[NACM] Restrict access of list element

sszabolcs · March 13, 2018, 4:02pm

I would like to restrict the access of a list element if one of its non-key parameter has a specific value. Is this possible with NACM rules?

I tried with the following aaa config and it wasn’t worked for me.

Example aaa config part:

      <rule>
          <name>deny-list-elem</name>
          <path>/list/list-elem[non-key-param='restricted']</path>
          <access-operations>create read update delete</access-operations>
          <action>deny</action>
      </rule>
      <rule>
          <name>list-elem</name>
          <path>/list/list-elem/path>
          <access-operations>create read update delete</access-operations>
          <action>permit</action>
      </rule>

Corresponding YANG part:

      container list {
          list list-elem {
              key key-param;
              leaf key-param {
                  type string;
              }
              leaf non-key-param {
                  type enumeration {
                      enum allowed;
                      enum restricted;
                  }
              }
          }
      }

waitai · March 19, 2018, 12:39pm

In the path element of the rule list, you can only use the key parameters to specify the specific instance of a list.

sszabolcs · March 19, 2018, 12:44pm

Thanks for the clarification!

JING1 · February 11, 2019, 8:02am

Is there any other way to achieve the same ?

manish.varshney · September 1, 2022, 9:12pm

Hello, were you able to achieve this?
I’ve a similar requirement, where I want to restrict access to only one element of the list.
Say, in above data-model there are three list elements with key-param as abc, xyz, 123.
I want to write rule to give access only to element xyz and deny access to abc and 123.
Is this possible?
Appreciate any thoughts.

Thanks,
-Manish