Export User Access Roles and Import to new CMA

ChckPnt82 — Thu, 02 Sep 2021 14:35:38 GMT

Is there a way to export User Access Roles via the API and then add them to a different CMA? I would prefer not to have to recreate them manually. I have some examples for network objects, but cannot figure out the access roles.

Re: Export User Access Roles and Import to new CMA

PhoneBoy — Thu, 02 Sep 2021 23:00:00 GMT

Yeah, you can list the access roles with show access-roles: https://sc1.checkpoint.com/documents/latest/APIs/#cli/show-access-roles~v1.8%20
You'd probably have to then list each one with show access-role uid xxxx,
And, presumably, create them with add access-role.

Re: Export User Access Roles and Import to new CMA

mcatanzaro — Sun, 05 Sep 2021 04:12:19 GMT

One of my customers has this exact requirement and I believe I found a solution in my lab.

Lab environment:

[Expert@mds:0]# clish -c 'show asset system' | grep Model Model: Smart-1 5050 [Expert@mds:0]# cat /etc/*-release Multi-Domain Security Management R80.40

Step 1. Getting the objects from the appropriate domain:

[Expert@mds:0]# mgmt_cli login user your_user password your_password domain "your_domain1" > id.txt [Expert@mds:0]# mgmt_cli show access-roles details-level "full" --format json -s id.txt | $CPDIR/jq/jq '.objects[] | [ .["name"], .["networks"], .["users"], .["machines"], .["remote-access-clients"] ] | @csv' -r > access-roles.csv

Step 2. Adding values to top row of .csv file:

[Expert@mds:0]# cat access-roles.csv "test_ar1","any","any","any", "test_ar2","any","any","any", "test_ar3","any","any","any", [Expert@mds:0]# vim access-roles.csv [Expert@mds:0]# cat access-roles.csv "name","networks","users","machines","remote-access-clients", "test_ar1","any","any","any", "test_ar2","any","any","any", "test_ar3","any","any","any",

Step 3. Log into target domain and add objects:

[Expert@mds:0]# mgmt_cli login user your_user password your_password domain "your_domain2" > id.txt [Expert@mds:0]# mgmt_cli show access-roles details-level "full" --format json -s id.txt | $CPDIR/jq/jq '.objects[] | [ .["name"], .["networks"], .["users"], .["machines"], .["remote-access-clients"] ] | @csv' -r [Expert@mds:0]# [Expert@mds:0]# mgmt_cli add access-role --batch access-roles.csv -s id.txt [Expert@mds:0]# mgmt_cli show access-roles details-level "full" --format json -s id.txt | $CPDIR/jq/jq '.objects[] | [ .["name"], .["networks"], .["users"], .["machines"], .["remote-access-clients"] ] | @csv' -r "test_ar1","any","any","any", "test_ar2","any","any","any", "test_ar3","any","any","any",

I would recommend testing this method out in a non-production environment to be safe. It all appears to work fine in my lab.

Re: Export User Access Roles and Import to new CMA

JozkoMrkvicka — Tue, 14 Sep 2021 18:34:18 GMT

Step 4: publish

Step 5: logout

😉

You can also skip Step 2 - create empty file where you will add headers and then append the file with the output from API command. No need to do manual work anymore.

topic Re: Export User Access Roles and Import to new CMA in API / CLI Discussion

Export User Access Roles and Import to new CMA

Re: Export User Access Roles and Import to new CMA

Re: Export User Access Roles and Import to new CMA

Re: Export User Access Roles and Import to new CMA