NACM Authorization
NACM Username Mapping
NACM does not authenticate users itself, but it does need to know the username to determine group membership.
The method of authentication determines the username as seen by NACM. For example, users authenticated by username and password (e.g. PAM auth for RESTCONF or the CLI) will have that same username in TNSR.
See also
For more information on how users are authenticated, see Authentication and User Management for CLI access and RESTCONF Server for access via RESTCONF.
CLI users can check their TNSR username with the whoami command.
NACM obeys the following rules to determine a username:
- SSH Password: NACM username is the same as the login username
- SSH User Key: NACM username is the same as the login username
- HTTP Server Password: NACM username is the same as the login username
- HTTP Server Client Certificate: NACM username is the Common Name of the user certificate (cn= subject component)
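The mapping rules above, written out as an added Python sketch (not TNSR or Netgate code) for auditing which NACM username a credential resolves to before it is added as a group member. The method labels, function names, and the choice to reject a subject with zero or several CN values are assumptions of this example; how TNSR itself treats such subjects is not described on this page.

```python
import re

# Method labels are names chosen for this example, not TNSR identifiers.
LOGIN_NAME_METHODS = {"ssh-password", "ssh-user-key", "http-password"}
CLIENT_CERT_METHOD = "http-client-cert"


def _split(text, sep):
    """Split on sep unless it is backslash-escaped."""
    return re.findall(r"(?:\\.|[^\\" + re.escape(sep) + r"])+", text)


def _unescape(value):
    """Undo single-character escapes; fail closed on hex-pair escapes."""
    def repl(match):
        if match.group(1):
            raise ValueError("hex-escaped subject values are not handled")
        return match.group(2)
    return re.sub(r"\\(?:([0-9A-Fa-f]{2})|(.))", repl, value)


def common_names(subject):
    """Return every CN value in an RFC 4514-style subject string."""
    names = []
    for rdn in _split(subject, ","):
        for ava in _split(rdn, "+"):  # multi-valued RDN
            key, eq, value = ava.partition("=")
            if eq and key.strip().lower() == "cn":
                names.append(_unescape(value.strip()))
    return names


def nacm_username(method, login=None, subject=None):
    """Apply the four mapping rules listed above."""
    if method in LOGIN_NAME_METHODS:
        if not login:
            raise ValueError("login username is required")
        return login
    if method == CLIENT_CERT_METHOD:
        names = common_names(subject or "")
        if len(names) != 1:  # assumption: refuse ambiguous subjects
            raise ValueError(f"expected exactly one CN, found {len(names)}")
        return names[0]
    raise ValueError(f"unknown authentication method: {method!r}")


def groups_for(username, groups):
    """Exact-match lookup of the mapped username in {group: [members]}."""
    return sorted(g for g, m in groups.items() if username in m)
```

Passing the subject of a client certificate to nacm_username shows the exact string that must appear as a group member for that certificate to receive the group's permissions.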
NACM Groups
To create a group, use the nacm group <group-name> command:
tnsr(config)# nacm group admin
This changes to the config-nacm-group mode where group members can be defined using the member <username> command:
tnsr(config-nacm-group)# member root
tnsr(config-nacm-group)# member tnsr
The username in this context is the mapped username described in NACM Authorization.
Warning
Host operating system users that were created manually and not managed through TNSR cannot be used as group members. See Authentication and User Management for information on managing users in TNSR.
To remove a member, use the no form of the command:
tnsr(config)# nacm group admin
tnsr(config-nacm-group)# no member tnsr
To remove a group, use no nacm group <group-name>:
tnsr(config)# no nacm group admin