Dynamic User Group Configuration Object

Overview

The DynamicUserGroup class provides functionality to manage dynamic user group objects in Palo Alto Networks' Strata Cloud Manager. This class inherits from BaseObject and provides methods for creating, retrieving, updating, and deleting dynamic user group objects that can be used for user-based policies and filtering.

Core Methods

Method	Description	Parameters	Return Type
`create()`	Creates a new dynamic user group object	`data: Dict[str, Any]`	`DynamicUserGroupResponseModel`
`get()`	Retrieves a dynamic user group by ID	`object_id: str`	`DynamicUserGroupResponseModel`
`update()`	Updates an existing dynamic user group	`dynamic_user_group: DynamicUserGroupUpdateModel`	`DynamicUserGroupResponseModel`
`delete()`	Deletes a dynamic user group	`object_id: str`	`None`
`list()`	Lists dynamic user groups with filtering	`folder: str`, `**filters`	`List[DynamicUserGroupResponseModel]`
`fetch()`	Gets dynamic user group by name and container	`name: str`, `folder: str`	`DynamicUserGroupResponseModel`

Dynamic User Group Model Attributes

Attribute	Type	Required	Description
`name`	str	Yes	Name of dynamic user group object
`id`	UUID	Yes*	Unique identifier (*response only)
`filter`	str	Yes	Filter expression for matching users
`description`	str	No	Object description
`tag`	List[str]	No	List of tags
`folder`	str	Yes**	Folder location (**one container required)
`snippet`	str	Yes**	Snippet location (**one container required)
`device`	str	Yes**	Device location (**one container required)

Exceptions

Exception	HTTP Code	Description
`InvalidObjectError`	400	Invalid dynamic user group data or format
`MissingQueryParameterError`	400	Missing required parameters
`NameNotUniqueError`	409	Dynamic user group name already exists
`ObjectNotPresentError`	404	Dynamic user group not found
`ReferenceNotZeroError`	409	Dynamic user group still referenced
`AuthenticationError`	401	Authentication failed
`ServerError`	500	Internal server error

Basic Configuration

from scm.client import Scm
from scm.config.objects import DynamicUserGroup
# Initialize clientclient = Scm(
client_id="your_client_id",
client_secret="your_client_secret",
tsg_id="your_tsg_id"
)
# Initialize DynamicUserGroup objectdynamic_user_groups = DynamicUserGroup(client)

Usage Examples

Creating Dynamic User Groups

# Prepare dynamic user group configurationdug_config = {
"name": "high_risk_users",
"filter": "tag.criticality.high",
"description": "Users with high risk classification",
"folder": "Security",
"tag": ["RiskManagement", "Automation"]
}
# Create the dynamic user group objectdug = dynamic_user_groups.create(dug_config)
print(f"Created dynamic user group: {dug.name} with ID: {dug.id}")
# Create another dynamic user group with different filteranother_dug_config = {
"name": "external_contractors",
"filter": "tag.user_type.contractor",
"folder": "Security",
"description": "All external contractor accounts"
}
# Create the dynamic user group objectanother_dug = dynamic_user_groups.create(another_dug_config)

Retrieving Dynamic User Groups

# Fetch by name and folderdug = dynamic_user_groups.fetch(name="high_risk_users", folder="Security")
print(f"Found dynamic user group: {dug.name}")
# Get by IDdug_by_id = dynamic_user_groups.get(dug.id)
print(f"Retrieved dynamic user group: {dug_by_id.name}")

Updating Dynamic User Groups

# Fetch existing dynamic user groupexisting_dug = dynamic_user_groups.fetch(name="high_risk_users", folder="Security")
# Update specific attributesexisting_dug.description = "Users with high risk assessment score"
existing_dug.filter = "tag.criticality.high or tag.risk_score.gt.80"
existing_dug.tag = ["RiskManagement", "Automation", "HighPriority"]
# Perform updateupdated_dug = dynamic_user_groups.update(existing_dug)

Listing Dynamic User Groups

# List dynamic user groups in the Security folderall_dugs = dynamic_user_groups.list(folder='Security')
# Process resultsfor dug in all_dugs:
print(f"Name: {dug.name}, Filter: {dug.filter}")
# Pass filters directly into the list methodfiltered_dugs = dynamic_user_groups.list(
folder='Security',
tags=['Automation']
)
# Process resultsfor dug in filtered_dugs:
print(f"Name: {dug.name}, Filter: {dug.filter}")
# Define filter parameters as a dictionarylist_params = {
"folder": "Security",
"filters": ["tag.criticality"]
}
# List dynamic user groups with filters as kwargsfiltered_dugs = dynamic_user_groups.list(**list_params)
# Process resultsfor dug in filtered_dugs:
print(f"Name: {dug.name}, Filter: {dug.filter}")

Filtering Responses

The list() method supports additional parameters to refine your query results even further. Alongside basic filters (like tags and filters), you can leverage the exact_match, exclude_folders, exclude_snippets, and exclude_devices parameters to control which objects are included or excluded after the initial API response is fetched.

