check_point.mgmt.cp_mgmt_domain_permissions_profile (5.2.3) — module

Manages domain-permissions-profile objects on Check Point Management over the Web Services API

Added in version 3.0.0 of check_point.mgmt

Authors: Eden Brillant (@chkp-edenbr)

preview | supported by community

Install collection

Install with ansible-galaxy collection install check_point.mgmt:==5.2.3


Add to requirements.yml

  collections:
    - name: check_point.mgmt
      version: 5.2.3

Description

Manages domain-permissions-profile objects on Check Point Management Servers, including creating, updating and removing objects. A domain permissions profile defines what an administrator assigned to it may see and change, so its contents directly determine the blast radius of that administrator's credentials.

All operations are performed over the Web Services API.

Usage examples

- name: add-domain-permissions-profile
  cp_mgmt_domain_permissions_profile:
    name: customized profile
    state: present
- name: set-domain-permissions-profile
  cp_mgmt_domain_permissions_profile:
    access_control:
      # policy_layers is honoured only when show_policy is true (see Inputs)
      show_policy: true
      # policy_layers is a dict; edit_layers carries the layer-editing mode
      policy_layers:
        edit_layers: By Selected Profile In A Layer Editor
    name: read profile
    # Section options such as access_control apply only to a customized profile
    permission_type: customized
    state: present
- name: delete-domain-permissions-profile
  cp_mgmt_domain_permissions_profile:
    name: profile
    state: absent

Inputs

    
name:
    description:
    - Object name.
    required: true
    type: str

tags:
    description:
    - Collection of tag identifiers.
    elements: str
    type: list

color:
    choices:
    - aquamarine
    - black
    - blue
    - crete blue
    - burlywood
    - cyan
    - dark green
    - khaki
    - orchid
    - dark orange
    - dark sea green
    - pink
    - turquoise
    - dark blue
    - firebrick
    - brown
    - forest green
    - gold
    - dark gold
    - gray
    - dark gray
    - light green
    - lemon chiffon
    - coral
    - sea green
    - sky blue
    - magenta
    - purple
    - slate blue
    - violet red
    - navy blue
    - olive
    - orange
    - red
    - sienna
    - yellow
    description:
    - Color of the object. Should be one of existing colors.
    type: str

state:
    choices:
    - present
    - absent
    default: present
    description:
    - State of the domain permissions profile (present or absent).
    type: str

others:
    description:
    - Additional permissions.
    - Only a 'Customized' permission-type profile can edit these permissions.
    suboptions:
      client_certificates:
        description:
        - Create and manage client certificates for Mobile Access.
        type: bool
      edit_cp_users_db:
        description:
        - Work with user accounts and groups.
        type: bool
      https_inspection:
        choices:
        - read
        - write
        - disabled
        description:
        - Enable and configure HTTPS Inspection rules.
        type: str
      ldap_users_db:
        choices:
        - read
        - write
        - disabled
        description:
        - Work with the LDAP database and user accounts, groups and OUs.
        type: str
      user_authority_access:
        choices:
        - read
        - write
        - disabled
        description:
        - Work with Check Point User Authority authentication.
        type: str
      user_device_mgmt_conf:
        choices:
        - read
        - write
        - disabled
        description:
        - Gives access to the UDM (User & Device Management) web-based application that
          handles security challenges in a "bring your own device" (BYOD) workspace.
        type: str
    type: dict

version:
    description:
    - Version of Check Point. If not given, the latest version is taken.
    type: str

comments:
    description:
    - Comments string.
    type: str

endpoint:
    description:
    - Endpoint permissions. Not supported for Multi-Domain Servers.
    - Only a 'Customized' permission-type profile can edit these permissions.
    suboptions:
      allow_executing_push_operations:
        description:
        - The administrator can start operations that the Security Management Server pushes
          directly to client computers with no policy installation required.
        type: bool
      authorize_preboot_users:
        description:
        - The administrator can add and remove the users who are permitted to log on to
          Endpoint Security client computers with Full Disk Encryption.
        type: bool
      edit_endpoint_policies:
        description:
        - The administrator can edit Endpoint policies.
        - Available only if manage_policies_and_software_deployment is set to true.
        type: bool
      edit_software_deployment:
        description:
        - The administrator can define deployment rules, create packages for export, and
          configure advanced package settings.
        - Available only if manage_policies_and_software_deployment is set to true.
        type: bool
      manage_policies_and_software_deployment:
        description:
        - The administrator can work with policies, rules and actions.
        type: bool
      policies_installation:
        description:
        - The administrator can install policies on endpoint computers.
        type: bool
      recovery_media:
        description:
        - The administrator can create recovery media on endpoint computers and devices.
        type: bool
      remote_help:
        description:
        - The administrator can use the Remote Help feature to reset user passwords and
          give access to locked out users.
        type: bool
      reset_computer_data:
        description:
        - The administrator can reset a computer, which deletes all information about
          the computer from the Security Management Server.
        type: bool
      software_deployment_installation:
        description:
        - The administrator can deploy packages and install endpoint clients.
        type: bool
    type: dict

gateways:
    description:
    - Gateways permissions. <br>Only a 'Customized' permission-type profile can edit these
      permissions.
    suboptions:
      lsm_gw_db:
        choices:
        - read
        - write
        - disabled
        description:
        - Access to objects defined in LSM gateway tables. These objects are managed in
          the SmartProvisioning GUI or the LSMcli command line.
        - Note, 'write' permission on lsm_gw_db allows the administrator to run a script
          on a SmartLSM gateway in Expert mode, that is, with a root shell on the gateway.
          Treat it as gateway-level code execution when granting it.
        type: str
      manage_provisioning_profiles:
        choices:
        - read
        - write
        - disabled
        description:
        - Administrator can add, edit, delete, and assign provisioning profiles to gateways
          (both LSM and non-LSM).
        - Available for edit only if lsm_gw_db is set to 'write'.
        - Note, 'read' permission on lsm_gw_db enables 'read' permission for
          manage_provisioning_profiles.
        type: str
      manage_repository_scripts:
        choices:
        - read
        - write
        - disabled
        description:
        - Add, change and remove scripts in the repository.
        type: str
      open_shell:
        description:
        - Use the SmartConsole CLI to run commands.
        type: bool
      run_one_time_script:
        description:
        - Run user scripts from the command line.
        type: bool
      run_repository_script:
        description:
        - Run scripts from the repository.
        type: bool
      smart_update:
        choices:
        - read
        - write
        - disabled
        description:
        - Install, update and delete Check Point licenses. This includes permissions to
          use SmartUpdate to manage licenses.
        type: str
      system_backup:
        description:
        - Backup Security Gateways.
        type: bool
      system_restore:
        description:
        - Restore Security Gateways from saved backups.
        type: bool
      vsx_provisioning:
        description:
        - Create and configure Virtual Systems and other VSX virtual objects.
        type: bool
    type: dict

management:
    description:
    - Management permissions.
    suboptions:
      approve_or_reject_sessions:
        description:
        - Approve / reject other sessions.
        type: bool
      cme_operations:
        choices:
        - read
        - write
        - disabled
        description:
        - Permission to read / edit the Cloud Management Extension (CME) configuration.
        - Not supported for Multi-Domain Servers.
        type: str
      high_availability_operations:
        description:
        - Configure and work with Domain High Availability.
        - Only a 'Customized' permission-type profile can edit this permission.
        type: bool
      manage_admins:
        description:
        - Controls the ability to manage Administrators, Permission Profiles, Trusted
          Clients, API settings and Policy settings. An administrator holding it can grant
          rights to others, so it is effectively full control of the Management Server.
        - Only a 'Read Write All' permission-type profile can edit this permission.
        - Not supported for Multi-Domain Servers.
        type: bool
      manage_integration_with_cloud_services:
        description:
        - Manage integration with Cloud Services.
        type: bool
      manage_sessions:
        description:
        - Lets you disconnect, discard, publish, or take over other administrator sessions.
        - Only a 'Read Write All' permission-type profile can edit this permission.
        type: bool
      management_api_login:
        description:
        - Permission to log in to the Security Management Server and run API commands
          using these tools: mgmt_cli (Linux and Windows binaries), Gaia CLI (clish) and
          Web Services (REST). Set it to false for profiles assigned to people who work
          only in SmartConsole, so that their credentials cannot be reused by scripts
          against the Management API.
        - Note, this permission is not required to run commands from within the API
          terminal in SmartConsole.
        - Not supported for Multi-Domain Servers.
        type: bool
      publish_sessions:
        description:
        - Allow session publishing without an approval.
        type: bool
    type: dict

details_level:
    choices:
    - uid
    - standard
    - full
    description:
    - The level of detail for some of the fields in the response can vary from showing
      only the UID value of the object to a fully detailed representation of the object.
    type: str

ignore_errors:
    description:
    - Apply changes ignoring errors. You will not be able to publish such changes. If the
      ignore_warnings flag is omitted, warnings are also ignored.
    type: bool

wait_for_task:
    default: true
    description:
    - Wait for the task (for example, a publish task) to end.
    type: bool

access_control:
    description:
    - Access Control permissions.
    - Only a 'Customized' permission-type profile can edit these permissions.
    suboptions:
      access_control_objects_and_settings:
        choices:
        - read
        - write
        - disabled
        description:
        - Allow editing of the following object types: VPN Community, Access Role, Custom
          Application Group, Custom Application, Custom Category, Limit, Application -
          Match Settings, Application Category - Match Settings, Override Categorization,
          Application and URL Filtering blade - Advanced Settings, Content Awareness blade
          - Advanced Settings.
        type: str
      app_control_and_url_filtering_update:
        description:
        - Install Application and URL Filtering updates.
        type: bool
      dlp_policy:
        choices:
        - read
        - write
        - disabled
        description:
        - Configure DLP rules and Policies.
        type: str
      geo_control_policy:
        choices:
        - read
        - write
        - disabled
        description:
        - Work with Access Control rules that control traffic to and from specified countries.
        type: str
      install_policy:
        description:
        - Install Access Control Policies.
        type: bool
      nat_policy:
        choices:
        - read
        - write
        - disabled
        description:
        - Work with NAT in Access Control rules.
        type: str
      policy_layers:
        description:
        - Layer editing permissions.
        - Available only if show_policy is set to true.
        suboptions:
          app_control_and_url_filtering:
            description:
            - Use Application and URL Filtering in Access Control rules.
            - Available only if edit_layers is set to 'By Software Blades'.
            type: bool
          content_awareness:
            description:
            - Use specified data types in Access Control rules.
            - Available only if edit_layers is set to 'By Software Blades'.
            type: bool
          edit_layers:
            choices:
            - By Software Blades
            - By Selected Profile In A Layer Editor
            description:
            - Setting 'By Software Blades' lets the administrator edit Access Control layers
              that contain the blades enabled in the Permissions Profile.
            - Setting 'By Selected Profile In A Layer Editor' lets administrators edit a
              layer only if the Access Control layer editor gives editing permission to
              their profile.
            type: str
          firewall:
            description:
            - Work with Access Control and other Software Blades that do not have their
              own Policies.
            - Available only if edit_layers is set to 'By Software Blades'.
            type: bool
          mobile_access:
            description:
            - Work with Mobile Access rules.
            - Available only if edit_layers is set to 'By Software Blades'.
            type: bool
        type: dict
      qos_policy:
        choices:
        - read
        - write
        - disabled
        description:
        - Work with QoS Policies and rules.
        type: str
      show_policy:
        description:
        - Select to let administrators work with Access Control rules and NAT rules. If
          not selected, administrators cannot see these rules.
        type: bool
    type: dict

ignore_warnings:
    description:
    - Apply changes ignoring warnings.
    type: bool

permission_type:
    choices:
    - read write all
    - read only all
    - customized
    description:
    - The type of the Permissions Profile.
    type: str

threat_prevention:
    description:
    - Threat Prevention permissions.
    - Only a 'Customized' permission-type profile can edit these permissions.
    suboptions:
      edit_layers:
        choices:
        - By Selected Profile In A Layer Editor
        - All
        description:
        - Setting 'All' gives permission to edit all layers.
        - Setting 'By Selected Profile In A Layer Editor' lets administrators edit a layer
          only if the Threat Prevention layer editor gives editing permission to their
          profile.
        - Available only if policy_layers is set to 'write'.
        type: str
      edit_settings:
        description:
        - Work with general Threat Prevention settings.
        type: bool
      install_policy:
        description:
        - Install Policies.
        type: bool
      ips_update:
        description:
        - Update IPS protections.
        - Note, you do not have to log into the User Center to receive IPS updates.
        type: bool
      policy_exceptions:
        choices:
        - read
        - write
        - disabled
        description:
        - Configure exceptions to Threat Prevention rules.
        - Note, to have policy_exceptions you must also set the protections permission.
        type: str
      policy_layers:
        choices:
        - read
        - write
        - disabled
        description:
        - Configure Threat Prevention Policy rules.
        - Note, to have policy_layers permissions you must also set the policy_exceptions
          and profiles permissions. To have 'write' permission for policy_layers,
          policy_exceptions must be set to 'write' as well.
        type: str
      profiles:
        choices:
        - read
        - write
        - disabled
        description:
        - Configure Threat Prevention profiles.
        type: str
      protections:
        choices:
        - read
        - write
        - disabled
        description:
        - Work with malware protections.
        type: str
    type: dict

events_and_reports:
    description:
    - Events and Reports permissions.
    - Only a 'Customized' permission-type profile can edit these permissions.
    suboptions:
      events:
        choices:
        - read
        - write
        - disabled
        description:
        - Work with event queries on the Events tab. Create custom event queries.
        - Available only if smart_event is set to 'custom'.
        type: str
      policy:
        choices:
        - read
        - write
        - disabled
        description:
        - Configure SmartEvent Policy rules and install SmartEvent Policies.
        - Available only if smart_event is set to 'custom'.
        type: str
      reports:
        description:
        - Create and run SmartEvent reports.
        - Available only if smart_event is set to 'custom'.
        type: bool
      smart_event:
        choices:
        - custom
        - app control and url filtering reports only
        description:
        - Setting 'custom' lets you configure the individual SmartEvent permissions
          (events, policy and reports) below.
        - Setting 'app control and url filtering reports only' limits the administrator
          to those reports.
        type: str
    type: dict

edit_common_objects:
    description:
    - Define and manage objects in the Check Point database: Network Objects, Services,
      Custom Application Site, VPN Community, Users, Servers, Resources, Time, UserCheck,
      and Limit.
    - Only a 'Customized' permission-type profile can edit this permission.
    type: bool

auto_publish_session:
    default: false
    description:
    - Publish the current session after the task completes, if changes were made.
    type: bool

wait_for_task_timeout:
    default: 30
    description:
    - How many minutes to wait until throwing a timeout error.
    type: int

monitoring_and_logging:
    description:
    - Monitoring and Logging permissions.
    - A 'Customized' permission-type profile can edit all of these permissions. A 'Read
      Write All' permission-type profile can edit only dlp_logs_including_confidential_fields
      and manage_dlp_messages.
    suboptions:
      app_and_url_filtering_logs:
        description:
        - Work with Application and URL Filtering logs.
        type: bool
      dlp_logs_including_confidential_fields:
        description:
        - Show DLP logs including confidential fields.
        type: bool
      https_inspection_logs:
        description:
        - See logs generated by HTTPS Inspection.
        type: bool
      identities:
        description:
        - Show user and computer identity information in logs.
        type: bool
      manage_dlp_messages:
        description:
        - View, release or discard DLP messages.
        - Available only if dlp_logs_including_confidential_fields is set to true.
        type: bool
      management_logs:
        choices:
        - read
        - write
        - disabled
        description:
        - See Multi-Domain Server audit logs.
        type: str
      monitoring:
        choices:
        - read
        - write
        - disabled
        description:
        - See monitoring views and reports.
        type: str
      packet_capture_and_forensics:
        description:
        - See logs generated by the IPS and Forensics features.
        type: bool
      show_identities_by_default:
        description:
        - Show user and computer identity information in logs by default.
        type: bool
      show_packet_capture_by_default:
        description:
        - Enable packet capture by default.
        type: bool
      track_logs:
        choices:
        - read
        - write
        - disabled
        description:
        - Use the log tracking features in SmartConsole.
        type: str
    type: dict
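The playbook below is an added example; it is not part of the collection's documentation or the module's own examples. It builds two customized profiles from the options documented above, honouring the dependency notes (show_policy before policy_layers, protections before policy_exceptions, profiles and policy_exceptions before threat_prevention.policy_layers, dlp_logs_including_confidential_fields before manage_dlp_messages): one for a human SOC analyst who must never be able to change objects or drive the API, and one for a CI service account that may log in over the API and install policy but cannot author rules, run scripts on gateways or manage administrators. The inventory host name mgmt_server, the httpapi connection variables and the profile names and comments are assumptions; credentials are expected to come from Ansible Vault or the environment, not from this file.

```yaml
---
# Added example (not from the check_point.mgmt collection). Assumed: an
# inventory host "mgmt_server" reachable through the collection's httpapi
# plugin, with ansible_user / ansible_password supplied out of band.
- name: Create least-privilege domain permission profiles
  hosts: mgmt_server
  connection: httpapi
  gather_facts: false
  vars:
    ansible_network_os: check_point.mgmt.checkpoint
    ansible_httpapi_use_ssl: true
    # Keep certificate validation on: the session carries admin credentials.
    ansible_httpapi_validate_certs: true
  tasks:
    - name: SOC analyst profile - read-only, SmartConsole only, no object edits
      check_point.mgmt.cp_mgmt_domain_permissions_profile:
        name: soc-analyst-readonly
        # Section options below are honoured only on a customized profile
        permission_type: customized
        edit_common_objects: false
        color: blue
        comments: Managed by Ansible. Human analysts only.
        management:
          management_api_login: false   # credentials unusable from mgmt_cli/REST
          manage_sessions: false
          approve_or_reject_sessions: false
          publish_sessions: false
        access_control:
          show_policy: true             # lets them read rules; nothing below grants write
          nat_policy: read
          geo_control_policy: read
          install_policy: false
        threat_prevention:
          protections: read             # prerequisite for policy_exceptions
          profiles: read                # prerequisite (with exceptions) for policy_layers
          policy_exceptions: read
          policy_layers: read
          install_policy: false
          ips_update: false
        monitoring_and_logging:
          track_logs: read
          monitoring: read
          management_logs: read
          identities: true
          show_identities_by_default: false
          packet_capture_and_forensics: true
          # Confidential DLP fields stay hidden, so manage_dlp_messages must stay off
          dlp_logs_including_confidential_fields: false
          manage_dlp_messages: false
        state: present
        auto_publish_session: true

    - name: CI service account profile - API login and policy installation only
      check_point.mgmt.cp_mgmt_domain_permissions_profile:
        name: ci-policy-installer
        permission_type: customized
        edit_common_objects: false
        comments: Managed by Ansible. Pipeline credential, installs but never authors.
        management:
          management_api_login: true    # the whole point of this profile
          publish_sessions: true        # publish its own session without approval
          manage_sessions: false
          approve_or_reject_sessions: false
        access_control:
          show_policy: true
          install_policy: true
          nat_policy: disabled
          geo_control_policy: disabled
        threat_prevention:
          install_policy: true
          ips_update: true
          protections: disabled
        gateways:
          open_shell: false             # no SmartConsole CLI for a bot credential
          run_one_time_script: false
          run_repository_script: false
          lsm_gw_db: disabled           # 'write' here is Expert-mode script execution
          vsx_provisioning: false
        state: present
        auto_publish_session: true
```

Neither task sets manage_admins or manage_sessions to true: the notes above say only a 'Read Write All' profile can edit manage_admins, and a customized profile that could take over other sessions or grant rights would defeat the separation the two profiles are meant to create. Register each task's result to review the returned cp_mgmt_domain_permissions_profile object described under Outputs before assigning the profiles to administrators.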

Outputs

cp_mgmt_domain_permissions_profile:
  description: The Check Point object created or updated.
  returned: always, except when deleting the object.
  type: dict