NACM rule to restrict list entry for RBAC rule

manish.varshney · August 30, 2022, 10:33pm

Hello,
I’ve a data model that is a list of elements, say below

list access-list 
{
                key id;
                leaf id {
                     type string;
               }
               leaf name {
                     type string;
               }
               ..
}

I want to create rules such that, user access can be limited to element in the list.
Say, list has 32 element and I want to create a rule that give access to element 1 of the list and deny for all others.

I created below NACM rule

/nacm:nacm/'rule-list'{test_role}/rule{test_rule}                                                       
/nacm:nacm/'rule-list'{test_role}/rule{test_rule}/0                                        
/nacm:nacm/'rule-list'{test_role}/rule{test_rule}/0/508857660 = 1323346008,             
/nacm:nacm/'rule-list'{test_role}/rule{test_rule}/action = permit, 
/nacm:nacm/'rule-list'{test_role}/rule{test_rule}/path = /access-list{1}/,
/nacm:nacm/'rule-list'{test_role}/rule{test_rule}/'module-name' = test_m,
/nacm:nacm/'rule-list'{test_role}/rule{test_rule}/'access-operations' = create 
read update delete exec,
/nacm:nacm/'rule-list'{test_role}/rule{test_rule}/tacm:context = *,

But with above rule, user (with above group) gets read access to all list elements and NO edit permission to any of the list element.

Any thoughts, what could be correct rule to restrict access to list element.

Thanks,
Manish

cohult · October 23, 2022, 11:37am

Hello

Not exactly sure what you want to do here, but the “path” is in the wrong format, here /access-list{1}.
I believe it should be /access-list[id=1]
See RFC 8341: Network Configuration Access Control Model and the examples in that RFC + the ConfD UG chapter “Rpc, notification, and data authorization”.

Best regards