There are many configuration parameters for the netconfd-pro server to control the content that client applications can access.


Control user account access with the --allowed-user parameter:

  • This parameter limits server access to the specified user names


allowed-user admin
allowed-user diag
allowed-user test



Enable or disable access control with the --access-control parameter:

  • This parameter selects the type of access control enabled within the server
    • --access-control=enforcing enables full access control (this is the default)
    • --access-control=permissive enforces access control for writing data, but not for reading data
    • --access-control=disabled enforces access control only for objects tagged as nacm:default-deny-all or nacm:default-deny-write
    • --access-control=off will deactivate all access control mechanisms


access-control disabled



Enable a superuser to bypass access control with the --superuser parameter:

  • This parameter selects a user name that will bypass all access control, to allow system setup or repairs


superuser admin



Disable user write access to a YANG object with the ncx:user-write YANG extension:

  • This YANG extension controls what type of write operations are allowed for a YANG data node
    • Allows system-controlled objects to be deployed
    • DB-API "system" edits and SIL created data are not affected by this extension
    • Only client access (NETCONF, RESTCONF, CLI) is affected by this extension


 container interfaces {
   // clients may modify existing entries but not create or delete them
   ncx:user-write "update";
   list physical-interface {
     ncx:user-write "update";
     …
   }
 }



Configure access control rules with the NACM YANG module:

  • This YANG module provides fully integrated access control for all northbound protocols
  • The default settings allow read and execute operations, but deny all write operations
  • The /nacm/groups subtree usually needs to be configured for any access control rules to have any effect
    • Each group represents a logical set of users, often an administrative role
    • Each group contains a list of user names
  • The /nacm/rule-list subtree contains the access control rules to enforce
    • Each rule-list applies to 1 or more groups
    • Each rule-list has 1 or more rules, checked in order; the first rule that applies is used
    • Each rule can apply to 1 module or all modules
    • Each rule can apply to an RPC operation, YANG action, YANG notification, or YANG data subtree
    • If a rule matches the content being accessed, then the 'action' (permit or deny) is applied
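As an added example (not netconfd-pro's code or the NACM implementation itself), a small Python model of the rule-list evaluation described above: rule-lists are selected by the user's groups, rules are checked in order with the first applicable rule deciding, and the global read/write/exec defaults apply only when nothing matches. The configuration, module names, RPC name and path are constructed for illustration, and subtree matching is simplified to a path prefix test.

```python
from dataclasses import dataclass, field

WRITE_OPS = {"create", "update", "delete"}

@dataclass
class Rule:
    name: str
    module: str = "*"            # one module name, or "*" for all modules
    ops: set = field(default_factory=lambda: {"*"})  # access operations
    action: str = "permit"       # "permit" or "deny"
    rpc: str = ""                # non-empty: rule applies to this RPC only
    path: str = ""               # non-empty: rule applies to this data subtree only

@dataclass
class RuleList:
    name: str
    groups: set                  # the rule-list applies to these groups
    rules: list                  # checked in order; first match wins

# Constructed sample config: defaults as on the page, groups for admin/diag/test.
NACM = {
    "read-default": "permit", "write-default": "deny", "exec-default": "permit",
    "groups": {"admin": {"admin"}, "operators": {"diag", "test"}},
    "rule-list": [
        RuleList("admin-acl", {"admin"}, [Rule("permit-all")]),
        RuleList("operators-acl", {"operators"}, [
            Rule("deny-restart", "ietf-system", {"exec"}, "deny", rpc="system-restart"),
            Rule("permit-if-write", "ietf-interfaces", WRITE_OPS, "permit",
                 path="/if:interfaces"),
        ]),
    ],
}

def rule_matches(rule, module, op, rpc, path):
    """A rule applies when every constraint it sets is satisfied."""
    return (rule.module in ("*", module)
            and ("*" in rule.ops or op in rule.ops)
            and (not rule.rpc or rule.rpc == rpc)
            and (not rule.path or path.startswith(rule.path)))

def decide(user, module, op, rpc="", path="", nacm=NACM):
    """Return 'permit' or 'deny' for op in read/create/update/delete/exec."""
    user_groups = {g for g, members in nacm["groups"].items() if user in members}
    for rl in nacm["rule-list"]:                  # rule-lists in configured order
        if rl.groups & user_groups:               # only rule-lists for the user's groups
            for rule in rl.rules:                 # first rule that applies is used
                if rule_matches(rule, module, op, rpc, path):
                    return rule.action
    if op in WRITE_OPS:                           # nothing matched: global defaults
        return nacm["write-default"]
    return nacm["exec-default"] if op == "exec" else nacm["read-default"]
```

A user in no group (or one whose rule-lists never match) falls through to the defaults, which is why writes are denied until /nacm/groups and /nacm/rule-list are configured.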