bt-cli 0.4.37__tar.gz → 0.4.39__tar.gz

{bt_cli-0.4.37 → bt_cli-0.4.39}/.claude/skills/epml/SKILL.md

@@ -133,8 +133,13 @@ bt epml rbp tmdategrps tmdates replace <tmdategrp_id> --file tmdates.json
 # Roles + assignments
 bt epml rbp roles list
 bt epml rbp roles create --name "Helpdesk Role" --action A \
+  --description "..." --comment "..." --tag "AdminAccess" \
+  --risk 6 --rpt 1 \
   --iolog '/iologs/%date%/%uniqueid%.iolog' \
-  --message "This session is logged."
+  --banner-text "Helpdesk Role"             # builds standard ###-framed banner
+# or --message "raw multi-line message"
+# or --banner                               # banner with %rbprole% template
+bt epml rbp roles update <id> --tag NewTag --risk 9 --rpt 1     # in-place edit
 bt epml rbp roles duplicate <role_id>
 bt epml rbp roles cmdgrps   add <role_id> --ids 1,2          # cmdgrps & tmdategrps: just IDs
 bt epml rbp roles tmdategrps add <role_id> --ids 1
@@ -158,6 +163,54 @@ bt epml rbp policy revert
 bt epml rbp policy delete-all --yes-i-mean-it      # destructive, gated
 ```
 
+## Worked example: build a role from scratch
+
+End-to-end recipe for a "users in group X can run shells on all hosts at any time" role with I/O logging and a session banner. Mirrors the pattern of the tenant's existing roles (Postgres, Docker Admin, etc.).
+
+```bash
+# 1. Command group containing the commands the role allows
+bt epml rbp cmdgrps create --name "RootShells" --description "Root shells with arguments"
+# captures: id 35
+bt epml rbp cmdgrps commands add 35 --commands "bash *,sh *,ksh *,zsh *,csh *,bash,sh,ksh,zsh,csh"
+
+# 2. Role itself, all metadata in one shot
+bt epml rbp roles create \
+  --name "RootShells" \
+  --description "Root shell access — I/O logged" \
+  --comment    "Root shell access — I/O logged"  \
+  --tag        "RootAccess" \
+  --risk        9 \
+  --rpt         1 \
+  --action      A \
+  --iolog      '/iologs/%date%/%uniqueid%.iolog' \
+  --banner-text "Root Shell Access"
+# captures: id 126
+
+# 3. Wire up the four group assignments
+bt epml rbp roles cmdgrps   add 126 --ids 35              # cmdgrp: just IDs
+bt epml rbp roles hostgrps  add 126 --ids 1 --kind B      # All Hosts, both Submit and Run-as
+bt epml rbp roles usergrps  add 126 --ids 4 --kind S      # Administrators as Submit (who requests)
+bt epml rbp roles usergrps  add 126 --ids 3 --kind R      # 'root' as Run-as (whose identity)
+bt epml rbp roles tmdategrps add 126 --ids 1              # Any Time
+
+# 4. Verify
+bt epml rbp roles list -o json | python3 -c 'import json,sys;[print(json.dumps(r,indent=2)) for r in json.load(sys.stdin) if r["id"]==126]'
+bt epml rbp roles cmdgrps   list 126
+bt epml rbp roles hostgrps  list 126
+bt epml rbp roles usergrps  list 126
+bt epml rbp roles tmdategrps list 126
+bt epml rbp entitlement run -o json | grep RootShells     # rpt=1 makes it surface
+```
+
+The resulting banner displayed to users (server-substituted at session time):
+```
+############################################################
+ Policy:           Root Shell Access
+ Status:           %event%
+ Session Recorded: Yes
+############################################################
+```
+
 ## Test suites + transactions (the killer workflow)
 
