Hi All,

Consider that we have a physical device where an LNE (say "lne1") has been created. This LNE will be mounting some modules.

Note: For brevity's sake, I have not included the prefix for each node in the xpaths mentioned below.

Consider the following scenario:

1. NACM module exists at the same level as the LNE module, and it has a rule to 'permit' create operation on /logical-network-elements/logical-network-element/root/interfaces path on group 'g1'.
2. NACM module also exists 'mounted' under the LNE "lne1" instance, and it has a rule to 'deny' create operation on /interfaces path on group 'g1'.

The question arises: when an <edit-config> create operation is sent on the /logical-network-elements/logical-network-element/root/interfaces path, which rule is matched first? (Consider that the user belongs to group 'g1'.)

My thought is as below:

1. As per NACM rules, when the physical device rules are checked, we arrive at a result to permit/deny.
2. So there is no chance to check the rules under the mount-point at all.

Hence there is no point in mounting a NACM module at all.

Any other thoughts?

With Regards,
Rohit
