ChckPnt82
Explorer

Export User Access Roles and Import to new CMA

Is there a way to export User Access Roles via the API and then add them to a different CMA?  I would prefer not to have to recreate them manually. I have some examples for network objects, but cannot figure out the access roles.

0 Kudos
3 Replies
PhoneBoy
Admin

Yeah, you can list the access roles with show access-roles: https://sc1.checkpoint.com/documents/latest/APIs/#cli/show-access-roles~v1.8
You'd probably have to then list each one with show access-role uid xxxx, and, presumably, create them with add access-role.

mcatanzaro
Employee

One of my customers has this exact requirement and I believe I found a solution in my lab.

Lab environment:

[Expert@mds:0]# clish -c 'show asset system' | grep Model
Model: Smart-1 5050
[Expert@mds:0]# cat /etc/*-release
Multi-Domain Security Management R80.40

Step 1. Getting the objects from the appropriate domain:

[Expert@mds:0]# mgmt_cli login user your_user password your_password domain "your_domain1" > id.txt

[Expert@mds:0]# mgmt_cli show access-roles details-level "full" --format json -s id.txt | $CPDIR/jq/jq '.objects[] | [ .["name"], .["networks"], .["users"], .["machines"], .["remote-access-clients"] ] | @csv' -r > access-roles.csv

Step 2. Adding values to top row of .csv file:

[Expert@mds:0]# cat access-roles.csv
"test_ar1","any","any","any",
"test_ar2","any","any","any",
"test_ar3","any","any","any",
[Expert@mds:0]# vim access-roles.csv
[Expert@mds:0]# cat access-roles.csv
"name","networks","users","machines","remote-access-clients",
"test_ar1","any","any","any",
"test_ar2","any","any","any",
"test_ar3","any","any","any",

Step 3. Log into target domain and add objects:

[Expert@mds:0]# mgmt_cli login user your_user password your_password domain "your_domain2" > id.txt
[Expert@mds:0]# mgmt_cli show access-roles details-level "full" --format json -s id.txt | $CPDIR/jq/jq '.objects[] | [ .["name"], .["networks"], .["users"], .["machines"], .["remote-access-clients"] ] | @csv' -r
[Expert@mds:0]#
[Expert@mds:0]# mgmt_cli add access-role --batch access-roles.csv -s id.txt
[Expert@mds:0]# mgmt_cli show access-roles details-level "full" --format json -s id.txt | $CPDIR/jq/jq '.objects[] | [ .["name"], .["networks"], .["users"], .["machines"], .["remote-access-clients"] ] | @csv' -r
"test_ar1","any","any","any",
"test_ar2","any","any","any",
"test_ar3","any","any","any",

I would recommend testing this method out in a non-production environment to be safe. It all appears to work fine in my lab.

0 Kudos
JozkoMrkvicka
Leader

Step 4: publish

Step 5: logout

😉

You can also skip Step 2: create an empty file, add the headers to it, and then append the output from the API command to that file. No need to do manual work anymore.

Kind regards,
Jozko Mrkvicka
0 Kudos
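Steps 1 and 2 of the thread with the header row written automatically, as the last reply suggests. This is an added example, not code from the posters or from Check Point. It assumes the JSON shape implied by the thread's jq filter (`.objects[]` with those five fields) and goes slightly beyond the thread by reporting roles whose fields are lists or objects, which a flat CSV cell cannot carry; the function name, the sample data and the `scoped_ar` shape are constructed for illustration.

```python
"""Build an `add access-role --batch` CSV, header included, from `show access-roles` JSON."""
import csv
import io
import json
import sys

# Column order taken from the jq filter used in the thread.
FIELDS = ["name", "networks", "users", "machines", "remote-access-clients"]


def roles_to_batch_csv(show_output: str):
    """Return (csv_text, skipped); skipped lists roles that need manual handling."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(FIELDS)  # header row, so no manual edit of the file is needed
    skipped = []
    for role in json.loads(show_output).get("objects", []):
        values = [role.get(f) for f in FIELDS]
        # A flat CSV cell can only hold a scalar. Lists or nested objects
        # (for example a role scoped to specific networks) are reported
        # instead of being silently flattened into a wrong value.
        bad = [f for f, v in zip(FIELDS, values) if isinstance(v, (list, dict))]
        if bad or not isinstance(role.get("name"), str):
            skipped.append((role.get("name"), bad))
            continue
        writer.writerow(["" if v is None else v for v in values])
    return buf.getvalue(), skipped


# Constructed sample input (not output captured from a real server).
SAMPLE = json.dumps({"objects": [
    {"name": "test_ar1", "networks": "any", "users": "any", "machines": "any"},
    {"name": "test_ar2", "networks": "any", "users": "any", "machines": "any",
     "remote-access-clients": None},
    # Assumed shape for a role restricted to specific networks.
    {"name": "scoped_ar", "networks": [{"name": "net_10.0.0.0"}],
     "users": "any", "machines": "any"},
]})

if __name__ == "__main__":
    # With piped input, convert it; run with no pipe to see the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    csv_text, skipped = roles_to_batch_csv(text)
    sys.stdout.write(csv_text)
    for name, fields in skipped:
        print(f"skipped {name}: non-scalar {fields}", file=sys.stderr)
```

Pipe the Step 1 `mgmt_cli show access-roles ... --format json -s id.txt` output into the script and redirect stdout to access-roles.csv; skipped roles are listed on stderr. id.txt holds a live session ID, so remove it after the logout in Step 5.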