Managing NACM Rules¶
NACM Rule Lists¶
NACM rules are contained inside a rule list. A rule list may contain multiple rules, and they are used in the order they are entered. Rule lists are also checked in the order they were created. Consider the order of lists and rules carefully when crafting rule lists.
Create a rule list:
tnsr(config)# nacm rule-list ro-rules
Set the group to which the rule list applies, use group <group-name>
:
tnsr(config-nacm-rule-list)# group readonly
See also
For information on defining groups, see NACM Authorization.
NACM Rules¶
When configuring a rule list (config-nacm-rule-list
mode), the rule
<name>
command defines a new rule:
tnsr(config-nacm-rule-list)# rule permit-all
After entering this command, the CLI will be in config-nacm-rule
mode.
From here, a variety of behaviors for the rule can be set, including:
- access-operations <name>:
The type of operations matched by this rule. Allowed values include:
Multiple types may be specified in a single command.
- *:
Match all operations
Note
This value cannot be combined with other types as the result would be redundant.
- create:
Any protocol operation that creates a new data node.
- delete:
Any protocol operation that removes a data node.
- exec:
Execution access to the specified protocol operation.
- read:
Any protocol operation or notification that returns the value of a data node.
- update:
Any protocol operation that alters an existing data node.
- action <deny|permit>:
The action to take when this rule is matched, either
deny
to deny access orpermit
to allow access.- comment <text>:
Arbitrary text describing the purpose of this rule.
Next, the following types can be used to specify the restriction to be enacted by this rule:
- module <*>:
The name of the Yang module covered by this rule, for example
netgate-nat
.The complete list of modules can be viewed in the CLI by entering
module ?
from this mode. The REST API documentation also contains a list of modules.- path <path-name>:
XML path to restrict with this rule. This path must include proper namespace prefixes and may also include key restrictions.
For example, to control access to interface state data (e.g.
show interface
output), use/ngif:interfaces-state/ngif:interface
To control access for a single interface, specify its name in the path:
/ngif:interfaces-state/ngif:interface[ngif:name='ipip0']
- rpc <rpc-name>:
The name of an RPC call to be restricted by this rule, such as
edit-config
,get-config
, and so on.
Warning
Users with access to modify the configuration (edit-config
) should also
be granted access to read the same paths (e.g. get-config
). If a user
only has edit-config
access to a path, the user may receive an
access-denied
message in the CLI for that path when attempting to use a
configuration command which makes a modification. This can happen because
validation of certain commands requires reading the configuration to
determine if the attempted command contains appropriate values.
NACM Rule Examples¶
As shown in NACM Example, the following set of commands defines a rule list and then creates a rule to permit access to everything in TNSR:
tnsr(config)# nacm rule-list admin-rules
tnsr(config-nacm-rule-list)# group admin
tnsr(config-nacm-rule-list)# rule permit-all
tnsr(config-nacm-rule)# module *
tnsr(config-nacm-rule)# access-operations *
tnsr(config-nacm-rule)# action permit
tnsr(config-nacm-rule)# exit
tnsr(config-nacm-rule-list)# exit
Using the available module
and access-operation, rules are possible that
limit in more fine-grained ways.
This next example will allow a user in the limited
group to see information
from commands like show
, but not make changes to the configuration:
tnsr(config)# nacm rule-list limited-rules
tnsr(config-nacm-rule-list)# group limited
tnsr(config-nacm-rule-list)# rule read-only
tnsr(config-nacm-rule)# module *
tnsr(config-nacm-rule)# access-operations read exec
tnsr(config-nacm-rule)# action permit
tnsr(config-nacm-rule)# exit
tnsr(config-nacm-rule-list)# exit
Selective restrictions are also possible with rules that limit access to
specific modules while allowing access to everything else. In this example,
users in the limited
group may access any module except for NTP.
tnsr(config)# nacm rule-list limited-rules
tnsr(config-nacm-rule-list)# group limited
tnsr(config-nacm-rule-list)# rule no-ntp
tnsr(config-nacm-rule)# module netgate-ntp
tnsr(config-nacm-rule)# access-operations *
tnsr(config-nacm-rule)# action deny
tnsr(config-nacm-rule)# exit
tnsr(config-nacm-rule-list)# rule permit-all
tnsr(config-nacm-rule)# module *
tnsr(config-nacm-rule)# access-operations *
tnsr(config-nacm-rule)# action permit
tnsr(config-nacm-rule)# exit
tnsr(config-nacm-rule-list)# exit
Restricting by path allows fine-grained control over specific areas of
configuration and state data. This example denies access to show interface
commands if a user is in the limited
group:
tnsr(config)# nacm rule-list limited-rules
tnsr(config-nacm-rule-list)# group limited
tnsr(config-nacm-rule-list)# rule no-interface-state
tnsr(config-nacm-rule)# action deny
tnsr(config-nacm-rule)# path /ngif:interfaces-state/ngif:interface
tnsr(config-nacm-rule)# exit
tnsr(config-nacm-rule-list)# rule permit-all
tnsr(config-nacm-rule)# action permit
tnsr(config-nacm-rule)# exit
tnsr(config-nacm-rule-list)# exit
NACM Rule Processing Order¶
When consulting defined rule lists, NACM acts in the following manner:
If NACM is disabled, it skips all checks, otherwise it proceeds
NACM consults group lists to find which groups contain this user
NACM checks each rule list in the order they are defined
NACM checks the group membership for each of these rule lists
NACM compares the group defined on the rule list to the groups for this user, and if there is a match, it checks rules in the list
NACM checks the rules in the order they are defined inside the rule list
NACM compares the current access operation to the rule and if it matches, the rest of the rule is tested
NACM attempts to match the following criteria, if defined on the rule:
The
module
on the rule name must match the requested module or*
.The
rpc-name
matches the RPC call in the requestThe
path
matches the XML path to the requested data
If the rule is matched, NACM consults the action on the rule and acts as indicated, either permitting or denying access
NACM repeats these checks until there are no more rules, and then no more rule lists
If no rules matched, NACM consults the default policies for the attempted operation and takes the indicated action