 ```bash
@@ -206,7 +259,8 @@ bt epml quick tests-then-deploy --suite <suite_id>      # commits if pass; rollb
 - **Children share the parent's `id`** in GET responses — the listed `id` field is the cmdgrp/hostgrp/usergrp ID, not unique per child. The actual identifier is the `cmd`/`host`/`user` text.
 - **Role assignments take a single object per request, not an array**. The CLI loops under the hood; the wire body is e.g. `{"cmds": 35}`, `{"hosts": 1, "type": "S"}`, `{"users": 4, "type": "R"}`, `{"tmdates": 1}`.
 - **Hostgrp / usergrp assignments require a `type` field** (`S` = Submit / who requests, `R` = Run-as / whose identity the command runs under). Without `type` the request 400s with "RBP role type not in: [S,R]". CLI: `--kind S|R|B` on `roles hostgrps add` and `roles usergrps add`. `B` (default) creates both an S row and an R row for the same id — appropriate when the same group plays both roles. For "Admin requests, runs as root", do `--ids 4 --kind S` and `--ids 3 --kind R` separately.
-- **Roles need `rpt: 1`** to appear in `bt epml rbp entitlement run`. The role still functions for policy evaluation either way, but only `rpt=1` roles are surfaced in the report. Not yet exposed by the CLI — file-level edit via export/import is the workaround.
+- **Roles need `rpt: 1`** to appear in `bt epml rbp entitlement run`. The role still functions for policy evaluation either way, but only `rpt=1` roles are surfaced in the report. Set with `--rpt 1` on `roles create` / `roles update` (added in 0.4.38).
+- **Role update is upsert-on-id, not partial**: hitting POST `/roles` with `{id, ...}` *overwrites* the matching record — fields you omit get cleared. The CLI's `roles update` does read-modify-write (fetch the role, merge changes, post the whole record) so this feels partial. Role-child relations (rolecmds/roleusers/etc.) are filtered out of the merge so assignments survive an update. **If you hit the API directly via curl**, you must send the full record yourself.
 
 ## Known gaps (TODO)
 

{bt_cli-0.4.37 → bt_cli-0.4.39}/CLAUDE.md

@@ -1,6 +1,6 @@
 # BT-CLI
 
-BeyondTrust Platform CLI for Password Safe, Entitle, PRA, EPM Windows, and EPM Linux. **Version: 0.4.37**
+BeyondTrust Platform CLI for Password Safe, Entitle, PRA, EPM Windows, and EPM Linux. **Version: 0.4.39**
 
 ## Setup
 

{bt_cli-0.4.37 → bt_cli-0.4.39}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: bt-cli
-Version: 0.4.37
+Version: 0.4.39
 Summary: BeyondTrust Platform CLI (unofficial) - Password Safe, Entitle, PRA, EPM
 Author-email: Dave Grendysz <dgrendysz@beyondtrust.com>
 License: MIT

{bt_cli-0.4.37 → bt_cli-0.4.39}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "bt-cli"
-version = "0.4.37"
+version = "0.4.39"
 description = "BeyondTrust Platform CLI (unofficial) - Password Safe, Entitle, PRA, EPM"
 readme = "README.md"
 requires-python = ">=3.9"

{bt_cli-0.4.37 → bt_cli-0.4.39}/src/bt_cli/__init__.py

@@ -1,3 +1,3 @@
 """BeyondTrust Unified Admin CLI."""
 
-__version__ = "0.4.37"
+__version__ = "0.4.39"

{bt_cli-0.4.37 → bt_cli-0.4.39}/src/bt_cli/data/CLAUDE.md

@@ -1,6 +1,6 @@
 # BT-CLI
 
-BeyondTrust Platform CLI for Password Safe, Entitle, PRA, EPM Windows, and EPM Linux. **Version: 0.4.37**
+BeyondTrust Platform CLI for Password Safe, Entitle, PRA, EPM Windows, and EPM Linux. **Version: 0.4.39**
 
