Balazs Lengyel wrote:
Hello,

You are right, we need access control. For this reason each action defined in the data model should be defined as read/write/disturb-traffic.

  read: it only reads configuration and state data and doesn't affect the traffic
  write: it writes configuration data, but does not disturb the traffic
  disturb-traffic: means it can do anything.

I prefer these well-known hierarchical enumerations for max-access:

  read-only (read or notify)
  read-write (all operations except create & delete)
  read-create (all access)

Andy

One can debate that these are the good categories for access control. Still, the basic statement is that for each action defined in the data model you need to specify its access properties in the data model as well.

Balazs

Andy Bierman wrote:
Your access control model should be more robust than simply allowing user X to do anything called <action>. I don't see what benefit an intermediate SW component can realize if an extra generic container is added to <rpc>.

-- to unsubscribe send a message to netconf-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/netconf/>