check_point.mgmt.cp_mgmt_domain_permissions_profile module (check_point.mgmt 5.2.2)

Manages domain-permissions-profile objects on Checkpoint over Web Services API

Added in version 3.0.0 of check_point.mgmt
Authors: Eden Brillant (@chkp-edenbr)
Status: preview | supported by community

Install with:

    ansible-galaxy collection install check_point.mgmt:==5.2.2

Or add it to a requirements.yml file:

```yaml
collections:
  - name: check_point.mgmt
    version: 5.2.2
```
Synopsis

Manages domain-permissions-profile objects on Checkpoint devices, including creating, updating and removing objects. All operations are performed over the Web Services API.
Examples

```yaml
- name: add-domain-permissions-profile
  cp_mgmt_domain_permissions_profile:
    name: customized profile
    state: present

- name: set-domain-permissions-profile
  cp_mgmt_domain_permissions_profile:
    access_control:
      policy_layers: By Selected Profile In A Layer Editor
    name: read profile
    permission_type: customized
    state: present

- name: delete-domain-permissions-profile
  cp_mgmt_domain_permissions_profile:
    name: profile
    state: absent
```
Parameters

access_control (dict)
    Access Control permissions. Only a 'Customized' permission-type profile can edit these permissions.
    Suboptions:
    access_control_objects_and_settings (str; choices: read, write, disabled)
        Allow editing of the following object types: VPN Community, Access Role, Custom application group, Custom application, Custom category, Limit, Application - Match Settings, Application Category - Match Settings, Override Categorization, Application and URL filtering blade - Advanced Settings, Content Awareness blade - Advanced Settings.
    app_control_and_url_filtering_update (bool)
        Install Application and URL Filtering updates.
    dlp_policy (str; choices: read, write, disabled)
        Configure DLP rules and Policies.
    geo_control_policy (str; choices: read, write, disabled)
        Work with Access Control rules that control traffic to and from specified countries.
    install_policy (bool)
        Install Access Control Policies.
    nat_policy (str; choices: read, write, disabled)
        Work with NAT in Access Control rules.
    policy_layers (dict)
        Layer editing permissions. Available only if show-policy is set to true.
        Suboptions:
        app_control_and_url_filtering (bool)
            Use Application and URL Filtering in Access Control rules. Available only if edit-layers is set to "By Software Blades".
        content_awareness (bool)
            Use specified data types in Access Control rules. Available only if edit-layers is set to "By Software Blades".
        edit_layers (str; choices: By Software Blades, By Selected Profile In A Layer Editor)
            "By Software Blades" - Edit Access Control layers that contain the blades enabled in the Permissions Profile.
            "By Selected Profile In A Layer Editor" - Administrators can only edit the layer if the Access Control layer editor gives editing permission to their profiles.
        firewall (bool)
            Work with Access Control and other Software Blades that do not have their own Policies. Available only if edit-layers is set to "By Software Blades".
        mobile_access (bool)
            Work with Mobile Access rules. Available only if edit-layers is set to "By Software Blades".
    qos_policy (str; choices: read, write, disabled)
        Work with QoS Policies and rules.
    show_policy (bool)
        Select to let administrators work with Access Control rules and NAT rules. If not selected, administrators cannot see these rules.

auto_publish_session (bool; default: false)
    Publish the current session if changes have been performed after the task completes.

color (str; choices: aquamarine, black, blue, crete blue, burlywood, cyan, dark green, khaki, orchid, dark orange, dark sea green, pink, turquoise, dark blue, firebrick, brown, forest green, gold, dark gold, gray, dark gray, light green, lemon chiffon, coral, sea green, sky blue, magenta, purple, slate blue, violet red, navy blue, olive, orange, red, sienna, yellow)
    Color of the object. Should be one of the existing colors.

comments (str)
    Comments string.

details_level (str; choices: uid, standard, full)
    The level of detail for some of the fields in the response can vary from showing only the UID value of the object to a fully detailed representation of the object.

edit_common_objects (bool)
    Define and manage objects in the Check Point database: Network Objects, Services, Custom Application Site, VPN Community, Users, Servers, Resources, Time, UserCheck, and Limit. Only a 'Customized' permission-type profile can edit this permission.

endpoint (dict)
    Endpoint permissions. Not supported for Multi-Domain Servers. Only a 'Customized' permission-type profile can edit these permissions.
    Suboptions:
    allow_executing_push_operations (bool)
        The administrator can start operations that the Security Management Server pushes directly to client computers with no policy installation required.
    authorize_preboot_users (bool)
        The administrator can add and remove the users who are permitted to log on to Endpoint Security client computers with Full Disk Encryption.
    edit_endpoint_policies (bool)
        Available only if manage-policies-and-software-deployment is set to true.
    edit_software_deployment (bool)
        The administrator can define deployment rules, create packages for export, and configure advanced package settings. Available only if manage-policies-and-software-deployment is set to true.
    manage_policies_and_software_deployment (bool)
        The administrator can work with policies, rules and actions.
    policies_installation (bool)
        The administrator can install policies on endpoint computers.
    recovery_media (bool)
        The administrator can create recovery media on endpoint computers and devices.
    remote_help (bool)
        The administrator can use the Remote Help feature to reset user passwords and give access to locked out users.
    reset_computer_data (bool)
        The administrator can reset a computer, which deletes all information about the computer from the Security Management Server.
    software_deployment_installation (bool)
        The administrator can deploy packages and install endpoint clients.

events_and_reports (dict)
    Events and Reports permissions. Only a 'Customized' permission-type profile can edit these permissions.
    Suboptions:
    events (str; choices: read, write, disabled)
        Work with event queries on the Events tab. Create custom event queries. Available only if smart-event is set to 'Custom'.
    policy (str; choices: read, write, disabled)
        Configure SmartEvent Policy rules and install SmartEvent Policies. Available only if smart-event is set to 'Custom'.
    reports (bool)
        Create and run SmartEvent reports. Available only if smart-event is set to 'Custom'.
    smart_event (str; choices: custom, app control and url filtering reports only)
        'Custom' - Configure SmartEvent permissions.

gateways (dict)
    Gateways permissions. Only a 'Customized' permission-type profile can edit these permissions.
    Suboptions:
    lsm_gw_db (str; choices: read, write, disabled)
        Access to objects defined in LSM gateway tables. These objects are managed in the SmartProvisioning GUI or LSMcli command-line. Note: 'Write' permission on lsm-gw-db allows the administrator to run a script on a SmartLSM gateway in Expert mode.
    manage_provisioning_profiles (str; choices: read, write, disabled)
        Administrator can add, edit, delete, and assign provisioning profiles to gateways (both LSM and non-LSM). Available for edit only if lsm-gw-db is set with 'Write' permission. Note: 'Read' permission on lsm-gw-db enables 'Read' permission for manage-provisioning-profiles.
    manage_repository_scripts (str; choices: read, write, disabled)
        Add, change and remove scripts in the repository.
    open_shell (bool)
        Use the SmartConsole CLI to run commands.
    run_one_time_script (bool)
        Run user scripts from the command line.
    run_repository_script (bool)
        Run scripts from the repository.
    smart_update (str; choices: read, write, disabled)
        Install, update and delete Check Point licenses. This includes permissions to use SmartUpdate to manage licenses.
    system_backup (bool)
        Backup Security Gateways.
    system_restore (bool)
        Restore Security Gateways from saved backups.
    vsx_provisioning (bool)
        Create and configure Virtual Systems and other VSX virtual objects.

ignore_errors (bool)
    Apply changes ignoring errors. You won't be able to publish such changes. If the ignore-warnings flag was omitted, warnings will also be ignored.

ignore_warnings (bool)
    Apply changes ignoring warnings.

management (dict)
    Management permissions.
    Suboptions:
    approve_or_reject_sessions (bool)
        Approve / reject other sessions.
    cme_operations (str; choices: read, write, disabled)
        Permission to read / edit the Cloud Management Extension (CME) configuration. Not supported for Multi-Domain Servers.
    high_availability_operations (bool)
        Configure and work with Domain High Availability. Only a 'Customized' permission-type profile can edit this permission.
    manage_admins (bool)
        Controls the ability to manage Administrators, Permission Profiles, Trusted clients, API settings and Policy settings. Only a "Read Write All" permission-type profile can edit this permission. Not supported for Multi-Domain Servers.
    manage_integration_with_cloud_services (bool)
        Manage integration with Cloud Services.
    manage_sessions (bool)
        Lets you disconnect, discard, publish, or take over other administrator sessions. Only a "Read Write All" permission-type profile can edit this permission.
    management_api_login (bool)
        Permission to log in to the Security Management Server and run API commands using these tools: mgmt_cli (Linux and Windows binaries), Gaia CLI (clish) and Web Services (REST). Useful if you want to prevent administrators from running automatic scripts on the Management. Note: this permission is not required to run commands from within the API terminal in SmartConsole. Not supported for Multi-Domain Servers.
    publish_sessions (bool)
        Allow session publishing without an approval.

monitoring_and_logging (dict)
    Monitoring and Logging permissions. A 'Customized' permission-type profile can edit all of these permissions. A "Read Write All" permission-type profile can edit only the dlp-logs-including-confidential-fields and manage-dlp-messages permissions.
    Suboptions:
    app_and_url_filtering_logs (bool)
        Work with Application and URL Filtering logs.
    dlp_logs_including_confidential_fields (bool)
        Show DLP logs including confidential fields.
    https_inspection_logs (bool)
        See logs generated by HTTPS Inspection.
    identities (bool)
        Show user and computer identity information in logs.
    manage_dlp_messages (bool)
        View/Release/Discard DLP messages. Available only if dlp-logs-including-confidential-fields is set to true.
    management_logs (str; choices: read, write, disabled)
        See Multi-Domain Server audit logs.
    monitoring (str; choices: read, write, disabled)
        See monitoring views and reports.
    packet_capture_and_forensics (bool)
        See logs generated by the IPS and Forensics features.
    show_identities_by_default (bool)
        Show user and computer identity information in logs by default.
    show_packet_capture_by_default (bool)
        Enable packet capture by default.
    track_logs (str; choices: read, write, disabled)
        Use the log tracking features in SmartConsole.

name (str; required)
    Object name.

others (dict)
    Additional permissions. Only a 'Customized' permission-type profile can edit these permissions.
    Suboptions:
    client_certificates (bool)
        Create and manage client certificates for Mobile Access.
    edit_cp_users_db (bool)
        Work with user accounts and groups.
    https_inspection (str; choices: read, write, disabled)
        Enable and configure HTTPS Inspection rules.
    ldap_users_db (str; choices: read, write, disabled)
        Work with the LDAP database and user accounts, groups and OUs.
    user_authority_access (str; choices: read, write, disabled)
        Work with Check Point User Authority authentication.
    user_device_mgmt_conf (str; choices: read, write, disabled)
        Gives access to the UDM (User & Device Management) web-based application that handles security challenges in a "bring your own device" (BYOD) workspace.

permission_type (str; choices: read write all, read only all, customized)
    The type of the Permissions Profile.

state (str; choices: present, absent; default: present)
    State of the object (present or absent).

tags (list of str)
    Collection of tag identifiers.

threat_prevention (dict)
    Threat Prevention permissions. Only a 'Customized' permission-type profile can edit these permissions.
    Suboptions:
    edit_layers (str; choices: By Selected Profile In A Layer Editor, All)
        'ALL' - Gives permission to edit all layers.
        "By Selected Profile In A Layer Editor" - Administrators can only edit the layer if the Threat Prevention layer editor gives editing permission to their profiles.
        Available only if policy-layers is set to 'Write'.
    edit_settings (bool)
        Work with general Threat Prevention settings.
    install_policy (bool)
        Install Policies.
    ips_update (bool)
        Update IPS protections. Note: you do not have to log into the User Center to receive IPS updates.
    policy_exceptions (str; choices: read, write, disabled)
        Configure exceptions to Threat Prevention rules. Note: to have policy-exceptions you must set the protections permission.
    policy_layers (str; choices: read, write, disabled)
        Configure Threat Prevention Policy rules. Note: to have policy-layers permissions you must set the policy-exceptions and profiles permissions. To have 'Write' permission for policy-layers, policy-exceptions must be set with 'Write' permission as well.
    profiles (str; choices: read, write, disabled)
        Configure Threat Prevention profiles.
    protections (str; choices: read, write, disabled)
        Work with malware protections.

version (str)
    Version of checkpoint. If not given, the latest version is taken.

wait_for_task (bool; default: true)
    Wait for the task to end, such as a publish task.

wait_for_task_timeout (int; default: 30)
    How many minutes to wait until throwing a timeout error.
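Several of the options above depend on each other (policy_layers needs show_policy, per-blade flags need edit_layers "By Software Blades", Threat Prevention 'write' on policy_layers needs 'write' on policy_exceptions, and most sections are only editable by a 'customized' profile). The following is an added example, not code from the check_point.mgmt collection: a pre-flight linter that checks a task's arguments against those documented rules before the module is called. lint_profile() is a hypothetical helper, and the two profile dicts are constructed sample input.

```python
# Added example, not code from the check_point.mgmt collection: a pre-flight
# linter for cp_mgmt_domain_permissions_profile task arguments, encoding the
# option dependencies stated in the parameter docs so an inconsistent profile
# is caught locally before the module calls the API. Sample dicts are constructed.

CUSTOMIZED_ONLY = ("access_control", "threat_prevention", "events_and_reports",
                   "endpoint", "gateways", "others", "edit_common_objects")
BLADE_OPTS = ("firewall", "app_control_and_url_filtering",
              "content_awareness", "mobile_access")


def lint_profile(args):
    """Return the documented dependency rules that the task arguments violate."""
    out, ptype = [], args.get("permission_type")
    out += [f"{k}: only a 'customized' profile can set it"
            for k in CUSTOMIZED_ONLY if k in args and ptype != "customized"]
    ac = args.get("access_control", {})
    if "policy_layers" in ac and not ac.get("show_policy"):
        out.append("access_control.policy_layers: requires show_policy: true")
    layers = ac.get("policy_layers") if isinstance(ac.get("policy_layers"), dict) else {}
    if layers.get("edit_layers") != "By Software Blades":  # per-blade flags need this mode
        out += [f"access_control.policy_layers.{b}: needs edit_layers 'By Software Blades'"
                for b in BLADE_OPTS if b in layers]
    tp = args.get("threat_prevention", {})
    if tp.get("policy_layers") == "write" and tp.get("policy_exceptions") != "write":
        out.append("threat_prevention.policy_layers: 'write' needs policy_exceptions: write")
    if "edit_layers" in tp and tp.get("policy_layers") != "write":
        out.append("threat_prevention.edit_layers: requires policy_layers: write")
    ml = args.get("monitoring_and_logging", {})
    if ml.get("manage_dlp_messages") and not ml.get("dlp_logs_including_confidential_fields"):
        out.append("monitoring_and_logging.manage_dlp_messages: requires "
                   "dlp_logs_including_confidential_fields: true")
    ep = args.get("endpoint", {})
    out += [f"endpoint.{d}: requires manage_policies_and_software_deployment: true"
            for d in ("edit_endpoint_policies", "edit_software_deployment")
            if ep.get(d) and not ep.get("manage_policies_and_software_deployment")]
    gw = args.get("gateways", {})
    if "manage_provisioning_profiles" in gw and gw.get("lsm_gw_db") != "write":
        out.append("gateways.manage_provisioning_profiles: editable only with lsm_gw_db: write")
    return out


# Constructed samples: a least-privilege log-review profile and an inconsistent one.
LOG_REVIEWER = {"name": "log-reviewer", "permission_type": "customized",
                "monitoring_and_logging": {"track_logs": "read", "monitoring": "read"},
                "threat_prevention": {"protections": "read", "policy_exceptions": "read"}}
INCONSISTENT = {"name": "broken", "permission_type": "read only all",
                "access_control": {"policy_layers": {"firewall": True,
                                   "edit_layers": "By Selected Profile In A Layer Editor"}},
                "threat_prevention": {"policy_layers": "write", "policy_exceptions": "read"},
                "monitoring_and_logging": {"manage_dlp_messages": True}}
```

Run lint_profile() on the task's argument dict in a pre_tasks step (for example via a small filter plugin) and fail the play when it returns anything, so a profile that the API would reject or silently narrow never reaches the management server.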
Return Values

cp_mgmt_domain_permissions_profile (dict)
    The checkpoint object created or updated.
    Returned: always, except when deleting the object.