I think I can answer this from my expirience: "It depends" 🙂

If you "move" AD users or groups by putting them into different AD groups than before without changing their "position" in AD tree (changing OU), then you do not have to re-add the access rules members if your filter definition is still valid. You just have to wait until group memberships are recalculated which is done automatically (when exactly is version and setting dependend).

But I think with "moving" you mean moving objects to a different position in AD tree by changing the OU. And there you have a problem with R80.40 or older. The reason: Check Point DEVs created Identity Awareness as an feature with LDAP support in mind, not directly Active Dictory. They needed a primary key for storing selected LDAP Objects in Picker (the one where you select AD objects in SmartDashboard / SmartConsole) in CP database. And they choose the LDAP DN attribute. This attributes is a string which includes the whole position in LDAP tree and the object name. Thats the reason why moving objects around (OU change) and also renaming of objects (CN) in AD forest results in unmatching Access Roles on Check Point side - the DN does not match anymore. You had to delete the objects from the roles and add them back again using the picker so they are re-added to the CP database with the new DN. Followed by a policy installation on the relevevant gateways with PDP role.

I guess 99% of CP IDA environments are MS AD and not other LDAP services and so choosing DN as primary attribute was not the best decision looking from today. MS uses SID as primary key which makes much more sense. The SID of an object in MS AD never changes during its lifetime regardless of state, name or position in forest.

After many years, it looks like CP DEVs thought it the same way and with R81 they introduced the optional switch from DN to SID.

See here:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_IdentityAwareness_AdminGuide/Topic...

Hi guys,

I also encountered this issue on R80.40. Does anyone know if there is a quick and easy way to perform this update? So far, I'm stuck with deleting and re-creating the user roles for this.

Thanks!

What do you mean with "this issue"? I talked about two different problems.

If you meant the one with the DN-Change: Upgrade to R81 and reconfigure Identity Awareness to use SID instead of DN like described in the link I posted above. If you cannot or do not want to upgrade to R81, you have no other option than to remove the problematic objects from access rules and add them back in using the picker. No need to delete and recreate the role objects. In case you changed the DN for a large number of objects, you could manipulate CP database directly (CPMI) and overwrite the old DNs with the new ones to save time for manual work.

Hi,

My apologies for this, I was typing while on a meeting. Yes, I was referring to the DN change part and you've answered it: there's no need to recreate the role, but I'll have to update the role by adding the "new users". There is no edit or batch option to do this (I suppose a script could be wipped up to do it), but there isn't one out of the box

My apologies for the misunderstanding

Sorry for the harsh wording.

You can automate this by either using the modern API (REST) or the old dbedit approach (CPMI). Unfortunatly, I'm also not aware of any out of the box script to do this.