 ## Setup
 

{bt_cli-0.4.37 → bt_cli-0.4.39}/src/bt_cli/data/skills/epml/SKILL.md

@@ -133,8 +133,13 @@ bt epml rbp tmdategrps tmdates replace <tmdategrp_id> --file tmdates.json
 # Roles + assignments
 bt epml rbp roles list
 bt epml rbp roles create --name "Helpdesk Role" --action A \
+  --description "..." --comment "..." --tag "AdminAccess" \
+  --risk 6 --rpt 1 \
   --iolog '/iologs/%date%/%uniqueid%.iolog' \
-  --message "This session is logged."
+  --banner-text "Helpdesk Role"             # builds standard ###-framed banner
+# or --message "raw multi-line message"
+# or --banner                               # banner with %rbprole% template
+bt epml rbp roles update <id> --tag NewTag --risk 9 --rpt 1     # in-place edit
 bt epml rbp roles duplicate <role_id>
 bt epml rbp roles cmdgrps   add <role_id> --ids 1,2          # cmdgrps & tmdategrps: just IDs
 bt epml rbp roles tmdategrps add <role_id> --ids 1
@@ -158,6 +163,54 @@ bt epml rbp policy revert
 bt epml rbp policy delete-all --yes-i-mean-it      # destructive, gated
 ```
 
+## Worked example: build a role from scratch
+
+End-to-end recipe for a "users in group X can run shells on all hosts at any time" role with I/O logging and a session banner. Mirrors the pattern of the tenant's existing roles (Postgres, Docker Admin, etc.).
+
+```bash
+# 1. Command group containing the commands the role allows
+bt epml rbp cmdgrps create --name "RootShells" --description "Root shells with arguments"
+# captures: id 35
+bt epml rbp cmdgrps commands add 35 --commands "bash *,sh *,ksh *,zsh *,csh *,bash,sh,ksh,zsh,csh"
+
+# 2. Role itself, all metadata in one shot
+bt epml rbp roles create \
+  --name "RootShells" \
+  --description "Root shell access — I/O logged" \
+  --comment    "Root shell access — I/O logged"  \
+  --tag        "RootAccess" \
+  --risk        9 \
+  --rpt         1 \
+  --action      A \
+  --iolog      '/iologs/%date%/%uniqueid%.iolog' \
+  --banner-text "Root Shell Access"
+# captures: id 126
+
+# 3. Wire up the four group assignments
+bt epml rbp roles cmdgrps   add 126 --ids 35              # cmdgrp: just IDs
+bt epml rbp roles hostgrps  add 126 --ids 1 --kind B      # All Hosts, both Submit and Run-as
+bt epml rbp roles usergrps  add 126 --ids 4 --kind S      # Administrators as Submit (who requests)
+bt epml rbp roles usergrps  add 126 --ids 3 --kind R      # 'root' as Run-as (whose identity)
+bt epml rbp roles tmdategrps add 126 --ids 1              # Any Time
+
+# 4. Verify
+bt epml rbp roles list -o json | python3 -c 'import json,sys;[print(json.dumps(r,indent=2)) for r in json.load(sys.stdin) if r["id"]==126]'
+bt epml rbp roles cmdgrps   list 126
+bt epml rbp roles hostgrps  list 126
+bt epml rbp roles usergrps  list 126
+bt epml rbp roles tmdategrps list 126
+bt epml rbp entitlement run -o json | grep RootShells     # rpt=1 makes it surface
+```
+
+The resulting banner displayed to users (server-substituted at session time):
+```
+############################################################
+ Policy:           Root Shell Access
+ Status:           %event%
+ Session Recorded: Yes
+############################################################
+```
+
 ## Test suites + transactions (the killer workflow)
 
 ```bash
@@ -206,7 +259,8 @@ bt epml quick tests-then-deploy --suite <suite_id>      # commits if pass; rollb
 - **Children share the parent's `id`** in GET responses — the listed `id` field is the cmdgrp/hostgrp/usergrp ID, not unique per child. The actual identifier is the `cmd`/`host`/`user` text.
 - **Role assignments take a single object per request, not an array**. The CLI loops under the hood; the wire body is e.g. `{"cmds": 35}`, `{"hosts": 1, "type": "S"}`, `{"users": 4, "type": "R"}`, `{"tmdates": 1}`.
 - **Hostgrp / usergrp assignments require a `type` field** (`S` = Submit / who requests, `R` = Run-as / whose identity the command runs under). Without `type` the request 400s with "RBP role type not in: [S,R]". CLI: `--kind S|R|B` on `roles hostgrps add` and `roles usergrps add`. `B` (default) creates both an S row and an R row for the same id — appropriate when the same group plays both roles. For "Admin requests, runs as root", do `--ids 4 --kind S` and `--ids 3 --kind R` separately.
-- **Roles need `rpt: 1`** to appear in `bt epml rbp entitlement run`. The role still functions for policy evaluation either way, but only `rpt=1` roles are surfaced in the report. Not yet exposed by the CLI — file-level edit via export/import is the workaround.
+- **Roles need `rpt: 1`** to appear in `bt epml rbp entitlement run`. The role still functions for policy evaluation either way, but only `rpt=1` roles are surfaced in the report. Set with `--rpt 1` on `roles create` / `roles update` (added in 0.4.38).
+- **Role update is upsert-on-id, not partial**: hitting POST `/roles` with `{id, ...}` *overwrites* the matching record — fields you omit get cleared. The CLI's `roles update` does read-modify-write (fetch the role, merge changes, post the whole record) so this feels partial. Role-child relations (rolecmds/roleusers/etc.) are filtered out of the merge so assignments survive an update. **If you hit the API directly via curl**, you must send the full record yourself.
 
