Authorization profiles can be configured in any format including the classic CLI and the MD-CLI. Depending on the configuration, a match may be hit.
Each entry in a profile can be formatted for the classic CLI or the MD-CLI. Nokia recommends creating separate profiles for each interface type. For example, a profile for the classic CLI and a different profile for the MD-CLI.
Authorization checks are not performed by default for telemetry data. All configuration and state elements are available to authenticated telemetry subscriptions, with the exception of LI (Lawful Intercept) configuration and state elements, which are authorized separately based on the LI authorization configuration. To control telemetry data authorization, use the classic CLI configure>system>security>managment-interface>output-authorization> telemetry-data command or the MD-CLI configure system security aaa management-interface output-authorization telemetry-data command.
Table: Authorization and match hit based on entry format shows authorization and match hit based on the entry format configuration. This is true whether authorization is done using local user profiles or using an AAA server like TACACS+ or RADIUS.
| Profile entry format | Classic CLI | MD-CLI | NETCONF | gNMI set and get (gRPC) |
|---|---|---|---|---|
Classic CLI |
Yes |
Maybe |
Maybe |
Maybe |
MD-CLI |
Maybe |
Yes |
Yes |
Yes |