User Groups (Optional)

The groups message manages user-to-group mappings:

<uid-message>
  <type>update</type>
  <payload>
    <groups>
      <entry name="group1">
        <members>
          <entry name="user1"/>
          <entry name="domain\user2"/>
        </members>
      </entry>
      <entry name="group2">
        <members>
          <entry name="user3"/>
        </members>
      </entry>
    </groups>
  </payload>
</uid-message>

Groups Updates

Group members must be updated in their entirety; it is not possible to add or delete individual members.

Note

Register-user and Unregister-user (DUG Objects) is the preferred method for user-to-group mappings when using PAN-OS 9.1 or greater, because Dynamic User Groups can be updated incrementally.

To delete (clear) a group, perform an update with an empty <members/> element:

<uid-message>
  <type>update</type>
  <payload>
    <groups>
      <entry name="group2">
        <members/>
      </entry>
    </groups>
  </payload>
</uid-message>
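
Because a groups update replaces a group's members wholesale, an incremental change has to be merged into the full member list on the client before the message is built. The following is an added example, not part of the original tutorial or of pan-python: the helper names apply_change and build_groups_message are hypothetical, and user4 is a constructed sample value.

```python
import xml.etree.ElementTree as ET


def apply_change(current, group, add=(), remove=()):
    """Merge an incremental change into the complete member list of `group`.

    `current` is the caller's own record of {group name: member list};
    the groups message has no add/delete operation, so the full list
    must be resent every time.
    """
    drop = set(remove)
    members = [m for m in current.get(group, []) if m not in drop]
    members += [m for m in add if m not in members]
    return members


def build_groups_message(groups):
    """Build a <uid-message> update from {group name: full member list}.

    A group mapped to an empty list gets an empty <members/> element,
    which clears that group.
    """
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "type").text = "update"
    payload = ET.SubElement(msg, "payload")
    groups_el = ET.SubElement(payload, "groups")
    for name, members in groups.items():
        entry = ET.SubElement(groups_el, "entry", name=name)
        members_el = ET.SubElement(entry, "members")
        for user in members:
            ET.SubElement(members_el, "entry", name=user)
    ET.indent(msg)  # pretty-print; requires Python 3.9+
    return ET.tostring(msg, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample state mirroring the groups shown above.
    current = {"group1": ["user1", "domain\\user2"], "group2": ["user3"]}
    desired = {
        "group1": apply_change(current, "group1", add=["user4"]),
        "group2": [],  # clear group2
    }
    print(build_groups_message(desired))
```

Save the output to a file and send it with panxapi.py -U. If the client's record of current membership is stale, the update silently drops any member missing from it, so verify the result with show user group name.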

Example: Add User to Group Mappings (groups)

$ cat uid-groups.xml
<uid-message>
  <type>update</type>
  <payload>
    <groups>
      <entry name="group1">
        <members>
          <entry name="user1"/>
          <entry name="domain\user2"/>
        </members>
      </entry>
      <entry name="group2">
        <members>
          <entry name="user3"/>
        </members>
      </entry>
    </groups>
  </payload>
</uid-message>

$ panxapi.py -U uid-groups.xml
dynamic-update: success

admin@PA-VM> show user group list

group1
group2

Total: 2
* : Custom Group

admin@PA-VM> show user group name group1


source type: xmlapi

[1     ] user1
[2     ] domain\user2

admin@PA-VM> show user group name group2


source type: xmlapi

[1     ] user3

Tip

The CLI commands debug user-id clear group all and debug user-id clear group <group> can be used to remove all user group mappings and a specific group’s mappings, respectively.

Lab 14

  1. Use panxapi.py to perform a groups request to create group members.

  2. Verify group membership using the CLI.

  3. Verify group membership using panxapi.py -o.

  4. Use panxapi.py to perform a groups request to remove a group.

  5. Verify group membership using the CLI.

Hint

The links to the <uid-message/> XML documents above can be retrieved using curl or wget.

Solution

$ panxapi.py -U uid-groups.xml
dynamic-update: success

admin@PA-VM> show user group name group1


source type: xmlapi

[1     ] user1
[2     ] domain\user2

$ panxapi.py -Xro 'show user group name "group2"'
op: success
source type: xmlapi

[1     ] user3

$ panxapi.py -U uid-groups-clear.xml
dynamic-update: success

admin@PA-VM> show user group name group2

admin@PA-VM>