Configuring Roles in Gaia Clish

To add an RBA role

add rba role <New Role Name> domain-type System

      all-features

      readonly-features <List of RO Features>

      readwrite-features <List of RW Features>}

Note - You can add "readonly-features" and "readwrite-features" in the same command.

To choose which VSX Virtual Systems this role can access

add rba role <Existing Role Name>

      virtual-system-access 0

      virtual-system-access all

      virtual-system-access VSID1,VSID2,...,VSIDn

To assign Gaia access mechanisms to a user

add rba user <User Name>

      access-mechanisms Web-UI

      access-mechanisms CLI

      access-mechanisms Web-UI,CLI

To assign an RBA role to a user

add rba user <User Name> roles <Role1,Role2,...,RoleN>

To show RBA roles information

show rba

all

      role <Role Name>

      roles

      user <User Name>

      users

To delete an entire RBA role

delete rba role <Role Name>

To delete features from an RBA role

delete rba role <Role Name>

      readonly-features <List of RO Features>

      readwrite-features <List of RW Features>

Note - You can delete "readonly-features" and "readwrite-features" in the same command.

To remove Gaia access mechanisms from a user

delete rba user <User Name>

      access-mechanisms Web-UI

      access-mechanisms CLI

      access-mechanisms Web-UI,CLI

To remove an RBA role from a user

delete rba user <User Name> roles <Role1,Role2,...,RoleN>

CLI Parameters

Parameter

Description

role <Role Name>

Role name as a character string that contains letters, numbers or the underscore (_) character.

The role name must start with a letter.

domain-type System

Reserved for future use.

virtual-system-access {0 | all | VSID1, VSID2, ..., VSIDn}

Specifies which VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Virtual Systems this role can access:

0 - Access only to VSX Gateway Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0. (VSX Cluster Member Security Gateway that is part of a cluster.) itself (context of VS0).
all - Access to all Virtual Systems.
VSID1,VSID2,...,VSIDn - Access only to specified Virtual Systems. This is a comma-separated list of Virtual Systems IDs (spaces are not allowed in this syntax).

all-features

Grants read-write permissions to all features.

Important - This is equivalent to the admin role!

readonly-features <List of RO Features>

A comma-separated list of Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. features that have read-only permissions in the specified role.

See:

Notes:

Press <SPACE><TAB> to see the list of available features.
You can add read-only and read-write feature lists in the same "add rba role <Role Name> domain-type System ..." command.

readwrite-features <List of RW Features>

A comma-separated list of Gaia features that have read-write permissions in the specified role.

See:

Notes:

Press <SPACE><TAB> to see the list of available features.
You can add read-only and read-write feature lists in the same "add rba role <Role Name> domain-type System ..." command.

Important - A user with read/write permission to the user feature can change a user password, including that of the admin user. Be careful when assigning roles that include this permission!

user <User Name>

User, to which access mechanism permissions and roles are assigned.

roles <Role1,Role2,...,RoleN>

Comma-separated list of role names that are assigned to or removed from the specified user (spaces are not allowed in this syntax).

access-mechanisms {Web-UI | CLI | Web-UI,CLI}

Defines the access mechanisms that users can work with to manage Gaia:

Web-UI - Access only to Gaia Portal Web interface for the Check Point Gaia operating system.
CLI - Access only to Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell).
Web-UI,CLI - Access to both Gaia Portal and Gaia Clish (spaces are not allowed in this syntax)

Example

gaia> add rba role NewRole domain-type System readonly-features vpn,ospf,rba readwrite-features snmp

gaia> show rba role NewRole

Role

    NewRole

    domain-type System

    read-write-feature snmp

    read-only-feature vpn,ospf,rba

gaia>

gaia> add rba user John roles NewRole

gaia> add rba user John access-mechanisms Web-UI,CLI

gaia> show rba user John

User

    John

    access-mechanism CLI

    access-mechanism Web-UI

    role NewRole

gaia>

gaia> delete rba user John roles NewRole

gaia> delete rba role NewRole