By default, the NSO adapter connects to NSO using a single global service account (machineLogin). To enable per-user authorization — where Platform makes NSO calls on behalf of individual authenticated users — configure external authentication using the ph-auth.py script and set the adapter to tokenLogin.
This page covers external authentication setup and NSO NETCONF Access Control Model (NACM) configuration.
External authentication allows NSO to validate user identities against Itential Platform. When a workflow performs an NSO operation, NSO calls the ph-auth.py script, which queries Platform and returns the user’s group memberships. NSO then applies NACM rules based on those groups.
Network connectivity is required between NSO and Platform (typically port 3000) for external authentication to function.
The following must be installed on the NSO server:
Edit /etc/ncs/ncs.conf to enable external authentication. Keep local or PAM authentication configured alongside external authentication while you set it up, so that an error in the external configuration does not lock you out of NSO. Local authentication can be disabled once external authentication is confirmed working.
Restart NSO after saving changes:
In the NSO adapter service config in Platform, change authenticationStrategy.method from machineLogin to tokenLogin:
When using tokenLogin, verify that users map to the correct southbound device credentials in NSO. Run the following for each authentication group, substituting the appropriate device credentials:
NSO’s NETCONF Access Control Model (NACM) controls which users and groups can access which devices and services. The itential_tools package includes sample NACM rules to get started.
The sample NACM rules assume three groups, shared between Platform and NSO:
The groups returned by the NSO AAA provider (via ph-auth.py) must match the group names defined in your NACM rule-lists. A mismatch will cause authorization failures even when authentication succeeds.
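As an added illustration of the script contract described above (this is not the ph-auth.py shipped in itential_tools), the following Python script follows NSO's external-authentication interface: NSO writes one `[user;password;]` line to the script's stdin and reads back a single `accept <groups> <uid> <gid> <supplementary-gids> <home>` or `reject <reason>` line. With tokenLogin the password field carries the user's Platform token. The Platform endpoint and base URL, the uid/gid/home values and the NACM group names are assumptions; the script rejects a user whose Platform groups match none of the NACM rule-list groups, so the mismatch is reported at authentication time rather than surfacing as a NACM deny on every request.

```python
import json
import sys
import urllib.parse
import urllib.request

# NACM rule-list <group> names (constructed placeholders; use sample-nacm-rules.xml).
NACM_GROUPS = {"admin", "oper", "users"}
PLATFORM_URL = "http://platform.example:3000"  # assumed; page only says port 3000

def parse_credentials(line: str) -> tuple[str, str]:
    """Parse the '[user;password;]' line NSO writes to stdin. The secret is
    everything between the first ';' and the closing ';]', so a Platform token
    containing ';' survives intact."""
    line = line.rstrip("\r\n")
    if not (line.startswith("[") and line.endswith(";]")):
        raise ValueError("malformed NSO authentication line")
    user, sep, secret = line[1:-2].partition(";")
    if not sep or not user:
        raise ValueError("malformed NSO authentication line")
    return user, secret

def lookup_groups(user: str, token: str) -> list[str]:
    """Query Platform for the user's groups (hypothetical endpoint and response)."""
    url = f"{PLATFORM_URL}/authorization/groups?user={urllib.parse.quote(user)}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return list(json.load(resp)["groups"])

def render_decision(groups: list[str], uid: int = 1000, gid: int = 1000,
                    home: str = "/var/opt/ncs/homes/nso") -> str:
    """Build the reply line NSO expects. A user whose groups match no NACM
    rule-list is rejected at login instead of being denied on every request."""
    unknown = [g for g in groups if g not in NACM_GROUPS]
    if len(unknown) == len(groups):
        return "reject no Platform group matches a NACM rule-list group"
    if unknown:
        print(f"warning: groups unused by NACM: {','.join(unknown)}", file=sys.stderr)
    return f"accept {','.join(groups)} {uid} {gid} {gid} {home}"

def main() -> None:
    user, token = parse_credentials(sys.stdin.readline())
    try:
        groups = lookup_groups(user, token)
    except Exception as exc:  # any lookup failure is a reject, never an accept
        print(f"reject Platform lookup failed: {type(exc).__name__}")
        return
    print(render_decision(groups))

if __name__ == "__main__":
    main()
```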
The sample rules include three rule-lists:
Load the included sample-nacm-rules.xml file into the NSO CDB:
Review the commit dry-run output before committing to confirm the rules are correct for your environment.
The sample rules include a rule-list for whitelisting devices to the users group. Add each device that users should be able to access:
In a NACM-enabled system, any device added to NSO — whether configured manually or onboarded through a Platform workflow — must have its NACM group assignments defined at the time of onboarding.
Add service model instances to the users whitelist. To whitelist all instances of a service model:
To whitelist a single service instance:
In a NACM-enabled system, any new service instance added to NSO must have its NACM group assignments defined. Service instances may be restricted to a single group or made accessible to multiple groups using separate NACM rules.