
Define user with specific privileges

I need to define a user with only the privileges to execute the "pdp control revoke_ip x.x.x.x" command.
Do you know if it is possible?


Accepted Solutions
Admin

Re: Define user with specific privileges

You missed a parameter in your command:

gw> add command revokeip path /opt/CPsuite-R80.20/fw1/bin/pdp description "Revoke session from the given IP"
Command (revokeip) was added.
Save the configuration and re sign in for changes to take place. 
gw> save config

Once you log out/back in, you can use your revokeip command, which calls the pdp binary.

gw> revokeip
Command: root

Available options:
  debug           - control debug messages
  tracker         - tracker options
  connections     - pdp connections information
  network         - pdp network information
  status          - pdp status information
  control         - pdp control commands
  monitor         - display monitoring data
  update          - recalculate users and machines group membership (deleted accounts will not be updated)
  vpn             - display connected vpn gateways that send vpn client identity data
  ad              - operations related to AD Query
  timers          - show pdp timers information
  nested_groups   - nested groups configuration
  auth            - authentication/authorization options
  radius          - radius accounting options
  ifmap           - monitor/control IFMAP
  idc             - operations related to Identity Collector
  tasks_manager   - the task manager menu
  topology_map    - show topology mapping debug info. usage: topology_map [raw]

gw>

If you want to restrict the pdp binary to specific options, then create a shell script that calls the pdp binary with the specific options you're interested in.

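As an added illustration of the wrapper approach suggested above (example code, not the poster's or Check Point's own), the script below exposes only "pdp control revoke_ip <IPv4>": it validates the argument, writes an audit line, and then exec's pdp with a fixed argument list, so the user never reaches the other pdp subcommands. Register the script's path with "add command" instead of the pdp binary. The pdp path is taken from the thread; the logger call and the environment override are assumptions.

```shell
#!/bin/sh
# revokeip wrapper: least-privilege front end for "pdp control revoke_ip".
# Added example; PDP_BIN defaults to the path used in the thread and can be
# overridden via the environment (assumption, useful for testing off-box).
PDP_BIN="${PDP_BIN:-/opt/CPsuite-R80.20/fw1/bin/pdp}"

# Returns 0 only for a dotted-quad IPv4 address whose octets are 0-255.
# The case pattern rejects anything but digits and dots, empty input, and
# leading/trailing/double dots, so no shell metacharacters get through.
is_ipv4() {
  addr="$1"
  case "$addr" in
    *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
  esac
  old_ifs="$IFS"; IFS=.
  set -- $addr                      # split on dots into positional params
  IFS="$old_ifs"
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] || return 1
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Prints the exact argv that will be passed to pdp (used for verification);
# fails on an invalid address without touching the binary.
revoke_cmd() {
  is_ipv4 "$1" || return 1
  printf '%s control revoke_ip %s\n' "$PDP_BIN" "$1"
}

# Entry point: validate, leave an audit trail, then replace this shell with
# pdp so nothing else can run afterwards in the wrapper's context.
revoke_ip() {
  if ! is_ipv4 "$1"; then
    printf 'usage: revokeip <IPv4 address>\n' >&2
    return 2
  fi
  logger -t revokeip "user=${USER:-unknown} revoke_ip $1"   # assumed: syslog audit line
  exec "$PDP_BIN" control revoke_ip "$1"
}

# Only invoke the entry point when called directly with an argument.
if [ "$#" -gt 0 ]; then
  revoke_ip "$1"
fi
```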
Admin

Re: Define user with specific privileges

Yes, using the Dynamic CLI and Role Based Access. Create the relevant command via the Dynamic CLI feature, assign the specific command to a specific role in Gaia, and assign the desired user that specific role.

Re: Define user with specific privileges

Thank you, I've installed the Dynamic CLI but I can't find an equivalent command to "pdp control".
Could you explain how to create it via Dynamic CLI?
Admin

Re: Define user with specific privileges

I was mistaken that Dynamic CLI is required. Instead, you need to use a feature in Gaia called "User Defined (Extended) Commands" as described in the Gaia Admin Guide: https://sc1.checkpoint.com/documents/R80.20.M2/WebAdminGuides/EN/CP_R80.20_M2_Gaia_AdminGuide/html_f...

Re: Define user with specific privileges

I checked the list of available extended commands but I didn't find the "pdp".

I tried anyway to add the new command:

> add command revokeip path /opt/CPsuite-R80.20/fw1/bin/pdp "Revoke session from the given ip"

but I get this error:

CLINFR0329 Invalid command
