From ffecebf32ad5c2883b8d49daf254544a28069f69 Mon Sep 17 00:00:00 2001
From: Olof hagsand <olof@hagsand.se>
Date: Sun, 27 Jan 2019 13:26:15 +0100
Subject: [PATCH] * NACM Data node READ access module support (RFC8341 3.4.5)  
  * Access control points added for `get` and `get-config` in addition to
 incoming rpc.    * RFC 8341 Example A.2 implemented, see:
 [test/test_nacm_module.sh] * Added `username` argument on `xmldb_put()`
 datastore function for NACM data-node write checks * Added
 `xml_rootchild_node()` lib function as variant of `xml_rootchild()`

---
 CHANGELOG.md                       |  10 +-
 apps/backend/backend_client.c      |  87 ++++--
 apps/backend/backend_commit.c      |   6 +-
 apps/backend/backend_main.c        |   9 +-
 apps/restconf/restconf_methods.c   |  14 +-
 datastore/datastore_client.c       |   2 +-
 datastore/text/clixon_xmldb_text.c |  63 ++++-
 datastore/text/clixon_xmldb_text.h |   2 +-
 example/example_backend.c          |   2 +-
 lib/clixon/clixon_nacm.h           |   5 +-
 lib/clixon/clixon_xml.h            |   1 +
 lib/clixon/clixon_xml_db.h         |   4 +-
 lib/src/clixon_nacm.c              | 419 ++++++++++++++++++++++++-----
 lib/src/clixon_xml.c               |  41 ++-
 lib/src/clixon_xml_db.c            |   6 +-
 lib/src/clixon_xml_map.c           |   2 +-
 test/lib.sh                        |   5 +-
 test/test_nacm.sh                  |   2 +-
 test/test_nacm_ext.sh              |   2 +-
 test/test_nacm_module.sh           | 119 ++++++--
 20 files changed, 656 insertions(+), 145 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 088d8a70..8f5079e3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -77,12 +77,17 @@
     * CLICON_YANG_MAIN_FILE Provides a filename with a single module filename.
     * CLICON_YANG_MAIN_DIR Provides a directory where all yang modules should be loaded.
 * NACM extension (RFC8341)
-  * NACM module support (RFC8341 A1+A2)
+  * NACM Data node READ access module support (RFC8341 3.4.5)
+    * Access control points added for `get` and `get-config` in addition to incoming rpc.
+    * RFC 8341 Example A.2 implemented, see: [test/test_nacm_module.sh]
+  * Remaining work:
+    * data-node module write/create/delete/update
+    * data-node path 
   * Recovery user "_nacm_recovery" added.
     * Example use is restconf PUT when NACM edit-config is permitted, then automatic commit and discard are permitted using recovery user.
-  * Example user changed adm1 to andy to comply with RFC8341 example
 	
 ### API changes on existing features (you may need to change your code)
+* Added `username` argument on `xmldb_put()` datastore function for NACM data-node write checks
 * Rearranged yang files
   * Moved and updated all standard ietf and iana yang files from example and yang/ to `yang/standard`.
   * Moved clixon yang files from yang to `yang/clixon`
@@ -112,6 +117,7 @@
   * For backward compatibility, define CLICON_CLI_MODEL_TREENAME_PATCH in clixon_custom.h
 
 ### Minor changes
+* Added `xml_rootchild_node()` lib function as variant of `xml_rootchild()`
 * Added -o "<option>=<value>" command-line option to all programs: backend, cli, netconf, restconf.
   * Any config option from file can be overrided by giving them on command-line.
 * Added -p <dir> command-line option to all programs: backend, cli, netconf, restconf.
diff --git a/apps/backend/backend_client.c b/apps/backend/backend_client.c
index f8766206..c9efa40a 100644
--- a/apps/backend/backend_client.c
+++ b/apps/backend/backend_client.c
@@ -177,14 +177,19 @@ netconf_db_find(cxobj *xn,
 static int
 from_client_get_config(clicon_handle h,
 		       cxobj        *xe,
+		       char         *username,
 		       cbuf         *cbret)
 {
-    int    retval = -1;
-    char  *db;
-    cxobj *xfilter;
-    char  *selector = "/";
-    cxobj *xret = NULL;
-    cbuf  *cbx = NULL; /* Assist cbuf */
+    int     retval = -1;
+    char   *db;
+    cxobj  *xfilter;
+    char   *xpath = "/";
+    cxobj  *xret = NULL;
+    cbuf   *cbx = NULL; /* Assist cbuf */
+    cxobj  *xnacm = NULL;
+    cxobj **xvec = NULL;
+    size_t  xlen;    
+    int     ret;
     
     if ((db = netconf_db_find(xe, "source")) == NULL){
 	clicon_err(OE_XML, 0, "db not found");
@@ -201,13 +206,23 @@ from_client_get_config(clicon_handle h,
 	goto ok;
     }
     if ((xfilter = xml_find(xe, "filter")) != NULL)
-	if ((selector = xml_find_value(xfilter, "select"))==NULL)
-	    selector="/";
-    if (xmldb_get(h, db, selector, 1, &xret) < 0){
+	if ((xpath = xml_find_value(xfilter, "select"))==NULL)
+	    xpath="/";
+    if (xmldb_get(h, db, xpath, 1, &xret) < 0){
 	if (netconf_operation_failed(cbret, "application", "read registry")< 0)
 	    goto done;
 	goto ok;
     }
+    /* Pre-NACM access step */
+    if ((ret = nacm_access(h, username, &xnacm)) < 0)
+	goto done;
+    if (ret == 0){ /* Do NACM validation */
+	if (xpath_vec(xret, "%s", &xvec, &xlen, xpath?xpath:"/") < 0)
+	    goto done;
+	/* NACM datanode/module read validation */
+	if (nacm_datanode_read(xret, xvec, xlen, username, xnacm) < 0) 
+	    goto done;
+    }
     cprintf(cbret, "<rpc-reply>");
     if (xret==NULL)
 	cprintf(cbret, "<data/>");
@@ -221,6 +236,10 @@ from_client_get_config(clicon_handle h,
  ok:
     retval = 0;
  done:
+    if (xnacm)
+	xml_free(xnacm);
+    if (xvec)
+	free(xvec);
     if (cbx)
 	cbuf_free(cbx);
     if (xret)
@@ -356,6 +375,7 @@ client_statedata(clicon_handle h,
 static int
 from_client_get(clicon_handle h,
 		cxobj        *xe,
+		char         *username,
 		cbuf         *cbret)
 {
     int     retval = -1;
@@ -363,7 +383,10 @@ from_client_get(clicon_handle h,
     char   *xpath = "/";
     cxobj  *xret = NULL;
     int     ret;
-    
+    cxobj **xvec = NULL;
+    size_t  xlen;    
+    cxobj  *xnacm = NULL;
+
     if ((xfilter = xml_find(xe, "filter")) != NULL)
 	if ((xpath = xml_find_value(xfilter, "select"))==NULL)
 	    xpath="/";
@@ -383,6 +406,16 @@ from_client_get(clicon_handle h,
 	    goto done;
 	goto ok;
     }
+    /* Pre-NACM access step */
+    if ((ret = nacm_access(h, username, &xnacm)) < 0)
+	goto done;
+    if (ret == 0){ /* Do NACM validation */
+	if (xpath_vec(xret, "%s", &xvec, &xlen, xpath?xpath:"/") < 0)
+	    goto done;
+	/* NACM datanode/module read validation */
+	if (nacm_datanode_read(xret, xvec, xlen, username, xnacm) < 0) 
+	    goto done;
+    }
     cprintf(cbret, "<rpc-reply>");     /* OK */
     if (xret==NULL)
 	cprintf(cbret, "<data/>");
@@ -396,6 +429,10 @@ from_client_get(clicon_handle h,
  ok:
     retval = 0;
  done:
+    if (xnacm)
+	xml_free(xnacm);
+    if (xvec)
+	free(xvec);
     if (xret)
 	xml_free(xret);
     return retval;
@@ -412,6 +449,7 @@ static int
 from_client_edit_config(clicon_handle h,
 			cxobj        *xn,
 			int           mypid,
+			char         *username,
 			cbuf         *cbret)
 {
     int                 retval = -1;
@@ -485,7 +523,7 @@ from_client_edit_config(clicon_handle h,
 	 */
 	if (xml_apply0(xc, CX_ELMNT, xml_sort, NULL) < 0)
 	    goto done;
-	if ((ret = xmldb_put(h, target, operation, xc, cbret)) < 0){
+	if ((ret = xmldb_put(h, target, operation, xc, username, cbret)) < 0){
 	    clicon_debug(1, "%s ERROR PUT", __FUNCTION__);	
 	    if (netconf_operation_failed(cbret, "protocol", clicon_err_reason)< 0)
 		goto done;
@@ -963,7 +1001,8 @@ from_client_msg(clicon_handle        h,
     yang_spec           *yspec;
     yang_stmt           *ye;
     yang_stmt           *ymod;
-
+    cxobj               *xnacm = NULL;
+    
     clicon_debug(1, "%s", __FUNCTION__);
     pid = ce->ce_pid;
     yspec = clicon_dbspec_yang(h); 
@@ -996,6 +1035,8 @@ from_client_msg(clicon_handle        h,
 	goto reply;
     xe = NULL;
     username = xml_find_value(x, "username");
+    /* May be used by callbacks, etc */
+    clicon_username_set(h, username);
     while ((xe = xml_child_each(x, xe, CX_ELMNT)) != NULL) {
 	rpc = xml_name(xe);
 	if ((ye = xml_spec(xe)) == NULL){
@@ -1009,17 +1050,25 @@ from_client_msg(clicon_handle        h,
 	}
 	module = ymod->ys_argument;
 	clicon_debug(1, "%s module:%s rpc:%s", __FUNCTION__, module, rpc);
-	/* Make NACM access control if enabled as "internal"*/
-	if ((ret = nacm_access(h, rpc, module, username, cbret)) < 0)
+	/* Pre-NACM access step */
+	xnacm = NULL;
+	if ((ret = nacm_access(h, username, &xnacm)) < 0)
 	    goto done;
-	if (ret == 0)
-	    goto reply;
+	if (ret == 0){ /* Do NACM validation */
+	    /* NACM rpc operation exec validation */
+	    if ((ret = nacm_rpc(rpc, module, username, xnacm, cbret)) < 0)
+		goto done;
+	    if (xnacm)
+		xml_free(xnacm);
+	    if (ret == 0) /* Not permitted and cbret set */
+		goto reply;
+	}
 	if (strcmp(rpc, "get-config") == 0){
-	    if (from_client_get_config(h, xe, cbret) <0)
+	    if (from_client_get_config(h, xe, username, cbret) <0)
 		goto done;
 	}
 	else if (strcmp(rpc, "edit-config") == 0){
-	    if (from_client_edit_config(h, xe, pid, cbret) <0)
+	    if (from_client_edit_config(h, xe, pid, username, cbret) <0)
 		goto done;
 	}
 	else if (strcmp(rpc, "copy-config") == 0){
@@ -1039,7 +1088,7 @@ from_client_msg(clicon_handle        h,
 		goto done;
 	}
 	else if (strcmp(rpc, "get") == 0){
-	    if (from_client_get(h, xe, cbret) < 0)
+	    if (from_client_get(h, xe, username, cbret) < 0)
 		goto done;
 	}
 	else if (strcmp(rpc, "close-session") == 0){
diff --git a/apps/backend/backend_commit.c b/apps/backend/backend_commit.c
index 8c406d69..19cc96d3 100644
--- a/apps/backend/backend_commit.c
+++ b/apps/backend/backend_commit.c
@@ -285,7 +285,8 @@ candidate_commit(clicon_handle h,
 
