Specifies access restrictions for a user group.
Verify the users in the group before applying restrictions. To specify restrictions for any group, ensure that the admin user
is not part of that group. By default, the admin user is configured in each group.
Syntax
nacm rule-list <rule-name> group <group-name> cmdrule <cmdrule-name> command <command to restrict> access-operations exec action deny
Command Parameters
Table 45. Parameter Description

| Command Parameter | Description |
|---|---|
| rule-list | Name of rule list. |
| group | Name of the group or list of groups to which the rules apply. |
| command | Command that is restricted for the user group. |
| access-operations | Used to match the operation that ConfD tries to perform. It must be one or more of the values from the access-operations-type: create, read, update, delete, exec |
| action | If all of the previous fields match, the rule as a whole matches and the value of action (permit or deny) is taken. If a match is found, a decision is made whether to permit or deny the request in its entirety. If action is permit, the request is permitted; if action is deny, the request is denied. |
Command Usage
To delete the admin user from the read-only group, use the following command:
scheduler(config)#no nacm groups group crd-read-only user-name admin
For the configuration to take effect, log out of the CLI session and log in again after configuring any nacm rule-list.
Examples
Restrict the crd-read-only group from running the config command:
scheduler(config)#nacm rule-list crdreadgrp group crd-read-only cmdrule denyconfig command config access-operations exec action deny
scheduler(config-cmdrule-denyconfig)# commit
Restrict the crd-read-only and policy-ro groups from running the config command:
scheduler(config)#nacm rule-list readonly-restrict group [ crd-read-only policy-ro ] cmdrule cfg-restrict command config access-operations exec action deny
scheduler(config-cmdrule-cfg-restrict)#commit
Restrict the crd-read-only and policy-ro groups from running the docker command:
scheduler(config)#nacm rule-list readonly-restrict group [ crd-read-only policy-ro ] cmdrule docker-restrict command docker access-operations exec action deny
scheduler(config-cmdrule-docker-restrict)# commit
Restrict the crd-read-only and policy-ro groups from running the system stop command:
scheduler(config)#nacm rule-list readonly-restrict group [ crd-read-only policy-ro ] cmdrule sys-stop command "system stop" access-operations exec action deny
scheduler(config-cmdrule-sys-stop)# commit
Restrict the crd-read-only and policy-ro groups from running the system start command:
scheduler(config)#nacm rule-list readonly-restrict group [ crd-read-only policy-ro ] cmdrule sys-start command "system start" access-operations exec action deny
scheduler(config-cmdrule-sys-start)# commit
Restrict the load override command for all users, including admin:
scheduler(config)#nacm rule-list readonly-restrict group [ * ] cmdrule load-override command "load override" access-operations exec action deny
scheduler(config-cmdrule-load-override)# commit
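The following Python sketch is an added example, not part of the product or its documentation. It parses rule lines in the syntax shown above and reports which deny rules would also apply to the admin user, which is the check to run before committing a rule list. The group membership, the users alice and bob, the helper names, prefix matching on command words, and the permit default are assumptions made for illustration.

```python
import shlex

# Rule lines copied from the examples above (prompt removed).
RULES_TEXT = [
    'nacm rule-list crdreadgrp group crd-read-only cmdrule denyconfig command config access-operations exec action deny',
    'nacm rule-list readonly-restrict group [ crd-read-only policy-ro ] cmdrule sys-stop command "system stop" access-operations exec action deny',
    'nacm rule-list readonly-restrict group [ * ] cmdrule load-override command "load override" access-operations exec action deny',
]
# Constructed membership; alice and bob are made-up users.
MEMBERSHIP = {"crd-read-only": {"admin", "alice"}, "policy-ro": {"bob"}}

def parse_rule(line):
    """Parse one rule line written in the syntax shown on this page."""
    tok = shlex.split(line)  # keeps "system stop" as a single token
    i = tok.index("group") + 1
    if tok[i] == "[":  # bracketed list of groups
        j = tok.index("]", i)
        groups, i = set(tok[i + 1:j]), j + 1
    else:
        groups, i = {tok[i]}, i + 1
    f = dict(zip(tok[i::2], tok[i + 1::2]))  # remaining keyword/value pairs
    return {"groups": groups, "cmdrule": f["cmdrule"],
            "command": f["command"].split(),
            "ops": set(f["access-operations"].split()), "action": f["action"]}

RULES = [parse_rule(line) for line in RULES_TEXT]

def applies(rule, groups):
    """A rule applies if it names one of the user's groups or the wildcard."""
    return bool(rule["groups"] & (set(groups) | {"*"}))

def decide(rules, groups, typed, op="exec", default="permit"):
    """First matching rule wins. Prefix matching on command words and the
    'permit' default are assumptions of this sketch, not taken from the page."""
    words = typed.split()
    for r in rules:
        if applies(r, groups) and op in r["ops"] and words[:len(r["command"])] == r["command"]:
            return r["action"], r["cmdrule"]
    return default, None

def deny_rules_for(rules, user, membership):
    """Names of deny rules that would also apply to `user`."""
    groups = {g for g, users in membership.items() if user in users}
    return [r["cmdrule"] for r in rules if r["action"] == "deny" and applies(r, groups)]

if __name__ == "__main__":
    print(deny_rules_for(RULES, "admin", MEMBERSHIP))
```

With admin still in crd-read-only, all three rules are reported; after admin is removed from the group, only the wildcard rule remains, matching the last example above.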