NACM Authorization

NACM Username Mapping

NACM does not authenticate users itself, but it does need to know the username to determine group membership.

The method of authentication determines the username as seen by NACM. For example, users authenticated by username and password (e.g. PAM auth for RESTCONF or the CLI) will have that same username in TNSR.

See also

For more information on how users are authenticated, see Authentication and User Management for CLI access and RESTCONF Server for access via RESTCONF.

CLI users can check their TNSR username with the whoami command.

NACM obeys the following rules to determine a username:

SSH Password:

NACM username is the same as the login username

SSH User Key:

NACM username is the same as the login username

HTTP Server Password:

NACM username is the same as the login username

HTTP Server Client Certificate:

NACM username is the Common Name of the user certificate (cn= subject component)

NACM Groups

To create a group, use the nacm group <group-name> command:

tnsr(config)# nacm group admin

This changes to the config-nacm-group mode where group members can be defined using the member <username> command:

tnsr(config-nacm-group)# member root
tnsr(config-nacm-group)# member tnsr

The username in this context is the mapped username described in NACM Authorization.

Warning

Host operating system users that were created manually and not managed through TNSR cannot be used as group members. See Authentication and User Management for information on managing users in TNSR.
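The mapping rules and group membership lookup described above, as an added Python example that is not part of TNSR or its documentation. The method labels, function names, and sample subjects are constructed for illustration. The certificate subject is assumed to be an RFC 4514 string such as the one printed by `openssl x509 -noout -subject -nameopt RFC2253`, without the `subject=` prefix.

```python
import re

# Labels for the four authentication methods are hypothetical names for this example.
LOGIN_NAME_METHODS = {"ssh-password", "ssh-user-key", "http-password"}
CERT_METHOD = "http-client-cert"

def _unescape(value):
    """Undo RFC 4514 escapes: backslash + hex pair, or backslash + character."""
    def repl(m):
        g = m.group(1)
        return chr(int(g, 16)) if len(g) == 2 else g  # exact for ASCII names
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", repl, value)

def cert_common_names(subject):
    """Return every CN value in an RFC 4514 subject string, in order."""
    cns = []
    # Tokenise on unescaped ',' (RDNs) and '+' (multi-valued RDNs).
    for rdn in re.findall(r"(?:\\.|[^\\,])+", subject):
        for ava in re.findall(r"(?:\\.|[^\\+])+", rdn):
            attr, _, value = ava.partition("=")
            if attr.strip().upper() == "CN":
                cns.append(_unescape(value))
    return cns

def nacm_username(method, login=None, cert_subject=None):
    """Apply the mapping rules: login name, or certificate CN for client certs."""
    if method in LOGIN_NAME_METHODS:
        if not login:
            raise ValueError("login username required")
        return login
    if method == CERT_METHOD:
        cns = cert_common_names(cert_subject or "")
        if len(cns) != 1:
            # Assumption of this example: refuse rather than guess among 0 or many CNs.
            raise ValueError(f"expected exactly one CN, found {len(cns)}")
        return cns[0]
    raise ValueError(f"unknown authentication method: {method}")

def groups_for(username, groups):
    """Names of groups whose member list contains the mapped username."""
    return sorted(name for name, members in groups.items() if username in members)

# Constructed sample data: group membership and certificate subjects.
GROUPS = {"admin": {"root", "tnsr"}}
if __name__ == "__main__":
    for subject in (r"CN=tnsr,O=Example\, Inc.", r"O=Example,CN=alice+UID=7"):
        user = nacm_username(CERT_METHOD, cert_subject=subject)
        print(f"{subject!r} -> NACM user {user!r}, groups {groups_for(user, GROUPS)}")
```

A certificate whose CN does not appear as a `member` of any group resolves to an empty group list, which is worth checking before issuing client certificates.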

To remove a member, use the no form of the command:

tnsr(config)# nacm group admin
tnsr(config-nacm-group)# no member tnsr

To remove a group, use no nacm group <group-name>:

tnsr(config)# no nacm group admin