<module xmlns="urn:ietf:params:xml:ns:yang:yin:1" xmlns:nacm="urn:ietf:params:xml:ns:yang:ietf-netconf-acm" xmlns:yang="urn:ietf:params:xml:ns:yang:ietf-yang-types" name="ietf-netconf-acm-when">

  <namespace uri="urn:ietf:params:xml:ns:yang:ietf-netconf-acm"/>

  <prefix value="nacm"/>

  <import module="ietf-yang-types">

    <prefix value="yang"/>

  </import>

  <organization>

    <text>IETF NETCONF (Network Configuration) Working Group</text>

  </organization>

  <contact>

    <text>WG Web:   <http://tools.ietf.org/wg/netconf/>

WG List:  <mailto:netconf@ietf.org>

WG Chair: Mehmet Ersue

          <mailto:mehmet.ersue@nsn.com>

WG Chair: Bert Wijnen

          <mailto:bertietf@bwijnen.net>

Editor:   Andy Bierman

          <mailto:andy@yumaworks.com>

Editor:   Martin Bjorklund

          <mailto:mbj@tail-f.com></text>

  </contact>

  <description>

    <text>NETCONF Access Control Model.

Copyright (c) 2012 IETF Trust and the persons identified as

authors of the code.  All rights reserved.

Redistribution and use in source and binary forms, with or

without modification, is permitted pursuant to, and subject

to the license terms contained in, the Simplified BSD

License set forth in Section 4.c of the IETF Trust's

Legal Provisions Relating to IETF Documents

(http://trustee.ietf.org/license-info).

This version of this YANG module is part of RFC 6536; see

the RFC itself for full legal notices.</text>

  </description>

  <revision date="2012-02-22">

    <description>

      <text>Initial version</text>

    </description>

    <reference>

      <text>RFC 6536: Network Configuration Protocol (NETCONF)

          Access Control Model</text>

    </reference>

  </revision>

  <extension name="default-deny-write">

    <description>

      <text>Used to indicate that the data model node

represents a sensitive security system parameter.

If present, and the NACM module is enabled (i.e.,

/nacm/enable-nacm object equals 'true'), the NETCONF server

will only allow the designated 'recovery session' to have

write access to the node.  An explicit access control rule is

required for all other users.

The 'default-deny-write' extension MAY appear within a data

definition statement.  It is ignored otherwise.</text>

    </description>

  </extension>

  <extension name="default-deny-all">

    <description>

      <text>Used to indicate that the data model node

controls a very sensitive security system parameter.

If present, and the NACM module is enabled (i.e.,

/nacm/enable-nacm object equals 'true'), the NETCONF server

will only allow the designated 'recovery session' to have

read, write, or execute access to the node.  An explicit

access control rule is required for all other users.

The 'default-deny-all' extension MAY appear within a data

definition statement, 'rpc' statement, or 'notification'

