NETCONF operation access control: allows specific NETCONF operations,
such as <edit-config>, <get>, <sync-full>, <sync-inc>, and <commit>.
Module access control: allows access to specific feature modules,
such as Telnet-client, Layer 3 virtual private network (L3VPN), Open Shortest Path First (OSPF), Fault-MGR, Device-MGR, and Intermediate System-to-Intermediate System (IS-IS).
Data node access control: allows users to query and modify specific data nodes,
such as /ifm/interfaces/interface/ifAdminStatus and /devm/globalPara/maxChassisNum.
The access control rules for NETCONF operations and data nodes can be configured.
By default, HUAWEI-NACM is enabled.
Access control is applied to the delivered operation only, not to every node in the model tree that the operation changes. For example, a delete delivered for a parent node is checked against the parent node alone; it is then applied to the child nodes without any further authorization check, so the data of both the parent node and all of its child nodes is deleted. When writing data node rules, grant write permission on a parent node only to users who are also allowed to change everything beneath it.
The HUAWEI-NACM mechanism is similar to the task authentication mechanism used for command authentication, and is designed based on the NETCONF access control model (NACM).
Authentication, authorization and accounting (AAA) defines tasks, task groups, and user groups. The task authentication mechanism uses a three-layer access control model. This model organizes commands into tasks, tasks into task groups, and task groups into user groups.
The HUAWEI-NACM mechanism is based on the task authentication mechanism. The HUAWEI-NACM mechanism subscribes to required information from the task authentication mechanism and stores the obtained information in its local data structures.
NETCONF operations are implemented based on NETCONF sessions established using Secure Shell (SSH). NETCONF authorization applies only to SSH users.
The operation permissions of a user are defined by the user group to which the user belongs. All users in a user group have the same permissions.
A user's rights cannot be greater than those of the user group.
A user group consists of multiple task groups.
A task group consists of multiple tasks.
When a task is added to a task group, it is assigned one or more of the following permissions: read, write, and execute.
Commands for each feature or module belong to a single task. Tasks are pre-configured and cannot be added, modified, or deleted.
Figure 1 shows the task authentication diagram, and Figure 2 shows the HUAWEI-NACM diagram. The HUAWEI-NACM mechanism adds rules for NETCONF operation and data node access control based on the task authentication mechanism.
HUAWEI-NACM is a mechanism that restricts particular users to a pre-configured subset of all available NETCONF protocol operations and content.
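The three-layer model (task, task group, user group) and the "only the delivered operation is checked" behaviour described above, worked through as an added example. This is illustrative code written for this page, not Huawei's implementation and not the device's rule syntax: the task names, task groups, user groups, the mapping from NETCONF operation to required permission, the mapping from data node prefix to owning task, and the XML namespaces (urn:example:ifm, the "netconf" session task) are all assumptions. Only the structure follows the text: commands and nodes belong to a task, task groups grant read/write/execute per task, user groups bundle task groups, a user never exceeds its user group, and a delete on a parent node is authorized once and then applied to every child without further checks.

```python
"""Toy model of HUAWEI-NACM style NETCONF authorization (added example, not Huawei code).
All task, group, user and namespace names below are hypothetical."""
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"

# Permission a NETCONF operation needs (assumption; the page names only read/write/execute).
OP_PERMISSION = {"edit-config": "write", "commit": "execute"}
SESSION_TASK = "netconf"  # hypothetical task that owns session-level operations such as <commit>

# Data-node subtree -> owning task (hypothetical; the page only shows nodes under /ifm and /devm).
NODE_TASK = {"/ifm": "ifm", "/devm": "Device-MGR"}

# Three-layer model: task -> task group (rights per task) -> user group -> user.
TASK_GROUPS = {
    "if-admins": {"ifm": {"read", "write"}, "Device-MGR": {"read"}, "netconf": {"execute"}},
    "chassis-admins": {"Device-MGR": {"read", "write"}, "netconf": {"execute"}},
    "readers": {"ifm": {"read"}, "Device-MGR": {"read"}},
}
USER_GROUPS = {"noc": ["if-admins", "chassis-admins"], "helpdesk": ["readers"]}
USERS = {"alice": "noc", "bob": "helpdesk"}


def permissions(user):
    """A user's rights are the union of its user group's task groups, never more."""
    perms = {}
    for tg in USER_GROUPS[USERS[user]]:
        for task, rights in TASK_GROUPS[tg].items():
            perms.setdefault(task, set()).update(rights)
    return perms


def task_for_node(path):
    """Longest-prefix match of a data-node path onto the task that owns it."""
    matches = [p for p in NODE_TASK if path == p or path.startswith(p + "/")]
    return NODE_TASK[max(matches, key=len)] if matches else None


def _collect(elem, prefix, out):
    for child in elem:
        path = f"{prefix}/{child.tag.split('}')[-1]}"
        op = child.get(f"{{{NC}}}operation")
        if op:
            out.append((op, path))
        # A delete/remove covers the whole subtree: nothing below is delivered as a
        # separate operation, so nothing below is checked (the caveat in the text).
        if op not in ("delete", "remove"):
            _collect(child, path, out)


def delivered_operations(edit_config):
    """Operations actually delivered by an <edit-config>: elements tagged with
    nc:operation, or, when none is tagged, the default 'merge' of each top-level subtree."""
    config = edit_config.find(f"{{{NC}}}config")
    out = []
    _collect(config, "", out)
    return out or [("merge", f"/{c.tag.split('}')[-1]}") for c in config]


def authorize(user, rpc_xml):
    """Check each delivered operation in an <rpc>; return (allowed, decision strings)."""
    perms = permissions(user)
    decisions, allowed = [], True

    def check(task, right, what):
        nonlocal allowed
        ok = right in perms.get(task, set())
        allowed &= ok
        decisions.append(f"{what}: task={task} needs {right}: {'permit' if ok else 'deny'}")

    for rpc_op in ET.fromstring(rpc_xml):
        name = rpc_op.tag.split("}")[-1]
        if name == "edit-config":
            for op, path in delivered_operations(rpc_op):
                check(task_for_node(path), OP_PERMISSION[name], f"{op} {path}")
        elif name in OP_PERMISSION:
            check(SESSION_TASK, OP_PERMISSION[name], f"<{name}>")
        else:
            allowed = False
            decisions.append(f"<{name}>: deny (no rule)")
    return allowed, decisions


def affected_nodes(datastore, op, path):
    """Every datastore node the operation really touches; for delete, the whole subtree."""
    if op in ("delete", "remove"):
        return sorted(n for n in datastore if n == path or n.startswith(path + "/"))
    return [path]


# Constructed sample messages and datastore; node paths are the ones the page lists.
DELETE_IF_RPC = f"""<rpc xmlns="{NC}" message-id="1">
  <edit-config><target><candidate/></target>
    <config>
      <ifm xmlns="urn:example:ifm"><interfaces>
        <interface xmlns:nc="{NC}" nc:operation="delete"><ifName>GE0/0/1</ifName></interface>
      </interfaces></ifm>
    </config>
  </edit-config>
</rpc>"""
COMMIT_RPC = f'<rpc xmlns="{NC}" message-id="2"><commit/></rpc>'
DATASTORE = {"/ifm/interfaces/interface", "/ifm/interfaces/interface/ifAdminStatus",
             "/ifm/interfaces/interface/ifName", "/devm/globalPara/maxChassisNum"}

if __name__ == "__main__":
    for user in USERS:
        for rpc in (DELETE_IF_RPC, COMMIT_RPC):
            ok, why = authorize(user, rpc)
            print(user, "PERMIT" if ok else "DENY", why)
    # One node is authorized, three are removed: the children are never checked separately.
    print(affected_nodes(DATASTORE, "delete", "/ifm/interfaces/interface"))
```

Running the script shows alice permitted and bob denied for both the interface delete and the <commit>, and the final line lists the three datastore nodes removed by a delete that was authorized against one node. To see the default-operation case, send an <edit-config> whose <config> carries no nc:operation attribute: the whole top-level subtree (for example /devm) is checked once as a merge against the task that owns it.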