Leonardo_Tessar
Participant

Define user with specific privileges

I need to define a user with only the privileges to execute the "pdp control revoke_ip x.x.x.x" command.
Do you know if it is possible?

PhoneBoy
Admin

Yes, using the Dynamic CLI and Role Based Access. Create the relevant command via the Dynamic CLI feature, assign the specific command to a specific role in Gaia, and assign the desired user that specific role.

Leonardo_Tessar
Participant
Thank you, I've installed the Dynamic CLI but I can't find an equivalent command to "pdp control".
Could you explain how to create it via Dynamic CLI?
PhoneBoy
Admin

I was mistaken that Dynamic CLI is required. Instead, you need to use a feature in Gaia called "User Defined (Extended) Commands" as described in the Gaia Admin Guide: https://sc1.checkpoint.com/documents/R80.20.M2/WebAdminGuides/EN/CP_R80.20_M2_Gaia_AdminGuide/html_f...

Leonardo_Tessar
Participant

I checked the list of available extended commands but I didn't find the "pdp".

I tried anyway to add the new command:

> add command revokeip path /opt/CPsuite-R80.20/fw1/bin/pdp "Revoke session from the given ip"

but I get this error:

CLINFR0329 Invalid command

PhoneBoy
Admin

You missed a parameter in your command:

gw> add command revokeip path /opt/CPsuite-R80.20/fw1/bin/pdp description "Revoke session from the given IP"
Command (revokeip) was added.
Save the configuration and re sign in for changes to take place. 
gw> save config

Once you log out/back in, you can use your revokeip command, which calls the pdp binary.

gw> revokeip
Command: root

Available options:
  debug           - control debug messages
  tracker         - tracker options
  connections     - pdp connections information
  network         - pdp network information
  status          - pdp status information
  control         - pdp control commands
  monitor         - display monitoring data
  update          - recalculate users and machines group membership (deleted accounts will not be updated)
  vpn             - display connected vpn gateways that send vpn client identity data
  ad              - operations related to AD Query
  timers          - show pdp timers information
  nested_groups   - nested groups configuration
  auth            - authentication/authorization options
  radius          - radius accounting options
  ifmap           - monitor/control IFMAP
  idc             - operations related to Identity Collector
  tasks_manager   - the task manager menu
  topology_map    - show topology mapping debug info. usage: topology_map [raw]

gw>

If you want to restrict the pdp binary to specific options, then create a shell script that calls the pdp binary with the specific options you're interested in.

asher
Contributor

Hi

"If you want to restrict the pdp binary to specific options, then create a shell script that calls the pdp binary with the specific options you're interested"

Can you please explain how to allow a user to run only a specific option of a command?

We have a user that has access to the bin bash shell from Python and we want to allow him to run only: fw hashta and not all fw tree options.
PhoneBoy
Admin
The easiest thing to do is write a script that calls the binary with the specific allowed options.
Then you can add that script as a command as shown here.
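PhoneBoy's advice in the two posts above (write a script that calls the binary with only the allowed options, then register the script as an extended command) in working form. This is an added example for the thread, not code from Check Point or from any poster. It serves both the original revoke_ip question and asher's request to expose a single fw subcommand: swap the binary and the fixed arguments. The pdp path is the one quoted earlier in the thread for R80.20; the install location /home/admin/revokeip.sh and the command description are assumptions. The point the bare "add command revokeip path .../pdp" misses is that the resulting command hands the user every pdp subcommand (the menu pasted above lists debug, auth, ifmap and so on). The wrapper below hardcodes the subcommand, accepts exactly one argument, checks that it is a dotted-quad IPv4 address so it can never become an option or a second command, and writes an audit line to syslog before calling pdp.

```shell
#!/bin/sh
# revokeip.sh - Gaia extended-command wrapper that exposes exactly one
# pdp operation: "pdp control revoke_ip <IPv4>".
# Added example for this thread, not Check Point code. Assumed setup:
#   add command revokeip path /home/admin/revokeip.sh description "Revoke identity session for one IPv4 address"
#   save config
# The pdp path is the R80.20 path quoted in the thread.

# Hardcoded on purpose: the caller must never be able to choose the binary.
PDP_BIN=/opt/CPsuite-R80.20/fw1/bin/pdp
readonly PDP_BIN

usage() {
    echo "usage: revokeip <IPv4 address>"
}

# Strict dotted-quad check. The body is a subshell so the IFS change cannot
# leak. Anything that is not four decimal octets 0-255 is rejected, which
# also kills "--help", "-d", "status", "1.2.3.4 control", globs and leading zeros.
validate_ipv4() (
    _ip=$1
    case $_ip in
        ""|*[!0-9.]*|.*|*.) return 1 ;;   # only digits and dots; no leading/trailing dot
    esac
    IFS=.
    set -- $_ip                          # split on dots; inner empty octets survive as ""
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        case $_octet in
            ""|0[0-9]*|[0-9][0-9][0-9][0-9]*) return 1 ;;   # empty, leading zero, >3 digits
        esac
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
)

# Single indirection to the binary, so the call site stays one fixed line and
# the wrapper can be exercised without a gateway by redefining this function.
run_pdp() {
    "$PDP_BIN" "$@"
}

main() {
    if [ $# -ne 1 ]; then
        usage >&2
        return 2
    fi
    if ! validate_ipv4 "$1"; then
        printf 'revokeip: "%s" is not a valid IPv4 address\n' "$1" >&2
        return 2
    fi
    # Audit trail: who revoked which session. logger is standard on Linux;
    # the call is ignored if it is missing or syslog is unavailable.
    logger -t revokeip -- "user=${USER:-unknown} revoke_ip $1" 2>/dev/null || :
    # The only thing this wrapper ever asks pdp to do. The validated address is
    # appended after the fixed subcommand, so it cannot turn into an option.
    run_pdp control revoke_ip "$1"
}

# No arguments: print usage and stop; otherwise dispatch with the exit
# status of pdp (or 2 for a usage error).
if [ $# -eq 0 ]; then
    usage >&2
else
    main "$@"
fi
```

After registering the script with "add command", sign back in and confirm that "revokeip 192.0.2.10" reaches pdp while "revokeip status", "revokeip --help" and "revokeip 192.0.2.10 debug" are all refused with a usage error. Also check that the script file is owned by root and not writable by the restricted user or the group it belongs to; if the user can edit the wrapper, the restriction is gone.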