Parameters:

exact_match (bool): When True, only objects defined exactly in the specified container (folder, snippet, or device) are returned. Inherited or propagated objects are filtered out.
exclude_folders (List[str]): Provide a list of folder names that you do not want included in the results.
exclude_snippets (List[str]): Provide a list of snippet values to exclude from the results.
exclude_devices (List[str]): Provide a list of device values to exclude from the results.

Examples:

# Only return dynamic user groups defined exactly in 'Security'exact_dugs = dynamic_user_groups.list(
folder='Security',
exact_match=True
)

for dug in exact_dugs:
print(f"Exact match: {dug.name} in {dug.folder}")
# Exclude all dynamic user groups from the 'All' folderno_all_dugs = dynamic_user_groups.list(
folder='Security',
exclude_folders=['All']
)

for dug in no_all_dugs:
assert dug.folder != 'All'
print(f"Filtered out 'All': {dug.name}")
# Exclude dynamic user groups that come from 'default' snippetno_default_snippet = dynamic_user_groups.list(
folder='Security',
exclude_snippets=['default']
)

for dug in no_default_snippet:
assert dug.snippet != 'default'
print(f"Filtered out 'default' snippet: {dug.name}")
# Combine exact_match with multiple exclusionscombined_filters = dynamic_user_groups.list(
folder='Security',
exact_match=True,
exclude_folders=['All'],
exclude_snippets=['default'],
exclude_devices=['DeviceA']
)

for dug in combined_filters:
print(f"Combined filters result: {dug.name} in {dug.folder}")

Controlling Pagination with max_limit

The SDK supports pagination through the max_limit parameter, which defines how many objects are retrieved per API call. By default, max_limit is set to 2500. The API itself imposes a maximum allowed value of 5000. If you set max_limit higher than 5000, it will be capped to the API's maximum. The list() method will continue to iterate through all objects until all results have been retrieved. Adjusting max_limit can help manage retrieval performance and memory usage when working with large datasets.

Example:

# Initialize the DynamicUserGroup object with a custom max_limit# This will retrieve up to 4000 objects per API call, up to the API limit of 5000.dug_client = DynamicUserGroup(api_client=client, max_limit=4000)
# Now when we call list(), it will use the specified max_limit for each request# while auto-paginating through all available objects.all_dugs = dug_client.list(folder='Security')
# 'all_dugs' contains all objects from 'Security', fetched in chunks of up to 4000 at a time.

Deleting Dynamic User Groups

# Delete by IDdug_id = "123e4567-e89b-12d3-a456-426655440000"
dynamic_user_groups.delete(dug_id)

Managing Configuration Changes

Performing Commits

# Prepare commit parameterscommit_params = {
"folders": ["Security"],
"description": "Added new dynamic user groups",
"sync": True,
"timeout": 300 # 5 minute timeout
}
# Commit the changesresult = dynamic_user_groups.commit(**commit_params)

print(f"Commit job ID: {result.job_id}")

Monitoring Jobs

# Get status of specific jobjob_status = dynamic_user_groups.get_job_status(result.job_id)
print(f"Job status: {job_status.data[0].status_str}")
# List recent jobsrecent_jobs = dynamic_user_groups.list_jobs(limit=10)
for job in recent_jobs.data:
print(f"Job {job.id}: {job.type_str} - {job.status_str}")

Error Handling

from scm.exceptions import (
InvalidObjectError,
MissingQueryParameterError,
NameNotUniqueError,
ObjectNotPresentError
)

try:
# Create dynamic user group configuration
dug_config = {
"name": "test_group",
"filter": "tag.department.it",
"folder": "Security",
"description": "IT department users",
"tag": ["Test"]
}

# Create the dynamic user group
new_dug = dynamic_user_groups.create(dug_config)

# Commit changes
result = dynamic_user_groups.commit(
folders=["Security"],
description="Added test dynamic user group",
sync=True
)

# Check job status
status = dynamic_user_groups.get_job_status(result.job_id)

except InvalidObjectError as e:
print(f"Invalid dynamic user group data: {e.message}")
except NameNotUniqueError as e:
print(f"Dynamic user group name already exists: {e.message}")
except ObjectNotPresentError as e:
print(f"Dynamic user group not found: {e.message}")
except MissingQueryParameterError as e:
print(f"Missing parameter: {e.message}")

Best Practices

Container Management
- Always specify exactly one container (folder, snippet, or device)
- Use consistent container names across operations
- Validate container existence before operations
Error Handling
- Implement comprehensive error handling for all operations
- Check job status after commits
- Handle specific exceptions before generic ones
- Log error details for troubleshooting
Filter Expressions
- Ensure filter expressions follow the required syntax
- Test filter expressions before implementing in production
- Document filter expressions for future maintenance
- Use consistent naming conventions for tags referenced in filters
Performance
- Reuse client instances
- Use appropriate pagination for list operations
- Implement proper retry mechanisms
- Cache frequently accessed objects
Security
- Follow the least privilege principle
- Validate input data
- Use secure connection settings
- Implement proper authentication handling