny
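To check what the group, module, protocol operation and data node rules above actually allow before pushing them to a device, the following added example (not Cisco's code and not a full RFC 8341 implementation) walks a constructed <nacm> document that merges those samples and reports which rule-list and rule decide a request. It assumes the RFC 8341 defaults for unmatched requests (read and exec permit, create/update/delete deny) and simplifies path matching to a textual prefix test; the sample order places hide-enable-passwords before only-ietf-interfaces so that its path rule is reached before the broader deny-native rule.

```python
"""Added NACM rule walker (not Cisco's code, not a full RFC 8341 implementation): rule-lists are
scanned in order, rules in order, first match wins; requests that match no rule fall back to the
RFC 8341 defaults assumed here (read and exec permit, create/update/delete deny)."""
import xml.etree.ElementTree as ET

NS = "{urn:ietf:params:xml:ns:yang:ietf-netconf-acm}"
WRITE_OPS = {"create", "update", "delete"}
# Constructed document: this page's group and rule-list samples merged into one <nacm>, with
# hide-enable-passwords placed first so its path rule is reached before the broader deny-native.
NACM_XML = """<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
 <groups><group><name>limited-permission</name>
  <user-name>alice</user-name><user-name>bob</user-name></group></groups>
 <rule-list><name>hide-enable-passwords</name><group>limited-permission</group>
  <rule><name>deny-enable-passwords</name>
   <path xmlns:ios="http://cisco.com/ns/yang/Cisco-IOS-XE-native">/ios:native/enable</path>
   <access-operations>*</access-operations><action>deny</action></rule></rule-list>
 <rule-list><name>only-ietf-interfaces</name><group>limited-permission</group>
  <rule><name>deny-native</name><module-name>Cisco-IOS-XE-native</module-name>
   <access-operations>*</access-operations><action>deny</action></rule>
  <rule><name>allow-ietf-interfaces</name><module-name>ietf-interfaces</module-name>
   <access-operations>*</access-operations><action>permit</action></rule></rule-list>
 <rule-list><name>only-get</name><group>limited-permission</group>
  <rule><name>deny-edit-config</name><module-name>ietf-netconf</module-name>
   <rpc-name>edit-config</rpc-name><access-operations>exec</access-operations>
   <action>deny</action></rule></rule-list>
</nacm>"""


def decide(user, op, module, rpc=None, path=None, xml=NACM_XML):
    """Return (action, rule-list name, rule name); names are None when a default applied.
    Path matching is a simplified textual prefix test against the rule's <path> value."""
    root = ET.fromstring(xml)
    groups = {g.findtext(NS + "name") for g in root.findall(f"{NS}groups/{NS}group")
              if user in [u.text for u in g.findall(NS + "user-name")]}
    for rl in root.findall(NS + "rule-list"):
        rl_groups = {g.text for g in rl.findall(NS + "group")}
        if "*" not in rl_groups and not (rl_groups & groups):
            continue  # rule-list is not bound to any group this user belongs to
        for rule in rl.findall(NS + "rule"):
            mod = rule.findtext(NS + "module-name", "*")
            ops = rule.findtext(NS + "access-operations", "*").split()
            rule_rpc, rule_path = rule.findtext(NS + "rpc-name"), rule.findtext(NS + "path")
            if mod not in ("*", module) or ("*" not in ops and op not in ops):
                continue
            if rule_rpc and rule_rpc not in ("*", rpc):
                continue  # RPC rule, but the request is a different RPC or not an RPC at all
            if rule_path and not (path or "").startswith(rule_path.strip()):
                continue  # data-node rule, but the request is outside that subtree or is an RPC
            return rule.findtext(NS + "action"), rl.findtext(NS + "name"), rule.findtext(NS + "name")
    return ("deny" if op in WRITE_OPS else "permit"), None, None
```

A user such as carol, who belongs to no group, is not constrained by any of these rule-lists and reads /ios:native/enable under the assumed read default of permit, so a rule-list bound to `<group>*</group>` or a device-wide read-default of deny is needed if the intent is to hide that subtree from everyone outside the administrators group.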
The following is an example NACM configuration that permits all groups to use the standard NETCONF RPCs <get> and <get-config>,
the schema download RPC <get-schema>, and read-only access to the data in the module ietf-interfaces:
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <rule-list>
    <name>readonly-protocol</name>
    <group>*</group>
    <rule>
      <name>get-permit</name>
      <module-name>ietf-netconf</module-name>
      <rpc-name>get</rpc-name>
      <access-operations>exec</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>get-config-permit</name>
      <module-name>ietf-netconf</module-name>
      <rpc-name>get-config</rpc-name>
      <access-operations>exec</access-operations>
      <action>permit</action>
    </rule>
    <rule>
      <name>get-schema-permit</name>
      <module-name>ietf-netconf-monitoring</module-name>
      <rpc-name>get-schema</rpc-name>
      <access-operations>exec</access-operations>
      <action>permit</action>
    </rule>
  </rule-list>
  <rule-list>
    <name>readonly-data</name>
    <group>*</group>
    <rule>
      <name>ietf-interfaces-permit</name>
      <module-name>ietf-interfaces</module-name>
      <access-operations>read</access-operations>
      <action>permit</action>
    </rule>
  </rule-list>
</nacm>