topic Re: Possible to lock an object? in General Topics

Possible to lock an object?

S_E_ — Thu, 28 Mar 2024 07:48:21 GMT

Hi,

a question came up if it is possible to lock an network object/group object to prevent this from 'overriding or modifying'. I really mean on object level and not on admin permission profiles or similar.

So, basically the wish to add/use this object in any rule, but should not be possible to modify the object itself without a command/api call.

I tried the api call 'mgmt_cli lock-object'. However, after publishing the session, the lock was reset automatically.

-> see attachement

Is there any better idea/solution?

Thanks

Regards

Re: Possible to lock an object?

_Val_ — Tue, 02 Apr 2024 12:30:30 GMT

The whole idea of a locked object is not to publish that session. Did you try that?

Re: Possible to lock an object?

CheckPointerXL — Tue, 02 Apr 2024 13:33:42 GMT

global objects in MDS enviroment 🙂

Re: Possible to lock an object?

S_E_ — Tue, 02 Apr 2024 14:50:47 GMT

hi, not really. The idea behind was that the object can't be overwritten by some admins or api calls.

Regards

Re: Possible to lock an object?

Bob_Zimmerman — Tue, 02 Apr 2024 14:54:18 GMT

A lock on an object only lasts until the session holding the lock is published or discarded. You can lock the object and log out without publishing.

That said, someone might see the lock, see who has it locked, and discard the session so they can make a change. This isn't a way to restrict the ability to change an object, it's only a guardrail against accidental changes.

Re: Possible to lock an object?

_Val_ — Tue, 02 Apr 2024 15:06:52 GMT

Exactly what @Bob_Zimmerman said! Exit the script without publishing the session. The object will remain locked till you publish or discard that session.

Re: Possible to lock an object?

Hugo_vd_Kooij — Wed, 03 Apr 2024 05:34:00 GMT

It becomes complicated if you want to do this for multiple objects.

Either you have 1 session per object left open and you will find that you run into problems due to the large number of open sessions.

Or you have to automate it and release the previous session and re lock the objects. with the inherent chance someone will beat you to it and lock one just before your script got to it.

So it is a sort of a finger in the dijk solution. It work with one small hole but ties you up as part of it. So choose wisely how to use it. I see way to many ways in which this can go wrong and turn against you.

The suggestion of a MDS with just 1 domain might have some merits for this purpose. Be it it has it's own challenges.