Service Group Configuration Object

Table of Contents

1. Overview
2. Core Methods
3. Service Group Model Attributes
4. Exceptions
5. Basic Configuration
6. Usage Examples
   • Creating Service Groups
   • Retrieving Service Groups
   • Updating Service Groups
   • Listing Service Groups
   • Filtering Responses
   • Controlling Pagination with max_limit
   • Deleting Service Groups
7. Managing Configuration Changes
   • Performing Commits
   • Monitoring Jobs
8. Error Handling
9. Best Practices
10. Full Script Examples
11. Related Models

Overview

The ServiceGroup class provides functionality to manage service groups in Palo Alto Networks' Strata Cloud Manager. This class inherits from BaseObject and provides methods for creating, retrieving, updating, and deleting service groups that can be used to organize and manage collections of services for security policies and NAT rules.

Core Methods

Method	Description	Parameters	Return Type
create()	Creates a new service group	data: Dict[str, Any]	ServiceGroupResponseModel
get()	Retrieves a group by ID	object_id: str	ServiceGroupResponseModel
update()	Updates an existing group	service_group: ServiceGroupUpdateModel	ServiceGroupResponseModel
delete()	Deletes a group	object_id: str	None
list()	Lists groups with filtering	folder: str, **filters	List[ServiceGroupResponseModel]
fetch()	Gets group by name and container	name: str, folder: str	ServiceGroupResponseModel

Service Group Model Attributes

Attribute	Type	Required	Description
name	str	Yes	Name of group (max 63 chars)
id	UUID	Yes*	Unique identifier (*response only)
members	List[str]	Yes	List of service members
tag	List[str]	No	List of tags (max 64 chars each)
folder	str	Yes**	Folder location (**one container required)
snippet	str	Yes**	Snippet location (**one container required)
device	str	Yes**	Device location (**one container required)

Exceptions

Exception	HTTP Code	Description
InvalidObjectError	400	Invalid group data or format
MissingQueryParameterError	400	Missing required parameters
NameNotUniqueError	409	Group name already exists
ObjectNotPresentError	404	Group not found
ReferenceNotZeroError	409	Group still referenced by policies
AuthenticationError	401	Authentication failed
ServerError	500	Internal server error

Basic Configuration

from scm.client import Scm
from scm.config.objects import ServiceGroup
# Initialize clientclient = Scm(
client_id="your_client_id",
client_secret="your_client_secret",
tsg_id="your_tsg_id"
)
# Initialize ServiceGroup objectservice_groups = ServiceGroup(client)

Usage Examples

Creating Service Groups

# Basic service group configurationbasic_group = {
"name": "web-services",
"members": ["HTTP", "HTTPS"],
"folder": "Texas",
"tag": ["Web"]
}
# Create basic groupbasic_group_obj = service_groups.create(basic_group)
# Extended service group configurationextended_group = {
"name": "app-services",
"members": ["HTTP", "HTTPS", "SSH", "FTP"],
"folder": "Texas",
"tag": ["Application", "Production"]
}
# Create extended groupextended_group_obj = service_groups.create(extended_group)

Retrieving Service Groups

# Fetch by name and foldergroup = service_groups.fetch(name="web-services", folder="Texas")
print(f"Found group: {group.name}")
# Get by IDgroup_by_id = service_groups.get(group.id)
print(f"Retrieved group: {group_by_id.name}")
print(f"Members: {', '.join(group_by_id.members)}")

Updating Service Groups

# Fetch existing groupexisting_group = service_groups.fetch(name="web-services", folder="Texas")
# Update membersexisting_group.members = ["HTTP", "HTTPS", "HTTP-8080"]
existing_group.tag = ["Web", "Updated"]
# Perform updateupdated_group = service_groups.update(existing_group)

Listing Service Groups

# List with direct filter parametersfiltered_groups = service_groups.list(
folder='Texas',
values=['HTTP', 'HTTPS'],
tags=['Production']
)
# Process resultsfor group in filtered_groups:
print(f"Name: {group.name}")
print(f"Members: {', '.join(group.members)}")
# Define filter parameters as dictionarylist_params = {
"folder": "Texas",
"values": ["SSH", "FTP"],
"tags": ["Application"]
}
# List with filters as kwargsfiltered_groups = service_groups.list(**list_params)

Filtering Responses

The list() method supports additional parameters to refine your query results even further. Alongside basic filters (like types, values, and tags), you can leverage the exact_match, exclude_folders, exclude_snippets, and exclude_devices parameters to control which objects are included or excluded after the initial API response is fetched.

Parameters:

• exact_match (bool): When True, only objects defined exactly in the specified container (folder, snippet, or device) are returned. Inherited or propagated objects are filtered out.
• exclude_folders (List[str]): Provide a list of folder names that you do not want included in the results.
• exclude_snippets (List[str]): Provide a list of snippet values to exclude from the results.
• exclude_devices (List[str]): Provide a list of device values to exclude from the results.

