Is it possible to hide parameter from Northbound Interafce (e.g. Netconf), but it should be possible to update from confd-cli? How can we achieve this?
You can use the tailf:hidden YANG annotation to hide a node from some, or all, northbound interfaces. Refer to the ConfD User Guide (tailf_yang_extensions section in vol. 5 of the man-pages) for more information.
I would like to clarify that the tailf:hidden statement names a hide group, i.e. all containers and leafs that has the tailf:hidden statement, with a specific hide group, are treated the same way as far as being hidden or invisible. The hide group name full is given a special meaning. The full hide group is hidden from all northbound interfaces, not just user interfaces.
Given the above, you can’t use tailf:hidden to hide only NETCONF but not CLI. An alternative is to use the tailf:export statement for CLI only which applies to the entire YANG module.
If you need to specify specific nodes within a YANG module to be hidden from NETCONF, you will need to do that through AAA authorization rules.
Well, you can’t make it “unhidden by default” in the CLI, but you can make it “unhidable” in the CLI, while always hidden in NETCONF, since you can have multiple tailf:hidden statements on a node, e.g.:
tailf:hidden full;
tailf:hidden debug;
The above combination will cause the node to always be hidden in NETCONF, but allow for unhide debug to make it visible in the CLI. (The combination of full and other value(s) didn’t actually work properly in older versions of ConfD, but should be OK at least in 7.1 and later.)
other approach could be using AAA rules to reject access to element for specific northbound context… depends on specifics of “hiding” requirement…
edit: only now i noticed waitai already mentioned this in his second reply 
Thanks for the correction.