Re: add user groups in R80.10 usign the web api

gabriel_v · ‎2018-09-05

Hi, I need to add user groups to a R80.10 via the web api. I've been taking a look to this article ( https://community.checkpoint.com/docs/DOC-2844 ) that explain how to add users to an existing group using the generic object api. Unfortunately I cannot find any source of documentation for the generic object api syntax specifically for creating new user groups. Please, could someone help me with that ?

Thanks in advance.

Robert_Decker · ‎2018-09-05

Hi,

Generic objects API is a temporary solution until there will be an appropriate API command for a specific class type.

Therefore, you should use the exact class-path for user group object and its fields - probably from GuiDbEdit utility.

Once you have this, you use the same syntax as in the referenced post.

Robert.

gabriel_v · ‎2018-09-05

Hi Robert, thanks for your quick response. I'm not familiar with the generic object api and I couldn't find any available documentation about it so I don't know how to determine the appropriate class for the group objects. I can use GuiDbEdit to get the required fields but anyways there are fields present in the json that are missing in group object on GuiDbEdit like "userc". Any help would be appreciated 🙂

Thanks,

PhoneBoy · ‎2018-09-05

The generic object API is not really documented.

You may be able to work out the right bits as well from this thread: Missing API possibility to set vpn-community-star objects

Keep in mind the Generic Objects API has several caveats:

Disclaimer
These APIs provide direct access to different objects and fields in the database. As a result if an objects schema change, scripts that relied on specific schema fields may break.

As the generic-object(s) API calls have direct access to change different objects and fields in the database, they do not always provide data validation to ensure that the data added to the fields are following required format for this field. Therefore you have to ensure that the script or 3rd party system you are using to integrate with the management server is doing appropriate data validation before sending the API call.

When you have the option, always prefer to use the documented API calls and not the generic API calls as
They are doing data validation
They are documented
They are future compatible
They are tested
They are supported by Technical Assistance Center (TAC)

With this in mind, you might find it easier to use dbedit to do this, which can be invoked using a run-script API call: how to use the web api to run the run-script‌

Relevant documentation on dbedit: Editing the objects_5_0.C file via Check Point database editing utilities

I can't find the exact syntax for adding a user to a group offhand, but the basic syntax to modify an attribute of a user (in this case, user joe.roberts, changing his color to black) is:

modify users joe.roberts color black
update_all

You can do multiple modify commands before doing a single update_all at the end.
You can also put all the dbedit commands in a file and do something like the following from the management to run it:

dbedit -local -f commands.txt

I would modify a couple of users by hand in SmartConsole so you know exactly what changes you need to make by reviewing $FWDIR/conf/users.C on the management.

dbedit has similar caveats to using the generic-object API.

gabriel_v · ‎2018-09-06

Hi Dameon, It was imposible to add an user to a user group using dbedit, it always end up in a dbedit core dump, my guess is that something has changed in the database schema on 80.10 and dbedit is not handling it properly. I found a workaround using the generic object api and guessing the class name.

{
 "create":"com.checkpoint.objects.classes.dummy.CpmiUserGroup",
 "name":"api-test-group-3"
}

this request seems to create a valid user group ( looks good on SmartConsole at least ).

Thanks,

PhoneBoy · ‎2018-09-06

Great to hear you got it working.

Are you a member of CheckMates?

add user groups in R80.10 usign the web api