Aaa_init.xml rules

General
1

Hi,
I have a yang model defined like:

augment /config/system {
                list admin {
                        description "Create administrator";
                        tailf:cli-suppress-mode;
                        tailf:cli-suppress-list-no;
                        min-elements 1;
                        key "adminname";
                        leaf adminname {
                                type AAA_USER_NAME;
                        }
                        leaf password {
                                type AAA_USER_PASSWD;
                        }
                }

I want to define a rule in aaa_init.xml where any admin can create any other admin , say adminname=admin1 creating adminname=admin2 entry but is allowed to change/update only his password.

I was trying like:

  \<rule>
    <name>Allow admin password access</name>
    <module-name>exa-base</module-name>
    <path>/config/system/admin[adminname='$USER']/password</path>
    <access-operations>read update</access-operations>
    <action>permit</action>
  </rule>
  <rule>
    <name>Allow admin access</name>
    <module-name>exa-base</module-name>
    <path>/config/system/admin/adminname</path>
    <access-operations>*</access-operations>
    <action>permit</action>
  </rule>

But this is not working.

2

Hi,
When you say your rules are not “working”, can you describe what it is that’s not working for you?

3

Hi,
I want the behaviour like:
on startup (using some startup-config.xml) create a factory defined admin record, say admin1 (it is working for me)
now login with admin1 (ssh login) and create admin2 using the above model. Now here I don’t want admin1 to provide admin2 password, that can be taken care internally. But he should only be able to change his own , admin1 entry password. Now admin2 login to the system and can create admin3 without seeing the password option but could update his own password using the same model.
Thanks

4

Have you defined any …deny to deny see, change, etc. other users password?
See NACM chapter in the UG and for example examples.confd//webui/basic/confd-cdb/aaa_init.xml as a reference