Management API | Export and import access-role objects

Hello guys,

I need to copy several hundred access-roles objects from one domain to another one (running within the same MDM server). As there is no pre-built solution to copy objects between domains (as far as I know) I wanted to accomplish this via the management api.

In order to do this I was planning to perform the following steps:

> execute the "show access roles" command within a loop in order to obtain the uid of each access role object that exists

> take the uid of the previous command and parse it into the "show access-role uid <id>" command + obtain the object information via a jq parsing in the following style:

mgmt_cli show access-role uid $line --format json -s > json_role_data.tmp
cat json_role_data.tmp | jq -r '[.uid, .name, .users[].name] | @csv' >> access_role_objects.csv

This is also working fine (please note that I only require these fields; as we work with LDAP groups only, the machine or network information is not relevant for now). Now to the reason for this thread ... how can I import/create new access role objects with the information that I have already obtained?

The API documentation regarding the "add access role" command mentions the following requirements in order to write a new access-role object via users parameter:

Parameter name   Value    Description
source           string   Active Directory name or UID or Identity Tag or Internal User Groups or LDAP groups or Guests.
selection        string   Name or UID of an object selected from source.

I honestly do not understand what this means, as I am also unable to find any example.

Is the "source" the ldap path while the "selection" is equal to the actual group name? If yes it seems to be impossible to accomplish my task of copying the objects via the api as I am just able to read the group name but not the full ldap path (which is visible via the SmartConsole object manager).

Edit: Via "details-level" I am able to see more details (for example the LDAP DN) but still not the values "source" and "selection" which are required in order to create new objects.

Edit 2: I just found out that "users.source" is the LDAP server which is getting queried, while "users.selection" is the actual name of the AD group (or user) on the specific LDAP server. Once you add the group to the access role object it is saved and displayed as "ad_group_<groupname>", where <groupname> is the actual group name/value of the "users.selection" parameter (aka the actual group name as defined per LDAP). Thus I need to export the following things...

> access role object name

> user/group name

> dn information ("ldap path")

Afterwards I need to remove the "ad_group" part from the exported group name in order to receive the name that is getting queried [input for the add access role command]. Finally I also need to split the "DN" information in order to rebuild the LDAP server name, which is also required for the creation of an access role. And in the end I need a way to bulk create the objects, which have a different amount of AD groups attached to them (CSV bulk import is not possible I guess, as the "CSV header" length is kind of variable due to the just mentioned different amount of AD groups per access role object).

Is there any other way to accomplish this task without having to reformat every single exported value as the import expects different information? I would also be fine with different solutions that do not rely on the API but a different tool.


I am sure that I am missing something...

Thanks in advance for any hint!
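The reformatting described in the post (strip the "ad_group_"/"ad_user_" prefix, derive the LDAP server from the DN, rebuild per-role "users" lists of variable length) can be done in one pass over the exported JSON. The following is an added example, not code from the original post or from Check Point: the JSON layout of the "show access-role" response, the "dn" field name and the mapping from the DN's DC= components to the LDAP Account Unit name are assumptions, and the sample export is constructed. The output is one request body per role in the {name, users: [{source, selection}]} shape the post quotes for "add access-role".

```python
"""Turn 'show access-role' output into 'add access-role' request bodies.

Added example. Field names follow what the forum post reports (user/group
names prefixed with ad_group_/ad_user_, a DN available at full details
level); the exact response layout and the DC -> LDAP server mapping are
assumptions, and the sample data is constructed.
"""
import json
import re

# Constructed sample: what two 'mgmt_cli show access-role uid <uid>
# --format json --details-level full' calls might return. Layout assumed.
SAMPLE_SHOW_OUTPUT = [
    {
        "uid": "11111111-2222-3333-4444-555555555555",
        "name": "AR_Finance",
        "users": [
            {"name": "ad_group_Finance-Users",
             "dn": "CN=Finance-Users,OU=Groups,DC=corp,DC=example,DC=com"},
            {"name": "ad_user_jdoe",
             "dn": "CN=jdoe,OU=People,DC=corp,DC=example,DC=com"},
        ],
    },
    {
        "uid": "66666666-7777-8888-9999-000000000000",
        "name": "AR_RemoteAccess",
        "users": [
            {"name": "ad_group_VPN-Users",
             "dn": "CN=VPN-Users,OU=Groups,DC=lab,DC=example,DC=net"},
        ],
    },
]

# Assumed, site-specific: dotted domain built from the DN's DC= parts ->
# name of the LDAP Account Unit object that 'users.source' expects.
DC_TO_LDAP_SERVER = {
    "corp.example.com": "corp_ad",
    "lab.example.net": "lab_ad",
}

PREFIX_RE = re.compile(r"^ad_(group|user)_(.+)$")


def strip_identity_prefix(name):
    """'ad_group_Foo' -> ('group', 'Foo'); 'ad_user_bob' -> ('user', 'bob').

    Names without the prefix (e.g. an internal user group) raise instead of
    being silently passed through as an AD selection.
    """
    m = PREFIX_RE.match(name)
    if not m:
        raise ValueError(f"unexpected user/group name format: {name!r}")
    return m.group(1), m.group(2)


def domain_from_dn(dn):
    """Join the DC= components of a DN into a dotted domain name.

    Simple comma split: DNs with escaped commas are not handled here.
    """
    parts = [p.strip() for p in dn.split(",")]
    dcs = [p.split("=", 1)[1] for p in parts if p.upper().startswith("DC=")]
    if not dcs:
        raise ValueError(f"no DC components in DN: {dn!r}")
    return ".".join(dcs)


def ldap_server_from_dn(dn, mapping=DC_TO_LDAP_SERVER):
    """Resolve the LDAP server object name for a DN via the mapping."""
    domain = domain_from_dn(dn)
    if domain not in mapping:
        raise ValueError(f"no LDAP server configured for domain {domain!r}")
    return mapping[domain]


def build_add_payloads(show_output, mapping=DC_TO_LDAP_SERVER):
    """One add-access-role body per exported role, users list of any length."""
    payloads = []
    for role in show_output:
        users = []
        for entry in role.get("users", []):
            dn = entry.get("dn")
            if not dn:  # only present at full details level, per the post
                raise ValueError(f"{entry.get('name')!r} has no DN; export "
                                 "with --details-level full")
            _kind, bare = strip_identity_prefix(entry["name"])
            users.append({"source": ldap_server_from_dn(dn, mapping),
                          "selection": bare})
        payloads.append({"name": role["name"], "users": users})
    return payloads


if __name__ == "__main__":
    for body in build_add_payloads(SAMPLE_SHOW_OUTPUT):
        print(json.dumps(body))
```

Each printed line is the body for one add-access-role call, so the variable number of groups per role is no longer a CSV-header problem; a role whose DN domain is not in the mapping, or whose entry lacks the prefix or the DN, stops the run with a clear error rather than creating a wrong object.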

4 Replies

I have the same task here on my end customer's site. MDM, multiple Domains. One having all the Access Roles. Another one requiring them due to an expansion of Identity Awareness (IA) to another domain, now also using IA, in this case for remote access.

We would like to build a similar but not the same construct of access to the Network, that we have for the internal clients/users/user groups.


Why are you not using the relevant object UIDs which don’t require any reformatting to be reused?
That would be the canonical way to do it.


Could you explain a little bit more about this procedure? I'm currently unable to understand what you mean.


Maybe my initial question was badly worded due to the edits of the post. My current problem is basically that I have issues with the (automated) access role object creation via the management CLI. The reason for that is that the "show access-roles uid <uid>" command shows different values than the ones required for the object creation via "add/set access-role". That's why I need to do manual formatting of the DN field of the show command in order to change the field to the actual LDAP server object which is getting queried (and required for the object creation). Additionally I need to make changes to the group information within the access role object, as the mgmt API returns the names with "ad_group_" or "ad_user_" prepended to them - while, again - the object needs to be created with the group name as defined in the LDAP server (without the ad_group/user stuff in the beginning).

Such issues do not exist with object manipulation/automation of different object kinds like for example host, service or group objects.


I believe we are talking about a sustainable way of exporting and importing hundreds or thousands of Access Roles (including their content).

A simple request, becoming very complicated with the tools at hand. It's a bit like bending lampposts with the little finger.