1 module ietf-netconf-acm {
3 namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-acm";
7 import ietf-yang-types {
12 "IETF NETCONF (Network Configuration) Working Group";
15 "WG Web: <https://datatracker.ietf.org/wg/netconf/>
16 WG List: <mailto:netconf@ietf.org>
19 <mailto:andy@yumaworks.com>
21 Author: Martin Bjorklund
22 <mailto:mbj@tail-f.com>";
25 "Network Configuration Access Control Model.
27 Copyright (c) 2012 - 2018 IETF Trust and the persons
28 identified as authors of the code. All rights reserved.
30 Redistribution and use in source and binary forms, with or
31 without modification, is permitted pursuant to, and subject
32 to the license terms contained in, the Simplified BSD
33 License set forth in Section 4.c of the IETF Trust's
34 Legal Provisions Relating to IETF Documents
35 (https://trustee.ietf.org/license-info).
37 This version of this YANG module is part of RFC 8341; see
38 the RFC itself for full legal notices.";
40 revision "2018-02-14" {
42 "Added support for YANG 1.1 actions and notifications tied to
43 data nodes. Clarified how NACM extensions can be used by
46 "RFC 8341: Network Configuration Access Control Model";
49 revision "2012-02-22" {
53 "RFC 6536: Network Configuration Protocol (NETCONF)
54 Access Control Model";
58 * Extension statements
61 extension default-deny-write {
63 "Used to indicate that the data model node
64 represents a sensitive security system parameter.
66 If present, the NETCONF server will only allow the designated
67 'recovery session' to have write access to the node. An
68 explicit access control rule is required for all other users.
70 If the NACM module is used, then it must be enabled (i.e.,
71 /nacm/enable-nacm object equals 'true'), or this extension
72 is ignored.
74 The 'default-deny-write' extension MAY appear within a data
75 definition statement. It is ignored otherwise.";
78 extension default-deny-all {
80 "Used to indicate that the data model node
81 controls a very sensitive security system parameter.
83 If present, the NETCONF server will only allow the designated
84 'recovery session' to have read, write, or execute access to
85 the node. An explicit access control rule is required for all
86 other users.
88 If the NACM module is used, then it must be enabled (i.e.,
89 /nacm/enable-nacm object equals 'true'), or this extension
90 is ignored.
92 The 'default-deny-all' extension MAY appear within a data
93 definition statement, 'rpc' statement, or 'notification'
94 statement. It is ignored otherwise.";
101 typedef user-name-type {
106 "General-purpose username string.";
109 typedef matchall-string-type {
114 "The string containing a single asterisk '*' is used
115 to conceptually represent all possible values
116 for the particular leaf using this data type.";
119 typedef access-operations-type {
123 "Any protocol operation that creates a
124 new data node.";
128 "Any protocol operation or notification that
129 returns the value of a data node.";
133 "Any protocol operation that alters an existing
134 data node.";
138 "Any protocol operation that removes a data node.";
142 "Execution access to the specified protocol operation.";
149 typedef group-name-type {
155 "Name of administrative group to which
156 users can be assigned.";
159 typedef action-type {
163 "Requested action is permitted.";
167 "Requested action is denied.";
171 "Action taken by the server when a particular
172 rule matches.";
175 typedef node-instance-identifier {
178 "Path expression used to represent a special
179 data node, action, or notification instance-identifier
182 A node-instance-identifier value is an
183 unrestricted YANG instance-identifier expression.
184 All the same rules as an instance-identifier apply,
185 except that predicates for keys are optional. If a key
186 predicate is missing, then the node-instance-identifier
187 represents all possible server instances for that key.
189 This XML Path Language (XPath) expression is evaluated in the
192 o The set of namespace declarations are those in scope on
193 the leaf element where this type is used.
195 o The set of variable bindings contains one variable,
196 'USER', which contains the name of the user of the
199 o The function library is the core function library, but
200 note that due to the syntax restrictions of an
201 instance-identifier, no functions are allowed.
203 o The context node is the root node in the data tree.
205 The accessible tree includes actions and notifications tied
210 * Data definition statements
214 nacm:default-deny-all;
217 "Parameters for NETCONF access control model.";
223 "Enables or disables all NETCONF access control
224 enforcement. If 'true', then enforcement
225 is enabled. If 'false', then enforcement
226 is disabled.";
233 "Controls whether read access is granted if
234 no appropriate rule is found for a
235 particular read request.";
242 "Controls whether create, update, or delete access
243 is granted if no appropriate rule is found for a
244 particular write request.";
251 "Controls whether exec access is granted if no appropriate
252 rule is found for a particular protocol operation request.";
255 leaf enable-external-groups {
259 "Controls whether the server uses the groups reported by the
260 NETCONF transport layer when it assigns the user to a set of
261 NACM groups. If this leaf has the value 'false', any group
262 names reported by the transport layer are ignored by the
263 server.";
266 leaf denied-operations {
267 type yang:zero-based-counter32;
271 "Number of times since the server last restarted that a
272 protocol operation request was denied.";
275 leaf denied-data-writes {
276 type yang:zero-based-counter32;
280 "Number of times since the server last restarted that a
281 protocol operation request to alter
282 a configuration datastore was denied.";
285 leaf denied-notifications {
286 type yang:zero-based-counter32;
290 "Number of times since the server last restarted that
291 a notification was dropped for a subscription because
292 access to the event type was denied.";
297 "NETCONF access control groups.";
303 "One NACM group entry. This list will only contain
304 configured entries, not any entries learned from
305 any transport protocols.";
308 type group-name-type;
310 "Group name associated with this entry.";
313 leaf-list user-name {
316 "Each entry identifies the username of
317 a member of the group associated with
327 "An ordered collection of access control rules.";
334 "Arbitrary name assigned to the rule-list.";
338 type matchall-string-type;
339 type group-name-type;
342 "List of administrative groups that will be
343 assigned the associated access rights
344 defined by the 'rule' list.
346 The string '*' indicates that all groups apply to the
347 entry.";
354 "One access control rule.
356 Rules are processed in user-defined order until a match is
357 found. A rule matches if 'module-name', 'rule-type', and
358 'access-operations' match the request. If a rule
359 matches, the 'action' leaf determines whether or not
360 access is granted.";
367 "Arbitrary name assigned to the rule.";
372 type matchall-string-type;
377 "Name of the module associated with this rule.
379 This leaf matches if it has the value '*' or if the
380 object being accessed is defined in the module with the
381 specified module name.";
385 "This choice matches if all leafs present in the rule
386 match the request. If no leafs are present, the
387 choice matches all requests.";
388 case protocol-operation {
391 type matchall-string-type;
395 "This leaf matches if it has the value '*' or if
396 its value equals the requested protocol operation
397 name.";
401 leaf notification-name {
403 type matchall-string-type;
407 "This leaf matches if it has the value '*' or if its
408 value equals the requested notification name.";
414 type node-instance-identifier;
417 "Data node instance-identifier associated with the
418 data node, action, or notification controlled by
421 Configuration data or state data
422 instance-identifiers start with a top-level
423 data node. A complete instance-identifier is
424 required for this type of path value.
426 The special value '/' refers to all possible
427 datastore contents.";
432 leaf access-operations {
434 type matchall-string-type;
435 type access-operations-type;
439 "Access operations associated with this rule.
441 This leaf matches if it has the value '*' or if the
442 bit corresponding to the requested operation is set.";
449 "The access control action associated with the
450 rule. If a rule has been determined to match a
451 particular request, then this object is used
452 to determine whether to permit or deny the
453 request.";
459 "A textual description of the access rule.";