Converted from YANG file 'ietf-netconf-acm.yang' by yangdump version 2.2.1732 Module: ietf-netconf-acm Organization: IETF NETCONF (Network Configuration) Working Group Version: 2011-12-23 Contact: WG Web: <http://tools.ietf.org/wg/netconf/> WG List: <mailto:netconf@ietf.org> WG Chair: Mehmet Ersue <mailto:mehmet.ersue@nsn.com> WG Chair: Bert Wijnen <mailto:bertietf@bwijnen.net> Editor: Andy Bierman <mailto:andy@netconfcentral.org> Editor: Martin Bjorklund <mailto:mbj@tail-f.com> NETCONF Access Control Model. Copyright (c) 2011 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices. /usr/share/yuma/modules/ietf/ietf-netconf-acm.yang IETF NETCONF (Network Configuration) Working Group WG Web: <http://tools.ietf.org/wg/netconf/> WG List: <mailto:netconf@ietf.org> WG Chair: Mehmet Ersue <mailto:mehmet.ersue@nsn.com> WG Chair: Bert Wijnen <mailto:bertietf@bwijnen.net> Editor: Andy Bierman <mailto:andy@netconfcentral.org> Editor: Martin Bjorklund <mailto:mbj@tail-f.com> 2011-12-23 Initial version General Purpose User Name string. The string containing a single asterisk '*' is used to conceptually represent all possible values for the particular leaf using this data type. NETCONF Access Operation. Any protocol operation that creates a new data node. 0 Any protocol operation or notification that returns the value of a data node. 1 Any protocol operation that alters an existing data node. 2 Any protocol operation that removes a data node. 3 Execution access to the specified protocol operation. 4 Name of administrative group to which users can be assigned. Action taken by the server when a particular rule matches. Requested action is permitted. 0 Requested action is denied. 1 Path expression used to represent a special data node instance identifier string. A node-instance-identifier value is an unrestricted YANG instance-identifier expression. All the same rules as an instance-identifier apply except predicates for keys are optional. If a key predicate is missing, then the node-instance-identifier represents all possible server instances for that key. This XPath expression is evaluated in the following context: o The set of namespace declarations are those in scope on the leaf element where this type is used. o The set of variable bindings contains one variable, 'USER', which contains the name of user of the current session. o The function library is the core function library, but note that due to the syntax restrictions of an instance-identifier, no functions are allowed. o The context node is the root node in the data tree. Parameters for NETCONF Access Control Model. true Enable or disable all NETCONF access control enforcement. If 'true', then enforcement is enabled. If 'false', then enforcement is disabled. Controls whether read access is granted if no appropriate rule is found for a particular read request. Controls whether create, update, or delete access is granted if no appropriate rule is found for a particular write request. Controls whether exec access is granted if no appropriate rule is found for a particular protocol operation request. Controls whether the server uses the groups reported by the NETCONF transport layer when it assigns the user to a set of NACM groups. If this leaf has the value 'false', any group names reported by the transport layer are ignored by the server. Number of times a protocol operation request was denied since the server last restarted. false true Number of times a protocol operation request to alter a configuration datastore was denied, since the server last restarted. false true Number of times a notification was dropped for a subscription because access to the event type was denied, since the server last restarted. false true NETCONF Access Control Groups. One NACM Group Entry. This list will only contain configured entries, not any entries learned from any transport protocols. system Group name associated with this entry. Each entry identifies the user name of a member of the group associated with this entry. system An ordered collection of access control rules. user Arbitrary name assigned to the rule-list. List of administrative groups that will be assigned the associated access rights defined by the 'rule' list. The string '*' indicates that all groups apply to the entry. system One access control rule. Rules are processed in user-defined order until a match is found. A rule matches if 'module-name', 'rule-type', and 'access-operations' matches the request. If a rule matches, the 'action' leaf determines if access is granted or not. user Arbitrary name assigned to the rule. Name of the module associated with this rule. This leaf matches if it has the value '*', or if the object being accessed is defined in the module with the specified module name. This choice matches if all leafs present in the rule matches the request. If no leafs are present, the choice matches all requests. rule-type protocol-operation This leaf matches if it has the value '*', or if its value equals the requested protocol operation name. notification This leaf matches if it has the value '*', or if its value equals the requested notification name. data-node Data Node Instance Identifier associated with the data node controlled by this rule. Configuration data or state data instance identifiers start with a top-level data node. A complete instance identifier is required for this type of path value. The special value '/' refers to all possible data store contents. true Access operations associated with this rule. This leaf matches if it has the value '*', or if the bit corresponding to the requested operation is set. The access control action associated with the rule. If a rule is determined to match a particular request, then this object is used to determine whether to permit or deny the request. true A textual description of the access rule.