A method by a network device to restrict access to a management interface, where the management interface is defined by a data model, and where the network device is provided by an equipment provider to an equipment operator for use by the equipment operator. The method includes receiving a first request from a management system to perform a first management operation that involves accessing a module of the data model, where the first request specifies a security credential as a key for a security wrapper defined by the module, and where the security credential is supplied to the management system by the equipment provider and is inaccessible to the equipment operator, verifying whether the security credential specified by the first request is valid, and performing the first management operation in response to verifying that the security credential specified by the first request is valid.