Solved: Re: Unable to add administrators via mgmt_cli

Firewall_Head · ‎2024-09-03

Dear Checkmates,

OS:R81.10 JHF_156

I am trying to import a list of administrators using a .csv file via the mgmt_cli but it doesn't work and shows the error:

" Line 2: code: "err_inappropriate_domain_type"
message: "This command can work only on domains of type MDS. Cannot execute it in the current domain (current domain type is Domain)."

API details:

[Expert@SA_1:0]# mgmt_cli -r true login
uid: "7b8f6efd-fef1-4ab9-a152-f6205edbaffc"
sid: "jBl4yyzlVFA52kP2MWfisetNXQpGFHx6HfkRVEsQd_4"
url: "https://127.0.0.1:443/web_api"
session-timeout: 600
last-login-was-at:
posix: 1725397582
iso-8601: "2024-09-04T02:36+0530"
read-only: false
standby: false
api-server-version: "1.8.1"

I am attaching a snap of the csv file which I have created, please let me know how to get this working.

Thanks in advance!

==========

WR,

FH

PhoneBoy · ‎2024-09-03

Yes, because administrator users must be added only in the System Data domain as stated in the documentation.
Which means, at the login step, the domain must be specified (e.g. mgmt_cli -r true -d 'System Data').
This is true regardless of whether it's Multi-Domain or not.

View solution in original post

PhoneBoy · ‎2024-09-04

The domain is only relevant on and is specified as part of the login call.
In all other cases, the session ID is sufficient.
In this case, I am piping the output out the login call to sid.txt so it can be read by subsequent calls (-s sid.txt).
Using the CSV file you provided, the following commands worked on my system:

mgmt_cli -r true -s 'System Data' > sid.txt
mgmt_cli -s sid.txt add administrator -b admins.csv
mgmt_cli -s sid.txt publish

The publish is required for committing any changes made through the API.
Otherwise, the changes will be locked in the created session until it is published or discarded.
Here is the result the API provided when I queried the user:

[Expert@R82-EA1:0]# mgmt_cli -s sid.txt show administrator name sayooj --format json
{
  "uid" : "1bb02495-4e3e-4c0e-9660-e2bc52224d5a",
  "name" : "sayooj",
  "type" : "administrator",
  "domain" : {
    "uid" : "a0eebc99-afed-4ef8-bb6d-fedfedfedfed",
    "name" : "System Data",
    "domain-type" : "mds"
  },
  "email" : "",
  "phone-number" : "",
  "authentication-method" : "check point password",
  "must-change-password" : true,
  "permissions-profile" : {
  "uid" : "ff2c8363-eedd-4d06-a140-a2ede779f09e",
  "name" : "Super User",
  "type" : "domain-permissions-profile",
  "domain" : {
    "uid" : "a0bbbc99-adef-4ef8-bb6d-defdefdefdef",
    "name" : "Check Point Data",
    "domain-type" : "data domain"
  },
  "icon" : "General/Role",
  "color" : "black"
},
"sic-name" : "",
"comments" : "",
"color" : "black",
"icon" : "General/Administrator",
"tags" : [ ],
"meta-info" : {
  "lock" : "unlocked",
  "validation-state" : "ok",
  "last-modify-time" : {
    "posix" : 1725486662429,
    "iso-8601" : "2024-09-04T16:51-0500"
  },
  "last-modifier" : "WEB_API",
  "creation-time" : {
    "posix" : 1725486662429,
    "iso-8601" : "2024-09-04T16:51-0500"
  },
  "creator" : "WEB_API"
},
"read-only" : false,
"available-actions" : {
  "edit" : "true",
  "delete" : "true",
  "clone" : "true"
  }
}
[Expert@R82-EA1:0]#

View solution in original post

PhoneBoy · ‎2024-09-03

Yes, because administrator users must be added only in the System Data domain as stated in the documentation.
Which means, at the login step, the domain must be specified (e.g. mgmt_cli -r true -d 'System Data').
This is true regardless of whether it's Multi-Domain or not.

Firewall_Head · ‎2024-09-04

@PhoneBoy Thanks for your reply.

When i tried to do the same using the steps mentioned again I am encountering problems.

Attaching image for your reference, can you help me with the right usage of the command if am wrong.