 ## Known gaps (TODO)
 

{bt_cli-0.4.37 → bt_cli-0.4.39}/src/bt_cli/epml/client/base.py

@@ -476,6 +476,29 @@ class EPMLClient:
         body.setdefault("action", "A")
         return self.post(f"/api/pbul/{h}/rbp/roles", json=body)
 
+    def update_role(self, role_id: int, partial: Dict[str, Any], host_id: Optional[int] = None) -> Any:
+        """Update an existing role (read-modify-write).
+
+        The API's create/update endpoint OVERWRITES on `id` match — fields not
+        in the body get zeroed/cleared. To make an update feel like a partial
+        modification, this helper fetches the current role, merges in your
+        changes, and posts the merged record. Avoids accidentally clobbering
+        `action`, `name`, `iolog`, etc. when you only meant to change `tag`.
+
+        Caveat: the v1 API has no GET-single-role, so we list and filter.
+        """
+        h = self.host(host_id)
+        roles = self.list_roles(host_id=host_id) or []
+        current = next((r for r in roles if r.get("id") == role_id), None)
+        if current is None:
+            raise ValueError(f"role id {role_id} not found")
+        # role child relations (rolecmds/roleusers/etc.) get filtered out so we
+        # don't accidentally rewrite assignments — those have their own endpoints.
+        merged = {k: v for k, v in current.items() if not k.startswith("role")}
+        merged.update(partial)
+        merged["id"] = role_id
+        return self.post(f"/api/pbul/{h}/rbp/roles", json=merged)
+
     def delete_roles(self, ids: List[int], host_id: Optional[int] = None) -> None:
         h = self.host(host_id)
         for rid in ids:

{bt_cli-0.4.37 → bt_cli-0.4.39}/src/bt_cli/epml/commands/rbp_roles.py

@@ -14,6 +14,37 @@ def _host_opt():
     return typer.Option(None, "--host", "-H", help="PMUL host id (default: BT_EPML_DEFAULT_HOST)")
 
 
+_BAR = "#" * 60
+
+
+def _build_banner(title: Optional[str] = None) -> str:
+    """Build a banner-style policy message.
+
+    Server substitutes `%rbprole%` and `%event%` at session time. Pass a
+    title string to replace the role-name line with literal text.
+    """
+    title_line = f" Policy:           {title}\r\n" if title else " Policy:           %rbprole%\r\n"
+    return (
+        "\r\n"
+        + _BAR + "\r\n"
+        + title_line
+        + " Status:           %event%\r\n"
+        + " Session Recorded: Yes\r\n"
+        + _BAR + "\r\n"
+    )
+
+
+def _resolve_message(message: Optional[str], banner: bool, banner_text: Optional[str]) -> Optional[str]:
+    """Pick the final message: explicit --message wins; else build a banner if asked."""
+    if message is not None:
+        return message
+    if banner_text is not None:
+        return _build_banner(banner_text)
+    if banner:
+        return _build_banner()
+    return None  # leave message unset
+
+
 @app.command("list")
 def list_roles(
     host: Optional[int] = _host_opt(),
@@ -45,13 +76,18 @@ def list_roles(
 def create_role(
     name: str = typer.Option(..., "--name", "-n"),
     description: str = typer.Option("", "--description", "-d"),
+    comment: Optional[str] = typer.Option(None, "--comment", "-c", help="Internal comment (defaults to description if omitted)"),
+    tag: Optional[str] = typer.Option(None, "--tag", help="Free-form tag for filtering/reporting"),
+    risk: Optional[int] = typer.Option(None, "--risk", "-r", help="Risk score 0-9 (Postgres-style example uses 6)"),
+    rpt: Optional[int] = typer.Option(None, "--rpt", help="Entitlement reporting: 1 to surface in `entitlement run`, 0 to hide"),
     action: str = typer.Option("A", "--action", "-a", help="Role verdict: A=Allow, R=Reject"),
     iolog: Optional[str] = typer.Option(
         None, "--iolog",
         help="I/O log path template (e.g. /iologs/%date%/%uniqueid%.iolog). Omit to disable.",
     ),
-    message: Optional[str] = typer.Option(None, "--message", "-m", help="Message shown to the requesting user"),
-    comment: Optional[str] = typer.Option(None, "--comment", help="Internal comment"),
+    message: Optional[str] = typer.Option(None, "--message", "-m", help="Raw message shown to the requesting user (multi-line OK; verbatim)"),
+    banner: bool = typer.Option(False, "--banner", help="Use a standard ###-framed banner with %rbprole% and %event% template variables"),
+    banner_text: Optional[str] = typer.Option(None, "--banner-text", help="Like --banner but use the given title text instead of %rbprole% substitution"),
     disabled: bool = typer.Option(False, "--disabled", help="Create the role disabled"),
     host: Optional[int] = _host_opt(),
 ):
@@ -62,18 +98,42 @@ def create_role(
 
