How to restrict acm module level modifications from non-recovery (root) user? #1551
The rule that you provided basically says "the |
With the default configuration you have |
@michalvasko
There is an option to deny/permit operations to a specific module using a group and rule as mentioned in the example below:
n2cli dump: expected behavior because in above rule is deny
Edit operation is allowed if we change the <action> tag value to permit (the same was validated for the ietf-netconf-acm module as well). We have close to ~50 private modules (not including acm/netconf-server etc.). Do we need to add rules for each module, or is there any way to allow modifications to the ~50 private modules and disallow modification of the acm module? |
That is not right, you are saying that if you have |
The tag "action" was enclosed in braces and is not shown in the preview.
The interpretation of these rules is explained in section 3.4.5 of the standard; it involves a non-trivial set of interactions between several mechanisms, and I'm afraid that any one-paragraph summary will be incomplete. There's no support for a single rule to match multiple modules as far as I can tell. What you could do instead is to rely on the module-level annotations ( |
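The ordered, first-match evaluation that section 3.4.5 of RFC 8341 describes can be modelled in a few lines. This is an added example, not part of the original thread and not code from the project; it simplifies the standard to write requests only, and the rule names, the rule-list name, the "operator" group name and "private-module-1" are hypothetical.

```python
# Simplified model of the RFC 8341 section 3.4.5 checks for a write request.
# Not modelled: enable-nacm, the recovery session, rule paths, read access.
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    module_name: str         # "*" matches any module
    access_operations: set   # {"*"} matches any operation
    action: str              # "permit" or "deny"

@dataclass
class RuleList:
    name: str
    groups: set              # {"*"} matches any group
    rules: list

def rule_matches(rule, module, op):
    ops = rule.access_operations
    return rule.module_name in ("*", module) and ("*" in ops or op in ops)

def check_write(rule_lists, user_groups, module, op,
                write_default="deny", node_default_deny=False):
    """Return (action, source of the decision) for a write in `module`."""
    # A user with no groups skips the rule-lists entirely.
    for rl in (rule_lists if user_groups else []):
        if "*" not in rl.groups and not (rl.groups & user_groups):
            continue
        for rule in rl.rules:          # configured order, first match decides
            if rule_matches(rule, module, op):
                return rule.action, f"{rl.name}/{rule.name}"
    if node_default_deny:              # nacm:default-deny-write / -all on node
        return "deny", "default-deny annotation"
    return write_default, "write-default"

# Constructed sample configuration; group and rule names are hypothetical.
WRITE_OPS = {"create", "update", "delete"}
permit_all = Rule("permit-all", "*", {"*"}, "permit")
deny_acm = Rule("deny-acm-write", "ietf-netconf-acm", WRITE_OPS, "deny")
weak = [RuleList("operator-acl", {"operator"}, [permit_all])]
hardened = [RuleList("operator-acl", {"operator"}, [deny_acm, permit_all])]
misordered = [RuleList("operator-acl", {"operator"}, [permit_all, deny_acm])]

if __name__ == "__main__":
    for label, cfg in (("weak", weak), ("hardened", hardened), ("misordered", misordered)):
        for module in ("ietf-netconf-acm", "private-module-1"):
            print(label, module, check_write(cfg, {"operator"}, module, "update"))
```

In this model the deny rule only takes effect when it precedes the permit-all rule in the same rule-list, and the default-deny annotation is consulted only when no rule matched.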
We deployed a netconf server with 2 users configured
It is clear that the root user has permission to modify content in the acm module. With the acm config below, the operator user has permission to create, update, read and delete. Because of this, modify operations on acm module content are also allowed, which we want to disallow. Please let us know if there is an example of disallowing edits to acm from the operator user. (leaf: module-name)