Explorer

R80.20 restrict user access to perform only specific commands


Hey,

I got a very specific requirement to allow a user to access the gateway and get info about 3 things:
a) session table
b) NAT session table
c) arp table

So I am looking at how I could create a user profile that could execute 3 (and only 3) specific commands on the CLI.

I would be glad if you could come up with any ideas.

Thank you!

1 Solution

Accepted Solutions
Admin
Giving access to a generic binary like "fw" gives you access to a LOT of things.

To ensure only the appropriate commands can be run, you have to write a script that calls the necessary command(s).
This script would not be terribly complex.
In addition to the command you wish to run, make sure the appropriate environment variables are included, as shown here: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Add-sources-inside-bash-scripts/m...

Another approach is to see if what you're after can be achieved through Dynamic CLI which adds a bunch of other commands to clish, which can be subject to Role-Based Access.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

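A minimal allow-list wrapper of the kind the accepted answer describes, added here as an illustration; it is not code from the thread or from Check Point. The CP.sh path and the exact `fw tab` table names (`connections`, `fwx_alloc`) are assumptions; confirm them on your own gateway before pointing a User Defined (Extended) Command or RBA role at the script.

```shell
#!/bin/bash
# Restricted wrapper: the Gaia extended command / RBA role points here,
# and the user gets these three read-only outputs and nothing else.
# Assumed (not from the thread): the CP.sh path and the fw tab table names.

CP_ENV="/etc/profile.d/CP.sh"   # assumed: Check Point environment variables

# Map a fixed keyword to the exact command it is allowed to run.
# Prints the command on success; returns 1 for anything not on the list.
allowed_command() {
    case "$1" in
        conn) printf '%s\n' "fw tab -t connections -u" ;;  # session table
        nat)  printf '%s\n' "fw tab -t fwx_alloc -u" ;;    # NAT table (assumed name)
        arp)  printf '%s\n' "arp -an" ;;                    # ARP cache
        *)    return 1 ;;
    esac
}

# Dispatch exactly one keyword. Extra arguments are refused outright so the
# caller can never append options or table names of their own.
restricted_run() {
    if [ "$#" -ne 1 ]; then
        echo "usage: ${0##*/} conn|nat|arp" >&2
        return 2
    fi
    cmd=$(allowed_command "$1") || {
        echo "refused: '$1' is not an allowed command" >&2
        return 2
    }
    # Pull in the Check Point environment before calling fw (the point of
    # the "Add sources inside bash scripts" thread linked in the answer).
    [ -r "$CP_ENV" ] && . "$CP_ENV"
    # Word-splitting here is intentional: $cmd holds only the fixed strings
    # from the allow list above, never text supplied by the user.
    $cmd
}

# Only dispatch when installed under this file name, so the functions can
# also be sourced and checked without touching the gateway.
case "${0##*/}" in
    fw-readonly.sh) restricted_run "$@" ;;
esac
```

The restriction only holds if the role grants the user this command and no general shell, and if the script's file permissions stop the user from editing it.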
3 Replies
Admin
Two topics you need to refer to in the Gaia Admin Guide: https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_Gaia_AdminGuide/html_fram...
User Defined (Extended) Commands
Role Based Access

Between those two features, you can achieve what you're after.
Explorer

I saw this info earlier already. The point is that User Defined (Extended) Commands requires a path to the script.
I am not good at scripting, and what if I would like to create an extended command for an already existing command like 'fw ctl conntab'? Is there already a script written for that in the system that I could point to in the extended command?
