Tip

This is the documentation for the 19.12 version. Looking for the documentation of the latest version? Have a look here.

NETCONF Access Control Model (NACM)

NETCONF Access Control Model (NACM) provides a means by which access can be granted to or restricted from groups in TNSR.

NACM is group-based and these groups and group membership lists are maintained in the NACM configuration.

User authentication is not handled by NACM, but by other processes depending on how the user connects. For examples, see User Management and HTTP Server.

See also

The data model and procedures for evaluating whether a user is authorized to perform a given action are defined in RFC 8341.

Warning

TNSR Does not provide protection against changing the rules in such a way that causes a loss of access. Should a lockout situation occur, see Regaining Access if Locked Out by NACM.

• NACM Example
• View NACM Configuration
• Enable or Disable NACM
• NACM Default Policy Actions
• NACM Username Mapping
• NACM Groups
• NACM Rule Lists
• NACM Rules
• NACM Rule Processing Order
• Regaining Access if Locked Out by NACM

NACM Defaults

TNSR version 18.08 or later includes a default set of NACM rules. These rules allow members of group admin to have unlimited access and sets the default policies to deny. This configuration includes the users tnsr and root in the group admin.

See also

To see the specific rules from the default configuration, see NACM Example or view the current NACM configuration as described in View NACM Configuration.

For users of older installations or those who have removed the default NACM configuration, NACM defaults to disabled with no defined groups or rule lists, and with the following default policies:

Default Read policy : permit
Default Write policy: deny
Default Exec policy : permit