
How to assign a parent/base policy to an access policy with FMC API

Difan_Zhao

Hi team,

I am trying to assign a parent or base policy for a newly created access policy with the FMC API. I used the PUT method. My URL is '/api/fmc_config/v1/domain/abb07252-1ece-43d2-d526-000000000002/policy/accesspolicies/90E2BAC8-8AE5-0ed3-0001-851131828565/inheritancesettings/90E2BAC8-8AE5-0ed3-0001-851131828565'. The URL works when I use the GET method (which returns no "basePolicy" field as expected)

Here is my put_data:

{
   "type":"AccessPolicyInheritanceSetting",
   "id":"90E2BAC8-8AE5-0ed3-0001-851131828565",
   "basePolicy":{
      "name":"SAP-HEC_Retired",
      "id":"90E2BAC8-8AE5-0ed3-0000-292058203644",
      "type":"AccessPolicy"
   }
}

I got this error:

{
   "error":{
      "category":"FRAMEWORK",
      "messages":[
         {
            "description":"External proxy invoked LwPolicyApi getACPGEntry method and ran into an unexpected error com.cisco.nm.vms.rpc.shared.exception.InvalidDomainException: Object does not belong to current domain."
         }
      ],
      "severity":"ERROR"
   }
}

The parent policy is in the same domain as the current policy. Do you know what the error means? Thanks!

 


marce1000

 

The error message "Object does not belong to current domain" suggests that the parent policy (basePolicy) you are trying to assign to the newly created access policy does not belong to the same domain as the current policy. Make sure that both policies are in the same domain and that the domain ID in the URL is correct. Also, double-check the ID of the parent policy (basePolicy) to ensure that it is correct. If everything is correct, please check if there is any restriction on the policy objects that belong to the domain and make sure the user who is making the API call has the required permissions.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Hi Marce, I just tried again and I double-checked the ID. Both the base policy and the new policy are in the same domain. I am still getting the same error... There is no problem with my permission too. I used the same account and changed the inheritance setting with the mgmt webpage without errors.

Could you elaborate more about "if there is any restriction on the policy objects that belong to the domain"? Where do I find the restrictions? Thanks!

 

 

I just tested this and got it to work.  What I think I did differently is that I pulled the existing inheritance policy from the  ACP I wanted to update, added my changes to that policy and sent it back.  So my code is the following:

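# get_info() and send_data() are helper functions that are not shown in this post.
def get_inheritance(_url):
    # GET the current inheritance settings of the access policy
    return get_info(_url, "GET")

def update_inheritance(_url, _data):
    # PUT the modified inheritance settings back to the same URL
    send_data("PUT", _url, _data)

_URL = "https://{FMC_IP}/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/policy/accesspolicies/000C29F7-A272-0ed3-0000-021474836544/inheritancesettings/000C29F7-A272-0ed3-0000-021474836544"

# The base (parent) policy to assign
basePolicydata = {}
basePolicydata["basePolicy"] = {
    "name": "Base_Policy",
    "id": "000C29F7-A272-0ed3-0000-004294967299",
    "type": "AccessPolicy",
}

# Read the existing settings, add the base policy, and send the whole object back
inheritance_policy = get_inheritance(_URL)
inheritance_policy["basePolicy"] = basePolicydata["basePolicy"]

update_inheritance(_URL, inheritance_policy)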

 

--
Please remember to select a correct answer and rate helpful posts

Thanks Marius for your response.. I am still getting the same result.. So I followed your instruction. I first "GET" the response from the URL

'https://fmc.network.lan/api/fmc_config/v1/domain/abb07252-1ece-43d2-d526-000000000002/policy/accesspolicies/90E2BAC8-8AE5-0ed3-0001-851131830796/inheritancesettings/90E2BAC8-8AE5-0ed3-0001-851131830796'

Here is the response

{
   "metadata":{
      "timestamp":1674939326779
   },
   "links":{
      "self":"https://fmc.network.lan/api/fmc_config/v1/domain/abb07252-1ece-43d2-d526-000000000002/policy/accesspolicies/90E2BAC8-8AE5-0ed3-0001-851131830796/inheritancesettings/90E2BAC8-8AE5-0ed3-0001-851131830796"
   },
   "id":"90E2BAC8-8AE5-0ed3-0001-851131830796",
   "type":"AccessPolicyInheritanceSetting"
}

Then I added the "basePolicy" part

put_data["basePolicy"] = {
    "name": inherit_setting["name"],
    "id": inherit_setting["id"],
    "type": "AccessPolicy"
}

As a result, the put_data becomes

{
   "metadata":{
      "timestamp":1674939326779
   },
   "links":{
      "self":"https://fmc.network.lan/api/fmc_config/v1/domain/abb07252-1ece-43d2-d526-000000000002/policy/accesspolicies/90E2BAC8-8AE5-0ed3-0001-851131830796/inheritancesettings/90E2BAC8-8AE5-0ed3-0001-851131830796"
   },
   "id":"90E2BAC8-8AE5-0ed3-0001-851131830796",
   "type":"AccessPolicyInheritanceSetting",
   "basePolicy":{
      "name":"SAP-HEC_Retired",
      "id":"90E2BAC8-8AE5-0ed3-0000-292058203644",
      "type":"AccessPolicy"
   }
}

Then I use the PUT method with the same URL and I got this

Status code is: 400
Error occurred in PUT --> {"error":{"category":"FRAMEWORK","messages":[{"description":"External proxy invoked LwPolicyApi getACPGEntry method and ran into an unexpected error com.cisco.nm.vms.rpc.shared.exception.InvalidDomainException: Object does not belong to current domain."}],"severity":"ERROR"}}

I double checked. The basepolicy is in the same domain:

    {
       "type": "AccessPolicy",
       "links": {
          "self": "https://fmc.network.lan/api/fmc_config/v1/domain/abb07252-1ece-43d2-d526-000000000002/policy/accesspolicies/90E2BAC8-8AE5-0ed3-0000-292058203644"
       },
       "name": "SAP-HEC_Retired",
       "id": "90E2BAC8-8AE5-0ed3-0000-292058203644"
    },

What did I miss...? 
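The ID and domain comparison done by hand in the posts above can be scripted. This is an added example, not code from any poster or from Cisco; `parse_fmc_url` and `preflight` are hypothetical helper names, the URL layout is copied from the URLs quoted in this thread, and the sample values are assembled from the thread's own IDs. It only checks that the request is self-consistent; the thread reports the 400 error even when these checks pass.

```python
import re

# Path layout copied from the URLs quoted in this thread.
_PATH = re.compile(
    r"/domain/(?P<domain>[0-9A-Fa-f-]+)/policy/accesspolicies/(?P<policy>[0-9A-Fa-f-]+)"
    r"(?:/inheritancesettings/(?P<setting>[0-9A-Fa-f-]+))?/?$")

def parse_fmc_url(url):
    """Return lower-cased domain, policy and setting IDs from an FMC URL."""
    m = _PATH.search(url)
    if not m:
        raise ValueError("not an access policy URL: " + url)
    return {k: v.lower() if v else None for k, v in m.groupdict().items()}

def preflight(put_url, put_data, base_item):
    """Return a list of ID mismatches; an empty list means the request is consistent.

    base_item is the base policy's entry from a GET on .../policy/accesspolicies.
    """
    target = parse_fmc_url(put_url)
    base = parse_fmc_url(base_item["links"]["self"])
    body_base = put_data.get("basePolicy") or {}
    base_id = str(body_base.get("id", "")).lower()
    checks = [
        (target["setting"] is not None, "URL lacks inheritancesettings/<id>"),
        (str(put_data.get("id", "")).lower() == target["setting"],
         "body id != inheritancesettings id in URL"),
        (put_data.get("type") == "AccessPolicyInheritanceSetting", "unexpected body type"),
        (body_base.get("type") == "AccessPolicy", "unexpected basePolicy type"),
        (base_id == base["policy"], "basePolicy.id != ID in the base policy's self link"),
        (base_id != target["policy"], "basePolicy.id is the child policy itself"),
        (base["domain"] == target["domain"], "base policy self link is in another domain"),
    ]
    return [msg for ok, msg in checks if not ok]

# Sample input assembled from the values quoted in the thread.
DOMAIN = "abb07252-1ece-43d2-d526-000000000002"
CHILD = "90E2BAC8-8AE5-0ed3-0001-851131830796"
PARENT = "90E2BAC8-8AE5-0ed3-0000-292058203644"
ROOT = "https://fmc.network.lan/api/fmc_config/v1/domain/" + DOMAIN + "/policy/accesspolicies/"
PUT_URL = ROOT + CHILD + "/inheritancesettings/" + CHILD
PUT_DATA = {"id": CHILD, "type": "AccessPolicyInheritanceSetting",
            "basePolicy": {"name": "SAP-HEC_Retired", "id": PARENT, "type": "AccessPolicy"}}
BASE_ITEM = {"type": "AccessPolicy", "name": "SAP-HEC_Retired", "id": PARENT,
             "links": {"self": ROOT + PARENT}}

if __name__ == "__main__":
    print(preflight(PUT_URL, PUT_DATA, BASE_ITEM) or "IDs and domain are consistent")
```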

Could there be another PUT function that is sending the data?  Or perhaps another function that is assigning different data to the inheritance policy? 

If you look at the self links, what you got from the FMC is different from what you are sending. You are "GET"ing an access control policy ID of 90E2BAC8-8AE5-0ed3-0001-851131830796 but the object you are referring to when you check that the domain is the same is 90E2BAC8-8AE5-0ed3-0000-292058203644.


Hi Marius, thanks for reading my messages carefully...

90E2BAC8-8AE5-0ed3-0001-851131830796 -> The new policy (or the child policy)

90E2BAC8-8AE5-0ed3-0000-292058203644 -> The parent policy (aka the base policy)

abb07252-1ece-43d2-d526-000000000002 -> domain ID

Sorry but could you let me know where I used the ID wrong?

The PUT function is essentially just a one-liner... I mean, I used this command instead of the function and I am getting the same result...

r = requests.put(url, data=json.dumps(put_data), headers=headers, verify=False)

 

Sorry, I misread the object IDs, no issue there.  I have managed to recreate the issue in my lab where the base policy and child policy are within the same domain which is not the Global domain.  This is an interesting issue as I am able to assign the base policy to the child policy via GUI but as of yet I have not been able to do the same via API (getting the same error as you are).  I am not yet sure if this is a limitation or if we are just missing some key:value pairs that tie the policies to the correct domain.

Will let you know if I manage to figure it out

 


Thank you so much, Marius! I am so glad that you could reproduce the issue. You are absolutely right that I forgot to mention that I tried with the GUI and it worked fine so it must be supported but just some small pieces I missed. Please keep me posted!
