1 module ietf-netconf-acm {
3 namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-acm";
7 import ietf-yang-types {
12 "IETF NETCONF (Network Configuration) Working Group";
15 "WG Web: <https://datatracker.ietf.org/wg/netconf/>
16 WG List: <mailto:netconf@ietf.org>
18 <mailto:andy@yumaworks.com>
19 Author: Martin Bjorklund
20 <mailto:mbj@tail-f.com>";
23 "Network Configuration Access Control Model.
24 Copyright (c) 2012 - 2018 IETF Trust and the persons
25 identified as authors of the code. All rights reserved.
26 Redistribution and use in source and binary forms, with or
27 without modification, is permitted pursuant to, and subject
28 to the license terms contained in, the Simplified BSD
29 License set forth in Section 4.c of the IETF Trust's
30 Legal Provisions Relating to IETF Documents
31 (https://trustee.ietf.org/license-info).
32 This version of this YANG module is part of RFC 8341; see
33 the RFC itself for full legal notices.";
35 revision "2018-02-14" {
37 "Added support for YANG 1.1 actions and notifications tied to
38 data nodes. Clarified how NACM extensions can be used by
41 "RFC 8341: Network Configuration Access Control Model";
44 revision "2012-02-22" {
48 "RFC 6536: Network Configuration Protocol (NETCONF)
49 Access Control Model";
53 * Extension statements
56 extension default-deny-write {
58 "Used to indicate that the data model node
59 represents a sensitive security system parameter.
60 If present, the NETCONF server will only allow the designated
61 'recovery session' to have write access to the node. An
62 explicit access control rule is required for all other users.
63 If the NACM module is used, then it must be enabled (i.e.,
64 /nacm/enable-nacm object equals 'true'), or this extension
66 The 'default-deny-write' extension MAY appear within a data
67 definition statement. It is ignored otherwise.";
70 extension default-deny-all {
72 "Used to indicate that the data model node
73 controls a very sensitive security system parameter.
74 If present, the NETCONF server will only allow the designated
75 'recovery session' to have read, write, or execute access to
76 the node. An explicit access control rule is required for all
78 If the NACM module is used, then it must be enabled (i.e.,
79 /nacm/enable-nacm object equals 'true'), or this extension
81 The 'default-deny-all' extension MAY appear within a data
82 definition statement, 'rpc' statement, or 'notification'
83 statement. It is ignored otherwise.";
90 typedef user-name-type {
95 "General-purpose username string.";
98 typedef matchall-string-type {
103 "The string containing a single asterisk '*' is used
104 to conceptually represent all possible values
105 for the particular leaf using this data type.";
108 typedef access-operations-type {
112 "Any protocol operation that creates a
117 "Any protocol operation or notification that
118 returns the value of a data node.";
122 "Any protocol operation that alters an existing
127 "Any protocol operation that removes a data node.";
131 "Execution access to the specified protocol operation.";
138 typedef group-name-type {
144 "Name of administrative group to which
145 users can be assigned.";
148 typedef action-type {
152 "Requested action is permitted.";
156 "Requested action is denied.";
160 "Action taken by the server when a particular
164 typedef node-instance-identifier {
167 "Path expression used to represent a special
168 data node, action, or notification instance-identifier
170 A node-instance-identifier value is an
171 unrestricted YANG instance-identifier expression.
172 All the same rules as an instance-identifier apply,
173 except that predicates for keys are optional. If a key
174 predicate is missing, then the node-instance-identifier
175 represents all possible server instances for that key.
176 This XML Path Language (XPath) expression is evaluated in the
178 o The set of namespace declarations are those in scope on
179 the leaf element where this type is used.
180 o The set of variable bindings contains one variable,
181 'USER', which contains the name of the user of the
183 o The function library is the core function library, but
184 note that due to the syntax restrictions of an
185 instance-identifier, no functions are allowed.
186 o The context node is the root node in the data tree.
187 The accessible tree includes actions and notifications tied
192 * Data definition statements
196 nacm:default-deny-all;
199 "Parameters for NETCONF access control model.";
205 "Enables or disables all NETCONF access control
206 enforcement. If 'true', then enforcement
207 is enabled. If 'false', then enforcement
215 "Controls whether read access is granted if
216 no appropriate rule is found for a
217 particular read request.";
224 "Controls whether create, update, or delete access
225 is granted if no appropriate rule is found for a
226 particular write request.";
233 "Controls whether exec access is granted if no appropriate
234 rule is found for a particular protocol operation request.";
237 leaf enable-external-groups {
241 "Controls whether the server uses the groups reported by the
242 NETCONF transport layer when it assigns the user to a set of
243 NACM groups. If this leaf has the value 'false', any group
244 names reported by the transport layer are ignored by the
248 leaf denied-operations {
249 type yang:zero-based-counter32;
253 "Number of times since the server last restarted that a
254 protocol operation request was denied.";
257 leaf denied-data-writes {
258 type yang:zero-based-counter32;
262 "Number of times since the server last restarted that a
263 protocol operation request to alter
264 a configuration datastore was denied.";
267 leaf denied-notifications {
268 type yang:zero-based-counter32;
272 "Number of times since the server last restarted that
273 a notification was dropped for a subscription because
274 access to the event type was denied.";
279 "NETCONF access control groups.";
285 "One NACM group entry. This list will only contain
286 configured entries, not any entries learned from
287 any transport protocols.";
290 type group-name-type;
292 "Group name associated with this entry.";
295 leaf-list user-name {
298 "Each entry identifies the username of
299 a member of the group associated with
309 "An ordered collection of access control rules.";
316 "Arbitrary name assigned to the rule-list.";
320 type matchall-string-type;
321 type group-name-type;
324 "List of administrative groups that will be
325 assigned the associated access rights
326 defined by the 'rule' list.
327 The string '*' indicates that all groups apply to the
335 "One access control rule.
336 Rules are processed in user-defined order until a match is
337 found. A rule matches if 'module-name', 'rule-type', and
338 'access-operations' match the request. If a rule
339 matches, the 'action' leaf determines whether or not
347 "Arbitrary name assigned to the rule.";
352 type matchall-string-type;
357 "Name of the module associated with this rule.
358 This leaf matches if it has the value '*' or if the
359 object being accessed is defined in the module with the
360 specified module name.";
364 "This choice matches if all leafs present in the rule
365 match the request. If no leafs are present, the
366 choice matches all requests.";
367 case protocol-operation {
370 type matchall-string-type;
374 "This leaf matches if it has the value '*' or if
375 its value equals the requested protocol operation
380 leaf notification-name {
382 type matchall-string-type;
386 "This leaf matches if it has the value '*' or if its
387 value equals the requested notification name.";
393 type node-instance-identifier;
396 "Data node instance-identifier associated with the
397 data node, action, or notification controlled by
399 Configuration data or state data
400 instance-identifiers start with a top-level
401 data node. A complete instance-identifier is
402 required for this type of path value.
403 The special value '/' refers to all possible
404 datastore contents.";
409 leaf access-operations {
411 type matchall-string-type;
412 type access-operations-type;
416 "Access operations associated with this rule.
417 This leaf matches if it has the value '*' or if the
418 bit corresponding to the requested operation is set.";
425 "The access control action associated with the
426 rule. If a rule has been determined to match a
427 particular request, then this object is used
428 to determine whether to permit or deny the
435 "A textual description of the access rule.";