This module augments ietf-netconf-acm with additional access control data.
Version: 2013-03-07
module tailf-acm { yang-version 1; namespace "http://tail-f.com/yang/acm"; prefix tacm; import ietf-netconf-acm { prefix nacm; } organization "Tail-f Systems"; description "This module augments ietf-netconf-acm with additional access control data."; revision "2013-03-07" { description "Released as part of ConfD-4.2. Added cmd-read-default and cmd-exec-default."; } revision "2012-11-08" { description "Initial revision. Released as part of ConfD-4.1."; } augment /nacm:nacm { leaf cmd-read-default { type nacm:action-type; default "permit"; description "Controls whether command read access is granted if no appropriate cmdrule is found for a particular command read request."; } leaf cmd-exec-default { type nacm:action-type; default "permit"; description "Controls whether command exec access is granted if no appropriate cmdrule is found for a particular command exec request."; } leaf log-if-default-permit { type empty; description "If this leaf is present, access granted due to one of /nacm/read-default, /nacm/write-default, /nacm/exec-default /nacm/cmd-read-default, or /nacm/cmd-exec-default being set to 'permit' is logged in the developer log. Otherwise, only denied access is logged. Mainly intended for debugging of rules."; } } augment /nacm:nacm/nacm:groups/nacm:group { leaf gid { type int32; description "This leaf associates a numerical group ID with the group. When a OS command is executed on behalf of a user, supplementary group IDs are assigned based on 'gid' values for the groups that the use is a member of."; } } augment /nacm:nacm/nacm:rule-list { list cmdrule { key "name"; ordered-by user; description "One command access control rule. Command rules control access to CLI commands and Web UI functions. Rules are processed in user-defined order until a match is found. A rule matches if 'context', 'command', and 'access-operations' match the request. If a rule matches, the 'action' leaf determines if access is granted or not."; leaf name { type string { length "1..max"; } description "Arbitrary name assigned to the rule."; } leaf context { type union { type nacm:matchall-string-type; type string; } default "*"; description "This leaf matches if it has the value '*' or if its value identifies the agent that is requesting access, i.e. 'cli' for CLI or 'webui' for Web UI."; } leaf command { type string; default "*"; description "Space-separated tokens representing the command. Refer to the Tail-f AAA documentation for further details."; } leaf access-operations { type union { type nacm:matchall-string-type; type nacm:access-operations-type; } default "*"; description "Access operations associated with this rule. This leaf matches if it has the value '*' or if the bit corresponding to the requested operation is set."; } leaf action { type nacm:action-type; mandatory true; description "The access control action associated with the rule. If a rule is determined to match a particular request, then this object is used to determine whether to permit or deny the request."; } leaf log-if-permit { type empty; description "If this leaf is present, access granted due to this rule is logged in the developer log. Otherwise, only denied access is logged. Mainly intended for debugging of rules."; } leaf comment { type string; description "A textual description of the access rule."; } } // list cmdrule } augment /nacm:nacm/nacm:rule-list/nacm:rule { leaf context { type union { type nacm:matchall-string-type; type string; } default "*"; description "This leaf matches if it has the value '*' or if its value identifies the agent that is requesting access, e.g. 'netconf' for NETCONF, 'cli' for CLI, or 'webui' for Web UI."; } leaf log-if-permit { type empty; description "If this leaf is present, access granted due to this rule is logged in the developer log. Otherwise, only denied access is logged. Mainly intended for debugging of rules."; } } } // module tailf-acm
© 2023 YumaWorks, Inc. All rights reserved.