Is there a simple, straightforward way to adjust the authorization of all CLI users so that any new CLI session that starts is only permitted to perform read operations, and that any command that would write to the CDB will fail? And at the same time, continue to allow all operations from other northbound interfaces. Basically, we want to have a master switch that will make the CLI read-only. Is it possible through NACM or confd.conf?
If it’s not possible to have a single global switch, how would it be done through command rules?
The User Guide section 14.6.1 mentions an augmentation in the tail-f.yang for the leaf nodes “cmd-read-default” and “cmd-exec-default”, with some brief explanation following that, but I don’t understand how this can be utilized to achieve the result of making all CLI commands read-only. Thank you for any further explanation you can provide.