How to get xpath to configure nacm to restrict the config

balajinp · July 16, 2024, 11:09pm

I want to deny the access to the below CLI however this show is augmented cli
“/infra:show/infra:subscriber/infra:input/infra:subs-type”

show subscriber wps

Tried configuration
nacm rule-list low-user
rule deny-show-sub-filter-1
path /tailf-mobile-infra:show/tailf-mobile-infra:subscriber/tailf-mobile-infra:input/tailf-mobile-infra:wps
access-operations *
action deny
exit
exit

However this configuration is denying the access to low-user subscriber. Please suggest me how to get the path for show subscriber wps command

cohult · July 18, 2024, 9:55am

Try adding a NACM cmdrule instead. For details, see ConfD UG, section “Command Authorization”. You can also browse this forum for cmdrule examples.

balajinp · August 1, 2024, 10:12pm

Thanks Cohult. We tried with cmdrule and it is working for fixed commands. Is it possible to have regex for cmdrule? If there is any free string that comes within the command, it will be difficult to control that command. For example, “delete interface eth0 port 30”. Here, I want to control it that if there is any ethernet but the port is 30. If there are multiple ethernet names, then we need to provide multiple ethernets.

cohult · August 5, 2024, 7:00am

Yes, for example:
<command>delete interface eth[0-9]+ port 30</command>
or
<command>delete interface .+ port 30</command>

balajinp · August 13, 2024, 5:31am

thank you , its working

balajinp · August 13, 2024, 6:01pm

Helllo Cohult, One more query , it about the rule given below, We want a regex to allow all the names come under compliance and want restrict specific name under the service. This service is child under compliance. Is it possible to use some regex at parent level ?

Example one without regex , Its working

[smf] smf# show running-config nacm rule-list comp-deny
Tue Aug 13 17:51:35.761 UTC+00:00
nacm rule-list comp-deny
group [ testrbac ]
rule comp-deny
path /profile/compliance[name=‘comp1’]/service[name=‘n2’]
access-operations *
action deny
exit
exit
[smf] smf#

We tried the below regex but it didn’t work

/profile/compliance[name=‘.*’]/service[name=‘n2’]
/profile/compliance[name=‘.+’]/service[name=‘n2’]
/profile/compliance[name=‘*’]/service[name=‘n2’]
/profile/compliance[name=*]/service[name=‘n2’]

Please help us to use a proper regex for the above example.

cohult · August 14, 2024, 6:40am

Regex is only supported for command rules, not data rules.
Data rules follow the standard: RFC 8341: Network Configuration Access Control Model. See node-instance-identifier.
So as described by the node-instance-identifier text in the RFC, you can try something like:
/profile/compliance/service[name=‘n2’]