      /* Optionally write (potentially modified) tree back to candidate */
      if (clicon_option_bool(h, "CLICON_TRANSACTION_MOD")){
-	 if ((ret = xmldb_put(h, candidate, OP_REPLACE, td->td_target, cbret)) < 0)
+	 if ((ret = xmldb_put(h, candidate, OP_REPLACE, td->td_target,
+			      clicon_username_get(h), cbret)) < 0)
 	     goto done;
 	 if (ret == 0)
 	     goto fail;
@@ -440,7 +441,8 @@ from_client_validate(clicon_handle h,
     }
     /* Optionally write (potentially modified) tree back to candidate */
     if (clicon_option_bool(h, "CLICON_TRANSACTION_MOD")){
-	if ((ret = xmldb_put(h, "candidate", OP_REPLACE, td->td_target, cbret)) < 0)
+	if ((ret = xmldb_put(h, "candidate", OP_REPLACE, td->td_target,
+			     clicon_username_get(h), cbret)) < 0)
 	    goto done;
 	goto ok;
     }
diff --git a/apps/backend/backend_main.c b/apps/backend/backend_main.c
index c6a835fe..93e25bed 100644
--- a/apps/backend/backend_main.c
+++ b/apps/backend/backend_main.c
@@ -195,7 +195,7 @@ db_merge(clicon_handle h,
     if (xmldb_get(h, (char*)db1, NULL, 1, &xt) < 0)
 	goto done;
     /* Merge xml into db2. Without commit */
-    retval = xmldb_put(h, (char*)db2, OP_MERGE, xt, cbret);
+    retval = xmldb_put(h, (char*)db2, OP_MERGE, xt, clicon_username_get(h), cbret);
  done:
     if (xt)
 	xml_free(xt);
@@ -318,7 +318,7 @@ load_extraxml(clicon_handle h,
     if (xml_rootchild(xt, 0, &xt) < 0)
 	goto done;
     /* Merge user reset state */
-    retval = xmldb_put(h, (char*)db, OP_MERGE, xt, cbret);
+    retval = xmldb_put(h, (char*)db, OP_MERGE, xt, clicon_username_get(h), cbret);
  done:
     if (fd != -1)
 	close(fd);
@@ -857,6 +857,10 @@ main(int    argc,
 	    goto done;
     if (xmldb_setopt(h, "pretty", (void*)(intptr_t)clicon_option_bool(h, "CLICON_XMLDB_PRETTY")) < 0)
 	goto done;
+    if (xmldb_setopt(h, "nacm_mode", (void*)nacm_mode) < 0)
+	goto done;
+    if (xmldb_setopt(h, "nacm_xtree", (void*)clicon_nacm_ext(h)) < 0)
+	goto done;
     /* Startup mode needs to be defined,  */
     startup_mode = clicon_startup_mode(h);
     if (startup_mode == -1){ 	
@@ -906,7 +910,6 @@ main(int    argc,
 	}
     }
     /* Write pid-file */
-
     if ((pid = pidfile_write(pidfile)) <  0)
 	goto done;
 
diff --git a/apps/restconf/restconf_methods.c b/apps/restconf/restconf_methods.c
index 27512442..fcc266a9 100644
--- a/apps/restconf/restconf_methods.c
+++ b/apps/restconf/restconf_methods.c
@@ -643,18 +643,19 @@ match_list_keys(yang_stmt *y,
     char      *keyd;
 
     if (y->ys_keyword != Y_LIST &&y->ys_keyword != Y_LEAF_LIST)
-	return -1;
+	goto done;
     cvk = y->ys_cvec; /* Use Y_LIST cache, see ys_populate_list() */
     cvi = NULL;
     while ((cvi = cvec_each(cvk, cvi)) != NULL) {
 	keyname = cv_string_get(cvi);	    
 	if ((xkeya = xml_find(xapipath, keyname)) == NULL)
 	    goto done; /* No key in api-path */
-	    
-	keya = xml_body(xkeya);
+	if ((keya = xml_body(xkeya)) == NULL)
+	    goto done;
 	if ((xkeyd = xml_find(xdata, keyname)) == NULL)
 	    goto done; /* No key in data */
-	keyd = xml_body(xkeyd);
+	if ((keyd = xml_body(xkeyd)) == NULL)
+	    goto done;
 	if (strcmp(keya, keyd) != 0)
 	    goto done; /* keys dont match */
     }
@@ -778,7 +779,7 @@ api_data_put(clicon_handle h,
 		goto done;
 	    goto ok;
 	}
-    }      
+    }
     /* The message-body MUST contain exactly one instance of the
      * expected data resource. 
      */
@@ -807,6 +808,7 @@ api_data_put(clicon_handle h,
 	    goto ok;
 	}
     }
+    
     /* Add operation (create/replace) as attribute */
     if ((xa = xml_new("operation", x, NULL)) == NULL)
 	goto done;
@@ -831,6 +833,7 @@ api_data_put(clicon_handle h,
 	xml_name_set(xtop, "config");
     }
     else {
+	clicon_debug(1, "%s x:%s xbot:%s",__FUNCTION__, xml_name(x), xml_name(xbot));
 	/* Check same symbol in api-path as data */	    
 	if (strcmp(xml_name(x), xml_name(xbot))){
 	    if (netconf_operation_failed_xml(&xerr, "protocol", "Not same symbol in api-path as data") < 0)
@@ -896,7 +899,6 @@ api_data_put(clicon_handle h,
      by NACM */
     cprintf(cbx, "<rpc username=\"%s\">", NACM_RECOVERY_USER);
     cprintf(cbx, "<commit/></rpc>");
-    
     if (clicon_rpc_netconf(h, cbuf_get(cbx), &xretcom, NULL) < 0)
 	goto done;
     if ((xe = xpath_first(xretcom, "//rpc-error")) != NULL){
diff --git a/datastore/datastore_client.c b/datastore/datastore_client.c
index a5b6ab1e..b2a0a2a8 100644
--- a/datastore/datastore_client.c
+++ b/datastore/datastore_client.c
@@ -248,7 +248,7 @@ main(int argc, char **argv)
 	    clicon_err(OE_UNIX, errno, "cbuf_new");
 	    goto done;
 	}
-	if (xmldb_put(h, db, op, xt, cbret) < 1)
+	if (xmldb_put(h, db, op, xt, NULL, cbret) < 1)
 	    goto done;
 	    
