01-04-2022 10:29 AM
I am looking for a playbook to change a user's role to a different group and make them a super user on Panorama. Has anyone accomplished this before?
01-05-2022 04:39 AM
@Matthew_Gee Hope this helps. The user needs to exist already per your original ask.
```yaml
---
#
# Ansible playbook to make an existing administrator in Panorama a superuser
#
# Example usage: ansible-playbook -i inventory make-admin-superuser.yml -e "admin_user=alice"
#
- hosts: '{{ target | default("panorama") }}'
  connection: local

  vars:
    device:
      ip_address: "{{ ip_address }}"
      username: "{{ username | default(omit) }}"
      password: "{{ password | default(omit) }}"
      api_key: "{{ api_key | default(omit) }}"

  tasks:
    - name: Change administrator to superuser
      paloaltonetworks.panos.panos_administrator:
        provider: '{{ device }}'
        admin_username: '{{ admin_user }}'
        superuser: true

    - name: Commit
      paloaltonetworks.panos.panos_commit_panorama:
        provider: "{{ device }}"
      register: results

    - debug:
        msg: "Commit with Job ID: {{ results.jobid }} had output: {{ results.details }}"
```
01-05-2022 05:52 AM
It definitely helps. Is there a way to see what custom role and profile the user is before making the change and store it as a variable?
01-05-2022 08:27 AM
@Matthew_Gee You could do something like that with these tasks at the start of the playbook, before changing the administrator to a superuser:
```yaml
- name: Get admin user role details, and register the response
  paloaltonetworks.panos.panos_op:
    provider: "{{ device }}"
    cmd: '<show><config><running><xpath>mgt-config/users/entry[@name="{{ admin_user }}"]/permissions/role-based</xpath></running></config></show>'
    cmd_is_xml: true
  register: adminresult

- name: Parse out role from XML response
  community.general.xml:
    xmlstring: "{{ adminresult.stdout_xml }}"
    xpath: /response[@status='success']/result/role-based/custom/profile
    content: text
  register: therole

- debug:
    msg: "{{ therole.matches[0].profile }}"
```
01-05-2022 11:08 AM
That is 100% what I needed! Thank you sooooo much for saving me a TON of time. I would like to know more about the generating and parsing of the XML so if you have any guides or know of any good training on this please let me know.
01-06-2022 08:36 AM
@Matthew_Gee For panos_op, I find it is easiest to debug the CLI. Find the CLI command for the thing you're trying to do then "debug cli on" and copy the XML syntax there. The CLI uses the same API which Ansible does (via pan-os-python under the hood). More details on this approach here: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-ap...
To parse the XML, check the output from the CLI command you executed and then work out the xpath down the XML which you need for your variable. Then I used the XML module here to parse it: https://docs.ansible.com/ansible/latest/collections/community/general/xml_module.html
Hope that helps!
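The XPath walk described in the replies above can be tried offline before wiring it into a playbook. The following is an added example, not part of the original posts: it applies the same path to constructed sample responses and also covers an administrator who has no custom profile (for example one who is already a superuser), which is worth recording before a privilege change. The sample XML, the profile name `readonly-audit`, the function name `current_role` and the shape of the superuser response are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample responses (not captured from a real device).
CUSTOM = """<response status="success"><result>
  <role-based><custom><profile>readonly-audit</profile></custom></role-based>
</result></response>"""
# Assumed shape for an administrator who is already a superuser.
SUPERUSER = """<response status="success"><result>
  <role-based><superuser>yes</superuser></role-based>
</result></response>"""
ERROR = '<response status="error"><msg>No such node</msg></response>'


def current_role(xml_text):
    """Return (kind, value) for a role-based permissions response.

    kind is "custom" (value is the profile name), "builtin" (value is
    the tag of the built-in role element, e.g. "superuser") or "none".
    Raises ValueError when the API reports a non-success status.
    """
    root = ET.fromstring(xml_text)
    # Same check as the [@status='success'] predicate in the playbook xpath.
    if root.tag != "response" or root.get("status") != "success":
        raise ValueError("API call failed: status=%r" % root.get("status"))
    role = root.find("./result/role-based")
    if role is None or len(role) == 0:
        return ("none", None)
    # Equivalent of .../role-based/custom/profile with content: text.
    profile = role.findtext("./custom/profile")
    if profile is not None:
        return ("custom", profile.strip())
    # Any other child element is treated as a built-in role (assumption).
    return ("builtin", role[0].tag)


if __name__ == "__main__":
    for label, doc in (("custom", CUSTOM), ("superuser", SUPERUSER)):
        print(label, "->", current_role(doc))
```

Storing the returned pair alongside the change record gives a value to restore if the superuser grant is later withdrawn.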