The Online Documentation is more up-to-date.
Check the Access Control section first.
There are many configuration parameters for the netconfd-pro server to control the content that client applications can access.
Control user account access with the --allowed-user parameter:
- This parameter limits server access to the specified user names
allowed-user admin
allowed-user diag
allowed-user test
Enable or disable access control with the --access-control parameter:
- This parameter selects the type of access control enabled within the server
- --access-control=enforcing enables full access control (this is the default)
- --access-control=permissive enforces access control for writing data, but not for reading data
- --access-control=disabled enforces only objects tagged as nacm:default-deny-all or nacm:default-deny-write
- --access-control=off will deactivate all access control mechanisms
access-control disabled
Enable a superuser to bypass access control with the --superuser parameter:
- This parameter selects a user name that will bypass all access control, to allow system setup or repairs
superuser admin
Disable user write access to a YANG object with the ncx:user-write YANG extension:
- This YANG extension controls what type of write operations are allowed for a YANG data node
- Allows system-controlled objects to be deployed
- DB-API "system" edits and SIL created data are not affected by this extension
- Only client access (NETCONF, RESTCONF, CLI) is affected by this extension
container interfaces {
  ncx:user-write "update";
  list physical-interface {
    ncx:user-write "update";
    …
  }
}
Configure access control rules with the NACM YANG module:
- This YANG module provides fully integrated access control for all northbound protocols
- The default settings allow read and execute operations, but deny all write operations
- The /nacm/groups subtree usually needs to be configured for any access control rules to have any effect
- Each group represents a logical set of users, often an administrative role
- Each group contains a list of user names
- The /nacm/rule-list subtree contains the access control rules to enforce
- Each rule-list applies to 1 or more groups
- Each rule-list has 1 or more rules, checked in order; the first rule that matches is used
- Each rule can apply to 1 module or all modules
- Each rule can apply to an RPC operation, YANG action, YANG notification, or YANG data subtree
- If a rule matches the content being accessed, then the 'action' (permit or deny) is applied
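The group, rule-list and first-match evaluation described in the list above, as an added example that is not netconfd-pro or YumaPro code: a stand-alone Python model that parses a constructed ietf-netconf-acm (RFC 8341) configuration and decides each request in the order the list describes. The module names (example-system, ietf-interfaces), rpc names, paths and user names in the sample are illustrative only; the `superuser` parameter mirrors the --superuser bypass; and path matching is reduced to a prefix test, which is narrower than real NACM data-node matching.

```python
# Added example (not netconfd-pro or YumaPro code): a stand-alone model of the
# NACM evaluation order: user -> groups -> rule-lists -> rules in order,
# first matching rule wins, otherwise the global read/write/exec default.
# The XML is a constructed ietf-netconf-acm configuration; module names,
# rpc names and paths are illustrative. Path matching is a simplified
# prefix test, narrower than real NACM data-node matching.
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:yang:ietf-netconf-acm"
WRITE_OPS = {"create", "update", "delete"}

# Constructed sample: an admin group with a permit-all rule-list, and an
# operator group whose rule order matters (deny-reboot precedes permit-system-rpcs).
SAMPLE_NACM = """<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <enable-nacm>true</enable-nacm>
  <read-default>permit</read-default>
  <write-default>deny</write-default>
  <exec-default>permit</exec-default>
  <groups>
    <group><name>admin</name><user-name>admin</user-name></group>
    <group><name>operators</name><user-name>diag</user-name>
           <user-name>test</user-name></group>
  </groups>
  <rule-list><name>admin-acl</name><group>admin</group>
    <rule><name>permit-all</name><module-name>*</module-name>
      <access-operations>*</access-operations><action>permit</action></rule>
  </rule-list>
  <rule-list><name>operator-acl</name><group>operators</group>
    <rule><name>deny-reboot</name><module-name>example-system</module-name>
      <rpc-name>reboot</rpc-name><access-operations>exec</access-operations>
      <action>deny</action></rule>
    <rule><name>permit-system-rpcs</name><module-name>example-system</module-name>
      <rpc-name>*</rpc-name><access-operations>exec</access-operations>
      <action>permit</action></rule>
    <rule><name>permit-interfaces-write</name><module-name>ietf-interfaces</module-name>
      <path>/if:interfaces</path><access-operations>create update delete</access-operations>
      <action>permit</action></rule>
  </rule-list>
</nacm>"""


def _t(elem, tag, default=None):
    """Text of the first direct child <tag>, or default when absent."""
    child = elem.find(f"{{{NS}}}{tag}")
    return child.text.strip() if child is not None and child.text else default


def _ts(elem, tag):
    """Texts of all direct children <tag> (leaf-lists such as user-name, group)."""
    return [c.text.strip() for c in elem.findall(f"{{{NS}}}{tag}") if c.text]


def load_nacm(xml_text):
    """Parse the /nacm subtree into plain dicts: defaults, groups, ordered rule-lists."""
    root = ET.fromstring(xml_text)
    cfg = {"enabled": _t(root, "enable-nacm", "true") == "true",
           "defaults": {"read": _t(root, "read-default", "permit"),
                        "write": _t(root, "write-default", "deny"),
                        "exec": _t(root, "exec-default", "permit")},
           "groups": {}, "rule_lists": []}
    for g in root.findall(f"{{{NS}}}groups/{{{NS}}}group"):
        cfg["groups"][_t(g, "name")] = set(_ts(g, "user-name"))
    for rl in root.findall(f"{{{NS}}}rule-list"):
        rules = [{"name": _t(r, "name"), "module": _t(r, "module-name", "*"),
                  "ops": set(_t(r, "access-operations", "*").split()),
                  "rpc": _t(r, "rpc-name"), "path": _t(r, "path"),
                  "action": _t(r, "action")} for r in rl.findall(f"{{{NS}}}rule")]
        cfg["rule_lists"].append({"name": _t(rl, "name"),
                                  "groups": set(_ts(rl, "group")), "rules": rules})
    return cfg


def _matches(rule, op, module, rpc, path):
    """Does one rule cover this request? Module, operation and rule type must all agree."""
    if rule["module"] not in ("*", module):
        return False
    if "*" not in rule["ops"] and op not in rule["ops"]:
        return False
    if rule["rpc"] is not None:          # protocol-operation rule
        return rpc is not None and rule["rpc"] in ("*", rpc)
    if rule["path"] is not None:         # data-node rule (simplified prefix match)
        return path is not None and (path == rule["path"]
                                     or path.startswith(rule["path"].rstrip("/") + "/"))
    return True                          # no rule type: any content in the module


def authorize(cfg, user, op, module, rpc=None, path=None, superuser=None):
    """Return (action, reason): the first matching rule wins, else the global default."""
    if not cfg["enabled"] or user == superuser:
        return "permit", "access control bypassed"
    user_groups = {name for name, members in cfg["groups"].items() if user in members}
    for rl in cfg["rule_lists"]:
        if "*" not in rl["groups"] and not rl["groups"] & user_groups:
            continue                     # rule-list applies to none of the user's groups
        for rule in rl["rules"]:
            if _matches(rule, op, module, rpc, path):
                return rule["action"], f"{rl['name']}/{rule['name']}"
    kind = "write" if op in WRITE_OPS else op
    return cfg["defaults"][kind], f"{kind}-default"


if __name__ == "__main__":
    cfg = load_nacm(SAMPLE_NACM)
    for req in [("diag", "exec", "example-system", "reboot", None),
                ("diag", "update", "ietf-interfaces", None, "/if:interfaces/if:interface"),
                ("test", "update", "example-system", None, "/sys:system")]:
        print(req, "->", authorize(cfg, *req))
```

Two things the model makes visible: swapping the two example-system rules in the operator rule-list would let operators execute reboot, because the permit-system-rpcs rule would then be the first match; and a user who belongs to no group is still granted reads by read-default while every write falls to write-default, which is why /nacm/groups has to be populated before any rule-list does useful work.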