     }
diff --git a/datastore/text/clixon_xmldb_text.c b/datastore/text/clixon_xmldb_text.c
index e7a6999e..8c64616f 100644
--- a/datastore/text/clixon_xmldb_text.c
+++ b/datastore/text/clixon_xmldb_text.c
@@ -88,6 +88,8 @@ struct text_handle {
 				   Assumes single backend*/
     char          *th_format;   /* Datastroe format: xml / json */
     int            th_pretty;   /* Store xml/json pretty-printed. */
+    char          *th_nacm_mode;
+    cxobj         *th_nacm_xtree;
 };
 
 /* Struct per database in hash */
@@ -207,6 +209,8 @@ text_disconnect(xmldb_handle xh)
 	    }
 	    hash_free(th->th_dbs);
 	}
+	if (th->th_nacm_mode)
+	    free(th->th_nacm_mode);
 	free(th);
     }
     retval = 0;
@@ -239,6 +243,10 @@ text_getopt(xmldb_handle xh,
 	*value = th->th_format;
     else if (strcmp(optname, "pretty") == 0)
 	*value = &th->th_pretty;
+    else if (strcmp(optname, "nacm_mode") == 0)
+	*value = &th->th_nacm_mode;
+    else if (strcmp(optname, "nacm_xtree") == 0)
+	*value = th->th_nacm_xtree;
     else{
 	clicon_err(OE_PLUGIN, 0, "Option %s not implemented by plugin", optname);
 	goto done;
@@ -288,6 +296,15 @@ text_setopt(xmldb_handle xh,
     else if (strcmp(optname, "pretty") == 0){
 	th->th_pretty = (intptr_t)value;
     }
+    else if (strcmp(optname, "nacm_mode") == 0){
+	if (value && (th->th_nacm_mode = strdup((char*)value)) == NULL){
+	    clicon_err(OE_UNIX, 0, "strdup");
+	    goto done;
+	}
+    }
+    else if (strcmp(optname, "nacm_xtree") == 0){
+	th->th_nacm_xtree = (cxobj*)value;
+    }
     else{
 	clicon_err(OE_PLUGIN, 0, "Option %s not implemented by plugin", optname);
 	goto done;
@@ -421,10 +438,17 @@ xml_copy_marked(cxobj *x0,
  * The function returns a minimal tree that includes all sub-trees that match
  * xpath.
  * This is a clixon datastore plugin of the the xmldb api
- * @see xmldb_get
+ * @param[in]  h      Clicon handle
+ * @param[in]  dbname Name of database to search in (filename including dir path
+ * @param[in]  xpath  String with XPATH syntax. or NULL for all
+ * @param[in]  config If set only configuration data, else also state
+ * @param[out] xret   Single return XML tree. Free with xml_free()
+ * @retval     0      OK
+ * @retval     -1     Error
+ * @see xmldb_get  the generic API function
  */
 int
-text_get(xmldb_handle xh,
+text_get(xmldb_handle  xh,
 	 const char   *db, 
 	 char         *xpath,
 	 int           config,
@@ -434,6 +458,7 @@ text_get(xmldb_handle xh,
     char           *dbfile = NULL;
     yang_spec      *yspec;
     cxobj          *xt = NULL;
+    cxobj          *x;
     int             fd = -1;
     cxobj         **xvec = NULL;
     size_t          xlen;
@@ -486,7 +511,6 @@ text_get(xmldb_handle xh,
 	 */
     } /* xt == NULL */
     /* Here xt looks like: <config>...</config> */
-
     if (xpath_vec(xt, "%s", &xvec, &xlen, xpath?xpath:"/") < 0)
 	goto done;
 
@@ -496,11 +520,13 @@ text_get(xmldb_handle xh,
      */
     if (xvec != NULL)
 	for (i=0; i<xlen; i++){
-	    xml_flag_set(xvec[i], XML_FLAG_MARK);
-	    if (th->th_cache)
-		xml_apply_ancestor(xvec[i], (xml_applyfn_t*)xml_flag_set, (void*)XML_FLAG_CHANGE);
+	    x = xvec[i];
+	    xml_flag_set(x, XML_FLAG_MARK);
+	    if (1 || th->th_cache)
+		xml_apply_ancestor(x, (xml_applyfn_t*)xml_flag_set, (void*)XML_FLAG_CHANGE);
 	}
 
+    
     if (th->th_cache){
 	/* Copy the matching parts of the (relevant) XML tree.
 	 * If cache was NULL, also write to datastore cache
@@ -534,13 +560,16 @@ text_get(xmldb_handle xh,
     /* reset flag */
     if (xml_apply(xt, CX_ELMNT, (xml_applyfn_t*)xml_flag_reset, (void*)XML_FLAG_MARK) < 0)
 	goto done;
+
     /* filter out state (operations) data if config not set. Mark all nodes
      that are not config data */
-    if (config && xml_apply(xt, CX_ELMNT, xml_non_config_data, NULL) < 0)
-	goto done;
-    /* Remove (prune) nodes that are marked (that does not pass test) */
-    if (xml_tree_prune_flagged(xt, XML_FLAG_MARK, 1) < 0)
-	goto done;
+    if (config){
+	if (xml_apply(xt, CX_ELMNT, xml_non_config_data, NULL) < 0)
+	    goto done;
+	/* Remove (prune) nodes that are marked (that does not pass test) */
+	if (xml_tree_prune_flagged(xt, XML_FLAG_MARK, 1) < 0)
+	    goto done;
+    }
     /* Add default values (if not set) */
     if (xml_apply(xt, CX_ELMNT, xml_default, NULL) < 0)
 	goto done;
@@ -939,13 +968,23 @@ xml_container_presence(cxobj  *x,
 
 /*! Modify database provided an xml tree and an operation
  * This is a clixon datastore plugin of the the xmldb api
- * @see xmldb_put
+ * @param[in]  h      CLICON handle
+ * @param[in]  db     running or candidate
+ * @param[in]  op     Top-level operation, can be superceded by other op in tree
+ * @param[in]  x1     xml-tree. Top-level symbol is dummy
+ * @param[in]  username User name for nacm
+ * @param[out] cbret  Initialized cligen buffer. On exit contains XML if retval == 0
+ * @retval     1      OK
+ * @retval     0      Failed, cbret contains error xml message
+ * @retval     -1     Error
+ * @see xmldb_put  the generic API function
  */
 int
 text_put(xmldb_handle        xh,
 	 const char         *db, 
 	 enum operation_type op,
 	 cxobj              *x1,
+	 char               *username,
     	 cbuf               *cbret)
 {
     int                 retval = -1;
diff --git a/datastore/text/clixon_xmldb_text.h b/datastore/text/clixon_xmldb_text.h
index 9bb46e42..ed365634 100644
--- a/datastore/text/clixon_xmldb_text.h
+++ b/datastore/text/clixon_xmldb_text.h
@@ -40,7 +40,7 @@
  * Prototypes
  */
 int text_get(xmldb_handle h, const char *db, char *xpath, int config, cxobj **xtop);
-int text_put(xmldb_handle h, const char *db, enum operation_type op, cxobj *xt, cbuf *cbret);
+int text_put(xmldb_handle h, const char *db, enum operation_type op, cxobj *xt, char *username, cbuf *cbret);
 int text_dump(FILE *f, char *dbfilename, char *rxkey);
 int text_copy(xmldb_handle h, const char *from, const char *to);
 int text_lock(xmldb_handle h, const char *db, int pid);
diff --git a/example/example_backend.c b/example/example_backend.c
index e0adc3ff..2c366a14 100644
--- a/example/example_backend.c
+++ b/example/example_backend.c
@@ -243,7 +243,7 @@ example_reset(clicon_handle h,
 	goto done;
     }
     /* Merge user reset state */
-    if ((ret = xmldb_put(h, (char*)db, OP_MERGE, xt, cbret)) < 0)
+    if ((ret = xmldb_put(h, (char*)db, OP_MERGE, xt, clicon_username_get(h), cbret)) < 0)
 	goto done;
     if (ret == 0){
 	clicon_err(OE_XML, 0, "Error when writing to XML database: %s",
diff --git a/lib/clixon/clixon_nacm.h b/lib/clixon/clixon_nacm.h
index cdae13bb..670e7eec 100644
--- a/lib/clixon/clixon_nacm.h
+++ b/lib/clixon/clixon_nacm.h
@@ -48,7 +48,8 @@
 /*
  * Prototypes
  */
-int nacm_access(clicon_handle h, char *rpc, char *module,
-		char *username, cbuf *cbret);
+int nacm_rpc(char *rpc, char *module, char *username, cxobj *xnacm, cbuf *cbret);
+int nacm_datanode_read(cxobj *xt, cxobj **xvec, size_t xlen, char *username, cxobj *nacm_xtree);
+int nacm_access(clicon_handle h, char *username, cxobj **xnacmp);
 
