This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ChckPnt82
Explorer
‎2021-09-02 07:00 AM

Export User Access Roles and Import to new CMA

Is there a way to export User Access Roles via the API and then add them to a different CMA?  I would prefer not to have to recreate them manually. I have some examples for network objects, but cannot figure out the access roles.

Preview file
1 KB
0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2021-09-02 04:00 PM

Yeah, you can list the access roles with show access-roles:  https://sc1.checkpoint.com/documents/latest/APIs/#cli/show-access-roles~v1.8%20 
You'd probably have to then list each one with show access-role uid xxxx,
And, presumably, create them with add access-role.

mcatanzaro
Employee
Employee
‎2021-09-04 08:49 PM

One of my customers has this exact requirement and I believe I found a solution in my lab.

 

Lab environment:

 

 

[Expert@mds:0]# clish -c 'show asset system' | grep Model
Model: Smart-1 5050
[Expert@mds:0]# cat /etc/*-release
Multi-Domain Security Management R80.40

 

 

 

Step 1. Getting the objects from the appropriate domain:

 

 

[Expert@mds:0]# mgmt_cli login user your_user password your_password domain "your_domain1" > id.txt

[Expert@mds:0]# mgmt_cli show access-roles details-level "full" --format json -s id.txt | $CPDIR/jq/jq '.objects[] | [ .["name"], .["networks"], .["users"], .["machines"], .["remote-access-clients"] ] | @csv' -r > access-roles.csv

 

 

 

Step 2. Adding values to top row of .csv file:

 

 

[Expert@mds:0]# cat access-roles.csv
"test_ar1","any","any","any",
"test_ar2","any","any","any",
"test_ar3","any","any","any",
[Expert@mds:0]# vim access-roles.csv
[Expert@mds:0]# cat access-roles.csv
"name","networks","users","machines","remote-access-clients",
"test_ar1","any","any","any",
"test_ar2","any","any","any",
"test_ar3","any","any","any",

 

 

 

Step 3. Log into target domain and add objects:

 

 

[Expert@mds:0]# mgmt_cli login user your_user password your_password domain "your_domain2" > id.txt
[Expert@mds:0]# mgmt_cli show access-roles details-level "full" --format json -s id.txt | $CPDIR/jq/jq '.objects[] | [ .["name"], .["networks"], .["users"], .["machines"], .["remote-access-clients"] ] | @csv' -r
[Expert@mds:0]#
[Expert@mds:0]# mgmt_cli add access-role --batch access-roles.csv -s id.txt
[Expert@mds:0]# mgmt_cli show access-roles details-level "full" --format json -s id.txt | $CPDIR/jq/jq '.objects[] | [ .["name"], .["networks"], .["users"], .["machines"], .["remote-access-clients"] ] | @csv' -r
"test_ar1","any","any","any",
"test_ar2","any","any","any",
"test_ar3","any","any","any",

 

 

 

I would recommend testing this method out in a non-production environment to be safe. It all appears to work fine in my lab. 

0 Kudos
JozkoMrkvicka
Mentor
Mentor
‎2021-09-14 11:31 AM
In response to mcatanzaro

Step 4: publish

Step 5: logout

😉

You can also skip Step 2 - create empty file where you will add headers and then append the file with the output from API command. No need to do manual work anymore.

Kind regards,
Jozko Mrkvicka
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events