Configuring IETF-NACM Authorization

You can configure IETF-NACM authorization to authorize specific users to perform NETCONF operations or access NETCONF resources. This ensures device security.

Context

NACM authorization is an IETF-defined, more flexible authorization mode. It allows you to define NACM authorization rules to control specific users' permissions for performing NETCONF operations and accessing NETCONF resources.

Procedure

Run system-view
The system view is displayed.
Run netconf
The NETCONF view is displayed.
Run nacm
The NACM view is displayed.
Run nacm enable
The NACM function is enabled.
(Optional) Run read-default permit
Users are enabled to perform query operations.
(Optional) Run write-default permit
Users are enabled to perform configuration operations.
(Optional) Run execute-default permit
Users are enabled to have the default execution permission for RPC operations.
Run group-name group-name
An NACM user group is created, and the NACM user group view is displayed.
Run user-name user-name
A user is specified for the NACM user group.
Run quit
Exit the NACM user group view.
Run rule-list-name rule-list-name
An NACM rule list is created, and the NACM rule list view is displayed.
Run group group-name
The NACM user group is associated with the NACM authorization rule list.
Run rule-name rule-name action action
A name is set for an NACM authorization rule in the NACM authorization rule list view.
(Optional) Run description description
A description is configured for the NACM authorization rule.
Run module-name module-name
The name of a feature module is specified in the NACM authorization rule.
Run rule-type { rpc-name rpc-name | notification-name notification-name | path path }
A type is specified for the NACM authorization rule.
Run access-operation { { create | read | update | delete | exec } ^* | ^* }
Access operations are configured.
Run commit
The configuration is committed.