ConfD User Community

Is there any procedure to allow read operation for a new NETCONF user having view privilege alone?

For example, I have created a ConfD user for show session. I would like to provide read operation only to the show user. Is there any way to do so?

Please help on this.

I have the following in aaa_init.xml, which is used by ConfD. If I add read permit separately, then read works and right permission is also enabled for the show user. Are there any separate MAAPI calls for enabling such permission for read alone?

 <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
    <write-default>permit</write-default>
    <groups>
      <group>
        <name>admin</name>
        <user-name>admin</user-name>
        <user-name>private</user-name>
      </group>
      <group>
        <name>oper</name>
      </group>
      <group>
        <name>config</name>
      </group>
    </groups>
    <rule-list>
      <name>admin</name>
      <group>admin</group>
      <rule>
        <name>any-access</name>
        <action>permit</action>
      </rule>
    </rule-list>
    <rule-list>
      <name>oper</name>
      <group>oper</group>
      <rule>
        <name>operation-only</name>
        <access-operations>create update delete exec</access-operations>
        <action>deny</action>
      </rule>
    </rule-list>
 </nacm>

Please refer to How to insert code / netconf / yang / cli into forum.

You use somewhat nonstandard terminology; I’m only assuming what “show session” or “show user” means. Typically CLI commands like show bgp or show running-config interface require only read access permissions (and conversely, if the user has read permissions, they can run these show commands).

If you want to restrict some show commands for a given user while keeping read rights, you may use cmdrule instances to do so.
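
An added example, not part of the thread and not ConfD's own code: a simplified RFC 8341 rule walk over the posted config, showing that a user listed in no group matches no rule-list and falls through to write-default. It assumes a user named `show`, takes group membership only from the `<groups>` list, and ignores module-name, path and rpc-name matching, which the posted rules do not use.

```python
import xml.etree.ElementTree as ET

NS = {"n": "urn:ietf:params:xml:ns:yang:ietf-netconf-acm"}
# RFC 8341 defaults used when a *-default leaf is absent.
DEFAULTS = {"read": "permit", "write": "deny", "exec": "permit"}

# The posted NACM config, condensed (second <rule-list> opening tag restored).
POSTED = """
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <write-default>permit</write-default>
  <groups>
    <group><name>admin</name><user-name>admin</user-name><user-name>private</user-name></group>
    <group><name>oper</name></group>
    <group><name>config</name></group>
  </groups>
  <rule-list><name>admin</name><group>admin</group>
    <rule><name>any-access</name><action>permit</action></rule>
  </rule-list>
  <rule-list><name>oper</name><group>oper</group>
    <rule><name>operation-only</name>
      <access-operations>create update delete exec</access-operations>
      <action>deny</action></rule>
  </rule-list>
</nacm>"""

# Constructed variant: write-default deny, hypothetical user "show" put in oper.
HARDENED = (POSTED
    .replace("<write-default>permit", "<write-default>deny")
    .replace("<name>oper</name></group>",
             "<name>oper</name><user-name>show</user-name></group>"))

def decide(nacm_xml, user, op):
    """Return 'permit' or 'deny' for op in read/create/update/delete/exec."""
    root = ET.fromstring(nacm_xml)
    member_of = {g.findtext("n:name", namespaces=NS)
                 for g in root.findall("n:groups/n:group", NS)
                 if user in [u.text for u in g.findall("n:user-name", NS)]}
    for rule_list in root.findall("n:rule-list", NS):
        applies_to = {g.text for g in rule_list.findall("n:group", NS)}
        if "*" not in applies_to and not (member_of & applies_to):
            continue  # rule-list is for groups this user is not in
        for rule in rule_list.findall("n:rule", NS):
            ops = rule.findtext("n:access-operations", "*", NS).split()
            if "*" in ops or op in ops:
                return rule.findtext("n:action", namespaces=NS)  # first match wins
    # No rule matched: fall back to the global default for this kind of access.
    kind = op if op in ("read", "exec") else "write"
    return root.findtext(f"n:{kind}-default", DEFAULTS[kind], NS)
```

Calling `decide(POSTED, "show", "update")` returns `permit`, while the same call against `HARDENED` returns `deny` and `read` stays permitted in both.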