This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Maor_Benamer
Explorer
‎2019-06-05 12:47 AM

Add users to existing access-role

Hello,

I am trying to add an AD user to an existing group.
Code I tried:
set access-role name "Test_Access_Role" users "test1" machines "any" networks "any" remote-access-clients "any"

Every command I enter returns an error message.

what am I missing?

0 Kudos
Reply
6 Replies
PhoneBoy
Admin
Admin
‎2019-06-07 01:51 PM

Because you're calling the API incorrectly for users.
It should be users.add.source and then the AD name, if I'm reading the documentation properly.
Refer to the API documentation: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/set-access-role~v1.5%20
Reply
Maor_Benamer
Explorer
‎2019-06-10 11:16 PM
In response to PhoneBoy

Hi,

I tried to write as you wrote but I get the following error message:

set access-role name "Test_Access_Role" users.add.source "test1" machines "any" networks "any" remote-access-clients "any"

code: "generic_err_missing_required_parameters"
message: "Missing parameter: [selection]"

Any idea?

Tnx 

0 Kudos
Reply
wislleym
Contributor
‎2019-08-15 11:35 AM
In response to Maor_Benamer

I am trying to create an access role and am having difficulties. I am trying to add the active directory group called DIRECTORS. I used the command add access-role name "DIRECTORS" networks "any" machines "any" users.add.source "DIRECTORS". The output of the command indicates that the select parameter is missing, but reading the MANAGEMENT API I could not identify what this parameter would be.

Preview file
56 KB
0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2019-08-15 12:23 PM
In response to wislleym

Definitely something missing in the API documentation as I have no idea what "selection" refers to here.
@Amiad_Stern any ideas?

Reply
wislleym
Contributor
‎2019-08-16 12:25 PM
In response to PhoneBoy

Hello PhoneBoy. After some trying i created the access role. I used the command add access-role name "DIRETORIA" networks "any" machines "any" remote-access-client "any" users.add.source "PAINT.LOCAL__AD" users.selection "Diretoria" where PAINT.LOCAL is the name from my domain and where Diretoria is the name of my active directory group. A message was displayed stating that the requested object name [Diretoria] was not unique and that i should use the base-dn parameter to add the access role. Then i used the command add access-role name "DIRETORIA" networks "any" machines "any" remote-access-client "any" users.source "PAINT.LOCAL__AD" users.selection "Diretoria" users.base-dn "CN=Diretoria,OU=Diretoria,OU=MATRIZ,DC=paint,DC=local" color "yellow"

34.jpg

Reply
PhoneBoy
Admin
Admin
‎2019-08-16 01:17 PM
In response to wislleym

The error message was a little misleading but it does appear that's documented.
Glad you got it working.
Reply