 #endif /* _CLIXON_NACM_H */
diff --git a/lib/clixon/clixon_xml.h b/lib/clixon/clixon_xml.h
index be3e2352..5a4b13b5 100644
--- a/lib/clixon/clixon_xml.h
+++ b/lib/clixon/clixon_xml.h
@@ -138,6 +138,7 @@ int       xml_purge(cxobj *xc);
 int       xml_child_rm(cxobj *xp, int i);
 int       xml_rm(cxobj *xc);
 int       xml_rootchild(cxobj  *xp, int i, cxobj **xcp);
+int       xml_rootchild_node(cxobj  *xp, cxobj *xc);
 
 char     *xml_body(cxobj *xn);
 cxobj    *xml_body_get(cxobj *xn);
diff --git a/lib/clixon/clixon_xml_db.h b/lib/clixon/clixon_xml_db.h
index a79349d1..042d414f 100644
--- a/lib/clixon/clixon_xml_db.h
+++ b/lib/clixon/clixon_xml_db.h
@@ -78,7 +78,7 @@ typedef int (xmldb_setopt_t)(xmldb_handle xh, char *optname, void *value);
 typedef int (xmldb_get_t)(xmldb_handle xh, const char *db, char *xpath, int config, cxobj **xtop);
 
 /* Type of xmldb put function */
-typedef int (xmldb_put_t)(xmldb_handle xh, const char *db, enum operation_type op, cxobj *xt, cbuf *cbret);
+typedef int (xmldb_put_t)(xmldb_handle xh, const char *db, enum operation_type op, cxobj *xt, char *username, cbuf *cbret);
 
 /* Type of xmldb copy function */
 typedef int (xmldb_copy_t)(xmldb_handle xh, const char *from, const char *to);
@@ -139,7 +139,7 @@ int xmldb_disconnect(clicon_handle h);
 int xmldb_getopt(clicon_handle h, char *optname, void **value);
 int xmldb_setopt(clicon_handle h, char *optname, void *value);
 int xmldb_get(clicon_handle h, const char *db, char *xpath, int config, cxobj **xtop);
-int xmldb_put(clicon_handle h, const char *db, enum operation_type op, cxobj *xt, cbuf *cbret);
+int xmldb_put(clicon_handle h, const char *db, enum operation_type op, cxobj *xt, char *username, cbuf *cbret);
 int xmldb_copy(clicon_handle h, const char *from, const char *to);
 int xmldb_lock(clicon_handle h, const char *db, int pid);
 int xmldb_unlock(clicon_handle h, const char *db);
diff --git a/lib/src/clixon_nacm.c b/lib/src/clixon_nacm.c
index 8efa4421..5a5ed3da 100644
--- a/lib/src/clixon_nacm.c
+++ b/lib/src/clixon_nacm.c
@@ -90,8 +90,8 @@ nacm_match_access(char *access_operations,
 }
 
 /*! Match nacm single rule. Either match with access or deny. Or not match.
- * @param[in]  h      Clicon handle
- * @param[in]  name  rpc name
+ * @param[in]  rpc    rpc name
+ * @param[in]  module Yang module name
  * @param[in]  xrule  NACM rule XML tree
  * @param[out] cbret  Cligen buffer result. Set to an error msg if retval=0.
  * @retval -1  Error
@@ -126,11 +126,10 @@ nacm_match_access(char *access_operations,
            has the special value "*".
  */
 static int
-nacm_match_rule(clicon_handle h,
-		char         *name,
-		char         *module,
-		cxobj        *xrule,
-		cbuf         *cbret)
+nacm_rule_rpc(char         *rpc,
+	      char         *module,
+	      cxobj        *xrule,
+	      cbuf         *cbret)
 {
     int    retval = -1;
     char  *module_rule; /* rule module name */
@@ -149,7 +148,7 @@ nacm_match_rule(clicon_handle h,
 	(strcmp(module_rule,"*")==0 || strcmp(module_rule,module)==0)){
 	if (nacm_match_access(access_operations, "exec")){
 	    if (rpc_rule==NULL ||
-		strcmp(rpc_rule, "*")==0 || strcmp(rpc_rule, name)==0){
+		strcmp(rpc_rule, "*")==0 || strcmp(rpc_rule, rpc)==0){
 		/* Here is a matching rule */
 		if (action && strcmp(action, "permit")==0){
 		    retval = 1;
@@ -169,31 +168,26 @@ nacm_match_rule(clicon_handle h,
     return retval;
 }
 
-/*! Process a nacm message control
- * @param[in]  h     Clicon handle
- * @param[in]  mode  NACMmode, internal or external
- * @param[in]  name  rpc name
- * @param[in]  username
- * @param[in]  xtop
+/*! Process nacm incoming RPC message validation steps
+ * @param[in]  module   Yang module name
+ * @param[in]  rpc      rpc name
+ * @param[in]  username User name making access
+ * @param[in]  xnacm    NACM xml tree
  * @param[out] cbret Cligen buffer result. Set to an error msg if retval=0.
  * @retval -1  Error
  * @retval  0  Not access and cbret set
  * @retval  1  Access
  * @see RFC8341 3.4.4.  Incoming RPC Message Validation
  */
-static int
-nacm_rpc_validation(clicon_handle h,
-		    char         *name,
-		    char         *module,
-		    char         *username,
-		    cxobj        *xtop,
-		    cbuf         *cbret)
+int
+nacm_rpc(char         *rpc,
+	 char         *module,
+	 char         *username,
+	 cxobj        *xnacm,
+	 cbuf         *cbret)
 {
     int     retval = -1;
-    cxobj  *xacm;
-    cxobj  *x;
     cxobj  *xrule;
-    char   *enabled = NULL;
     cxobj **gvec = NULL; /* groups */
     size_t  glen;
     cxobj  *xrlist;
@@ -205,26 +199,10 @@ nacm_rpc_validation(clicon_handle h,
     int     i, j;
     char   *exec_default = NULL;
     
-    /* 1.   If the "enable-nacm" leaf is set to "false", then the protocol
-       operation is permitted. (or config does not exist) */
-    if ((xacm = xpath_first(xtop, "nacm")) == NULL)
-	goto permit;
-    exec_default = xml_find_body(xacm, "exec-default");
-    if ((x = xpath_first(xacm, "enable-nacm")) == NULL)
-	goto permit;
-    enabled = xml_body(x);
-    if (strcmp(enabled, "true") != 0)
-	goto permit;
-
-    /* 2.   If the requesting session is identified as a recovery session,
-       then the protocol operation is permitted. NYI */
-    if (strcmp(username, NACM_RECOVERY_USER) == 0)
-	goto permit;
-    
     /* 3.   If the requested operation is the NETCONF <close-session>
        protocol operation, then the protocol operation is permitted.
     */
-    if (strcmp(name, "close-session") == 0)
+    if (strcmp(rpc, "close-session") == 0)
 	goto permit;
     /* 4.   Check all the "group" entries to see if any of them contain a
        "user-name" entry that equals the username for the session
@@ -234,7 +212,7 @@ nacm_rpc_validation(clicon_handle h,
     if (username == NULL)
 	goto step10;
     /* User's group */
-    if (xpath_vec(xacm, "groups/group[user-name='%s']", &gvec, &glen, username) < 0)
+    if (xpath_vec(xnacm, "groups/group[user-name='%s']", &gvec, &glen, username) < 0)
 	goto done;
     /* 5. If no groups are found, continue with step 10. */
     if (glen == 0)
@@ -243,7 +221,7 @@ nacm_rpc_validation(clicon_handle h,
         configuration.  If a rule-list's "group" leaf-list does not
         match any of the user's groups, proceed to the next rule-list
         entry. */
-    if (xpath_vec(xacm, "rule-list", &rlistvec, &rlistlen) < 0)
+    if (xpath_vec(xnacm, "rule-list", &rlistvec, &rlistlen) < 0)
 	goto done;
     for (i=0; i<rlistlen; i++){
 	xrlist = rlistvec[i];
@@ -265,7 +243,7 @@ nacm_rpc_validation(clicon_handle h,
 	for (j=0; j<rlen; j++){
 	    xrule = rvec[j];
 	    /* -1 error, 0 deny, 1 permit, 2 continue */
-	    if ((ret = nacm_match_rule(h, name, module, xrule, cbret)) < 0)
+	    if ((ret = nacm_rule_rpc(rpc, module, xrule, cbret)) < 0)
 		goto done;
 	    switch(ret){
 	    case 0: /* deny */
@@ -287,13 +265,14 @@ nacm_rpc_validation(clicon_handle h,
     /* 11.  If the requested protocol operation is the NETCONF
         <kill-session> or <delete-config>, then the protocol operation
         is denied. */
-    if (strcmp(name, "kill-session")==0 || strcmp(name, "delete-config")==0){
+    if (strcmp(rpc, "kill-session")==0 || strcmp(rpc, "delete-config")==0){
 	if (netconf_access_denied(cbret, "protocol", "default deny") < 0)
 	    goto done;
 	goto deny;
     }
     /*   12.  If the "exec-default" leaf is set to "permit", then permit the
 	 protocol operation; otherwise, deny the request. */
+    exec_default = xml_find_body(xnacm, "exec-default");
     if (exec_default ==NULL || strcmp(exec_default, "permit")==0)
 	goto permit;
     if (netconf_access_denied(cbret, "protocol", "default deny") < 0)
@@ -316,56 +295,358 @@ nacm_rpc_validation(clicon_handle h,
     goto done;
 }
 
