check_point.mgmt.cp_mgmt_domain_permissions_profile module – Manages domain-permissions-profile objects on Checkpoint over Web Services API
Note
This module is part of the check_point.mgmt collection (version 6.5.0).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install check_point.mgmt.
To use it in a playbook, specify: check_point.mgmt.cp_mgmt_domain_permissions_profile.
New in check_point.mgmt 3.0.0
Synopsis
- Manages domain-permissions-profile objects on Checkpoint devices including creating, updating and removing objects. 
- All operations are performed over Web Services API. 
- Available from R81.20 management version. 
Parameters
| Parameter | Comments |
|---|---|
| | Access Control permissions.<br>Only a ‘Customized’ permission-type profile can edit these permissions. |
| | Allow editing of the following object types: VPN Community, Access Role, Custom application group, Custom application, Custom category, Limit, Application - Match Settings, Application Category - Match Settings, Override Categorization, Application and URL filtering blade - Advanced Settings, Content Awareness blade - Advanced Settings. Choices: |
| | Install Application and URL Filtering updates. Choices: |
| | Configure DLP rules and Policies. Choices: |
| | Work with Access Control rules that control traffic to and from specified countries. Choices: |
| | Install Access Control Policies. Choices: |
| | Work with NAT in Access Control rules. Choices: |
| | Layer editing permissions.<br>Available only if show-policy is set to true. |
| | Use Application and URL Filtering in Access Control rules.<br>Available only if edit-layers is set to “By Software Blades”. Choices: |
| | Use specified data types in Access Control rules.<br>Available only if edit-layers is set to “By Software Blades”. Choices: |
| | “By Software Blades” - Edit Access Control layers that contain the blades enabled in the Permissions Profile.<br>“By Selected Profile In A Layer Editor” - Administrators can only edit the layer if the Access Control layer editor gives editing permission to their profiles. Choices: |
| | Work with Access Control and other Software Blades that do not have their own Policies.<br>Available only if edit-layers is set to “By Software Blades”. Choices: |
| | Work with Mobile Access rules.<br>Available only if edit-layers is set to “By Software Blades”. Choices: |
| | Work with QoS Policies and rules. Choices: |
| | Select to let administrators work with Access Control rules and NAT rules. If not selected, administrators cannot see these rules. Choices: |
| | Publish the current session if changes have been performed after the task completes. Choices: |
| | Color of the object. Should be one of the existing colors. Choices: |
| | Comments string. |
| | The level of detail for some of the fields in the response can vary from showing only the UID value of the object to a fully detailed representation of the object. Choices: |
| | Define and manage objects in the Check Point database: Network Objects, Services, Custom Application Site, VPN Community, Users, Servers, Resources, Time, UserCheck, and Limit.<br>Only a ‘Customized’ permission-type profile can edit this permission. Choices: |
| | Endpoint permissions. Not supported for Multi-Domain Servers.<br>Only a ‘Customized’ permission-type profile can edit these permissions. |
| | The administrator can start operations that the Security Management Server pushes directly to client computers with no policy installation required. Choices: |
| | The administrator can add and remove the users who are permitted to log on to Endpoint Security client computers with Full Disk Encryption. Choices: |
| | Available only if manage-policies-and-software-deployment is set to true. Choices: |
| | The administrator can define deployment rules, create packages for export, and configure advanced package settings.<br>Available only if manage-policies-and-software-deployment is set to true. Choices: |
| | The administrator can work with policies, rules and actions. Choices: |
| | The administrator can install policies on endpoint computers. Choices: |
| | The administrator can create recovery media on endpoint computers and devices. Choices: |
| | The administrator can use the Remote Help feature to reset user passwords and give access to locked-out users. Choices: |
| | The administrator can reset a computer, which deletes all information about the computer from the Security Management Server. Choices: |
| | The administrator can deploy packages and install endpoint clients. Choices: |
| | Events and Reports permissions.<br>Only a ‘Customized’ permission-type profile can edit these permissions. |
| | Work with event queries on the Events tab. Create custom event queries.<br>Available only if smart-event is set to ‘Custom’. Choices: |
| | Configure SmartEvent Policy rules and install SmartEvent Policies.<br>Available only if smart-event is set to ‘Custom’. Choices: |
| | Create and run SmartEvent reports.<br>Available only if smart-event is set to ‘Custom’. Choices: |
| | ‘Custom’ - Configure SmartEvent permissions. Choices: |
| | Gateways permissions.<br>Only a ‘Customized’ permission-type profile can edit these permissions. |
| | Access to objects defined in LSM gateway tables. These objects are managed in the SmartProvisioning GUI or the LSMcli command line.<br>Note: ‘Write’ permission on lsm-gw-db allows the administrator to run a script on a SmartLSM gateway in Expert mode. Choices: |
| | The administrator can add, edit, delete, and assign provisioning profiles to gateways (both LSM and non-LSM).<br>Available for edit only if lsm-gw-db is set with ‘Write’ permission.<br>Note: ‘Read’ permission on lsm-gw-db enables ‘Read’ permission for manage-provisioning-profiles. Choices: |
| | Add, change and remove scripts in the repository. Choices: |
| | Use the SmartConsole CLI to run commands. Choices: |
| | Run user scripts from the command line. Choices: |
| | Run scripts from the repository. Choices: |
| | Install, update and delete Check Point licenses. This includes permission to use SmartUpdate to manage licenses. Choices: |
| | Back up Security Gateways. Choices: |
| | Restore Security Gateways from saved backups. Choices: |
| | Create and configure Virtual Systems and other VSX virtual objects. Choices: |
| | Apply changes ignoring errors. You will not be able to publish such changes. If the ignore-warnings flag is omitted, warnings are also ignored. Choices: |
| | Apply changes ignoring warnings. Choices: |
| | Management permissions. |
| | Approve / reject other sessions. Choices: |
| | Permission to read / edit the Cloud Management Extension (CME) configuration.<br>Not supported for Multi-Domain Servers. Choices: |
| | Configure and work with Domain High Availability.<br>Only a ‘Customized’ permission-type profile can edit this permission. Choices: |
| | Controls the ability to manage Administrators, Permission Profiles, Trusted clients, API settings and Policy settings.<br>Only a “Read Write All” permission-type profile can edit this permission.<br>Not supported for Multi-Domain Servers. Choices: |
| | Manage integration with Cloud Services. Choices: |
| | Lets you disconnect, discard, publish, or take over other administrator sessions.<br>Only a “Read Write All” permission-type profile can edit this permission. Choices: |
| | Permission to log in to the Security Management Server and run API commands using these tools: mgmt_cli (Linux and Windows binaries), Gaia CLI (clish) and Web Services (REST). Useful if you want to prevent administrators from running automatic scripts on the Management.<br>Note: this permission is not required to run commands from within the API terminal in SmartConsole.<br>Not supported for Multi-Domain Servers. Choices: |
| | Allow session publishing without an approval. Choices: |
| | Monitoring and Logging permissions.<br>A ‘Customized’ permission-type profile can edit all these permissions. A “Read Write All” permission-type profile can edit only the dlp-logs-including-confidential-fields and manage-dlp-messages permissions. |
| | Work with Application and URL Filtering logs. Choices: |
| | Show DLP logs including confidential fields. Choices: |
| | See logs generated by HTTPS Inspection. Choices: |
| | Show user and computer identity information in logs. Choices: |
| | View/Release/Discard DLP messages.<br>Available only if dlp-logs-including-confidential-fields is set to true. Choices: |
| | See Multi-Domain Server audit logs. Choices: |
| | See monitoring views and reports. Choices: |
| | See logs generated by the IPS and Forensics features. Choices: |
| | Show user and computer identity information in logs by default. Choices: |
| | Enable packet capture by default. Choices: |
| | Use the log tracking features in SmartConsole. Choices: |
| | Object name. |
| | Additional permissions.<br>Only a ‘Customized’ permission-type profile can edit these permissions. |
| | Create and manage client certificates for Mobile Access. Choices: |
| | Work with user accounts and groups. Choices: |
| | Enable and configure HTTPS Inspection rules. Choices: |
| | Work with the LDAP database and user accounts, groups and OUs. Choices: |
| | Work with Check Point User Authority authentication. Choices: |
| | Gives access to the UDM (User & Device Management) web-based application that handles security challenges in a “bring your own device” (BYOD) workspace. Choices: |
| | The type of the Permissions Profile. Choices: |
| | State of the access rule (present or absent). Choices: |
| | Collection of tag identifiers. |
| | Threat Prevention permissions.<br>Only a ‘Customized’ permission-type profile can edit these permissions. |
| | ‘ALL’ - Gives permission to edit all layers.<br>“By Selected Profile In A Layer Editor” - Administrators can only edit the layer if the Threat Prevention layer editor gives editing permission to their profiles.<br>Available only if policy-layers is set to ‘Write’. Choices: |
| | Work with general Threat Prevention settings. Choices: |
| | Install Policies. Choices: |
| | Update IPS protections.<br>Note: you do not have to log into the User Center to receive IPS updates. Choices: |
| | Configure exceptions to Threat Prevention rules.<br>Note: to have policy-exceptions you must set the protections permission. Choices: |
| | Configure Threat Prevention Policy rules.<br>Note: to have policy-layers permissions you must set the policy-exceptions and profiles permissions. To have ‘Write’ permission for policy-layers, policy-exceptions must be set with ‘Write’ permission as well. Choices: |
| | Configure Threat Prevention profiles. Choices: |
| | Work with malware protections. Choices: |
| | Version of Check Point. If none is given, the latest version is taken. |
| | Wait for the task to end, such as a publish task. Choices: |
| | How many minutes to wait until throwing a timeout error. Default: |
Examples
```yaml
# The module's own examples. The short module name resolves when the
# check_point.mgmt collection is loaded; otherwise use the fully qualified
# name check_point.mgmt.cp_mgmt_domain_permissions_profile.
- name: add-domain-permissions-profile
  cp_mgmt_domain_permissions_profile:
    name: customized profile
    state: present

- name: set-domain-permissions-profile
  cp_mgmt_domain_permissions_profile:
    access_control:
      policy_layers: By Selected Profile In A Layer Editor
    name: read profile
    permission_type: customized
    state: present

- name: delete-domain-permissions-profile
  cp_mgmt_domain_permissions_profile:
    name: profile
    state: absent
```
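The parameter table above states several dependencies between permissions (policy-layers needs policy-exceptions and profiles, manage-dlp-messages needs dlp-logs-including-confidential-fields, and so on) that the module only surfaces as an API error at run time. The following pre-flight check is an added example, not code from the check_point.mgmt collection: it validates a profile body against those rules before the task is sent, using the hyphenated Web Services API key names from the table; the section names and the LAYER_BLADES keys are assumptions, not taken from this page.

```python
# Added example (not part of the check_point.mgmt collection): a pre-flight check
# that a domain-permissions-profile body obeys the dependency rules stated in the
# parameter table above, run before the task is handed to the module. Keys use the
# hyphenated Web Services API names; section names and LAYER_BLADES keys are assumed.
BY_BLADES = "By Software Blades"
CUSTOMIZED_ONLY = ("access-control", "endpoint", "events-and-reports", "gateways", "threat-prevention")
LAYER_BLADES = ("app-control-and-url-filtering", "content-awareness", "firewall", "mobile-access")

def perm(sec, key):  # Read/Write/Disabled value; a missing key counts as disabled
    return str(sec.get(key, "disabled")).lower()

def check_profile(profile):
    """Return the rule violations found in a profile body (empty list = consistent)."""
    bad = []
    if str(profile.get("permission-type", "")).lower() != "customized":
        bad += [f"{s}: only a customized profile can set this section"
                for s in CUSTOMIZED_ONLY if s in profile]
    ac = profile.get("access-control", {})
    layers = ac.get("policy-layers")
    if layers and not ac.get("show-policy", False):
        bad.append("access-control: policy-layers needs show-policy=true")
    if isinstance(layers, dict) and layers.get("edit-layers") != BY_BLADES:
        bad += [f"access-control: {b} needs edit-layers='{BY_BLADES}'"
                for b in LAYER_BLADES if layers.get(b)]
    tp = profile.get("threat-prevention", {})
    if perm(tp, "policy-exceptions") != "disabled" and perm(tp, "protections") == "disabled":
        bad.append("threat-prevention: policy-exceptions needs protections")
    if perm(tp, "policy-layers") != "disabled":
        if "disabled" in (perm(tp, "policy-exceptions"), perm(tp, "profiles")):
            bad.append("threat-prevention: policy-layers needs policy-exceptions and profiles")
        if perm(tp, "policy-layers") == "write" and perm(tp, "policy-exceptions") != "write":
            bad.append("threat-prevention: policy-layers=write needs policy-exceptions=write")
    if tp.get("edit-layers") and perm(tp, "policy-layers") != "write":
        bad.append("threat-prevention: edit-layers needs policy-layers=write")
    gw = profile.get("gateways", {})
    if perm(gw, "manage-provisioning-profiles") == "write" and perm(gw, "lsm-gw-db") != "write":
        bad.append("gateways: manage-provisioning-profiles=write needs lsm-gw-db=write")
    ml = profile.get("monitoring-and-logging", {})
    if ml.get("manage-dlp-messages") and not ml.get("dlp-logs-including-confidential-fields"):
        bad.append("monitoring-and-logging: manage-dlp-messages needs dlp-logs-including-confidential-fields")
    return bad

# Constructed sample: a read-mostly auditor profile that breaks two of the rules above.
AUDITOR = {"name": "soc-auditor", "permission-type": "customized",
           "access-control": {"show-policy": True, "policy-layers": {"edit-layers": BY_BLADES}},
           "threat-prevention": {"protections": "read", "profiles": "read",
                                 "policy-exceptions": "read", "policy-layers": "write"},
           "monitoring-and-logging": {"manage-dlp-messages": True,
                                      "dlp-logs-including-confidential-fields": False}}
```

Running `check_profile(AUDITOR)` reports the two inconsistencies, so the play can fail fast instead of leaving a half-applied session behind.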
Return Values
Common return values are documented here, the following are the fields unique to this module:
| Key | Description |
|---|---|
| | The checkpoint object created or updated.<br>Returned: always, except when deleting the object. |