     `iolog` accepts the appliance's path template syntax — typical value is
     `/iologs/%date%/%uniqueid%.iolog`. Omit to disable I/O logging on this role.
+
+    Three ways to set the user-visible message (in priority order):
+      --message "raw text"            verbatim
+      --banner-text "Custom Title"    builds the standard banner with this title
+      --banner                        builds the standard banner using %rbprole%
+
+    The standard banner format mirrors the appliance's existing roles:
+      ##############################
+       Policy:           <title or %rbprole%>
+       Status:           %event%
+       Session Recorded: Yes
+      ##############################
     """
     from bt_cli.epml.client import get_client
     if action not in ("A", "R"):
         typer.echo(f"--action must be 'A' or 'R', got {action!r}", err=True)
         raise typer.Exit(2)
+
     body = {"name": name, "description": description, "action": action, "disabled": disabled}
-    if iolog is not None:
-        body["iolog"] = iolog
-    if message is not None:
-        body["message"] = message
     if comment is not None:
         body["comment"] = comment
+    elif description:
+        body["comment"] = description  # mirror description into comment (matches existing roles)
+    if tag is not None:
+        body["tag"] = tag
+    if risk is not None:
+        body["risk"] = risk
+    if rpt is not None:
+        body["rpt"] = rpt
+    if iolog is not None:
+        body["iolog"] = iolog
+
+    final_message = _resolve_message(message, banner, banner_text)
+    if final_message is not None:
+        body["message"] = final_message
+
     try:
         with get_client() as c:
             result = c.create_role(body, host_id=host)
@@ -84,6 +144,62 @@ def create_role(
         print_api_error(e, "create role"); raise typer.Exit(1)
 
 
+@app.command("update")
+def update_role(
+    role_id: int = typer.Argument(..., help="Role ID to update"),
+    name: Optional[str] = typer.Option(None, "--name", "-n", help="Rename the role"),
+    description: Optional[str] = typer.Option(None, "--description", "-d"),
+    comment: Optional[str] = typer.Option(None, "--comment", "-c"),
+    tag: Optional[str] = typer.Option(None, "--tag"),
+    risk: Optional[int] = typer.Option(None, "--risk", "-r"),
+    rpt: Optional[int] = typer.Option(None, "--rpt"),
+    action: Optional[str] = typer.Option(None, "--action", "-a", help="A=Allow / R=Reject"),
+    iolog: Optional[str] = typer.Option(None, "--iolog", help="I/O log template; pass '' to disable"),
+    message: Optional[str] = typer.Option(None, "--message", "-m"),
+    banner: bool = typer.Option(False, "--banner"),
+    banner_text: Optional[str] = typer.Option(None, "--banner-text"),
+    disabled: Optional[bool] = typer.Option(None, "--disabled/--enabled"),
+    host: Optional[int] = _host_opt(),
+):
+    """Update a role's metadata in place. Only fields you pass are modified.
+
+    Examples:
+      bt epml rbp roles update 126 --tag "RootAccess" --risk 9 --rpt 1
+      bt epml rbp roles update 126 --banner-text "Root Shell Access"
+      bt epml rbp roles update 126 --message "Custom session header..."
+    """
+    from bt_cli.epml.client import get_client
+    if action is not None and action not in ("A", "R"):
+        typer.echo(f"--action must be 'A' or 'R', got {action!r}", err=True)
+        raise typer.Exit(2)
+
+    body: dict = {}
+    for key, val in (
+        ("name", name), ("description", description), ("comment", comment),
+        ("tag", tag), ("risk", risk), ("rpt", rpt), ("action", action),
+        ("iolog", iolog), ("disabled", disabled),
+    ):
+        if val is not None:
+            body[key] = val
+
+    final_message = _resolve_message(message, banner, banner_text)
+    if final_message is not None:
+        body["message"] = final_message
+
+    if not body:
+        typer.echo("Nothing to update — pass at least one field flag.", err=True)
+        raise typer.Exit(2)
+
+    try:
+        with get_client() as c:
+            result = c.update_role(role_id, body, host_id=host)
+        print_json(result)
+    except httpx.HTTPStatusError as e:
+        print_api_error(e, "update role"); raise typer.Exit(1)
+    except Exception as e:
+        print_api_error(e, "update role"); raise typer.Exit(1)
+
+
 @app.command("delete")
 def delete_role(
     ids: str = typer.Argument(..., help="Comma-separated role IDs"),