xmlns="urn:ietf:params:xml:ns:yang:yin:1"
xmlns:nacm="urn:ietf:params:xml:ns:yang:ietf-netconf-acm"
xmlns:yang="urn:ietf:params:xml:ns:yang:ietf-yang-types">
<!-- Module identity: the namespace URI and the 'nacm' prefix under which this
     module's own definitions (for example the default-deny-all extension used
     on the 'nacm' container) are referenced. -->
<namespace uri="urn:ietf:params:xml:ns:yang:ietf-netconf-acm"/>
<prefix value="nacm"/>

<!-- ietf-yang-types is imported as 'yang'; this module takes yang:xpath1.0 and
     yang:zero-based-counter32 from it. -->
<import module="ietf-yang-types">
  <prefix value="yang"/>
</import>

<organization>
  <text>IETF NETCONF (Network Configuration) Working Group</text>
</organization>
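<!-- Contact details for the working group and the module editors.
     The angle brackets around the URL and the mailto addresses are written as
     &lt; and &gt;: a literal '<' inside element text is not well-formed XML
     and would make a parser reject the whole module. -->
<contact>
  <text>WG Web: &lt;http://tools.ietf.org/wg/netconf/&gt;
WG List: &lt;mailto:netconf@ietf.org&gt;

WG Chair: Mehmet Ersue
&lt;mailto:mehmet.ersue@nsn.com&gt;

WG Chair: Bert Wijnen
&lt;mailto:bertietf@bwijnen.net&gt;

Editor: Andy Bierman
&lt;mailto:andy@yumaworks.com&gt;

Editor: Martin Bjorklund
&lt;mailto:mbj@tail-f.com&gt;</text>
</contact>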
<!-- Module-level description: the module's scope (NETCONF Access Control
     Model), the copyright and licence notice, and the pointer to RFC 6536 as
     the document this module is part of. -->
<description>
  <text>NETCONF Access Control Model.

Copyright (c) 2012 IETF Trust and the persons identified as
authors of the code. All rights reserved.

Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD
License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info).

This version of this YANG module is part of RFC 6536; see
the RFC itself for full legal notices.</text>
</description>
<!-- The only revision entry of this module.
     NOTE(review): the description cites Errata ID 3862 and 3863, so this copy
     presumably carries changes on top of the text published in RFC 6536;
     confirm which ones before diffing it against another copy of the module. -->
<revision date="2012-02-22">
  <description>
    <text>Initial version;
Errata ID: 3862 and 3863</text>
  </description>
  <reference>
    <text>RFC 6536: Network Configuration Protocol (NETCONF)
Access Control Model</text>
  </reference>
</revision>
<!-- Extension that tags a data node as a sensitive security parameter.
     Effect, as stated in the description: while /nacm/enable-nacm is 'true',
     only the recovery session may write the node unless an explicit access
     control rule grants write access to another user.
     Caveats for schema authors: the tag does nothing while NACM is disabled,
     it does not restrict reads, and it is ignored when placed anywhere other
     than a data definition statement. -->
<extension name="default-deny-write">
  <description>
    <text>Used to indicate that the data model node
represents a sensitive security system parameter.

If present, and the NACM module is enabled (i.e.,
/nacm/enable-nacm object equals 'true'), the NETCONF server
will only allow the designated 'recovery session' to have
write access to the node. An explicit access control rule is
required for all other users.

The 'default-deny-write' extension MAY appear within a data
definition statement. It is ignored otherwise.</text>
  </description>
</extension>
<!-- Extension that tags a node as a very sensitive security parameter.
     Effect, as stated in the description: while /nacm/enable-nacm is 'true',
     only the recovery session gets read, write, or execute access unless an
     explicit access control rule grants it to another user.
     It is honoured on data definition, 'rpc' and 'notification' statements
     and ignored elsewhere. This module applies it to its own 'nacm'
     container, so the access control configuration is itself covered. -->
<extension name="default-deny-all">
  <description>
    <text>Used to indicate that the data model node
controls a very sensitive security system parameter.

If present, and the NACM module is enabled (i.e.,
/nacm/enable-nacm object equals 'true'), the NETCONF server
will only allow the designated 'recovery session' to have
read, write, or execute access to the node. An explicit
access control rule is required for all other users.

The 'default-deny-all' extension MAY appear within a data
definition statement, 'rpc' statement, or 'notification'
statement. It is ignored otherwise.</text>
  </description>
</extension>
<!-- User name as used in group membership (groups/group/user-name).
     The only constraint is a minimum length of 1, so the empty string is
     rejected; no character set or case rule is imposed here.
     NOTE(review): presumably the value must equal the user name the server
     derives for the session; confirm how that name is normalised, since a
     mismatch would leave the user outside the intended group. -->
<typedef name="user-name-type">
  <type name="string">
    <length value="1..max"/>
  </type>
  <description>
    <text>General Purpose Username string.</text>
  </description>
</typedef>
<!-- Wildcard type: the pattern admits exactly one string, a single asterisk.
     It is the first member of the unions used by rule-list/group and by the
     rule leafs module-name, rpc-name, notification-name and
     access-operations, where '*' stands for every possible value. -->
<typedef name="matchall-string-type">
  <type name="string">
    <pattern value="\*"/>
  </type>
  <description>
    <text>The string containing a single asterisk '*' is used
to conceptually represent all possible values
for the particular leaf using this data type.</text>
  </description>
</typedef>
<!-- Bit set naming the operations a rule can cover: create, read, update,
     delete and exec. A rule's 'access-operations' leaf matches when the bit
     for the requested operation is set (or when the leaf is '*').
     Note that 'read' also covers notifications that return a node's value. -->
<typedef name="access-operations-type">
  <type name="bits">
    <bit name="create">
      <description>
        <text>Any protocol operation that creates a
new data node.</text>
      </description>
    </bit>
    <bit name="read">
      <description>
        <text>Any protocol operation or notification that
returns the value of a data node.</text>
      </description>
    </bit>
    <bit name="update">
      <description>
        <text>Any protocol operation that alters an existing
data node.</text>
      </description>
    </bit>
    <bit name="delete">
      <description>
        <text>Any protocol operation that removes a data node.</text>
      </description>
    </bit>
    <bit name="exec">
      <description>
        <text>Execution access to the specified protocol operation.</text>
      </description>
    </bit>
  </type>
  <description>
    <text>NETCONF Access Operation.</text>
  </description>
</typedef>
<!-- Name of an administrative group.
     Two constraints: at least one character, and the first character must
     not be an asterisk. The second one keeps a group name from ever being
     (or starting like) the '*' wildcard of matchall-string-type, so the
     union in rule-list/group stays unambiguous. -->
<typedef name="group-name-type">
  <type name="string">
    <length value="1..max"/>
    <pattern value="[^\*].*"/>
  </type>
  <description>
    <text>Name of administrative group to which
users can be assigned.</text>
  </description>
</typedef>
<!-- Outcome of an access decision: 'permit' or 'deny'.
     Used both for the 'action' of an individual rule and for the
     read-default, write-default and exec-default leafs that apply when no
     rule matches. -->
<typedef name="action-type">
  <type name="enumeration">
    <enum name="permit">
      <description>
        <text>Requested action is permitted.</text>
      </description>
    </enum>
    <enum name="deny">
      <description>
        <text>Requested action is denied.</text>
      </description>
    </enum>
  </type>
  <description>
    <text>Action taken by the server when a particular
rule matches.</text>
  </description>
</typedef>
<!-- Path type used by the 'path' leaf of a data-node rule.
     It is an XPath 1.0 string restricted to instance-identifier syntax, with
     one relaxation: key predicates may be left out.
     Review point for rule authors: a path without a key predicate covers
     every instance of that list entry, so it is broader than a fully keyed
     path. Evaluation context per the description: namespace declarations
     come from the leaf element carrying the value, the single variable USER
     holds the session's user name, no functions are allowed, and the context
     node is the root of the data tree. -->
<typedef name="node-instance-identifier">
  <type name="yang:xpath1.0"/>
  <description>
    <text>Path expression used to represent a special
data node instance identifier string.

A node-instance-identifier value is an
unrestricted YANG instance-identifier expression.
All the same rules as an instance-identifier apply
except predicates for keys are optional. If a key
predicate is missing, then the node-instance-identifier
represents all possible server instances for that key.

This XPath expression is evaluated in the following context:

o The set of namespace declarations are those in scope on
the leaf element where this type is used.

o The set of variable bindings contains one variable,
'USER', which contains the name of the user of the current
session.

o The function library is the core function library, but
note that due to the syntax restrictions of an
instance-identifier, no functions are allowed.

o The context node is the root node in the data tree.</text>
  </description>
</typedef>
<!-- Root of the NACM configuration and counters.
     The container is tagged nacm:default-deny-all, so while NACM is enabled
     the whole subtree (rules, groups, defaults) can be read or changed only
     by the recovery session or by users holding an explicit rule for it. -->
<container name="nacm">
  <nacm:default-deny-all/>
  <description>
    <text>Parameters for NETCONF Access Control Model.</text>
  </description>

  <!-- Master switch, default 'true'. Setting it to 'false' turns off all
       enforcement, including the default-deny-write and default-deny-all
       tags, whose descriptions make them conditional on this leaf. Changes
       to this leaf are worth auditing. -->
  <leaf name="enable-nacm">
    <type name="boolean"/>
    <default value="true"/>
    <description>
      <text>Enables or disables all NETCONF access control
enforcement. If 'true', then enforcement
is enabled. If 'false', then enforcement
is disabled.</text>
    </description>
  </leaf>

  <!-- Fallback for reads when no rule matches. The default is 'permit', so
       an empty rule set leaves data readable; set 'deny' explicitly where
       unlisted data must not be readable. -->
  <leaf name="read-default">
    <type name="action-type"/>
    <default value="permit"/>
    <description>
      <text>Controls whether read access is granted if
no appropriate rule is found for a
particular read request.</text>
    </description>
  </leaf>

  <!-- Fallback for create, update and delete when no rule matches. The
       default is 'deny', the only one of the three fallbacks that is closed
       out of the box. -->
  <leaf name="write-default">
    <type name="action-type"/>
    <default value="deny"/>
    <description>
      <text>Controls whether create, update, or delete access
is granted if no appropriate rule is found for a
particular write request.</text>
    </description>
  </leaf>

  <!-- Fallback for protocol operation requests when no rule matches. The
       default is 'permit'; set 'deny' where operations must be allowed only
       by explicit rules. -->
  <leaf name="exec-default">
    <type name="action-type"/>
    <default value="permit"/>
    <description>
      <text>Controls whether exec access is granted if no appropriate
rule is found for a particular protocol operation request.</text>
    </description>
  </leaf>

  <!-- Default 'true': group names reported by the transport layer are used
       when the user is mapped to NACM groups, in addition to the configured
       'groups' list. Set 'false' when the transport's group information is
       not an authority you want access decisions to depend on. -->
  <leaf name="enable-external-groups">
    <type name="boolean"/>
    <default value="true"/>
    <description>
      <text>Controls whether the server uses the groups reported by the
NETCONF transport layer when it assigns the user to a set of
NACM groups. If this leaf has the value 'false', any group
names reported by the transport layer are ignored by the
server.</text>
    </description>
  </leaf>

  <!-- Read-only counters (config 'false', always present). All three count
       since the last server restart, so a monitoring system should expect
       them to fall back to zero after a restart. A rising value indicates
       requests being refused by access control. -->
  <leaf name="denied-operations">
    <type name="yang:zero-based-counter32"/>
    <config value="false"/>
    <mandatory value="true"/>
    <description>
      <text>Number of times since the server last restarted that a
protocol operation request was denied.</text>
    </description>
  </leaf>
  <leaf name="denied-data-writes">
    <type name="yang:zero-based-counter32"/>
    <config value="false"/>
    <mandatory value="true"/>
    <description>
      <text>Number of times since the server last restarted that a
protocol operation request to alter
a configuration datastore was denied.</text>
    </description>
  </leaf>
  <leaf name="denied-notifications">
    <type name="yang:zero-based-counter32"/>
    <config value="false"/>
    <mandatory value="true"/>
    <description>
      <text>Number of times since the server last restarted that
a notification was dropped for a subscription because
access to the event type was denied.</text>
    </description>
  </leaf>

  <!-- Locally configured group membership. Per the list description, groups
       learned from a transport protocol never appear here, so this list
       alone does not show every group a session may end up in while
       enable-external-groups is 'true'. -->
  <container name="groups">
    <description>
      <text>NETCONF Access Control Groups.</text>
    </description>
    <list name="group">
      <key value="name"/>
      <description>
        <text>One NACM Group Entry. This list will only contain
configured entries, not any entries learned from
any transport protocols.</text>
      </description>
      <leaf name="name">
        <type name="group-name-type"/>
        <description>
          <text>Group name associated with this entry.</text>
        </description>
      </leaf>
      <leaf-list name="user-name">
        <type name="user-name-type"/>
        <description>
          <text>Each entry identifies the username of
a member of the group associated with
this entry.</text>
        </description>
      </leaf-list>
    </list>
  </container>

  <!-- Rule lists are ordered by the user (ordered-by 'user'), and so are the
       rules inside each list. Order is therefore part of the policy and must
       be preserved when the configuration is copied or regenerated. -->
  <list name="rule-list">
    <key value="name"/>
    <ordered-by value="user"/>
    <description>
      <text>An ordered collection of access control rules.</text>
    </description>
    <leaf name="name">
      <type name="string">
        <length value="1..max"/>
      </type>
      <description>
        <text>Arbitrary name assigned to the rule-list.</text>
      </description>
    </leaf>

    <!-- Groups the rule list applies to: either named groups or the single
         value '*', which makes the list apply to all groups. -->
    <leaf-list name="group">
      <type name="union">
        <type name="matchall-string-type"/>
        <type name="group-name-type"/>
      </type>
      <description>
        <text>List of administrative groups that will be
assigned the associated access rights
defined by the 'rule' list.

The string '*' indicates that all groups apply to the
entry.</text>
      </description>
    </leaf-list>

    <!-- One rule. Processing stops at the first match, so a broad rule placed
         ahead of a narrower one decides the request and the narrower rule is
         never reached.
         Review point: module-name and access-operations both default to '*'
         and a rule-type choice with no leaf matches every request, so a rule
         that sets only 'name' and 'action' matches everything. -->
    <list name="rule">
      <key value="name"/>
      <ordered-by value="user"/>
      <description>
        <text>One access control rule.

Rules are processed in user-defined order until a match is
found. A rule matches if 'module-name', 'rule-type', and
'access-operations' match the request. If a rule
matches, the 'action' leaf determines if access is granted
or not.</text>
      </description>
      <leaf name="name">
        <type name="string">
          <length value="1..max"/>
        </type>
        <description>
          <text>Arbitrary name assigned to the rule.</text>
        </description>
      </leaf>

      <!-- Module filter; defaults to '*' (any module). The second union
           member is an unconstrained string, so a misspelt module name is
           accepted by the schema.
           NOTE(review): presumably such a rule then never matches; confirm
           how the server treats unknown module names. -->
      <leaf name="module-name">
        <type name="union">
          <type name="matchall-string-type"/>
          <type name="string"/>
        </type>
        <default value="*"/>
        <description>
          <text>Name of the module associated with this rule.

This leaf matches if it has the value '*' or if the
object being accessed is defined in the module with the
specified module name.</text>
        </description>
      </leaf>

      <!-- What kind of object the rule targets: a protocol operation, a
           notification, or a data node. Leaving the choice empty matches all
           requests. -->
      <choice name="rule-type">
        <description>
          <text>This choice matches if all leafs present in the rule
match the request. If no leafs are present, the
choice matches all requests.</text>
        </description>
        <case name="protocol-operation">
          <leaf name="rpc-name">
            <type name="union">
              <type name="matchall-string-type"/>
              <type name="string"/>
            </type>
            <description>
              <text>This leaf matches if it has the value '*' or if
its value equals the requested protocol operation
name.</text>
            </description>
          </leaf>
        </case>
        <case name="notification">
          <leaf name="notification-name">
            <type name="union">
              <type name="matchall-string-type"/>
              <type name="string"/>
            </type>
            <description>
              <text>This leaf matches if it has the value '*' or if its
value equals the requested notification name.</text>
            </description>
          </leaf>
        </case>
        <case name="data-node">
          <!-- Required once the data-node case is chosen. The value '/'
               covers all datastore contents, and a path that omits key
               predicates covers every instance of the list it names. -->
          <leaf name="path">
            <type name="node-instance-identifier"/>
            <mandatory value="true"/>
            <description>
              <text>Data Node Instance Identifier associated with the
data node controlled by this rule.

Configuration data or state data instance
identifiers start with a top-level data node. A
complete instance identifier is required for this
type of path value.

The special value '/' refers to all possible
datastore contents.</text>
            </description>
          </leaf>
        </case>
      </choice>

      <!-- Operation filter; defaults to '*' (all operations). Listing the
           needed bits explicitly keeps a permit rule from granting more
           operations than intended. -->
      <leaf name="access-operations">
        <type name="union">
          <type name="matchall-string-type"/>
          <type name="access-operations-type"/>
        </type>
        <default value="*"/>
        <description>
          <text>Access operations associated with this rule.

This leaf matches if it has the value '*' or if the
bit corresponding to the requested operation is set.</text>
        </description>
      </leaf>

      <!-- Mandatory and without a default: every rule has to state permit or
           deny explicitly. -->
      <leaf name="action">
        <type name="action-type"/>
        <mandatory value="true"/>
        <description>
          <text>The access control action associated with the
rule. If a rule is determined to match a
particular request, then this object is used
to determine whether to permit or deny the
request.</text>
        </description>
      </leaf>

      <!-- Free-text note; the rule description does not list it among the
           leafs that take part in matching. -->
      <leaf name="comment">
        <type name="string"/>
        <description>
          <text>A textual description of the access rule.</text>
        </description>
      </leaf>
    </list>
  </list>
</container>
</module>