NACM Username Mapping
NACM does not authenticate users itself, but it does need to know the username to determine group membership.
The method of authentication determines the username as seen by NACM. For example, users authenticated by username and password (e.g. PAM auth for RESTCONF or the CLI) will have that same username in TNSR.
CLI users can check their TNSR username with the
NACM obeys the following rules to determine a username:
|SSH Password:||NACM username is the same as the login username|
|SSH User Key:||NACM username is the same as the login username|
|HTTP Server Password:||NACM username is the same as the login username|
|HTTP Server Client Certificate:||NACM username is the Common Name of the user|
To create a group, use the nacm group <group-name> command:
tnsr(config)# nacm group admin
This changes to the config-nacm-group mode where group members can be defined using the member <username> command:
tnsr(config-nacm-group)# member root
tnsr(config-nacm-group)# member tnsr
The username in this context is the mapped username described in NACM Username Mapping.
Host operating system users that were created manually and not managed through TNSR cannot be used as group members. See User Management for information on managing users in TNSR.
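The mapping rules and group membership described above can be modelled offline to check which name must be listed as a group member for a given login. This is an added example, not TNSR code: the method labels, function names and sample subjects are assumptions, and it assumes the certificate subject is given as an RFC 4514 string and that the first CN in that string is the one used.

```python
import string

# Method labels below are assumptions made for this example, not TNSR identifiers.
LOGIN_NAME_METHODS = {"ssh-password", "ssh-user-key", "http-password"}
CERT_METHOD = "http-client-cert"
GROUPS = {"admin": {"root", "tnsr"}}  # mirrors the `member` commands on this page

def split_rdns(subject):
    """Split an RFC 4514 subject string into unescaped 'type=value' parts."""
    parts, cur, i = [], bytearray(), 0
    while i < len(subject):
        ch, pair = subject[i], subject[i + 1:i + 3]
        if ch == "\\" and len(pair) == 2 and all(c in string.hexdigits for c in pair):
            cur.append(int(pair, 16)); i += 3        # \XX: one hex-escaped byte
        elif ch == "\\" and i + 1 < len(subject):
            cur += subject[i + 1].encode(); i += 2   # \, \+ \\ : literal character
        elif ch in ",+":
            parts.append(cur.decode(errors="replace")); cur = bytearray(); i += 1
        else:
            cur += ch.encode(); i += 1
    parts.append(cur.decode(errors="replace"))
    return parts

def common_name(subject):
    """Return the first CN value in the subject (assumption), or None if absent."""
    for part in split_rdns(subject):
        key, sep, value = part.partition("=")
        if sep and key.strip().upper() == "CN":
            return value.strip() or None
    return None

def nacm_username(method, login=None, cert_subject=None):
    """Apply the mapping table: login name, except client certs which use the CN."""
    if method in LOGIN_NAME_METHODS:
        return login
    if method == CERT_METHOD:
        return common_name(cert_subject or "")
    raise ValueError(f"unknown authentication method: {method}")

def groups_for(username, groups=GROUPS):
    """Names of the groups that list this mapped username as a member."""
    return sorted(g for g, members in groups.items() if username in members)

if __name__ == "__main__":
    # Constructed sample logins: (method, login name, certificate subject).
    for m, login, subj in [("ssh-user-key", "tnsr", None),
                           (CERT_METHOD, None, "CN=tnsr,OU=ops,O=Example"),
                           (CERT_METHOD, None, r"CN=ops\, tnsr,O=Example"),
                           (CERT_METHOD, None, "OU=tnsr,O=Example")]:
        user = nacm_username(m, login, subj)
        print(m, repr(user), groups_for(user))
```

A certificate whose subject has no CN, or whose CN differs from every configured member name, maps to no group in this model.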
To remove a member, use the no form of the command:
tnsr(config)# nacm group admin
tnsr(config-nacm-group)# no member tnsr
To remove a group, use no nacm group <group-name>:
tnsr(config)# no nacm group admin