Configuring a placeholder rule, Rule processing – Brocade Network OS NETCONF Operations Guide v4.1.1 User Manual

Network OS NETCONF Operations Guide
53-1003231-02
Command access rules
Refer to the Network OS Administrator’s Guide for details about how rules apply to configuration
commands, operational commands, and interface key-based commands.
Configuring a placeholder rule
A rule created to allow the no-operation command does not enforce any authorization rules.
Instead, you can use this instance as a placeholder for a valid command that is added later, as
shown in the following example.
1. Issue the <edit-config> RPC to configure the <rule> node in the
urn:brocade.com:mgmt:brocade-aaa namespace.
2. Under the <rule> node, include the <command>/<enumList> hierarchy of node elements.
3. Under the <enumList> node, include the empty <no-operation> element to serve as a
placeholder.
<?xml version="1.0" encoding="UTF-8"?>
<rpc message-id="810" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <rule xmlns="urn:brocade.com:mgmt:brocade-aaa">
        <index>75</index>
        <action>reject</action>
        <operation>read-write</operation>
        <role>NetworkAdmin</role>
        <command>
          <enumList>no-operation</enumList>
        </command>
      </rule>
    </config>
  </edit-config>
</rpc>

<rpc-reply message-id="810" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <ok/>
</rpc-reply>
Rule processing
When a user executes a command, rules are searched in ascending order by index for a match and
the action of the first matching rule is applied. If none of the rules match, command execution is
blocked. If conflicting permissions exist for a role in different indices, the rule with the lowest
index number is applied.
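The lookup order described above, as an added Python example (not code from the guide or from Network OS): it parses <rule> nodes, applies the guide's defaults for operation and action, and reports the first-match decision, any rule shadowed by a lower index, and any no-operation placeholder. Matching on exact role and command name is an assumption made for the illustration, and the sample rules and the command name cmd-a are constructed.

```python
import xml.etree.ElementTree as ET

NS = "{urn:brocade.com:mgmt:brocade-aaa}"
# Constructed sample of <rule> nodes; cmd-a is a hypothetical command name.
SAMPLE = """<config>
 <rule xmlns="urn:brocade.com:mgmt:brocade-aaa"><index>75</index>
  <action>reject</action><operation>read-write</operation><role>NetworkAdmin</role>
  <command><enumList>no-operation</enumList></command></rule>
 <rule xmlns="urn:brocade.com:mgmt:brocade-aaa"><index>40</index>
  <role>NetworkAdmin</role><command><enumList>cmd-a</enumList></command></rule>
 <rule xmlns="urn:brocade.com:mgmt:brocade-aaa"><index>30</index>
  <action>accept</action><role>NetworkAdmin</role>
  <command><enumList>cmd-a</enumList></command></rule>
</config>"""

def load_rules(xml_text):
    """Parse <rule> nodes, apply the documented defaults, sort by index."""
    rules = []
    for node in ET.fromstring(xml_text).iter(NS + "rule"):
        get = lambda tag, default=None: node.findtext(NS + tag) or default
        rules.append({
            "index": int(get("index")),
            "role": get("role"),
            "command": node.findtext(f"{NS}command/{NS}enumList"),
            "operation": get("operation", "read-write"),  # default per the guide
            "action": get("action", "reject"),            # default per the guide
        })
    return sorted(rules, key=lambda r: r["index"])

def decide(rules, role, command):
    """First match in ascending index order wins; no match means blocked."""
    for r in rules:  # rules are already sorted by index
        if r["role"] == role and r["command"] == command:  # assumed exact match
            return r["action"], r["index"]
    return "blocked", None

def shadowed(rules):
    """(index, lower index) pairs: the lower index has the same role and command."""
    seen, out = {}, []
    for r in rules:
        key = (r["role"], r["command"])
        if key in seen:
            out.append((r["index"], seen[key]))
        seen.setdefault(key, r["index"])
    return out

def placeholders(rules):
    """Indices of no-operation rules, which enforce nothing until edited."""
    return [r["index"] for r in rules if r["command"] == "no-operation"]
```

In the sample, rule 40 omits <action> and so defaults to reject, but it never takes effect because rule 30 matches the same role and command first.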
TABLE 7  Rule attributes (Continued)

Parameter    Description
operation    Optional. Defines the general access mode granted by the rule. Access can be read-only or read-write (default).
action       Optional. A modifier restricting the general access mode. The specified access is either accepted (accept) or rejected (reject). The default value is “reject”.