statement.  It is ignored otherwise.</text>

    </description>

  </extension>

  <typedef name="user-name-type">

    <type name="string">

      <length value="1..max"/>

    </type>

    <description>

      <text>General Purpose Username string.</text>

    </description>

  </typedef>

  <typedef name="matchall-string-type">

    <type name="string">

      <pattern value="\*"/>

    </type>

    <description>

      <text>The string containing a single asterisk '*' is used

to conceptually represent all possible values

for the particular leaf using this data type.</text>

    </description>

  </typedef>

  <typedef name="access-operations-type">

    <type name="bits">

      <bit name="create">

        <description>

          <text>Any protocol operation that creates a

new data node.</text>

        </description>

      </bit>

      <bit name="read">

        <description>

          <text>Any protocol operation or notification that

returns the value of a data node.</text>

        </description>

      </bit>

      <bit name="update">

        <description>

          <text>Any protocol operation that alters an existing

data node.</text>

        </description>

      </bit>

      <bit name="delete">

        <description>

          <text>Any protocol operation that removes a data node.</text>

        </description>

      </bit>

      <bit name="exec">

        <description>

          <text>Execution access to the specified protocol operation.</text>

        </description>

      </bit>

    </type>

    <description>

      <text>NETCONF Access Operation.</text>

    </description>

  </typedef>

  <typedef name="group-name-type">

    <type name="string">

      <length value="1..max"/>

      <pattern value="[^\*].*"/>

    </type>

    <description>

      <text>Name of administrative group to which

users can be assigned.</text>

    </description>

  </typedef>

  <typedef name="action-type">

    <type name="enumeration">

      <enum name="permit">

        <description>

          <text>Requested action is permitted.</text>

        </description>

      </enum>

      <enum name="deny">

        <description>

          <text>Requested action is denied.</text>

        </description>

      </enum>

    </type>

    <description>

      <text>Action taken by the server when a particular

rule matches.</text>

    </description>

  </typedef>

  <typedef name="node-instance-identifier">

    <type name="yang:xpath1.0"/>

    <description>

      <text>Path expression used to represent a special

data node instance identifier string.

A node-instance-identifier value is an

unrestricted YANG instance-identifier expression.

All the same rules as an instance-identifier apply

except predicates for keys are optional.  If a key

predicate is missing, then the node-instance-identifier

represents all possible server instances for that key.

This XPath expression is evaluated in the following context:

 o  The set of namespace declarations are those in scope on

    the leaf element where this type is used.

 o  The set of variable bindings contains one variable,

    'USER', which contains the name of the user of the current

     session.

 o  The function library is the core function library, but

    note that due to the syntax restrictions of an

    instance-identifier, no functions are allowed.

