topic Re: Using the API to map an Access Layer to a Policy Package in API / CLI Discussion

Using the API to map an Access Layer to a Policy Package

Brian_Deutmeyer — Sat, 07 Dec 2019 01:46:45 GMT

Hi friends-

I'm looking to use the API to add a rule to a layer and then install policy on the appropriate package (or packages for a shared layer). In SmartConsole, when I view layers (Manage policies and layers...), it shows me the package(s) the layer is used on, but I can't seem to find that mapping in the API. I've tried both show access-layer and show access-layers, but neither give me the packages. I tried doing a where-used on my layer UID, but that just gives me an error. I've noticed that showing all my packages lists the layers that are used, but what about the other way around? How do find which policy(ies) my access layer is a part of?

I'm on v1.5.

Thanks!

Re: Using the API to map an Access Layer to a Policy Package

PhoneBoy — Sun, 08 Dec 2019 06:26:33 GMT

Pretty sure this is not part of the API. Sounds like a good RFE. @Nir_Amara

Re: Using the API to map an Access Layer to a Policy Package

Nir_Amara — Sun, 08 Dec 2019 14:20:06 GMT

Hey Brian,

Thank you for your question.

As @PhoneBoy mentioned, there's currently no API that corresponds with the SmartConsole view you mentioned.

Indeed, the current way to achieve that would be iterating on the policy packages access layers' and check on which packages the changed layer is in use.

If you need help with implementing such logic, feel free to consult with us here.

Regardless, we'll look into the possibility of adding such field to the "access-layer" reply in future versions.

Best Regards,

Nir

Re: Using the API to map an Access Layer to a Policy Package

Brian_Deutmeyer — Mon, 09 Dec 2019 04:11:03 GMT

Thanks, Nir.

Adding a "packages : []" output or something like that to the access-layer would be awesome. It would make it really easy to walk up the chain from adding a rule to installation.

I'll put my friend JQ to work and start dumping my packages until said enhancement arrives. Let me know if you want an official RFE.

Re: Using the API to map an Access Layer to a Policy Package

Brian_Deutmeyer — Mon, 30 Dec 2019 21:45:44 GMT

@Nir_Amara - I'm noticing that the show-package API does not show inline access layers in the output. I've even tried with full details. Would you agree? How do I map an inline layer to a package?

Re: Using the API to map an Access Layer to a Policy Package

PhoneBoy — Tue, 31 Dec 2019 00:06:50 GMT

If it's not a shared inline layer, you can assume it's part of the same policy package.
If the inline layer is shared, it could easily be part of multiple policy packages.

Re: Using the API to map an Access Layer to a Policy Package

Brian_Deutmeyer — Tue, 31 Dec 2019 01:32:24 GMT

I'm going back to my original question. I know my layer name (which may be an inline layer), but how do I find the package my layer is used on for installation? If it's not an inline layer, show-package does the trick, but inline...not so much.

Re: Using the API to map an Access Layer to a Policy Package

Yael_G — Tue, 31 Dec 2019 12:36:15 GMT

Hi Brian,

As Nir mentioned, we'll look into the possibility of adding such field to the "access-layer" reply in future versions.

In the mean time you can find the packages which are using a specific inline layer by using the following steps:

Use “show access-layers” to get all the access-layers.
For each layer use “show access-rulebase” with “use-object-dictionary” set to false.
If the inline layer is part of this access-layer you will find it in the output under “rulebase”-> “inline-layer”.
To find the package use Nir’s explanation with the layer you found in step 2.

Notice: the layers you will find in step 2 can be also inline-layers.

Re: Using the API to map an Access Layer to a Policy Package

Brian_Deutmeyer — Tue, 31 Dec 2019 13:33:37 GMT

OK. I'll give that a try. Thanks!