Using Scripts to Enhance Workflows

Overview

SecureChange workflow admins with development and technical backgrounds can use scripts to enhance the functionality of workflows. For example, a script can be triggered to send email updates every time a ticket is closed.

When uploading a script to SecureChange, select the triggering events and define any arguments that you would like to pass to the script.

Script Triggers

Scripts are configured to run following certain events, such as the closing of a ticket. These events are called triggers. When a selected trigger happens, SecureChange attempts to run the script asynchronously, up to a maximum of five times.

The following events can be selected to trigger scripts in a workflow:

Trigger                 Action
Advance                 Runs a script when a handled ticket has advanced to a new step on the specified workflow.
Automatic step failed   Runs a script when an automatic step has failed in a ticket.
Create                  Runs a script when a ticket is created.
Close                   Runs a script when a ticket is closed.
Cancel                  Runs a script when a ticket is canceled.
Redo                    Runs a script when a handler of a ticket has returned to an earlier step on a specified workflow.
Reject                  Runs a script when a ticket is rejected.
Reopen                  Runs a script when the requester reopens a ticket after the handlers have completed their tasks.
Resolve                 Runs a script when all handlers have completed their tasks and the ticket is pending confirmation by the requester.
Resubmit                Runs a script when an expired ticket is resubmitted.

XML Input From Scripts

When a script is invoked, SecureChange passes ticket information to it in XML format containing the following attributes:

  • completion_step_id
  • completion_step_name
  • createDate
  • current_stage_id
  • current_stage_name
  • id
  • open_request_id
  • open_request_name
  • subject
  • updateDate
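
A trigger script should treat these fields as untrusted, because values such as subject can contain text typed by whoever opened the ticket. The following is an added example (not Tufin code) that extracts and validates the fields in plain shell before they reach a log line. It assumes each field is a flat element such as <id>42</id>; the sample ticket, its wrapper element and the function names are constructed for illustration.

```shell
#!/bin/bash
# Added example, not Tufin code. Assumption: each ticket field is a flat
# element such as <id>42</id>. The sample ticket below is constructed.

# Print the text of the first <tag>...</tag> element in $1; fail if absent.
xml_field() {
    case $1 in
        *"<$2>"*"</$2>"*) ;;
        *) return 1 ;;
    esac
    local rest
    rest=${1#*"<$2>"}        # drop everything up to and including <tag>
    rest=${rest%%"</$2>"*}   # drop the closing tag and everything after it
    printf '%s' "$rest"
}

# Succeed only for a non-empty string of digits.
is_number() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
}

# Remove control characters and double quotes so free text cannot start a
# new log line or break out of a quoted value.
clean_text() { printf '%s' "$1" | tr -d '[:cntrl:]"'; }

# Validate the fields of one ticket and print a single log line.
handle_ticket() {
    local id stage subject
    id=$(xml_field "$1" id) || return 1
    is_number "$id" || return 1
    stage=$(xml_field "$1" current_stage_name) || return 1
    subject=$(xml_field "$1" subject) || return 1
    printf 'ticket=%s stage="%s" subject="%s"\n' \
        "$id" "$(clean_text "$stage")" "$(clean_text "$subject")"
}

# Constructed sample: the subject carries a newline meant to forge a log line.
SAMPLE='<ticket><id>42</id><subject>Open port 443
FAKE ticket=1 approved</subject><current_stage_name>Review</current_stage_name></ticket>'

handle_ticket "$SAMPLE"
```
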

Custom Scripts

In TOS Aurora, the SecureChange service runs in a Kubernetes pod, which does not retain changes upon restart. If your script is not pure bash, you must run it outside the TOS cluster using an external process. A mediator script connects this process and SecureChange. Tufin can provide a sample implementation of a mediator script, although this script is not an integral part of TOS Aurora. For more information, see Enabling Custom Scripts.

Add a Script to SecureChange

Note that this procedure is only relevant for pure bash scripts that do not depend on any other library or infrastructure.
  1. Upload your script to the cluster:

    [<ADMIN> ~]$ sudo tos scripts sc push <path on local host> <relative path on SecureChange> [--overwrite]

    For more details, see tos scripts sc push.

  2. Log into SecureChange.

  3. Go to: Settings > SecureChange API

  4. Click: Add script

  5. Enter the full path to the script, for example:

    /opt/tufin/data/securechange/scripts/example.py

  6. Add any arguments that you want to pass to the script.

  7. Click Test to make sure that SecureChange can run the script.

  8. Select the SecureChange workflow that triggers the script.

  9. Select the workflow events that trigger the script.

  10. Click Save to save the script configuration.

If SecureChange does not succeed in starting the script following a selected trigger, a message is added to Settings > Message Board.

How do I Get Here?

SecureChange > Settings > SecureChange API