-/*! Make nacm access control 
- * @param[in]  h     Clicon handle
- * @param[in]  name  rpc name
- * @param[in]  username
- * @param[out] cbret Cligen buffer result. Set to an error msg if retval=0.
+/*---------------------------------------------------------------
+ * Datanode read
+ */
+
+/*! We have a rule matching user group. Now match proper read operation and module
+ * @see RFC8341 3.4.5.  Data Node Access Validation point (6)
+ * 
+ */
+static int
+rule_datanode_read(cxobj  *xrule,
+		   cxobj  *xr,
+		   cxobj  *xt,
+		   int    *match)
+{
+    int        retval = -1;
+    cxobj     *xp; /* parent */
+    char      *access_operations;
+    char      *module_rule; /* rule module name */
+    yang_stmt *ys;
+    yang_stmt *ymod;
+    char      *module;
+    char      *path;
+    cxobj     *xpath; /* xpath match */
+
+    *match = 0;
+    /*  6b) Either (1) the rule does not have a "rule-type" defined or
+	(2) the "rule-type" is "data-node" and the "path" matches the
+	requested data node, action node, or notification node.  A
+	path is considered to match if the requested node is the node
+	specified by the path or is a descendant node of the path.*/    
+    if ((path = xml_find_body(xrule, "path")) == NULL){
+	if (xml_find_body(xrule, "rpc-name") ||xml_find_body(xrule, "notification-name"))
+	    goto nomatch;
+    }
+    /* 6c) For a "read" access operation, the rule's "access-operations"
+	leaf has the "read" bit set or has the special value "*" */
+    access_operations = xml_find_body(xrule, "access-operations");
+    if (!nacm_match_access(access_operations, "read"))
+	goto nomatch;
+    /* 6a) The rule's "module-name" leaf is "*" or equals the name of
+     * the YANG module where the requested data node is defined. */
+    if ((module_rule = xml_find_body(xrule, "module-name")) == NULL)
+	goto nomatch;
+    if (strcmp(module_rule,"*")!=0){
+	if ((ys = xml_spec(xr)) == NULL)
+	    goto nomatch;
+	ymod = ys_module(ys);
+	module = ymod->ys_argument;
+	if (strcmp(module, module_rule) != 0)
+	    goto nomatch;
+    }
+    /* Here module is matched, now check for path if any */
+    if (path){ 
+	if ((xpath = xpath_first(xt, "%s", path)) == NULL)
+	    goto nomatch;
+	/* The requested node xr is the node specified by the path or is a 
+	 * descendant node of the path:
+	 * xmatch is one of xvec[] or an ancestor of the xvec[] nodes.
+	 */
+	xp = xr;
+	do {
+	    if (xpath == xp)
+		goto match;
+	} while ((xp = xml_parent(xp)) != NULL);
+    }
+ match:
+    *match = 1;
+ nomatch:
+    retval = 0;
+    // done:
+    return retval;
+}
+
+/*! Make nacm datanode and module rule read access validation
+ * Just purge nodes that fail validation (dont send netconf error message)
+ * @param[in]  xt       XML root tree with "config" label 
+ * @param[in]  xrvec    Vector of requested nodes (sub-part of xt)
+ * @param[in]  xrlen    Length of requsted node vector
+ * @param[in]  username 
+ * @param[in]  xaxm     NACM xml tree
  * @retval -1  Error
  * @retval  0  Not access and cbret set
  * @retval  1  Access
- * @see RFC8341 3.4.4.  Incoming RPC Message Validation
+ * @see RFC8341 3.4.5.  Data Node Access Validation
+ * 3.2.4: <get> and <get-config> Operations
+ * Data nodes to which the client does not have read access are silently
+ * omitted, along with any descendants, from the <rpc-reply> message.
+ * For NETCONF filtering purposes, the selection criteria are applied to the
+ * subset of nodes that the user is authorized to read, not the entire datastore.
+ * @note assume mode is internal or external, not disabled
+ * @node There is unclarity on what "a data node" means wrt a read operation.
+ * Suppose a tree is accessed. Is "the data node" just the top of the tree?
+ * (1) Or is it all nodes, recursively, in the data-tree?
+ * (2) Or is the datanode only the requested tree, NOT the whole datatree?
+ * Example: 
+ * - r0 default permit/deny *
+ * - rule r1 to permit/deny /a
+ * - rule r2 to permit/deny /a/b
+ * - rule r3 to permit/deny /a/b/c
+ * - rule r4 to permit/deny /d
+
+ * - read access on /a/b which returns <a><b><c/><d/></b></a>?
+ * permit - t; deny - f
+ *    r1  |  r2  |  r3  | result (r0 and r4 are dont cares - dont match)
+ *  ------+------+------+---------
+ *    t   |  t   |  t   | <a><b><c/><d/></b></a>  
+ *    t   |  t   |  f   | <a><b><d/></b></a>
+ *    t   |  f   |  t   | <a/>       
+ *    t   |  f   |  f   | <a/>     
+ *    f   |  t   |  t   | 
+ *    f   |  t   |  f   | 
+ *    f   |  f   |  t   | 
+ *    f   |  f   |  f   | 
+ *
+ * - read access on / which returns <d/><e/>?
+ * permit - t; deny - f
+ *    r0  |  r4  | result
+ *  ------+------+---------
+ *    t   |  t   | <d/><e/>
+ *    t   |  f   | <e/>
+ *    f   |  t   | <d/>
+ *    f   |  f   | 
+ * Algorithm 1, based on an xml tree XT:
+ * The special variable ACTION can have values: 
+ *      permit/deny/default
+ * 1. Traverse through all nodes x in xt. Set ACTION to default
+ *   - Find first exact matching rule r of non-default rules r1-rn on x
+ *     - if found set ACTION to r->action (permit/deny).
+ *   - if ACTION is deny purge x and all descendants
+ *   - if ACTION is permit, mark x as PERMIT
+ *   - continue traverse
+ * 2. If default action is 
+ * 2. Traverse through all nodes x in xt. Set ACTION to default r0->action
+ *   - if x is marked as PERMIT
+ *   - if ACTION is deny deny purge x and all descendants
+ *
+ * Algorithm 2 (based on requested node set XRS which are sub-trees in XT).
+ * For each XR in XRS, check match with rule r1-rn, r0.
+ * 1. XR is PERMIT 
+ *     - Recursively match subtree to find reject sub-trees and purge.
+ * 2. XR is REJECT. Purge XR.
+ * Module-rule w no path is implicit rule on top node.
+ *
+ * A module rule has the "module-name" leaf set but no nodes from the
+ * "rule-type" choice set.
  */
 int
-nacm_access(clicon_handle h,
-	    char         *rpc,
-	    char         *module,
-	    char         *username,
-	    cbuf         *cbret)
+nacm_datanode_read(cxobj  *xt,
+		   cxobj **xrvec,
+		   size_t  xrlen,    
+		   char   *username,
+		   cxobj  *xnacm)
 {
     int     retval = -1;
-    cxobj  *xtop = NULL;
-    char   *mode;
+    cxobj **gvec = NULL; /* groups */
+    cxobj  *xr;
+    size_t  glen;
+    cxobj  *xrlist;
+    cxobj **rlistvec = NULL; /* rule-list */
+    size_t  rlistlen;
+    cxobj **rvec = NULL; /* rules */
+    size_t  rlen;
+    int     i, j, k;
+    char   *read_default = NULL;
+    char   *gname;
+    int     match;
+    cxobj  *xrule;
+    char   *action;
 
