User Groups (Optional)

groups messages manage user-to-group mappings:

<uid-message>
  <type>update</type>
  <payload>
    <groups>
      <entry name="group1">
        <members>
          <entry name="user1"/>
          <entry name="domain\user2"/>
        </members>
      </entry>
      <entry name="group2">
        <members>
          <entry name="user3"/>
        </members>
      </entry>
    </groups>
  </payload>
</uid-message>

Groups Updates

Group members must be updated in their entirety; it is not possible to add or delete individual members.

Note

The method described in Register-user and Unregister-user - DUG Objects is the preferred way to perform user-to-group mappings when using PAN-OS 9.1 or greater; Dynamic User Groups can be updated incrementally.

To delete (clear) a group, perform an update with an empty <members/> element node:

<uid-message>
  <type>update</type>
  <payload>
    <groups>
      <entry name="group2">
        <members/>
      </entry>
    </groups>
  </payload>
</uid-message>
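
Because a groups update replaces a group's member list in its entirety, a client that wants to add or remove a single user has to resend the complete list for that group. The Python code below is an added example, not part of the original page or of pan-python: build_groups_update and its arguments are hypothetical names, user4 is a constructed sample user, and the current membership is assumed to be tracked by the caller.

```python
import xml.etree.ElementTree as ET


def build_groups_update(current, add=None, remove=None):
    """Build a full-replacement groups <uid-message> (hypothetical helper).

    current: dict of group name -> list of members the caller believes are set.
    add / remove: dict of group name -> users to add or drop (the delta).
    Returns (xml_text, new_state); only groups named in the delta are emitted.
    """
    add, remove = add or {}, remove or {}
    new_state = {}
    for group in sorted(set(add) | set(remove)):
        members = list(current.get(group, []))
        for user in add.get(group, []):
            if user not in members:  # keep the list free of duplicates
                members.append(user)
        dropped = set(remove.get(group, []))
        new_state[group] = [u for u in members if u not in dropped]

    msg = ET.Element("uid-message")
    ET.SubElement(msg, "type").text = "update"
    groups = ET.SubElement(ET.SubElement(msg, "payload"), "groups")
    for group, members in new_state.items():
        entry = ET.SubElement(groups, "entry", name=group)
        # A group left with no members serializes as an empty <members/>,
        # which is the clear form shown on this page.
        members_el = ET.SubElement(entry, "members")
        for user in members:
            ET.SubElement(members_el, "entry", name=user)
    return ET.tostring(msg, encoding="unicode"), new_state


if __name__ == "__main__":
    # Constructed sample state matching the page's uid-groups.xml.
    state = {"group1": ["user1", "domain\\user2"], "group2": ["user3"]}
    xml_text, state = build_groups_update(
        state, add={"group1": ["user4"]}, remove={"group2": ["user3"]}
    )
    print(xml_text)
```

The returned XML can be written to a file and sent with panxapi.py -U in the same way as uid-groups.xml.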

Example: Add User to Group Mappings (groups)

$ cat uid-groups.xml
<uid-message>
  <type>update</type>
  <payload>
    <groups>
      <entry name="group1">
        <members>
          <entry name="user1"/>
          <entry name="domain\user2"/>
        </members>
      </entry>
      <entry name="group2">
        <members>
          <entry name="user3"/>
        </members>
      </entry>
    </groups>
  </payload>
</uid-message>

$ panxapi.py -U uid-groups.xml
dynamic-update: success

admin@PA-VM> show user group list

group1
group2

Total: 2
* : Custom Group

admin@PA-VM> show user group name group1


source type: xmlapi

[1     ] user1
[2     ] domain\user2

admin@PA-VM> show user group name group2


source type: xmlapi

[1     ] user3

Tip

The CLI commands debug user-id clear group all and debug user-id clear group <group> can be used to remove all user group mappings or a specific group’s mappings, respectively.

Lab 14

  1. Use panxapi.py to perform a groups request to create group members.
  2. Verify group membership using the CLI.
  3. Verify group membership using panxapi.py -o.
  4. Use panxapi.py to perform a groups request to remove a group.
  5. Verify group membership using the CLI.

Hint

The <uid-message/> XML documents linked above can be retrieved using curl or wget.

Solution

$ panxapi.py -U uid-groups.xml
dynamic-update: success

admin@PA-VM> show user group name group1


source type: xmlapi

[1     ] user1
[2     ] domain\user2

$ panxapi.py -Xro 'show user group name "group2"'
op: success
source type: xmlapi

[1     ] user3

$ panxapi.py -U uid-groups-clear.xml
dynamic-update: success

admin@PA-VM> show user group name group2

admin@PA-VM>