
Add users to existing access-role

Hello,

I am trying to add an AD user to an existing group.
Code I tried:
set access-role name "Test_Access_Role" users "test1" machines "any" networks "any" remote-access-clients "any"

Every command I enter returns an error message.

What am I missing?

0 Kudos
6 Replies
Admin
Admin

Re: Add users to existing access-role

Because you're calling the API incorrectly for users.
It should be users.add.source and then the AD name, if I'm reading the documentation properly.
Refer to the API documentation: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/set-access-role~v1.5%20

Re: Add users to existing access-role

Hi,

I tried to write as you wrote but I get the following error message:

set access-role name "Test_Access_Role" users.add.source "test1" machines "any" networks "any" remote-access-clients "any"

code: "generic_err_missing_required_parameters"
message: "Missing parameter: [selection]"

Any idea?

Thanks

0 Kudos
wislleym
Nickel

Re: Add users to existing access-role

I am trying to create an access role and am having difficulties. I am trying to add the Active Directory group called DIRECTORS. I used the command

add access-role name "DIRECTORS" networks "any" machines "any" users.add.source "DIRECTORS"

The output of the command indicates that the select parameter is missing, but reading the MANAGEMENT API I could not identify what this parameter would be.

0 Kudos
Admin
Admin

Re: Add users to existing access-role

Definitely something missing in the API documentation as I have no idea what "selection" refers to here.
@Amiad_Stern any ideas?

wislleym
Nickel

Re: Add users to existing access-role

Hello PhoneBoy. After some trying I created the access role. I used the command

add access-role name "DIRETORIA" networks "any" machines "any" remote-access-client "any" users.add.source "PAINT.LOCAL__AD" users.selection "Diretoria"

where PAINT.LOCAL is the name of my domain and Diretoria is the name of my Active Directory group. A message was displayed stating that the requested object name [Diretoria] was not unique and that I should use the base-dn parameter to add the access role. Then I used the command

add access-role name "DIRETORIA" networks "any" machines "any" remote-access-client "any" users.source "PAINT.LOCAL__AD" users.selection "Diretoria" users.base-dn "CN=Diretoria,OU=Diretoria,OU=MATRIZ,DC=paint,DC=local" color "yellow"


Admin
Admin

Re: Add users to existing access-role

The error message was a little misleading but it does appear that's documented.
Glad you got it working.
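An added example, not code from any poster in this thread or from Check Point: a small Python helper that builds the `users` object from source, selection and an optional base-dn, rejects an entry with no selection before it reaches the API, and prints the dotted command form used above. The function names are hypothetical, and placing the entry under `users.add` for `set access-role` is an assumption inferred from the "Missing parameter: [selection]" error; the thread only confirms the `add access-role` form.

```python
def user_entry(source, selection, base_dn=None):
    """One 'users' object: AD source, user or group name, optional base-dn."""
    if not source or not selection:
        # The case the thread hit: a source was given without a selection.
        raise ValueError("both source and selection are required")
    entry = {"source": source, "selection": selection}
    if base_dn:
        # Needed when the selection name is not unique in the directory.
        entry["base-dn"] = base_dn
    return entry


def flatten(obj, prefix=""):
    """Turn nested dicts into (dotted.key, value) pairs, in insertion order."""
    pairs = []
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            pairs.extend(flatten(value, path))
        else:
            pairs.append((path, value))
    return pairs


def build_command(verb, role, entry):
    """Return (payload, command line) for 'add' or 'set' access-role."""
    if verb == "add":
        payload = {"name": role, "users": entry}
    elif verb == "set":
        # Assumption: an existing role takes the new entry under users.add.
        payload = {"name": role, "users": {"add": entry}}
    else:
        raise ValueError("verb must be 'add' or 'set'")
    parts = []
    for key, value in flatten(payload):
        if '"' in value:
            raise ValueError(f"double quote not allowed in {key}")
        parts.append(f'{key} "{value}"')
    return payload, f"{verb} access-role " + " ".join(parts)


if __name__ == "__main__":
    # Values taken from the working command posted in the thread.
    entry = user_entry("PAINT.LOCAL__AD", "Diretoria",
                       "CN=Diretoria,OU=Diretoria,OU=MATRIZ,DC=paint,DC=local")
    print(build_command("add", "DIRETORIA", entry)[1])
```

Running it prints the `users.*` part of the working command from the thread; check the `set` form against the API reference linked above before relying on it.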