This is the ConfD path with which we can create new users with a specific role:
/system/aaa/authentication/users/user<username>/config/role<rolename>
Now we got a requirement that the specific role, i.e. ‘role-name’, can only be assigned to a user account for schema users; no other users can be created with the role ‘role-name’. Thus I used a must statement in the role leaf as below:
leaf role {
    mandatory true;
    must "(. != 'role-name') or ((. = 'role-name') and ../../username = /some-schema:users/some-schema:user/some-schema:config/some-schema:schema-user-name)" {
        error-message "Only schema users can be assigned the role role-name.";
    }
}
So it worked as expected: I am not able to create any user from ConfD with the role ‘role-name’, and whenever a schema user is created, a user account with the same name (as the schema user name) and the role ‘role-name’ is added on the system.
But when I try to delete the schema user entry, I get the error below:
(config)# no users user test-schema-name
(config)# commit
Aborted: 'system aaa authentication users user test-schema-name config role' (value "role-name"): Only schema users can be assigned the role role-name.
Can anyone please help me understand why this error occurs when deleting the schema user?
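The following is an added example, not code from the original post or from ConfD: a small Python simulation of how a YANG must constraint is re-evaluated against the entire candidate datastore at commit time. It does not parse YANG or XPath; it encodes the logic of the post's expression against a constructed datastore with two lists (the system user accounts and the schema users), so the names, the `Datastore` class and the three scenario functions are assumptions made for illustration.

```python
"""Simulation (not ConfD) of the post's must expression:

  (. != 'role-name') or
  ((. = 'role-name') and ../../username = /some-schema:users/.../schema-user-name)

At commit, every 'role' leaf in the candidate datastore is checked, so a node
that was untouched by the transaction can still fail once the node it refers
to has been removed. All data below is constructed.
"""
from dataclasses import dataclass, field

ROLE_NAME = "role-name"
ERROR_MESSAGE = "Only schema users can be assigned the role role-name."


@dataclass
class Datastore:
    # /system/aaa/authentication/users/user{username}/config/role
    users: dict = field(default_factory=dict)
    # /some-schema:users/user/config/schema-user-name, the node-set that the
    # XPath '=' compares ../../username against
    schema_user_names: set = field(default_factory=set)


def role_must_holds(role: str, username: str, store: Datastore) -> bool:
    """Evaluate the must expression for one role leaf.

    XPath '=' between a string and a node-set is true when *any* node in the
    set has that string value, hence the membership test.
    """
    if role != ROLE_NAME:
        return True
    return username in store.schema_user_names


def validate(store: Datastore) -> list:
    """Validate every role leaf in the candidate, as a commit does.

    Returns one ConfD-style message per violation; an empty list means the
    commit would succeed.
    """
    errors = []
    for username, role in store.users.items():
        if not role_must_holds(role, username, store):
            errors.append(
                f"Aborted: 'system aaa authentication users user {username} "
                f"config role' (value \"{role}\"): {ERROR_MESSAGE}"
            )
    return errors


def scenario_create_schema_user() -> list:
    """Creating a schema user also adds the matching account with role-name."""
    store = Datastore()
    store.schema_user_names.add("test-schema-name")
    store.users["test-schema-name"] = ROLE_NAME
    return validate(store)


def scenario_delete_schema_user_only() -> list:
    """'no users user test-schema-name' removes only the schema user entry.

    The account with role 'role-name' is still in the candidate, its must is
    re-evaluated against a node-set that no longer contains its name, and the
    whole transaction is aborted.
    """
    store = Datastore(
        users={"test-schema-name": ROLE_NAME, "admin": "admin"},
        schema_user_names={"test-schema-name"},
    )
    store.schema_user_names.discard("test-schema-name")
    return validate(store)


def scenario_delete_both_in_one_transaction() -> list:
    """Removing the schema user and its account together leaves no role leaf
    that references the deleted name, so validation passes."""
    store = Datastore(
        users={"test-schema-name": ROLE_NAME, "admin": "admin"},
        schema_user_names={"test-schema-name"},
    )
    store.schema_user_names.discard("test-schema-name")
    del store.users["test-schema-name"]
    return validate(store)


if __name__ == "__main__":
    print("create:", scenario_create_schema_user())
    print("delete schema user only:", scenario_delete_schema_user_only())
    print("delete both:", scenario_delete_both_in_one_transaction())
```

The second scenario reproduces the shape of the abort message in the post: the node reported is the account's `role` leaf, not the schema user being deleted, because a must statement is a whole-datastore invariant rather than a check that runs only on the node being edited. The third scenario shows the datastore state that does validate, whichever mechanism is used to reach it.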