Examples:

# Only return service_groups defined exactly in 'Texas'exact_service_groups = service_groups.list(
folder='Texas',
exact_match=True
)

for app in exact_service_groups:
print(f"Exact match: {app.name} in {app.folder}")
# Exclude all service_groups from the 'All' folderno_all_service_groups = service_groups.list(
folder='Texas',
exclude_folders=['All']
)

for app in no_all_service_groups:
assert app.folder != 'All'
print(f"Filtered out 'All': {app.name}")
# Exclude service_groups that come from 'default' snippetno_default_snippet = service_groups.list(
folder='Texas',
exclude_snippets=['default']
)

for app in no_default_snippet:
assert app.snippet != 'default'
print(f"Filtered out 'default' snippet: {app.name}")
# Exclude service_groups associated with 'DeviceA'no_deviceA = service_groups.list(
folder='Texas',
exclude_devices=['DeviceA']
)

for app in no_deviceA:
assert app.device != 'DeviceA'
print(f"Filtered out 'DeviceA': {app.name}")
# Combine exact_match with multiple exclusionscombined_filters = service_groups.list(
folder='Texas',
exact_match=True,
exclude_folders=['All'],
exclude_snippets=['default'],
exclude_devices=['DeviceA']
)

for app in combined_filters:
print(f"Combined filters result: {app.name} in {app.folder}")

Controlling Pagination with max_limit

The SDK supports pagination through the max_limit parameter, which defines how many objects are retrieved per API call. By default, max_limit is set to 2500. The API itself imposes a maximum allowed value of 5000. If you set max_limit higher than 5000, it will be capped to the API's maximum. The list() method will continue to iterate through all objects until all results have been retrieved. Adjusting max_limit can help manage retrieval performance and memory usage when working with large datasets.

# Initialize the ServiceGroup object with a custom max_limit# This will retrieve up to 4321 objects per API call, up to the API limit of 5000.service_group_client = ServiceGroup(api_client=client, max_limit=4321)
# Now when we call list(), it will use the specified max_limit for each request# while auto-paginating through all available objects.all_groups = service_group_client.list(folder='Texas')
# 'all_groups' contains all objects from 'Texas', fetched in chunks of up to 4321 at a time.

Deleting Service Groups

# Delete by IDgroup_id = "123e4567-e89b-12d3-a456-426655440000"
service_groups.delete(group_id)

Managing Configuration Changes

Performing Commits

# Prepare commit parameterscommit_params = {
"folders": ["Texas"],
"description": "Updated service groups",
"sync": True,
"timeout": 300 # 5 minute timeout
}
# Commit the changesresult = service_groups.commit(**commit_params)

print(f"Commit job ID: {result.job_id}")

Monitoring Jobs

# Get status of specific jobjob_status = service_groups.get_job_status(result.job_id)
print(f"Job status: {job_status.data[0].status_str}")
# List recent jobsrecent_jobs = service_groups.list_jobs(limit=10)
for job in recent_jobs.data:
print(f"Job {job.id}: {job.type_str} - {job.status_str}")

Error Handling

from scm.exceptions import (
InvalidObjectError,
MissingQueryParameterError,
NameNotUniqueError,
ObjectNotPresentError,
ReferenceNotZeroError
)

try:
# Create group configuration
group_config = {
"name": "test-group",
"members": ["HTTP", "HTTPS"],
"folder": "Texas",
"tag": ["Test"]
}

# Create the group
new_group = service_groups.create(group_config)

# Commit changes
result = service_groups.commit(
folders=["Texas"],
description="Added test group",
sync=True
)

# Check job status
status = service_groups.get_job_status(result.job_id)

except InvalidObjectError as e:
print(f"Invalid group data: {e.message}")
except NameNotUniqueError as e:
print(f"Group name already exists: {e.message}")
except ObjectNotPresentError as e:
print(f"Group not found: {e.message}")
except ReferenceNotZeroError as e:
print(f"Group still in use: {e.message}")
except MissingQueryParameterError as e:
print(f"Missing parameter: {e.message}")

Best Practices

1. Member Management

   • Use descriptive member names
   • Keep member lists organized
   • Document member purposes
   • Validate member existence
   • Monitor member changes

2. Container Management

   • Always specify exactly one container (folder, snippet, or device)
   • Use consistent container names
   • Validate container existence
   • Group related service groups

3. Error Handling

   • Implement comprehensive error handling
   • Check job status after commits
   • Handle specific exceptions
   • Log error details
   • Monitor commit status

4. Performance

   • Use appropriate pagination
   • Cache frequently accessed groups
   • Implement proper retry logic
   • Monitor group sizes

5. Security

   • Follow least privilege principle
   • Validate input data
   • Use secure connection settings
   • Implement proper authentication
   • Monitor policy references

Full Script Examples

Refer to the service_group.py example.

Related Models

• ServiceGroupCreateModel
• ServiceGroupUpdateModel
• ServiceGroupResponseModel