thalesgroup.ciphertrust.cte_client_group module – Manage CTE client groups

Note

This module is part of the thalesgroup.ciphertrust collection (version 1.0.2).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install thalesgroup.ciphertrust.

To use it in a playbook, specify: thalesgroup.ciphertrust.cte_client_group.

New in thalesgroup.ciphertrust 1.0.0

Synopsis

  • This module lets an administrator create or manage client groups so that group-level policies can be applied to multiple clients

Parameters

Parameter

Comments

auth_binaries

string

Array of authorized binaries in the privilege-filename pair JSON format

client_id

string

Identifier of the client within the group that needs to be acted upon

client_list

list / elements=string

List of client identifiers to be associated with the ClientGroup

This identifier can be the Name, ID, URI, or slug of the client

client_locked

boolean

Is FS Agent locked?

Enables locking the configuration of the File System Agent on the client

This will prevent updates to any policies on the client

Default value is false

Choices:

  • false ← (default)

  • true

cluster_type

string

Cluster type of the ClientGroup, valid values are NON-CLUSTER and HDFS.

Choices:

  • "NON-CLUSTER"

  • "HDFS"

communication_enabled

boolean

Whether the File System communication is enabled

Choices:

  • false

  • true

description

string

Description of the ClientGroup

dps_id

string

ID/name of the Designated Primary Set.

enable_domain_sharing

boolean

Whether to enable domain sharing for ClientGroup

Choices:

  • false

  • true

enabled_capabilities

string

Comma separated agent capabilities which are enabled

Currently only RESIGN for re-signing client settings can be enabled

guard_enabled

boolean

Whether the GuardPoint is enabled.

Choices:

  • false

  • true

guard_paths

list / elements=string

List of GuardPaths to be created

guard_point_id

string

Unique identifier for the guardpoint to be updated

guard_point_id_list

list / elements=string

Comma-separated IDs of GuardPoints to be dissociated from a ClientGroup. The IDs can be the Name, ID (a UUIDv4), URI, or slug of the ClientGroup.

guard_point_params

dictionary

Parameters for creating a GuardPoint

automount_enabled

boolean

Whether automount is enabled with the GuardPoint

Supported for Standard and LDT policies

Choices:

  • false

  • true

cifs_enabled

boolean

Whether to enable CIFS

Available on LDT enabled windows clients only

The default value is false

If you enable the setting, it cannot be disabled

Supported for only LDT policies.

Choices:

  • false

  • true

data_classification_enabled

boolean

Whether data classification (tagging) is enabled

Enabled by default if the aligned policy contains ClassificationTags

Supported for Standard and LDT policies.

Choices:

  • false

  • true

data_lineage_enabled

boolean

Whether data lineage (tracking) is enabled

Enabled only if data classification is enabled

Supported for Standard and LDT policies.

Choices:

  • false

  • true

disk_name

string

Name of the disk if the selected raw partition is a member of an Oracle ASM disk group

diskgroup_name

string

Name of the disk group if the selected raw partition is a member of an Oracle ASM disk group

dps_id

string

ID/name of the Designated Primary Set.

early_access

boolean

Whether secure start (early access) is turned on

Secure start is applicable to Windows clients only

Supported for Standard and LDT policies

The default value is false

Choices:

  • false

  • true

guard_point_type

string

Type of the GuardPoint.

Choices:

  • "directory_auto"

  • "directory_manual"

  • "rawdevice_manual"

  • "rawdevice_auto"

  • "cloudstorage_auto"

  • "cloudstorage_manual"

intelligent_protection

boolean

Flag to enable intelligent protection for this GuardPoint

This flag is valid for GuardPoints with classification based policy only

Can only be set during GuardPoint creation

Choices:

  • false

  • true

is_idt_capable_device

boolean

Whether the device where GuardPoint is applied is IDT capable or not

Supported for IDT policies.

Choices:

  • false

  • true

mfa_enabled

boolean

Whether MFA is enabled

Choices:

  • false

  • true

network_share_credentials_id

string

ID/Name of the credentials if the GuardPoint is applied to a network share

Supported for only LDT policies.

policy_id

string

ID of the policy applied with this GuardPoint

This parameter is not valid for Ransomware GuardPoints as they will not be associated with any CTE policy

preserve_sparse_regions

boolean

Whether to preserve sparse file regions

Available on LDT enabled clients only

The default value is true

If you disable the setting, it cannot be enabled again

Supported for only LDT policies.

Choices:

  • false

  • true

id

string

Identifier of the Client Group to be acted upon

inherit_attributes

boolean

Whether the client should inherit attributes from the ClientGroup

Choices:

  • false

  • true

localNode

dictionary / required

Holds the connection parameters required to communicate with an instance of CipherTrust Manager (CM)

Holds the IP/FQDN of the server, username, password, and port

auth_domain_path

string / required

user’s domain path

password

string / required

admin password of CM

server_ip

string / required

CM Server IP or FQDN

server_port

integer / required

Port on which CM server is listening

server_private_ip

string / required

internal or private IP of the CM Server, if different from the server_ip

user

string / required

admin username of CM

verify

boolean / required

Whether SSL verification is required

Choices:

  • false

  • true

mfa_enabled

boolean

Whether MFA is enabled

Choices:

  • false

  • true

name

string

Name of the ClientGroup

network_share_credentials_id

string

ID/Name of the credentials if the GuardPoint is applied to a network share

Supported for only LDT policies.

op_type

string / required

Operation to be performed

Choices:

  • "create"

  • "patch"

  • "add_client"

  • "add_guard_point"

  • "update_guardpoint"

  • "unguard_guardpoints"

  • "auth-binaries"

  • "remove_client"

  • "ldt_pause"

password

string

User supplied password if password_creation_method is MANUAL

The password MUST be a minimum of 8 characters and MUST contain one alphabetic character, one number, and one special character

password_creation_method

string

Password creation method, GENERATE or MANUAL

Choices:

  • "GENERATE"

  • "MANUAL"

paused

boolean

Choices:

  • false

  • true

profile_id

string

ID of the client group profile that is used to schedule custom configuration for logger, logging, and Quality of Service (QoS)

re_sign

boolean

Whether to re-sign the client settings

Choices:

  • false

  • true

shared_domain_list

list / elements=string

List of domains with which ClientGroup needs to be shared

system_locked

boolean

Whether the system is locked

The default value is false

Enable this option to lock the important operating system files of the client

When enabled, patches to the operating system of the client will fail due to the protection of these files

Choices:

  • false

  • true

Examples

- name: "Create CTE Client Group"
  thalesgroup.ciphertrust.cte_client_group:
    localNode:
      server_ip: "IP/FQDN of CipherTrust Manager"
      server_private_ip: "Private IP in case that is different from above"
      server_port: 5432
      user: "CipherTrust Manager Username"
      password: "CipherTrust Manager Password"
      verify: false
      auth_domain_path:
    op_type: create
    cluster_type: NON-CLUSTER
    name: ClientGroup1

- name: "Add client to CTE client group"
  thalesgroup.ciphertrust.cte_client_group:
    localNode:
      server_ip: "IP/FQDN of CipherTrust Manager"
      server_private_ip: "Private IP in case that is different from above"
      server_port: 5432
      user: "CipherTrust Manager Username"
      password: "CipherTrust Manager Password"
      verify: false
      auth_domain_path:
    op_type: add_client
    client_list:
      - Client1
      - Client2
    inherit_attributes: true

- name: "Add guard point to CTE client group"
  thalesgroup.ciphertrust.cte_client_group:
    localNode:
      server_ip: "IP/FQDN of CipherTrust Manager"
      server_private_ip: "Private IP in case that is different from above"
      server_port: 5432
      user: "CipherTrust Manager Username"
      password: "CipherTrust Manager Password"
      verify: false
      auth_domain_path:
    op_type: add_guard_point
    guard_paths:
      - "/opt/path1/"
      - "/opt/path2/"
    guard_point_params:
      guard_point_type: directory_auto
      policy_id: TestPolicy
      data_classification_enabled: false
      data_lineage_enabled: false
      early_access: true
      preserve_sparse_regions: true
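
An added example, not part of the collection's documentation: the create and add_guard_point operations shown above, with localNode.verify set to true and the CipherTrust Manager credentials read from variables instead of being written inline. The variable names cm_host, cm_private_ip, cm_port, cm_user, cm_password, cm_auth_domain_path and cte_client_group_id, and the vars file path, are assumptions; the values are expected to come from an Ansible Vault encrypted file.

```yaml
# Added example. Every cm_* variable, cte_client_group_id and the vars file
# path are assumed names, not defined by the collection.
- name: Manage a CTE client group over verified TLS
  hosts: localhost
  gather_facts: false
  vars_files:
    - vault/ciphertrust.yml        # assumed path; encrypt it with ansible-vault
  vars:
    cm_connection:
      server_ip: "{{ cm_host }}"
      server_private_ip: "{{ cm_private_ip }}"
      server_port: "{{ cm_port }}"
      user: "{{ cm_user }}"
      password: "{{ cm_password }}"
      verify: true                 # require SSL verification of the CM server
      auth_domain_path: "{{ cm_auth_domain_path }}"
  tasks:
    - name: Create CTE client group
      thalesgroup.ciphertrust.cte_client_group:
        localNode: "{{ cm_connection }}"
        op_type: create
        cluster_type: NON-CLUSTER
        name: ClientGroup1
      no_log: true                 # keep the localNode dictionary out of task output

    - name: Add guard point to CTE client group
      thalesgroup.ciphertrust.cte_client_group:
        localNode: "{{ cm_connection }}"
        op_type: add_guard_point
        id: "{{ cte_client_group_id }}"   # client group to act upon
        guard_paths:
          - "/opt/path1/"
        guard_point_params:
          guard_point_type: directory_auto
          policy_id: TestPolicy
          # early_access is omitted: secure start applies to Windows clients only
      no_log: true
```

With no_log set, a failed task hides its error detail as well as the password, so remove it temporarily only when debugging against non-production credentials.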

Authors

  • Anurag Jain (@anugram)