This is the documentation for the 19.02 version. Looking for the documentation of the latest version? Have a look here.
NACM Rule Lists¶
NACM rules are contained inside a rule list. A rule list may contain multiple rules, and they are used in the order they are entered. Rule lists are also checked in the order they were created. Consider the order of lists and rules carefully when crafting rule lists.
Create a rule list:
tnsr(config)# nacm rule-list ro-rules
Set the group to which the rule list applies, use
tnsr(config-nacm-rule-list)# group readonly
For information on defining groups, see NACM Username Mapping.
When configuring a rule list (
config-nacm-rule-list mode), the
<name> command defines a new rule:
tnsr(config-nacm-rule-list)# rule permit-all
After entering this command, the CLI will be in
From here, a variety of behaviors for the rule can be set, including:
- access-operations <exec|*>
The type of operation covered by this rule. Can either be
*to cover all access operations.
- action <deny|permit>
The action to take when this rule is matched, either
denyto deny access or
permitto allow access.
- comment <text>
Arbitrary text describing the purpose of this rule.
Next, the following types can be used to specify the restriction to be enacted by this rule:
- module <*>
The name of the Yang module covered by this rule.
Only module name
*is supported at this time.
- path <path-name>
XML path to restrict with this rule.
- rpc <rpc-name>
The name of an RPC call to be restricted by this rule, such as
get-config, and so on.
As shown in NACM Example, the following set of commands defines a rule list and then creates a rule to permit access to everything in TNSR:
tnsr(config)# nacm rule-list admin-rules tnsr(config-nacm-rule-list)# group admin tnsr(config-nacm-rule-list)# rule permit-all tnsr(config-nacm-rule)# module * tnsr(config-nacm-rule)# access-operations * tnsr(config-nacm-rule)# action permit tnsr(config-nacm-rule)# exit tnsr(config-nacm-rule-list)# exit
NACM Rule Processing Order¶
When consulting defined rule lists, NACM acts in the following manner:
If NACM is disabled, it skips all checks, otherwise it proceeds
NACM consults group lists to find which groups contain this user
NACM checks each rule list in the order they are defined
NACM checks the group membership for each of these rule lists
NACM compares the group defined on the rule list to the groups for this user, and if there is a match, it checks rules in the list
NACM checks the rules in the order they are defined inside the rule list
NACM compares the current access operation to the rule and if it matches, the rest of the rule is tested
NACM attempts to match the following criteria, if defined on the rule:
moduleon the rule name must match the requested module or
rpc-namematches the RPC call in the request
pathmatches the XML path to the requested data
If the rule is matched, NACM consults the action on the rule and acts as indicated, either permitting or denying access
NACM repeats these checks until there are no more rules, and then no more rule lists
If no rules matched, NACM consults the default policies for the attempted operation and takes the indicated action