+
+    
+    /* 3.   Check all the "group" entries to see if any of them contain a
+       "user-name" entry that equals the username for the session
+       making the request.  (If the "enable-external-groups" leaf is
+       "true", add to these groups the set of groups provided by the
+       transport layer.)	       */
+    if (username == NULL)
+	goto step9;
+    /* User's group */
+    if (xpath_vec(xnacm, "groups/group[user-name='%s']", &gvec, &glen, username) < 0)
+	goto done;
+    /* 4. If no groups are found, continue with step 9. */
+    if (glen == 0)
+	goto step9;
+    /* 5. Process all rule-list entries, in the order they appear in the
+        configuration.  If a rule-list's "group" leaf-list does not
+        match any of the user's groups, proceed to the next rule-list
+        entry. */
+    if (xpath_vec(xnacm, "rule-list", &rlistvec, &rlistlen) < 0)
+	goto done;
+    for (k=0; k<xrlen; k++){     /* Loop through requested nodes */
+	xr = xrvec[k]; /* requested node XR */
+	match = 0; /* Go thru steps 5,6,7, if no match do 8-13 */ 
+	for (i=0; i<rlistlen; i++){ 	/* Loop through rule list */
+	    xrlist = rlistvec[i];
+	    /* Loop through user's group to find match in this rule-list */
+	    for (j=0; j<glen; j++){
+		gname = xml_find_body(gvec[j], "name");
+		if (xpath_first(xrlist, ".[group='%s']", gname)!=NULL)
+		    break; /* found */
+	    }
+	    if (j==glen) /* not found */
+		continue;
+	    /* 6. For each rule-list entry found, process all rules, in order,
+	       until a rule that matches the requested access operation is
+	       found. (see 6 sub rules in nacm_match_rule2)
+	    */
+	    if (xpath_vec(xrlist, "rule", &rvec, &rlen) < 0)
+		goto done;
+	    for (j=0; j<rlen; j++){ /* Loop through rules */
+		xrule = rvec[j];
+		if (rule_datanode_read(xrule, xr, xt, &match) < 0)
+		    goto done;
+		if (match) /* xrule match */
+		    break;
+	    }
+	    if (match) /* xrule match */
+		break;
+	}
+	if (match){ /* xrule match requested node xr */
+	    if ((action = xml_find_body(xrule, "action")) == NULL)
+		continue;
+	    if (strcmp(action, "deny")==0){
+		if (xml_purge(xr) < 0)
+		    goto done;
+	    }
+	    else if (strcmp(action, "permit")==0)
+		;/* XXX recursively find denies in xr and purge them 
+		  * ie go back to the k-loop with all sub-items?
+		  */
+	}
+	else{ /* no rule matching xr, apply default */
+    /*11.  For a "read" access operation, if the "read-default" leaf is set
+        to "permit", then include the requested data node in the reply;
+        otherwise, do not include the requested data node or any of its
+        descendants in the reply.*/
+	    read_default = xml_find_body(xnacm, "read-default");
+	    if (read_default == NULL || strcmp(read_default, "deny")==0)
+		if (xml_purge(xr) < 0)
+		    goto done;
+	}
+    } /* xr */
+    goto ok;
+    /* 8.   At this point, no matching rule was found in any rule-list
+       entry. */
+ step9:
+    /*    9.   For a "read" access operation, if the requested data node is
+        defined in a YANG module advertised in the server capabilities
+        and the data definition statement contains a
+        "nacm:default-deny-all" statement, then the requested data node
+        and all its descendants are not included in the reply.
+    */
+    for (k=0; k<xrlen; k++)     /* Loop through requested nodes */
+	if (xml_purge(xrvec[k]) < 0)
+	    goto done;
+ ok:
+    retval = 0;
+ done:
+    clicon_debug(1, "%s retval:%d", __FUNCTION__, retval);
+    if (gvec)
+	free(gvec);
+    if (rlistvec)
+	free(rlistvec);
+    if (rvec)
+	free(rvec);
+    return retval;
+}
+
+/*! NACM intial pre- access control enforcements 
+ * Initial NACM steps and common to all NACM access validation.
+ * If retval=0 continue with next NACM step, eg rpc, module, 
+ * etc. If retval = 1 access is OK and skip next NACM step.
+ * @param[in]  h        Clicon handle
+ * @param[in]  username
+ * @param[out] xncam    NACM XML tree, set if retval=0. Free after use
+ * @retval -1  Error
+ * @retval  0  OK not yet permit/. continue with next NACM step using xnacm
+ * @retval  1  OK permitted. dont do next NACM step
+ * @code
+ *   cxobj *xnacm = NULL;
+ *   if ((ret = nacm_access(h, username, &xnacm)) < 0)
+ *     err;
+ *   if (ret == 0){
+ *      // Next step NACM processing
+ *      xml_free(xnacm);
+ *   }
+ * @endcode
+ * @see RFC8341 3.4 Access Control Enforcement Procedures
+ */
+int
+nacm_access(clicon_handle  h,
+	    char          *username,
+	    cxobj        **xnacmp)
+{
+    int     retval = -1;
+    cxobj  *xnacm0 = NULL;
+    cxobj  *xnacm;
+    char   *mode;
+    char   *enabled;
+    cxobj  *x;
+    
     clicon_debug(1, "%s", __FUNCTION__);
     mode = clicon_option_str(h, "CLICON_NACM_MODE");
-    if (mode == NULL || strcmp(mode, "disabled") == 0){
-	retval = 1;
-	goto done;
-    }
-
+    if (mode == NULL || strcmp(mode, "disabled") == 0)
+	goto permit;
     /* 0. If nacm-mode is external, get NACM defintion from separet tree,
        otherwise get it from internal configuration */
     if (strcmp(mode, "external")==0){
-	if ((xtop = clicon_nacm_ext(h)) == NULL){
+	cxobj *xne;
+	if ((xne = clicon_nacm_ext(h)) == NULL){
 	    clicon_err(OE_XML, 0, "No nacm external tree");
 	    goto done;
 	}
+	if ((xnacm0 = xml_dup(xne)) == NULL)
+	    goto done;
     }
     else if (strcmp(mode, "internal")==0){
-	if (xmldb_get(h, "running", "nacm", 0, &xtop) < 0)
+	if (xmldb_get(h, "running", "nacm", 0, &xnacm0) < 0)
 	    goto done;	
     }
     else{
 	clicon_err(OE_UNIX, 0, "Invalid NACM mode: %s", mode);
 	goto done;
     }
-    /* Do the real nacm processing */
-    if ((retval = nacm_rpc_validation(h, rpc, module, username, xtop, cbret)) < 0)
+    /* If config does not exist, then the operation is permitted. (?) */
+    if ((xnacm = xpath_first(xnacm0, "nacm")) == NULL)
+	goto permit;
+    if (xml_rootchild_node(xnacm0, xnacm) < 0)
 	goto done;
+    xnacm0 = NULL;
+    *xnacmp = xnacm;
+    /* Do initial nacm processing common to all access validation in
+     * RFC8341 3.4 */
+    /* 1.   If the "enable-nacm" leaf is set to "false", then the protocol
+       operation is permitted. */
+    if ((x = xpath_first(xnacm, "enable-nacm")) == NULL)
+	goto permit;
+    enabled = xml_body(x);
+    if (strcmp(enabled, "true") != 0)
+	goto permit;
+    /* 2.   If the requesting session is identified as a recovery session,
+       then the protocol operation is permitted. NYI */
+    if (username && strcmp(username, NACM_RECOVERY_USER) == 0)
+	goto permit;
+
+    retval = 0; /* not permitted yet. continue with next NACM step */
  done:
+    if (retval != 0 && xnacm0)
+	xml_free(xnacm0);
     clicon_debug(1, "%s retval:%d (0:deny 1:permit)", __FUNCTION__, retval);
-    if (strcmp(mode, "internal")==0 && xtop)
-	xml_free(xtop);
     return retval;
+ permit:
+    retval = 1;
+    goto done;
 }
diff --git a/lib/src/clixon_xml.c b/lib/src/clixon_xml.c
index 17b1845c..1d4f2741 100644
--- a/lib/src/clixon_xml.c
+++ b/lib/src/clixon_xml.c
@@ -640,7 +640,7 @@ xml_child_each(cxobj           *xparent,
 	       cxobj           *xprev, 
 	       enum cxobj_type  type)
 {
-    int i;
+    int    i;
     cxobj *xn = NULL; 
 
     for (i=xprev?xprev->_x_vector_i+1:0; i<xparent->x_childvec_len; i++){
@@ -957,6 +957,7 @@ xml_rm(cxobj *xc)
  *  # Here xt will be: <a>2</a>
  * @endcode
  * @see xml_child_rm
+ * @see xml_child_rootchild_node  where xc is explicitly given
  */
 int
 xml_rootchild(cxobj  *xp, 
@@ -984,6 +985,44 @@ xml_rootchild(cxobj  *xp,
     return retval;
 }
 
