NACM Rule Lists

NACM rules are contained inside a rule list. A rule list may contain multiple rules, and they are used in the order they are entered. Rule lists are also checked in the order they were created. Consider the order of lists and rules carefully when crafting rule lists.

Create a rule list:

tnsr(config)# nacm rule-list ro-rules

Set the group to which the rule list applies using group <group-name>:

tnsr(config-nacm-rule-list)# group readonly

See also

For information on defining groups, see NACM Username Mapping.

NACM Rules

When configuring a rule list (config-nacm-rule-list mode), the rule <name> command defines a new rule:

tnsr(config-nacm-rule-list)# rule permit-all

After entering this command, the CLI will be in config-nacm-rule mode.

From here, a variety of behaviors for the rule can be set, including:

access-operations <exec|*>:
 The type of operation covered by this rule. Can either be exec, or * to cover all access operations.
action <deny|permit>:
 The action to take when this rule is matched, either deny to deny access or permit to allow access.
comment <text>:
 Arbitrary text describing the purpose of this rule.

Next, the following types can be used to specify the restriction to be enacted by this rule:

module <*>:
 The name of the YANG module covered by this rule.

 Warning

 Only module name * is supported at this time.

path <path-name>:
 XML path to restrict with this rule.

rpc <rpc-name>:
 The name of an RPC call to be restricted by this rule, such as edit-config, get-config, and so on.

As shown in NACM Example, the following set of commands defines a rule list and then creates a rule to permit access to everything in TNSR:

tnsr(config)# nacm rule-list admin-rules
tnsr(config-nacm-rule-list)# group admin
tnsr(config-nacm-rule-list)# rule permit-all
tnsr(config-nacm-rule)# module *
tnsr(config-nacm-rule)# access-operations *
tnsr(config-nacm-rule)# action permit
tnsr(config-nacm-rule)# exit
tnsr(config-nacm-rule-list)# exit

NACM Rule Processing Order

When consulting defined rule lists, NACM acts in the following manner:

  • If NACM is disabled, it skips all checks, otherwise it proceeds
  • NACM consults group lists to find which groups contain this user
  • NACM checks each rule list in the order they are defined
  • NACM checks the group membership for each of these rule lists
  • NACM compares the group defined on the rule list to the groups for this user, and if there is a match, it checks rules in the list
  • NACM checks the rules in the order they are defined inside the rule list
  • NACM compares the current access operation to the rule and if it matches, the rest of the rule is tested
  • NACM attempts to match the following criteria, if defined on the rule:
    • The module on the rule must match the requested module, or be *.
    • The rpc-name matches the RPC call in the request.
    • The path matches the XML path to the requested data.
  • If the rule is matched, NACM consults the action on the rule and acts as indicated, either permitting or denying access
  • NACM repeats these checks until there are no more rules, and then no more rule lists
  • If no rules matched, NACM consults the default policies for the attempted operation and takes the indicated action
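The processing order above, and the rule-list commands earlier on this page, can be checked against a small simulation. The following Python is an added example, not TNSR code: it models rule lists, group membership and the first-match evaluation order exactly as the list describes. The admin-rules list mirrors the CLI example on this page; the ro-rules list, the group membership, the user names, the module name ietf-netconf and the exact-match comparison for path are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Added example: a simulation of the NACM evaluation order described on this
# page. Not TNSR code; users, groups and the ro-rules list are constructed.


@dataclass
class Rule:
    name: str
    access_operations: str = "*"    # "exec" or "*"
    action: str = "deny"            # "permit" or "deny"
    module: Optional[str] = None    # TNSR currently accepts only "*"
    rpc: Optional[str] = None       # e.g. "edit-config"
    path: Optional[str] = None      # XML path; exact match is an assumption here
    comment: str = ""


@dataclass
class RuleList:
    name: str
    group: str
    rules: list = field(default_factory=list)


@dataclass
class Request:
    user: str
    operation: str                  # "exec"
    module: str
    rpc: Optional[str] = None
    path: Optional[str] = None


# Constructed group membership (the real mapping is set up under NACM Username Mapping).
GROUPS = {"admin": {"alice"}, "readonly": {"bob"}}

# Rule lists in the order they were created. admin-rules is the page's CLI example;
# ro-rules is a constructed read-only list: get-config allowed, edit-config denied.
RULE_LISTS = [
    RuleList("admin-rules", "admin", [
        Rule("permit-all", access_operations="*", action="permit", module="*"),
    ]),
    RuleList("ro-rules", "readonly", [
        Rule("permit-get", access_operations="exec", action="permit", module="*", rpc="get-config"),
        Rule("deny-edit", access_operations="exec", action="deny", module="*", rpc="edit-config"),
    ]),
]

# Constructed default policy per access operation, consulted when nothing matches.
DEFAULT_POLICIES = {"exec": "deny"}


def rule_matches(rule: Rule, req: Request) -> bool:
    """Apply the per-rule checks in the order the processing list gives them."""
    # Access operation is compared first; "*" covers every operation.
    if rule.access_operations not in ("*", req.operation):
        return False
    # The remaining criteria are tested only when the rule defines them.
    if rule.module is not None and rule.module not in ("*", req.module):
        return False
    if rule.rpc is not None and rule.rpc != req.rpc:
        return False
    if rule.path is not None and rule.path != req.path:
        return False
    return True


def nacm_decide(req: Request, enabled: bool = True, groups=GROUPS,
                rule_lists=RULE_LISTS, default_policies=DEFAULT_POLICIES):
    """Return (action, reason) for a request, following the NACM processing order."""
    if not enabled:
        return ("permit", "nacm disabled")
    user_groups = {g for g, members in groups.items() if req.user in members}
    for rl in rule_lists:                       # rule lists in creation order
        if rl.group not in user_groups:         # list applies to another group
            continue
        for rule in rl.rules:                   # rules in entry order
            if rule_matches(rule, req):         # first matching rule decides
                return (rule.action, f"{rl.name}/{rule.name}")
    # No rule matched: fall back to the default policy for this operation.
    return (default_policies.get(req.operation, "deny"), "default policy")


if __name__ == "__main__":
    for req in (Request("alice", "exec", "ietf-netconf", rpc="edit-config"),
                Request("bob", "exec", "ietf-netconf", rpc="get-config"),
                Request("bob", "exec", "ietf-netconf", rpc="edit-config"),
                Request("bob", "exec", "ietf-netconf", rpc="lock")):
        print(req.user, req.rpc, "->", nacm_decide(req))
```

Because evaluation stops at the first matching rule, swapping the order of permit-get and deny-edit in ro-rules changes nothing here (they match different RPCs), but placing a broad rule such as permit-all ahead of a narrower deny would make the deny unreachable; the simulation makes that kind of ordering mistake visible before it is committed on the device.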