Wildcard group matching in NACM

We have a NACM configuration that indicates the path /foo/bar is disallowed to be changed for any defined group, so I used the wildcard * for this purpose.

nacm write-default permit
nacm groups group admin
 user-name [ admin private ]
!
nacm groups group new_group
 user-name [ james ]
!
nacm groups group oper
 user-name [ oper public ]
!
nacm rule-list new_group
 group [ * ]
 rule foo
  path              /foo/bar
  access-operations create
  action            deny
 !
!

The behavior is as expected. However, a new user Jim, who is not included in any NACM group, is still blocked from modifying the object /foo/bar.

[local]h1(config)#foo bar
Error: failed to create path - access denied

I don’t see the usage of the wildcard * in chapter 14 (I may have missed something), so is the wildcard behavior in the above case for user Jim expected?

The behavior you see is expected, as the rule-list for a wildcard group applies to all users, including the ones without any assigned group.

Thanks. Is the usage of the wildcard, and of something like ‘$USER’, mentioned somewhere in the user guide?

The usage of wildcard for “group” is specified in ietf-netconf-acm.yang (NACM RFC 6536) as follows:

  leaf-list group {
    type union {
      type matchall-string-type;
      type group-name-type;
    }
    description
      "List of administrative groups that will be
       assigned the associated access rights
       defined by the 'rule' list.

       The string '*' indicates that all groups apply to the
       entry.";
  }

The data type for “path” is also defined in the same YANG module, in which node-instance-identifier is a typedef for yang:xpath1.0, as specified in the YANG RFC 6020.

        leaf path {
          type node-instance-identifier;
          mandatory true;
          description
            "Data Node Instance Identifier associated with the
             data node controlled by this rule.

             Configuration data or state data instance
             identifiers start with a top-level data node.  A
             complete instance identifier is required for this
             type of path value.

             The special value '/' refers to all possible
             datastore contents.";
        }

Right, but I guess it’s worth mentioning that it’s not an “identity” typedef - in particular, the description (description text is “normative” in a YANG module) has:

    o  The set of variable bindings contains one variable,
       'USER', which contains the name of the user of the current
       session.

And of course there is discussion about this in “14.6 Authorization” in the User Guide, but it doesn’t repeat all the text in the RFC… (which is referenced in “14.2. Structure - data models”).

According to the leaf-list group definition, the meaning of ‘*’ is that it applies to all groups only; I guess the behavior of ConfD has an extension to apply a rule-list for group ‘*’ to all users of all groups plus users outside of any group.

‘$USER’ could be an environment variable in the ConfD context; I would like to know if there are other environment variables in the ConfD context.

It wouldn’t make sense if “*” assigned to leaf-list group doesn’t include users without an assigned group as that would imply that no rules will apply to such users. Rules as defined in NACM are role or group based and not user based. You can define a default group for users without any assigned groups with the /confdConfig/aaa/defaultGroup setting in confd.conf.
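To make the group-resolution semantics discussed in this thread concrete, here is a small Python model added as an illustration. It is not ConfD's code and it simplifies NACM to data-node rules with path-prefix matching (no module-name, rule-type or XPath evaluation, so the `$USER` variable binding is out of scope). The `default_group` parameter is an assumption standing in for the /confdConfig/aaa/defaultGroup setting mentioned above, and the `thread_config` helper rebuilds the constructed configuration from the first post so the `*` group, a named group, and the default-group fallback can be compared for user jim.

```python
"""Toy model of NACM rule-list group matching (RFC 6536 / RFC 8341).

Constructed example for this thread, not ConfD's implementation. It keeps
only the parts needed to show how a rule-list's 'group' leaf-list selects
users: '*' reaches everyone, a named group reaches its members, and a
default group (assumed to model /confdConfig/aaa/defaultGroup) gives
group-less users a group to be matched on.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Rule:
    name: str
    path: str                     # data node instance identifier, e.g. /foo/bar
    access_operations: Set[str]   # subset of {create, read, update, delete, exec}, or {"*"}
    action: str                   # "permit" or "deny"


@dataclass
class RuleList:
    name: str
    groups: List[str]             # group names, or ["*"] for all groups
    rules: List[Rule]


@dataclass
class Nacm:
    groups: Dict[str, Set[str]]   # group name -> member user names
    rule_lists: List[RuleList]
    read_default: str = "permit"
    write_default: str = "permit"
    exec_default: str = "permit"
    default_group: Optional[str] = None   # assumption: stands in for confd.conf defaultGroup

    def groups_for(self, user: str) -> Set[str]:
        """Groups the user belongs to; a user in no group gets default_group if one is set."""
        found = {g for g, members in self.groups.items() if user in members}
        if not found and self.default_group:
            found.add(self.default_group)
        return found

    def decide(self, user: str, operation: str, path: str) -> str:
        user_groups = self.groups_for(user)
        for rl in self.rule_lists:
            # '*' matches every group, so it also reaches users who are in no group;
            # a named group list only applies if the user shares a group with it.
            if "*" not in rl.groups and not user_groups.intersection(rl.groups):
                continue
            for rule in rl.rules:
                if not path_matches(rule.path, path):
                    continue
                if "*" not in rule.access_operations and operation not in rule.access_operations:
                    continue
                return rule.action    # first matching rule wins
        # No rule matched: fall back to the global defaults.
        if operation == "read":
            return self.read_default
        if operation == "exec":
            return self.exec_default
        return self.write_default


def path_matches(rule_path: str, target: str) -> bool:
    """A rule path covers the identified node and its descendants; '/' covers everything."""
    if rule_path == "/":
        return True
    return target == rule_path or target.startswith(rule_path.rstrip("/") + "/")


def thread_config(group_spec: List[str], default_group: Optional[str] = None) -> Nacm:
    """The constructed configuration from the first post, with the rule-list's
    'group' leaf-list and the assumed default group left as parameters."""
    return Nacm(
        groups={
            "admin": {"admin", "private"},
            "new_group": {"james"},
            "oper": {"oper", "public"},
        },
        rule_lists=[
            RuleList("new_group", group_spec,
                     [Rule("foo", "/foo/bar", {"create"}, "deny")]),
        ],
        write_default="permit",
        default_group=default_group,
    )


if __name__ == "__main__":
    for spec, default in ([["*"], None], [["new_group"], None], [["oper"], "oper"]):
        nacm = thread_config(spec, default)
        print(f"group {spec} defaultGroup={default}: "
              f"jim create /foo/bar -> {nacm.decide('jim', 'create', '/foo/bar')}, "
              f"james create /foo/bar -> {nacm.decide('james', 'create', '/foo/bar')}")
```

With `group [ * ]` jim is denied because the rule-list applies to every user; with `group [ new_group ]` jim falls through to write-default and is permitted, while james is still denied; and with a default group of `oper` plus a rule-list targeting `oper`, jim inherits that group and is denied again. Operations the rule does not name (for example `update`) and paths outside /foo/bar fall back to write-default in every case.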

It looks like you must not have seen Per’s response before this question. $USER isn’t an environment variable. It is defined in the ietf-netconf-acm module, with its description listed by Per in his previous response.