Solved: Re: Query permission profiles where used.

Jeremy_Parker · ‎2019-02-11

Hello,
I'm trying to use the mgmt_cli to query where a permission profile is used but I'm running into a roadblock.

I can't see any reference to it on accounts or any reference to accounts on it when I query with show object.

Object type is blank here which I'm guessing is a problem.

.\mgmt_cli.exe show object uid $id details-level full -m $server --format json --session-id $sid
{
  "object" : {
    "uid" : "96040d34-c882-407e-a3db-14dc3e705b62",
    "name" : "Full_Administration",
    "type" : "",
    "domain" : {
      "uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
      "name" : "SMC User",
      "domain-type" : "domain"
    },
    "color" : "blue",
    "meta-info" : {
      "validation-state" : "ok",
      "last-modify-time" : {
        "posix" : 1542166849773,
        "iso-8601" : "2018-11-14T11:40+0800"
      },
      "last-modifier" : "System",
      "creation-time" : {
        "posix" : 1510728202381,
        "iso-8601" : "2017-11-15T14:43+0800"
      },
      "creator" : "System"
    },
    "tags" : [ ],
    "icon" : "General/Role",
    "comments" : "All Admin rights",
    "display-name" : "",
    "customFields" : null
  }
}‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Since in the GUI it shows where-used correctly I thought this might be the answer but the where-used command doesn't find it.

.\mgmt_cli.exe where-used uid $id details-level full -m $server --format json --session-id $sid

{
  "code" : "generic_err_object_not_found",
  "message" : "Requested object [96040d34-c882-407e-a3db-14dc3e705b62] not found"
}‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Is it possible to figure out from the API where a permission profile is applied?

Thanks
Jeremy

EDIT: Running 80.20

PhoneBoy · ‎2019-02-14

System Data is an built-in domain that contains MDS-level data.

It exists even on non-MDS systems.

However, the only way you can "show" that domain is to log into the "System Data" domain to show it:

[Expert@mgmt:0]# mgmt_cli -r true --domain 'System Data' --format json show domains
{
 "objects" : [ {
 "uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
 "name" : "SMC User",
 "type" : "domain",
 "domain" : {
 "uid" : "a0eebc99-afed-4ef8-bb6d-fedfedfedfed",
 "name" : "System Data",
 "domain-type" : "mds"
 }
 } ],
 "from" : 1,
 "to" : 1,
 "total" : 1
}
[Expert@mumford:0]#

FYI, -r true will not work from mgmt_cli.exe.

It is a shortcut to create a session as "root" but will only work from the CLI of the management server itself, which I am doing in this example.

And, if you log into the "System Data" domain when you create your session, you can see the administrators.

So:

mgmt_cli -u user -p password -m x.y.z.w --domain "System Data"

mgmt_cli -m x.y.z.w --session-id $sid show-administrators

And yes, I did verify this works on Windows as well

View solution in original post

PhoneBoy · ‎2019-02-12

What version of management?

Amiad Stern‌

Jeremy_Parker · ‎2019-02-13

80.20, Sorry should have mentioned!

PhoneBoy · ‎2019-02-14

First of all, you need to be querying against the 'System Data' domain.

For example, I can see the profile associated with my user:

[Expert@mgmt:0]# mgmt_cli -r true --domain 'System Data' --format json show-administrator name phoneboy

{

"uid" : "5758dc57-9eac-4f8e-8041-0570652a8f19",

"name" : "phoneboy",

"type" : "administrator",

"domain" : {

"uid" : "a0eebc99-afed-4ef8-bb6d-fedfedfedfed",

"name" : "System Data",

"domain-type" : "mds"

},

"email" : "",

"phone-number" : "",

"authentication-method" : "check point password",

"must-change-password" : false,

"permissions-profile" : {

"uid" : "3c8bf435-6bdc-4dec-aab0-5af53bbf946b",

"name" : "Read Write All",

"type" : "PermissionRole",

"domain" : {

"uid" : "a0bbbc99-adef-4ef8-bb6d-defdefdefdef",

"name" : "Check Point Data",

"domain-type" : "data domain"

}

},

"sic-name" : "",

"comments" : "",

"color" : "black",

"icon" : "General/Administrator",

"tags" : [ ],

"meta-info" : {

"lock" : "unlocked",

"validation-state" : "ok",

"last-modify-time" : {

"posix" : 1550159709995,

"iso-8601" : "2019-02-14T15:55+0000"

},

"last-modifier" : "admin",

"creation-time" : {

"posix" : 1550159709995,

"iso-8601" : "2019-02-14T15:55+0000"

},

"creator" : "admin"

},

"read-only" : false

}

Of course, that doesn't solve the next question, which is, why isn't where-used working with permission profiles.

[Expert@mgmt:0]# mgmt_cli --r true --domain 'System Data' --format json where-used uid 3c8bf435-6bdc-4dec-aab0-5af53bbf946b

{

"code" : "generic_err_object_not_found",

"message" : "Requested object [3c8bf435-6bdc-4dec-aab0-5af53bbf946b] not found"

}

Amiad Stern‌ any ideas here?

Amiad_Stern · ‎2019-02-14

Looks like a missing functionality in API. I will open task on that in our system.

I have a WA to suggest (not elegant but will do the trick) - list all administrators which their profile match to specific UID.

Here is an example of command i did on my setup:

mgmt_cli -r true -d "System Data" show administrators details-level full -f json | jq '.objects[] | select ((."permissions-profile".uid) == "76bf1ca0-5333-46d1-ad06-fb8e9c758cd9")| [.name , .uid, .type] | @csv ' -r

And its output:

"amiadAdmin","14e0ae1d-fd17-44fc-ad29-42289a7a3c7d","administrator"

Jeremy_Parker · ‎2019-02-14

Is the System Data an inbuilt domain? Might it's name be different?

Looks like that's the right way to go about it but my commands don't seem to find it.

.\mgmt_cli.exe show-administrators --domain 'System Data' -r true --session-id $sid --format json
{
"code" : "err_inappropriate_domain_type",
"message" : "This command can work only on domains of type MDS. Cannot execute it in the current domain (current domain type is Domain)."
}

Doesn't find that domain, or it's not the correct type.

.\mgmt_cli.exe show-administrators -r true --session-id $sid --format json
{
"code" : "err_inappropriate_domain_type",
"message" : "This command can work only on domains of type MDS. Cannot execute it in the current domain (current domain type is Domain)."
}

Leaving the domain out is the same thing.

I thought maybe I could check for a rename with show domains.

.\mgmt_cli.exe show domains limit 50 offset 0 --session-id $sid --format json
{
"objects" : [ ],
"total" : 0
}

But that also returns no results.

And just for good measure tried to find that domain with show domain

.\mgmt_cli.exe show domain name 'System Data' --session-id $sid --format json
{
"code" : "generic_err_object_not_found",
"message" : "Requested object [System Data] not found"
}

Any suggestions on how to proceed?
Could just be something weird or different in our environment. It wouldn't be the first time work has changed something in the past for some obscure historical reason and left it like that for 10 years.

PhoneBoy · ‎2019-02-14