
Query Multi-Domain Super Users

Hello,

Is there any API command to show only multi-domain super users? I have been unable to find one. 

If there is not, I'm wondering how others, for auditing purposes, obtain a list of admins who have read/write access, if any are willing to share their methods. 

7 Replies

Re: Query Multi-Domain Super Users

Use show-administrators against MDS with details-level full and parse for the relevant profile.

Short Python example.

Re: Query Multi-Domain Super Users

Thanks Joshua! I'll give this a shot but I believe this will give the desired result. 

0 Kudos
Danny
Jade

Re: Query Multi-Domain Super Users

Or just run mdsconfig

0 Kudos

Re: Query Multi-Domain Super Users

Danny,

Thanks. I'm looking for a way to automate and gather this information on a reoccurring basis without the intervention of my team. By using 'mdsconfig', or a screen shot from SmartConsole, we are inherently forcing the team to manually perform these tasks when the auditors ask. With the API I was hoping to write a script, or in this case harvest Joshua's, and run this job every quarter and email out the results. 

0 Kudos
Danny
Jade

Re: Query Multi-Domain Super Users

Mike,

mdsconfig is just an interactive tool to quickly access various Check Point commands.

Your interest is in option 6 - Administrators which simply executes mdsquerydb.

Example:

mdsquerydb Administrators

Additional queries to collect the admin type can be configured within $MDSDIR/conf/queries.conf

So a simple one-liner added as a cron job via GAiA's built-in job scheduler would easily address your needs to send you the list as a mail.

mdsquerydb Administrators | $FWDIR/bin/sendmail -s 'Multi-Domain Super Users' -t MAILSERVER -f SENDER_EMAIL_ADDRESS RECEIVER_EMAIL_ADDRESS;

In order to run a python ($FWDIR/Python/bin/python) script you would first need to whitelist it within /etc/fw/conf/whitelist to be able to run it.

0 Kudos

Re: Query Multi-Domain Super Users

Danny,

The 'mdsquerydb Administrators' will output the list of names. I modified the queries.conf file and added "type" after the __name__ attribute. The response I get when adding "type" is 'mike-andretta pv1_administrator' for every user. I'm looking at sk65181 at the various attributes that could be used in queries.conf, but it does not look like, other than type, there is an attribute that will show more of a "Profile Type" which would indicate the Domain Manager vs Multi-Domain Super User.

Am I missing an attribute that would give me more of what I'm looking for by using mdsquerydb?

0 Kudos

Re: Query Multi-Domain Super Users

Danny,

I was able to find "msp_perm" that is returning a number. It looks like 2x numbers are possibly returned, in my scenario 80000000 which looks to equal super user and 10000000 which matches up with my Domain Managers. Is there a better way, table/attribute, to gather this information? 

[Expert@XXXX:0]# cat $MDSDIR/conf/queries.conf | grep Admin
MDS "mdsdb" Administrators attr pv1_administrators "" __name__,msp_perm # Get names of all Administrators

[Expert@XXXX:0]# mdsquerydb Administrators | grep mike-andretta
mike-andretta 80000000
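
One way to turn the `__name__,msp_perm` output above into a recurring audit check, as an added example that is not part of any post in this thread or of Check Point's tooling. The function names, the baseline file and the sample rows are assumptions, and the value-to-role mapping is only what the poster observed on one system.

```shell
#!/bin/sh
# Input: rows from the thread's queries.conf line (__name__,msp_perm),
# i.e. "<admin-name> <msp_perm>". The value-to-role mapping is the
# poster's observation on one MDS, not a documented table.
SUPER_PERM=80000000    # observed: Multi-Domain Super User
DOMAIN_PERM=10000000   # observed: Domain Manager

# Reads rows on stdin, prints "ROLE<TAB>name"; odd rows are kept visible.
classify_admins() {
    awk -v su="$SUPER_PERM" -v dm="$DOMAIN_PERM" '
        NF == 0 { next }
        NF != 2 { printf "UNPARSED\t%s\n", $0; next }
        {
            perm = $2 ""                       # compare as strings
            if (perm == su "")      role = "SUPERUSER"
            else if (perm == dm "") role = "DOMAIN_MANAGER"
            else                    role = "UNKNOWN:" perm
            printf "%s\t%s\n", role, $1
        }'
}

# Checks super users against an approved baseline file (one name per line,
# hypothetical). Exit status 1 means a row needs review.
audit_super_users() {
    classify_admins | awk -F '\t' -v approved="$1" '
        BEGIN { while ((getline n < approved) > 0) if (n != "") ok[n] = 1 }
        $1 == "SUPERUSER" {
            seen[$2] = 1
            if (!($2 in ok)) { print "UNAPPROVED\t" $2; bad = 1 }
            next
        }
        $1 != "DOMAIN_MANAGER" { print "REVIEW\t" $2 "\t" $1; bad = 1 }
        END {
            for (n in ok) if (!(n in seen)) print "STALE\t" n
            exit bad + 0
        }'
}

# Constructed sample rows (only mike-andretta appears in the thread).
sample_rows() {
    printf '%s\n' 'mike-andretta 80000000' 'example-dm 10000000' \
        'example-new 80000000' 'example-odd 00000040'
}

# On the MDS: mdsquerydb Administrators | audit_super_users /path/to/approved.txt
sample_rows | classify_admins
```

The non-zero exit status lets a scheduled job mail the report only when a super user is missing from the baseline or an unrecognised `msp_perm` value appears.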