+/*! Return a child sub-tree, while removing parent and all other children
+ * Given a root xml node, remove the child from its parent
+ * , remove the parent and all other children.
+ * Before: xp-->[..xc..]
+ * After: xc
+ * @param[in]  xp   xml parent node. Must be root. Will be deleted
+ * @param[in]  xc   xml child node. Must be a child of xp
+ * @retval     0    OK
+ * @retval    -1    Error
+ * @see xml_child_rootchild  where an index is used to find xc
+ */
+int
+xml_rootchild_node(cxobj  *xp, 
+		   cxobj  *xc)
+{
+    int    retval = -1;
+    cxobj *x;
+    int    i;
+
+    if (xml_parent(xp) != NULL){
+	clicon_err(OE_XML, 0, "Parent is not root");
+	goto done;
+    }
+    x = NULL; i = 0;
+    while ((x = xml_child_each(xp, x, -1)) != NULL) {
+	if (x == xc)
+	    break;
+	i++;
+    }
+    if (xml_child_rm(xp, i) < 0)
+	goto done;
+    if (xml_free(xp) < 0)
+	goto done;
+    retval = 0;
+ done:
+    return retval;
+}
+
 /*! Get the first sub-node which is an XML body.
  * @param[in]   xn          xml tree node
  * @retval  The returned body as a pointer to the name string
diff --git a/lib/src/clixon_xml_db.c b/lib/src/clixon_xml_db.c
index 73959bf7..e68f8258 100644
--- a/lib/src/clixon_xml_db.c
+++ b/lib/src/clixon_xml_db.c
@@ -379,6 +379,7 @@ xmldb_get(clicon_handle h,
  * @param[in]  db     running or candidate
  * @param[in]  op     Top-level operation, can be superceded by other op in tree
  * @param[in]  xt     xml-tree. Top-level symbol is dummy
+ * @param[in]  username User name for nacm
  * @param[out] cbret  Initialized cligen buffer. On exit contains XML if retval == 0
  * @retval     1      OK
  * @retval     0      Failed, cbret contains error xml message
@@ -389,7 +390,7 @@ xmldb_get(clicon_handle h,
  *   cxobj     *xret = NULL;
  *   if (xml_parse_string("<a>17</a>", yspec, &xt) < 0)
  *     err;
- *   if ((ret = xmldb_put(xh, "running", OP_MERGE, xt, cbret)) < 0)
+ *   if ((ret = xmldb_put(xh, "running", OP_MERGE, xt, username, cbret)) < 0)
  *     err;
  *   if (ret==0)
  *     cbret contains netconf error message
@@ -404,6 +405,7 @@ xmldb_put(clicon_handle       h,
 	  const char         *db, 
 	  enum operation_type op, 
 	  cxobj              *xt,
+	  char               *username,
 	  cbuf               *cbret)
 {
     int               retval = -1;
@@ -434,7 +436,7 @@ xmldb_put(clicon_handle       h,
 	cbuf_free(cb);
     }
 #endif
-    retval = xa->xa_put_fn(xh, db, op, xt, cbret);
+    retval = xa->xa_put_fn(xh, db, op, xt, username, cbret);
  done:
     return retval;
 }
diff --git a/lib/src/clixon_xml_map.c b/lib/src/clixon_xml_map.c
index 62608af5..c0babd4f 100644
--- a/lib/src/clixon_xml_map.c
+++ b/lib/src/clixon_xml_map.c
@@ -2117,7 +2117,7 @@ api_path2xml(char       *api_path,
     int    nvec;
     cxobj *xroot;
 
-    clicon_debug(1, "%s", __FUNCTION__);
+    clicon_debug(1, "%s api_path:%s", __FUNCTION__, api_path);
     if (*api_path!='/'){
 	clicon_err(OE_XML, EINVAL, "Invalid api-path: %s (must start with '/')",
 		   api_path);
diff --git a/test/lib.sh b/test/lib.sh
index bb28e4ca..feac39c1 100755
--- a/test/lib.sh
+++ b/test/lib.sh
@@ -149,14 +149,17 @@ expectfn(){
   fi
 }
 
+# 
 expecteq(){
   ret=$1
   expect=$2
+#  echo "ret:$ret"
+#  echo "expect:$expect"
   if [ -z "$ret" -a -z "$expect" ]; then
       return
   fi
   if [[ "$ret" = "$expect" ]]; then
-      echo
+      echo 
   else
       err "$expect" "$ret"
   fi
diff --git a/test/test_nacm.sh b/test/test_nacm.sh
index 460fec59..528eabcc 100755
--- a/test/test_nacm.sh
+++ b/test/test_nacm.sh
@@ -55,7 +55,7 @@ EOF
 RULES=$(cat <<EOF
    <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
      <enable-nacm>false</enable-nacm>
-     <read-default>deny</read-default>
+     <read-default>permit</read-default>
      <write-default>deny</write-default>
      <exec-default>deny</exec-default>
 
diff --git a/test/test_nacm_ext.sh b/test/test_nacm_ext.sh
index f0fdf0a5..bb9302bc 100755
--- a/test/test_nacm_ext.sh
+++ b/test/test_nacm_ext.sh
@@ -76,7 +76,7 @@ EOF
 cat <<EOF > $nacmfile
    <nacm>
      <enable-nacm>true</enable-nacm>
-     <read-default>deny</read-default>
+     <read-default>permit</read-default>
      <write-default>deny</write-default>
      <exec-default>deny</exec-default>
 
diff --git a/test/test_nacm_module.sh b/test/test_nacm_module.sh
index 0ac5f9d5..d8427f5a 100755
--- a/test/test_nacm_module.sh
+++ b/test/test_nacm_module.sh
@@ -1,16 +1,17 @@
 #!/bin/bash
 # Authentication and authorization and IETF NACM
 # NACM module rules
+# A module rule has the "module-name" leaf set but no nodes from the
+# "rule-type" choice set.
 # @see test_nacm.sh is slightly modified - this follows the RFC more closely
 # See RFC 8341 A.1 and A.2
 # Note: use clixon-example instead of ietf-netconf-monitoring since the latter is
-# not yet implemented
 # Tests for 
 # deny-ncm:  This rule prevents the "guest" group from reading any
-#     monitoring information in the "ietf-netconf-monitoring" YANG
+#     monitoring information in the "clixon-example" YANG
 #     module.
 # permit-ncm:  This rule allows the "limited" group to read the
-#     "ietf-netconf-monitoring" YANG module.
+#     "clixon-example" YANG module.
 # permit-exec:  This rule allows the "limited" group to invoke any
 #     protocol operation supported by the server.
 # permit-all:  This rule allows the "admin" group complete access to
@@ -75,13 +76,12 @@ RULES=$(cat <<EOF
 
      $NGROUPS
 
-
      <rule-list>
        <name>guest-acl</name>
        <group>guest</group>
        <rule>
          <name>deny-ncm</name>
-         <module-name>ietf-netconf-monitoring</module-name>
+         <module-name>clixon-example</module-name>
          <access-operations>*</access-operations>
          <action>deny</action>
          <comment>
@@ -95,8 +95,7 @@ RULES=$(cat <<EOF
        <group>limited</group>
        <rule>
          <name>permit-ncm</name>
-         <rpc-name>get</rpc-name>
-         <module-name>ietf-netconf-monitoring</module-name>
+         <module-name>clixon-example</module-name>
          <access-operations>read</access-operations>
          <action>permit</action>
          <comment>
@@ -119,6 +118,7 @@ RULES=$(cat <<EOF
    </nacm>
    <x xmlns="urn:example:nacm">42</x>
    <translate xmlns="urn:example:clixon"><k>key42</k><value>val42</value></translate>
+   <translate xmlns="urn:example:clixon"><k>key43</k><value>val43</value></translate>
 EOF
 )
 
@@ -157,35 +157,118 @@ expecteq "$(curl -u andy:bar -sS -X PUT -d '{"enable-nacm": true}' http://localh
 
 #--------------- nacm enabled
 
-# Read monitoring information from example - (ietf-netconf-monitoring)
+#----READ monitoring information from example - (ietf-netconf-monitoring)
+#user:admin
 new2 "admin read ok"
-expecteq "$(curl -u andy:bar -sS -X GET http://localhost/restconf/data/clixon-example:translate)" '{"clixon-example:translate": [{"k": "key42","value": "val42"}]}
+expecteq "$(curl -u andy:bar -sS -X GET http://localhost/restconf/data/clixon-example:translate)" '{"clixon-example:translate": [{"k": "key42","value": "val42"},{ "k": "key43","value": "val43"}]}
 
'
 
-new2 "limit read ok"
-expecteq "$(curl -u wilma:bar -sS -X GET http://localhost/restconf/data/clixon-example:translate)" '{"clixon-example:translate": [{"k": "key42","value": "val42"}]}
+new2 "admin read netconf ok"
+expecteof "$clixon_netconf -U andy -qf $cfg" 0 '<rpc><get-config><source><candidate/></source><filter type="xpath" select="/translate"/></get-config></rpc>]]>]]>' '^<rpc-reply><data><translate xmlns="urn:example:clixon"><k>key42</k><value>val42</value></translate><translate xmlns="urn:example:clixon"><k>key43</k><value>val43</value></translate></data></rpc-reply>]]>]]>$'
+
+new2 "admin read element ok"
+expecteq "$(curl -u andy:bar -sS -X GET http://localhost/restconf/data/clixon-example:translate=key42/value)" '{"clixon-example:value": "val42"}
 
