<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="m-1">
<data xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring">module ietf-netconf-acm {
namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-acm";
import ietf-yang-types {
"IETF NETCONF (Network Configuration) Working Group";
"WG Web: <http://tools.ietf.org/wg/netconf/>
WG List: <mailto:netconf@ietf.org>
WG Chair: Mehmet Ersue
<mailto:mehmet.ersue@nsn.com>
<mailto:bertietf@bwijnen.net>
<mailto:andy@yumaworks.com>
Editor: Martin Bjorklund
<mailto:mbj@tail-f.com>";
"NETCONF Access Control Model.
Copyright (c) 2012 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD
License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC 6536; see
the RFC itself for full legal notices.";
"RFC 6536: Network Configuration Protocol (NETCONF)
Access Control Model";
extension default-deny-write {
"Used to indicate that the data model node
represents a sensitive security system parameter.
If present, and the NACM module is enabled (i.e.,
/nacm/enable-nacm object equals 'true'), the NETCONF server
will only allow the designated 'recovery session' to have
write access to the node. An explicit access control rule is
required for all other users.
The 'default-deny-write' extension MAY appear within a data
definition statement. It is ignored otherwise.";
extension default-deny-all {
"Used to indicate that the data model node
controls a very sensitive security system parameter.
If present, and the NACM module is enabled (i.e.,
/nacm/enable-nacm object equals 'true'), the NETCONF server
will only allow the designated 'recovery session' to have
read, write, or execute access to the node. An explicit
access control rule is required for all other users.
The 'default-deny-all' extension MAY appear within a data
definition statement, 'rpc' statement, or 'notification'
statement. It is ignored otherwise.";
typedef user-name-type {
"General Purpose Username string.";
typedef matchall-string-type {
"The string containing a single asterisk '*' is used
to conceptually represent all possible values
for the particular leaf using this data type.";
typedef access-operations-type {
"Any protocol operation that creates a
"Any protocol operation or notification that
returns the value of a data node.";
"Any protocol operation that alters an existing
"Any protocol operation that removes a data node.";
"Execution access to the specified protocol operation.";
"NETCONF Access Operation.";
typedef group-name-type {
"Name of administrative group to which
users can be assigned.";
typedef action-type {
"Requested action is permitted.";
"Requested action is denied.";
"Action taken by the server when a particular
typedef node-instance-identifier {
"Path expression used to represent a special
data node instance identifier string.
A node-instance-identifier value is an
unrestricted YANG instance-identifier expression.
All the same rules as an instance-identifier apply
except predicates for keys are optional. If a key
predicate is missing, then the node-instance-identifier
represents all possible server instances for that key.
This XPath expression is evaluated in the following context:
o The set of namespace declarations are those in scope on
the leaf element where this type is used.
o The set of variable bindings contains one variable,
'USER', which contains the name of the user of the current
o The function library is the core function library, but
note that due to the syntax restrictions of an
instance-identifier, no functions are allowed.
o The context node is the root node in the data tree.";
nacm:default-deny-all;
"Parameters for NETCONF Access Control Model.";
"Enables or disables all NETCONF access control
enforcement. If 'true', then enforcement
is enabled. If 'false', then enforcement
"Controls whether read access is granted if
no appropriate rule is found for a
particular read request.";
"Controls whether create, update, or delete access
is granted if no appropriate rule is found for a
particular write request.";
"Controls whether exec access is granted if no appropriate
rule is found for a particular protocol operation request.";
leaf enable-external-groups {
"Controls whether the server uses the groups reported by the
NETCONF transport layer when it assigns the user to a set of
NACM groups. If this leaf has the value 'false', any group
names reported by the transport layer are ignored by the
leaf denied-operations {
type yang:zero-based-counter32;
"Number of times since the server last restarted that a
protocol operation request was denied.";
leaf denied-data-writes {
type yang:zero-based-counter32;
"Number of times since the server last restarted that a
protocol operation request to alter
a configuration datastore was denied.";
leaf denied-notifications {
type yang:zero-based-counter32;
"Number of times since the server last restarted that
a notification was dropped for a subscription because
access to the event type was denied.";
"NETCONF Access Control Groups.";
"One NACM Group Entry. This list will only contain
configured entries, not any entries learned from
any transport protocols.";
type group-name-type;
"Group name associated with this entry.";
leaf-list user-name {
"Each entry identifies the username of
a member of the group associated with
"An ordered collection of access control rules.";
"Arbitrary name assigned to the rule-list.";
type matchall-string-type;
type group-name-type;
"List of administrative groups that will be
assigned the associated access rights
defined by the 'rule' list.
The string '*' indicates that all groups apply to the
"One access control rule.
Rules are processed in user-defined order until a match is
found. A rule matches if 'module-name', 'rule-type', and
'access-operations' match the request. If a rule
matches, the 'action' leaf determines if access is granted
"Arbitrary name assigned to the rule.";
type matchall-string-type;
"Name of the module associated with this rule.
This leaf matches if it has the value '*' or if the
object being accessed is defined in the module with the
specified module name.";
"This choice matches if all leafs present in the rule
match the request. If no leafs are present, the
choice matches all requests.";
case protocol-operation {
type matchall-string-type;
"This leaf matches if it has the value '*' or if
its value equals the requested protocol operation
leaf notification-name {
type matchall-string-type;
"This leaf matches if it has the value '*' or if its
value equals the requested notification name.";
type node-instance-identifier;
"Data Node Instance Identifier associated with the
data node controlled by this rule.
Configuration data or state data instance
identifiers start with a top-level data node. A
complete instance identifier is required for this
The special value '/' refers to all possible
datastore contents.";
leaf access-operations {
type matchall-string-type;
type access-operations-type;
"Access operations associated with this rule.
This leaf matches if it has the value '*' or if the
bit corresponding to the requested operation is set.";
"The access control action associated with the
rule. If a rule is determined to match a
particular request, then this object is used
to determine whether to permit or deny the
"A textual description of the access rule.";
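The rule-processing semantics described by the 'rule-list' and 'rule' descriptions above (group membership, rules evaluated in configured order, 'module-name', the rule-type leafs, 'access-operations', 'action', and the read/write/exec defaults when nothing matches), as an added Python example that is not part of the ietf-netconf-acm module or of any NETCONF server. The dict layout, the prefix-based path comparison, and the sample /nacm configuration are assumptions of this example.

```python
import re

# Constructed sample /nacm configuration using the module's own leaf names.
NACM = {
    "enable-nacm": True,
    "read-default": "permit", "write-default": "deny", "exec-default": "deny",
    "groups": {"admin": {"alice"}, "guest": {"bob"}},
    "rule-list": [
        {"name": "admin-acl", "group": ["admin"], "rule": [
            {"name": "all", "module-name": "*", "access-operations": "*",
             "action": "permit"}]},
        {"name": "guest-acl", "group": ["*"], "rule": [
            {"name": "no-sys-write", "module-name": "ietf-system", "path": "/sys:system",
             "access-operations": {"create", "update", "delete"}, "action": "deny"},
            {"name": "ping", "module-name": "*", "rpc-name": "ping",
             "access-operations": {"exec"}, "action": "permit"}]}],
}

def _strip_keys(path):
    # A node-instance-identifier without a key predicate covers all instances.
    return re.sub(r"\[[^\]]*\]", "", path)

def _rule_matches(rule, req):
    # Every leaf present in the rule must match; no rule-type leaf means match all.
    if rule["module-name"] not in ("*", req["module"]):
        return False
    for leaf, key in (("rpc-name", "rpc"), ("notification-name", "notification")):
        if leaf in rule and rule[leaf] not in ("*", req.get(key)):
            return False
    if "path" in rule:
        want, have = _strip_keys(rule["path"]), _strip_keys(req.get("path", ""))
        if want != "/" and have != want and not have.startswith(want + "/"):
            return False
    ops = rule["access-operations"]
    return ops == "*" or req["op"] in ops

def decide(nacm, user, req):
    """Return 'permit' or 'deny' for req = {module, op, rpc|notification|path}."""
    if not nacm["enable-nacm"]:
        return "permit"  # enforcement disabled
    user_groups = {g for g, members in nacm["groups"].items() if user in members}
    for rl in nacm["rule-list"]:  # rule-lists, then rules, in configured order
        if "*" not in rl["group"] and not user_groups.intersection(rl["group"]):
            continue
        for rule in rl["rule"]:
            if _rule_matches(rule, req):
                return rule["action"]  # first match wins
    default = {"read": "read-default", "exec": "exec-default"}.get(req["op"], "write-default")
    return nacm[default]
```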