NACM rules are not working  #144

@srilchan81

NON-SUPERUSER:

I have created a new user “test” with password “Test@123”.
For this new user I have connected yangcli and created some rules for the user “test” with reference to the RFC.
I have added the newly created user to the limited group and created a rule to deny all the operations for the module “fscfa” (proprietary module) with this new user.
Here the user is treated as a non-superuser.
Uploading nacm_non_super_user_configs.txt…

Below are the configs for non-superuser:

replace /nacm/groups/group/user-name
test
limited
commit
replace /nacm/rule-list/name
limited-acl
replace /nacm/rule-list/group
limited
limited-acl
replace /nacm/rule-list/rule/action
deny
deny-fs-fs-cfa
limited-acl
replace /nacm/rule-list/rule/access-operations
*
deny-fs-fs-cfa
limited-acl
replace /nacm/rule-list/rule/module-name
fscfa
deny-fs-fs-cfa
limited-acl
commit
sget /nacm/

Even after creating the deny rule for the fscfa module, I am able to do all the operations like create, replace, get, delete.
So I cross-verified the XML generated with the above configs against the XML in RFC 8341 (the “NACM_RFC_reference.txt” file contains the XML reference from the RFC).
I didn’t find any differences between the XMLs; the configurations are configured properly and reflected in the sget output also, but the functionality is not working.
NOTE: for this non-superuser please find the “nacm_non_super_user_configs.txt” file for the configs log, sget output, testing for “fscfa”, and the XML populated for the nacm configs.

SUPERUSER:

In a similar way, I have checked for the administrative user, i.e., the “root” user, which is nothing but the superuser.
Here also the same is happening as for the non-superuser “test”. For the “root” user I used the below configs.

Below are the configs for superuser:

replace /nacm/groups/group/user-name
root
admin
commit
replace /nacm/rule-list/name
admin-acl
replace /nacm/rule-list/group
admin
admin-acl
replace /nacm/rule-list/rule/action
deny
deny-fs-if
admin-acl
replace /nacm/rule-list/rule/access-operations
create
deny-fs-if
admin-acl
replace /nacm/rule-list/rule/module-name
fsif
deny-fs-if
admin-acl
commit
sget /nacm/

NOTE: for this superuser please find the “nacm_root_user_configs.txt” file for the configs log, sget output, testing for “fscfa”, and the XML populated for the nacm configs
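
For triage, the following added example (not part of the original report and not the project's code) evaluates the two posted rule sets with a simplified RFC 8341 data-node access check, so the expected decisions can be compared with what the server actually does. The dictionary layout, the function name `check_access` and the `recovery_session` flag are assumptions made for illustration; only `module-name` rules are modelled and the defaults are the RFC 8341 ones.

```python
# Added example: simplified RFC 8341 data-node access check (module-name rules only).
# The dict layout and names are assumptions, not the server's own structures.

# Constructed from the two configurations posted in the issue.
NACM = {
    "enable-nacm": True,        # RFC 8341 default
    "read-default": "permit",   # RFC 8341 default
    "write-default": "deny",    # RFC 8341 default
    "groups": {"limited": ["test"], "admin": ["root"]},
    "rule-lists": [
        {"name": "limited-acl", "groups": ["limited"], "rules": [
            {"name": "deny-fs-fs-cfa", "module-name": "fscfa",
             "access-operations": "*", "action": "deny"}]},
        {"name": "admin-acl", "groups": ["admin"], "rules": [
            {"name": "deny-fs-if", "module-name": "fsif",
             "access-operations": "create", "action": "deny"}]},
    ],
}

def check_access(nacm, user, module, operation, recovery_session=False):
    """Return (action, reason); operation is create, read, update or delete."""
    if not nacm.get("enable-nacm", True):
        return "permit", "enable-nacm is false"
    if recovery_session:
        return "permit", "recovery session bypasses NACM"
    user_groups = {g for g, members in nacm["groups"].items() if user in members}
    for rule_list in nacm["rule-lists"]:          # rule-lists in configured order
        listed = set(rule_list["groups"])
        if "*" not in listed and not (user_groups & listed):
            continue
        for rule in rule_list["rules"]:           # first matching rule decides
            if rule.get("module-name", "*") not in ("*", module):
                continue
            ops = rule.get("access-operations", "*")   # YANG default is "*"
            if ops != "*" and operation not in ops.split():
                continue
            return rule["action"], f"{rule_list['name']}/{rule['name']}"
    default = "read-default" if operation == "read" else "write-default"
    return nacm[default], default
```

Under these assumptions every operation by “test” on “fscfa” is denied by `deny-fs-fs-cfa`, and a `create` by “root” in “fsif” is denied unless the server treats that session as a recovery session, in which case RFC 8341 bypasses all rules.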