'
 
-new2 "guest read fail"
-expecteq "$(curl -u guest:bar -sS -X GET http://localhost/restconf/data/clixon-example:translate)" '{"ietf-restconf:errors" : {"error": {"error-type": "protocol","error-tag": "access-denied","error-severity": "error","error-message": "default deny"}}}
'
-
-new2 "guest read other module"
-expecteq "$(curl -u guest:bar -sS -X GET http://localhost/restconf/data/nacm-example:x)" '{"ietf-restconf:errors" : {"error": {"error-type": "protocol","error-tag": "access-denied","error-severity": "error","error-message": "default deny"}}}
'
-
 new2 "admin read other module OK"
 expecteq "$(curl -u andy:bar -sS -X GET http://localhost/restconf/data/nacm-example:x)" '{"nacm-example:x": 42}
 
'
 
+new2 "admin read state OK"
+expecteq "$(curl -u andy:bar -sS -X GET http://localhost/restconf/data/clixon-example:state)" '{"clixon-example:state": {"op": "42"}}
+
'
+
+new "admin read top ok (all)"
+ret=$(curl -u andy:bar -sS -X GET http://localhost/restconf/data)
+expect='{"data": {"nacm-example:x": 42,"clixon-example:translate":'
+match=`echo $ret | grep -EZo "$expect"`
+if [ -z "$match" ]; then
+    err "$expect" "$ret"
+fi
+
+#user:limit
+
+new2 "limit read ok"
+expecteq "$(curl -u wilma:bar -sS -X GET http://localhost/restconf/data/clixon-example:translate)" '{"clixon-example:translate": [{"k": "key42","value": "val42"},{ "k": "key43","value": "val43"}]}
+
'
+
+new2 "limit read netconf ok"
+expecteof "$clixon_netconf -U wilma -qf $cfg" 0 '<rpc><get-config><source><candidate/></source><filter type="xpath" select="/translate"/></get-config></rpc>]]>]]>' '^<rpc-reply><data><translate xmlns="urn:example:clixon"><k>key42</k><value>val42</value></translate><translate xmlns="urn:example:clixon"><k>key43</k><value>val43</value></translate></data></rpc-reply>]]>]]>$'
+
+new2 "limit read element ok"
+expecteq "$(curl -u wilma:bar -sS -X GET http://localhost/restconf/data/clixon-example:translate=key42/value)" '{"clixon-example:value": "val42"}
+
'
+
+new2 "limit read other module fail"
+expecteq "$(curl -u wilma:bar -sS -X GET http://localhost/restconf/data/nacm-example:x)" 'null
+
'
+
+new2 "limit read state OK"
+expecteq "$(curl -u wilma:bar -sS -X GET http://localhost/restconf/data/clixon-example:state)" '{"clixon-example:state": {"op": "42"}}
+
'
+
+new2 "limit read top ok (part)"
+expecteq "$(curl -u wilma:bar -sS -X GET http://localhost/restconf/data)" '{"data": {"clixon-example:translate": [{"k": "key42","value": "val42"},{ "k": "key43","value": "val43"}],"clixon-example:state": {"op": "42"}}}
+
'
+
+#user:guest
+
+new2 "guest read fail"
+expecteq "$(curl -u guest:bar -sS -X GET http://localhost/restconf/data/clixon-example:translate)" '{"ietf-restconf:errors" : {"error": {"error-type": "protocol","error-tag": "access-denied","error-severity": "error","error-message": "default deny"}}}
'
+
+new2 "guest read netconf fail"
+expecteof "$clixon_netconf -U guest -qf $cfg" 0 '<rpc><get-config><source><candidate/></source><filter type="xpath" select="/translate"/></get-config></rpc>]]>]]>' '^<rpc-reply><rpc-error><error-type>protocol</error-type><error-tag>access-denied</error-tag><error-severity>error</error-severity><error-message>default deny</error-message></rpc-error></rpc-reply>]]>]]>$'
+
+new2 "guest read element fail"
+expecteq "$(curl -u guest:bar -sS -X GET http://localhost/restconf/data/clixon-example:translate=key42/value)" '{"ietf-restconf:errors" : {"error": {"error-type": "protocol","error-tag": "access-denied","error-severity": "error","error-message": "default deny"}}}
'
+
+new2 "guest read other module fail"
+expecteq "$(curl -u guest:bar -sS -X GET http://localhost/restconf/data/nacm-example:x)" '{"ietf-restconf:errors" : {"error": {"error-type": "protocol","error-tag": "access-denied","error-severity": "error","error-message": "default deny"}}}
'
+
+new2 "guest read state fail"
+expecteq "$(curl -u guest:bar -sS -X GET http://localhost/restconf/data/clixon-example:state)" '{"ietf-restconf:errors" : {"error": {"error-type": "protocol","error-tag": "access-denied","error-severity": "error","error-message": "default deny"}}}
'
+
+new2 "guest read top ok (part)"
+expecteq "$(curl -u guest:bar -sS -X GET http://localhost/restconf/data)" '{"ietf-restconf:errors" : {"error": {"error-type": "protocol","error-tag": "access-denied","error-severity": "error","error-message": "default deny"}}}
'
+
+#------- RPC operation
+
 new2 "admin rpc ok"
 expecteq "$(curl -u andy:bar -s -X POST  -d '{"clixon-example:input":{"x":42}}' http://localhost/restconf/operations/clixon-example:example)" '{"clixon-example:output": {"x": "42","y": "42"}}
 
'
 
+new "admin rpc netconf ok"
+expecteof "$clixon_netconf -U andy -qf $cfg" 0 '<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"><example xmlns="urn:example:clixon"><x>0</x></example></rpc>]]>]]>' '^<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"><x xmlns="urn:example:clixon">0</x><y xmlns="urn:example:clixon">42</y></rpc-reply>]]>]]>$'
+
 new2 "limit rpc ok"
 expecteq "$(curl -u wilma:bar -s -X POST http://localhost/restconf/operations/clixon-example:example -d '{"clixon-example:input":{"x":42}}' )" '{"clixon-example:output": {"x": "42","y": "42"}}
 
'
 
+new "limit rpc netconf ok"
+expecteof "$clixon_netconf -U wilma -qf $cfg" 0 '<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"><example xmlns="urn:example:clixon"><x>0</x></example></rpc>]]>]]>' '^<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"><x xmlns="urn:example:clixon">0</x><y xmlns="urn:example:clixon">42</y></rpc-reply>]]>]]>$'
+
 new2 "guest rpc fail"
-expecteq "$(curl -u guest:bar -s -X POST http://localhost/restconf/operations/clixon-example:example -d '{"clixon-example:input":{"x":42}}' )" '{"ietf-restconf:errors" : {"error": {"error-type": "protocol","error-tag": "access-denied","error-severity": "error","error-message": "default deny"}}}
'
+expecteq "$(curl -u guest:bar -s -X POST http://localhost/restconf/operations/clixon-example:example -d '{"clixon-example:input":{"x":42}}' )" '{"ietf-restconf:errors" : {"error": {"error-type": "protocol","error-tag": "access-denied","error-severity": "error","error-message": "access denied"}}}
'
+
+new "guest rpc netconf fail"
+expecteof "$clixon_netconf -U guest -qf $cfg" 0 '<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"><example xmlns="urn:example:clixon"><x>0</x></example></rpc>]]>]]>' '^<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"><rpc-error><error-type>protocol</error-type><error-tag>access-denied</error-tag><error-severity>error</error-severity><error-message>access denied</error-message></rpc-error></rpc-reply>]]>]]>$'
+
+#------------------ Set read-default permit
+
+new "admin set read-default permit"
+expecteq "$(curl -u andy:bar -sS -X PUT -d '{"read-default": "permit"}' http://localhost/restconf/data/ietf-netconf-acm:nacm/read-default)" ""
+
+new2 "limit read ok"
+expecteq "$(curl -u wilma:bar -sS -X GET http://localhost/restconf/data/clixon-example:translate)" '{"clixon-example:translate": [{"k": "key42","value": "val42"},{ "k": "key43","value": "val43"}]}
+
'
+
+new2 "limit read other module ok"
+expecteq "$(curl -u wilma:bar -sS -X GET http://localhost/restconf/data/nacm-example:x)" '{"nacm-example:x": 42}
+
'
+
+new2 "guest read state fail"
+expecteq "$(curl -u guest:bar -sS -X GET http://localhost/restconf/data/clixon-example:state)" '{"ietf-restconf:errors" : {"error": {"error-type": "protocol","error-tag": "access-denied","error-severity": "error","error-message": "default deny"}}}
'
+
 
 new "Kill restconf daemon"
 sudo pkill -u www-data -f "/www-data/clixon_restconf"