Ihenock1011
Advisor

Allowing specific commands from expert mode

Hi All,

I want to grant expert mode access to certain administrators, allowing them to create bulk objects using the mgmt_cli command in expert mode as per SK113078. However, I only want them to have access to the commands for creating objects and making objects members of groups. Is this possible, and if so, how can I achieve it?

Thanks,

0 Kudos
14 Replies
the_rock
Legend

Hey bro,

What in particular do you want to allow?

Andy

0 Kudos
Ihenock1011
Advisor

Hi Andy,

I want these three commands to be allowed:

vi <filename>.csv 

mgmt_cli add host --batch <filename>.csv

mgmt_cli set group --batch <filename>.csv

0 Kudos
the_rock
Legend

K, that's fair, BUT what sort of access do they need to have?

Andy

0 Kudos
the_rock
Legend

Man, I remember this sk back from 2020 when I had a TAC case about it, when Smart-1 Cloud was fairly new. Here is what the TAC guy told me; he was super nice and helpful about it. See if this helps.

Andy

*********************************************

---> To add address-range via API:
mgmt_cli add address-range --batch address-ranges_full.csv

#cat address-ranges_full.csv
name,ip-address-first,ip-address-last
range1,10.0.0.0,10.0.0.100

---> To add a network via API:
mgmt_cli add network --batch networks.csv

#cat networks.csv
name,subnet,subnet-mask
network1,10.10.10.0,255.255.255.0
network2,20.20.20.0,255.255.255.0
network3,30.30.30.0,255.255.255.0

---> To add a host 
mgmt_cli add host --batch test.csv

#cat test.csv
name,ip-address
obj1,192.168.1.1


For more info, please refer to: https://sc1.checkpoint.com/documents/latest/APIs/index.html?#cli/add-host~v1.7%20

0 Kudos
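The batch CSVs in the TAC examples above go straight into mgmt_cli, so a malformed row (an out-of-range octet, an empty name, CRLF line endings from a Windows editor) only surfaces when the bulk add stops partway through. The script below is an added example, not part of this post or of Check Point's tooling: it checks a CSV against the header layout shown above before running the batch command. The file names, the MGMT_CLI variable (used to pass login options such as mgmt_cli's `-r true` when run as root on the management server, or a stub for a dry run) and the demo data are assumptions.

```shell
#!/bin/sh
# Added example, not Check Point's code: sanity-check a mgmt_cli batch CSV
# (header row, then one object per line, as in the sk/TAC examples above)
# before feeding it to "mgmt_cli add <type> --batch <file>". A bad row caught
# here is cheaper than a bulk change that stops halfway through.
# File names, the MGMT_CLI override and the demo data are constructed.

# True when $1 is a dotted-quad IPv4 address: four decimal octets, each 0-255.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# Validate FILE ($1) against the expected header ($2), e.g. "name,ip-address".
# Every data row must have the same field count as the header, a non-empty
# name, and a well-formed address in each IP-typed column. CR characters from
# a Windows-edited file are stripped. Returns 0 when all rows pass, 1 otherwise;
# each offending row is reported on stderr.
validate_csv() {
    file="$1"; want="$2"
    header=$(head -n 1 "$file" | tr -d '\r')
    if [ "$header" != "$want" ]; then
        echo "$file: header is '$header', expected '$want'" >&2
        return 1
    fi
    ncols=$(printf '%s\n' "$header" | awk -F, '{print NF}')
    bad=0; lineno=0
    while IFS= read -r row || [ -n "$row" ]; do
        lineno=$((lineno + 1))
        row=$(printf '%s' "$row" | tr -d '\r')
        if [ "$lineno" -eq 1 ] || [ -z "$row" ]; then
            continue                  # header already checked; skip blank lines
        fi
        nfields=$(printf '%s\n' "$row" | awk -F, '{print NF}')
        if [ "$nfields" -ne "$ncols" ]; then
            echo "$file:$lineno: expected $ncols fields, got $nfields" >&2
            bad=$((bad + 1)); continue
        fi
        i=1
        while [ "$i" -le "$ncols" ]; do
            col=$(printf '%s\n' "$header" | cut -d, -f"$i")
            val=$(printf '%s\n' "$row" | cut -d, -f"$i")
            case "$col" in
                name)
                    [ -n "$val" ] || { echo "$file:$lineno: empty name" >&2; bad=$((bad + 1)); } ;;
                ip-address|ip-address-first|ip-address-last|subnet|subnet-mask)
                    valid_ipv4 "$val" || { echo "$file:$lineno: bad $col '$val'" >&2; bad=$((bad + 1)); } ;;
            esac
            i=$((i + 1))
        done
    done < "$file"
    [ "$bad" -eq 0 ]
}

# Run the batch only once the file validates. MGMT_CLI is an assumption made
# here so an operator can add login options (for instance "mgmt_cli -r true"
# when running as root on the management server) or point at a stub for a dry run.
add_batch() {
    type="$1"; file="$2"; want="$3"
    validate_csv "$file" "$want" || return 1
    ${MGMT_CLI:-mgmt_cli} add "$type" --batch "$file"
}

# Self-contained demo on constructed data: a good hosts file and a CRLF file
# with an out-of-range octet. Returns 0 when the good file passes and the bad
# file is rejected.
demo_validate() {
    d=$(mktemp -d) || return 1
    printf 'name,ip-address\nobj1,192.168.1.1\n' > "$d/hosts_ok.csv"
    printf 'name,ip-address\r\nobj2,192.168.1.300\r\n' > "$d/hosts_bad.csv"
    validate_csv "$d/hosts_ok.csv" "name,ip-address" && ok=1 || ok=0
    validate_csv "$d/hosts_bad.csv" "name,ip-address" 2>/dev/null && rej=0 || rej=1
    rm -rf "$d"
    [ "$ok" -eq 1 ] && [ "$rej" -eq 1 ]
}

# Usage: sh check_batch.sh --demo                          (constructed data)
#        MGMT_CLI="mgmt_cli -r true" sh check_batch.sh hosts.csv
case "${1:-}" in
    --demo) demo_validate && echo "demo: validation behaves as expected" ;;
    "")     ;;                      # no arguments: only define the functions
    *)      add_batch host "$1" "name,ip-address" ;;
esac
```

The header string passed to validate_csv is the same one the TAC examples use for each object type (name,ip-address for hosts; name,subnet,subnet-mask for networks; name,ip-address-first,ip-address-last for address ranges), so the same function covers all three batch files.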
the_rock
Legend

@Ihenock1011 Forgot to mention, though it goes without saying: the commands will not work unless you create the files first. Do touch, give it a name, then you can vi it and keep adding entries. It works 100%; I tested it in the lab a few times.

Andy

0 Kudos
Ihenock1011
Advisor

@the_rock For administrators to execute this task, they must have expert mode access. I want to implement the principle of least privilege, granting administrators only the necessary permissions in expert mode. Specifically, I want to restrict their access to the commands for creating objects and making objects members of groups.

0 Kudos
the_rock
Legend

0 Kudos
Ihenock1011
Advisor

@the_rock Granting a user GAIA API access will provide them with broad permissions. Is there a way to restrict this access to specific commands while denying others?

0 Kudos
the_rock
Legend

Not sure, I would verify with TAC, as I don't see it in the documentation.

Andy

PhoneBoy
Admin

Similar to the Management API, Gaia has its own Roles that can be assigned to users.
The API permissions follow these same roles, as far as I know.

image.png

PhoneBoy
Admin

First of all, limiting access to specific commands in Expert Mode is not possible (e.g. only allowing access to mgmt_cli).
However, to access the management API, you do not need access to Expert Mode at all; you can use the "mgmt" command.
You won't be able to use any shell pipes and such, though, but they will not need access to Expert Mode.

For access to what can be done with the Management API, this is done through Administrator profiles.
Assign the relevant administrator users a permission profile that looks something like the following (with other checkboxes removed):

image.png

Lesley
Leader

Consider moving to dynamic CLI: https://support.checkpoint.com/results/sk/sk144112

This way you might not need expert mode anymore for certain users, and you can run expert-mode-like commands via normal clish access.

-------
If you like this post please give a thumbs up(kudo)! 🙂
the_rock
Legend

Interesting, never seen that before.

Andy

0 Kudos
Martin_Raska
Advisor

I would suggest creating it as a bash script and running it from SmartConsole.

0 Kudos