NACM rule query

manish.varshney · July 11, 2016, 10:22pm

Hi,
I’m using yang model which uses NACM rule-list.

access-operation of rule list can have 5 values (c,r,u,d,e).
Is it possible that based on some leaf value in the yang model, I can limit options of access-operation.

eg. lets say I’ve a leaf /feature/name – value of name could be v1,v2, v3 etc.
Access operation for each feature as below

    <feature>
            <name>v1
            <access_operation>create read update delete exec</access_operation?
    </feature>
    <feature>
            <name>v2</name>
            <access_operation>create read update delete</access_operation>
    </feature>
    <feature>
            <name>v3</name>
            <access_operation>create read update </access_operation>

access_operation in above yang model is also of type nacm:access-operations-type.
Now I’ve another yang model, that has feature and access_operation
leaf feature {
type leafref {
path " point to above feature name";
}
leaf access {
type nacm:access-operations-type;
}
}

Is it possible that above leaf access only takes values to what is defined above for each feature name.
if feature name is v1, access can have values as c r u d e
if feature name is v2, access can have values as c r u d
if feature name is v3, access can have values as c r u
Is this possible?

waitai · July 11, 2016, 10:43pm

The NACM model being used by ConfD is role based. Each user is assigned to one or more roles/groups with each role/group defining its authorization rules.

What you can do is to assign v1, v2 and v3 as data rules and assign them to their own groups. Each user will then be assigned to one of the three 3 groups.

Refer to Chapter 14.5 of the ConfD UG called Group Membership for more information.

manish.varshney · July 11, 2016, 10:54pm

waitai … I’m using role based model. When we define role, it gives dropdown list for features and 5 possible access operations for each feature (c r u d e). Based on the feature name, I want to limit this list of access operation. Predefined list of feature name and access operation mapping is defined in below yang model.
container component_list {
list component{
key “name”;
leaf name {
type string;
description “Feature names”;
}
leaf access_operation {
type nacm:access-operations-type;
}
}

}