=======

WR,
FH

PhoneBoy · ‎2024-09-04

First of all, subsequent mgmt_cli commands must reference the session that was obtained from the login API call.
This is either done with the --session-id or -s parameter to mgmt_cli.
None of the following commands did that, which is why most of your commands after the login are failing.

Second, you may not have defined the CSV file correctly.
The first line in the CSV must correspond to the parameter names for the relevant API call: https://sc1.checkpoint.com/documents/latest/APIs/#cli/add-administrator~v1.9.1%20
The subsequent lines are the relevant values that are passed to each one.

To troubleshoot issues with the CSV file, I'd need to see it (or a sample of it).

Firewall_Head · ‎2024-09-04

Hi @PhoneBoy ,

I tried as you suggested but no luck, I am pasting my session output below for your reference.

[Expert@SA_1:0]# mgmt_cli -r true login
uid: "c192f3fd-6405-4ceb-a8ef-d9412408eec6"
sid: "obw7pv2mp6o7-C6LMIKCQfad9QV87W9dd-x8tsHruwM"
url: "https://127.0.0.1:443/web_api"
session-timeout: 600
last-login-was-at:
posix: 1725484400
iso-8601: "2024-09-05T02:43+0530"
read-only: false
standby: false
api-server-version: "1.8.1"

[Expert@SA_1:0]# mgmt_cli add administrator -b admins.csv --session-id obw7pv2mp6o7-C6LMIKCQfad9QV87W9dd-x8tsHruwM -d 'System Data'
Line 2: code: "err_inappropriate_domain_type"
message: "This command can work only on domains of type MDS. Cannot execute it in the current domain (current domain type is Domain)."

[Expert@SA_1:0]# cat admins.csv
name,password,authentication-method,permissions-profile
sayooj,e3w2q1,check point password,Super User
[Expert@SA_1:0]#

======

WR,

FH

PhoneBoy · ‎2024-09-04

The domain is only relevant on and is specified as part of the login call.
In all other cases, the session ID is sufficient.
In this case, I am piping the output out the login call to sid.txt so it can be read by subsequent calls (-s sid.txt).
Using the CSV file you provided, the following commands worked on my system:

mgmt_cli -r true -s 'System Data' > sid.txt
mgmt_cli -s sid.txt add administrator -b admins.csv
mgmt_cli -s sid.txt publish

The publish is required for committing any changes made through the API.
Otherwise, the changes will be locked in the created session until it is published or discarded.
Here is the result the API provided when I queried the user:

[Expert@R82-EA1:0]# mgmt_cli -s sid.txt show administrator name sayooj --format json
{
  "uid" : "1bb02495-4e3e-4c0e-9660-e2bc52224d5a",
  "name" : "sayooj",
  "type" : "administrator",
  "domain" : {
    "uid" : "a0eebc99-afed-4ef8-bb6d-fedfedfedfed",
    "name" : "System Data",
    "domain-type" : "mds"
  },
  "email" : "",
  "phone-number" : "",
  "authentication-method" : "check point password",
  "must-change-password" : true,
  "permissions-profile" : {
  "uid" : "ff2c8363-eedd-4d06-a140-a2ede779f09e",
  "name" : "Super User",
  "type" : "domain-permissions-profile",
  "domain" : {
    "uid" : "a0bbbc99-adef-4ef8-bb6d-defdefdefdef",
    "name" : "Check Point Data",
    "domain-type" : "data domain"
  },
  "icon" : "General/Role",
  "color" : "black"
},
"sic-name" : "",
"comments" : "",
"color" : "black",
"icon" : "General/Administrator",
"tags" : [ ],
"meta-info" : {
  "lock" : "unlocked",
  "validation-state" : "ok",
  "last-modify-time" : {
    "posix" : 1725486662429,
    "iso-8601" : "2024-09-04T16:51-0500"
  },
  "last-modifier" : "WEB_API",
  "creation-time" : {
    "posix" : 1725486662429,
    "iso-8601" : "2024-09-04T16:51-0500"
  },
  "creator" : "WEB_API"
},
"read-only" : false,
"available-actions" : {
  "edit" : "true",
  "delete" : "true",
  "clone" : "true"
  }
}
[Expert@R82-EA1:0]#

Firewall_Head · ‎2024-09-04

Nailed it @PhoneBoy .

Thank you so much for helping me out on this 🤗.

Have a great day!

=======

WR,

FH

Are you a member of CheckMates?

Unable to add administrators via mgmt_cli