 o  The context node is the root node in the data tree.</text>

    </description>

  </typedef>

  <container name="nacm">

    <nacm:default-deny-all/>

    <description>

      <text>Parameters for NETCONF Access Control Model.</text>

    </description>

    <leaf name="enable-nacm">

      <type name="boolean"/>

      <default value="true"/>

      <description>

        <text>Enables or disables all NETCONF access control

enforcement.  If 'true', then enforcement

is enabled.  If 'false', then enforcement

is disabled.</text>

      </description>

    </leaf>

    <leaf name="read-default">

      <type name="action-type"/>

      <default value="permit"/>

      <description>

        <text>Controls whether read access is granted if

no appropriate rule is found for a

particular read request.</text>

      </description>

    </leaf>

    <leaf name="write-default">

      <type name="action-type"/>

      <default value="deny"/>

      <description>

        <text>Controls whether create, update, or delete access

is granted if no appropriate rule is found for a

particular write request.</text>

      </description>

    </leaf>

    <leaf name="exec-default">

      <type name="action-type"/>

      <default value="permit"/>

      <description>

        <text>Controls whether exec access is granted if no appropriate

rule is found for a particular protocol operation request.</text>

      </description>

    </leaf>

    <leaf name="enable-external-groups">

      <type name="boolean"/>

      <default value="true"/>

      <description>

        <text>Controls whether the server uses the groups reported by the

NETCONF transport layer when it assigns the user to a set of

NACM groups.  If this leaf has the value 'false', any group

names reported by the transport layer are ignored by the

server.</text>

      </description>

    </leaf>

    <leaf name="denied-operations">

      <type name="yang:zero-based-counter32"/>

      <config value="false"/>

      <mandatory value="true"/>

      <description>

        <text>Number of times since the server last restarted that a

protocol operation request was denied.</text>

      </description>

    </leaf>

    <leaf name="denied-data-writes">

      <type name="yang:zero-based-counter32"/>

      <config value="false"/>

      <mandatory value="true"/>

      <when value="../denied-operations > 0"/>

      <description>

        <text>Number of times since the server last restarted that a

protocol operation request to alter

a configuration datastore was denied.</text>

      </description>

    </leaf>

    <leaf name="denied-notifications">

      <type name="yang:zero-based-counter32"/>

      <config value="false"/>

      <mandatory value="true"/>

      <description>

        <text>Number of times since the server last restarted that

a notification was dropped for a subscription because

access to the event type was denied.</text>

      </description>

    </leaf>

    <container name="groups">

      <description>

        <text>NETCONF Access Control Groups.</text>

      </description>

      <list name="group">

        <key value="name"/>

        <description>

          <text>One NACM Group Entry.  This list will only contain

configured entries, not any entries learned from

any transport protocols.</text>

        </description>

        <leaf name="name">

          <type name="group-name-type"/>

          <description>

            <text>Group name associated with this entry.</text>

          </description>

        </leaf>

        <leaf-list name="user-name">

          <type name="user-name-type"/>

          <description>

            <text>Each entry identifies the username of

a member of the group associated with

this entry.</text>

          </description>

        </leaf-list>

      </list>

    </container>

    <list name="rule-list">

      <key value="name"/>

      <ordered-by value="user"/>

      <description>

        <text>An ordered collection of access control rules.</text>

      </description>

      <leaf name="name">

        <type name="string">

          <length value="1..max"/>

        </type>

        <description>

          <text>Arbitrary name assigned to the rule-list.</text>

        </description>

      </leaf>

      <leaf-list name="group">

        <type name="union">

          <type name="matchall-string-type"/>

          <type name="group-name-type"/>

        </type>

        <description>

          <text>List of administrative groups that will be

assigned the associated access rights

defined by the 'rule' list.

The string '*' indicates that all groups apply to the

entry.</text>

        </description>

      </leaf-list>

      <list name="rule">

        <key value="name"/>

        <ordered-by value="user"/>

        <description>

          <text>One access control rule.

Rules are processed in user-defined order until a match is

found.  A rule matches if 'module-name', 'rule-type', and

'access-operations' match the request.  If a rule

matches, the 'action' leaf determines if access is granted

or not.</text>

        </description>

        <leaf name="name">

          <type name="string">

            <length value="1..max"/>

          </type>

          <description>

            <text>Arbitrary name assigned to the rule.</text>

          </description>

        </leaf>

        <leaf name="module-name">

          <type name="union">

            <type name="matchall-string-type"/>

            <type name="string"/>

          </type>

          <default value="*"/>

          <description>

            <text>Name of the module associated with this rule.

This leaf matches if it has the value '*' or if the

object being accessed is defined in the module with the

specified module name.</text>

          </description>

        </leaf>

        <choice name="rule-type">

          <description>

            <text>This choice matches if all leafs present in the rule

match the request.  If no leafs are present, the

choice matches all requests.</text>

          </description>

          <case name="protocol-operation">

            <leaf name="rpc-name">

              <type name="union">

                <type name="matchall-string-type"/>

                <type name="string"/>

              </type>

              <description>

                <text>This leaf matches if it has the value '*' or if

its value equals the requested protocol operation

name.</text>

              </description>

            </leaf>

          </case>

          <case name="notification">

            <leaf name="notification-name">

              <type name="union">

                <type name="matchall-string-type"/>

                <type name="string"/>

              </type>

              <description>

                <text>This leaf matches if it has the value '*' or if its

value equals the requested notification name.</text>

              </description>

            </leaf>

          </case>

          <case name="data-node">

            <leaf name="path">

              <type name="node-instance-identifier"/>

              <mandatory value="true"/>

              <description>

                <text>Data Node Instance Identifier associated with the

data node controlled by this rule.

Configuration data or state data instance

identifiers start with a top-level data node.  A

complete instance identifier is required for this

type of path value.

The special value '/' refers to all possible

datastore contents.</text>

              </description>

            </leaf>

          </case>

        </choice>

        <leaf name="access-operations">

          <type name="union">

            <type name="matchall-string-type"/>

            <type name="access-operations-type"/>

          </type>

          <default value="*"/>

          <description>

            <text>Access operations associated with this rule.

This leaf matches if it has the value '*' or if the

bit corresponding to the requested operation is set.</text>

          </description>

        </leaf>

        <leaf name="action">

          <type name="action-type"/>

          <mandatory value="true"/>

          <description>

            <text>The access control action associated with the

rule.  If a rule is determined to match a

particular request, then this object is used

to determine whether to permit or deny the

request.</text>

          </description>

        </leaf>

        <leaf name="comment">

          <type name="string"/>

          <description>

            <text>A textual description of the access rule.</text>

          </description>

        </leaf>

      </list>

    </list>

  </container>

</module>