Configuring Dynamic Assignment Custom Script for Access Requests

Workflow Owner This topic is intended for SecureChange workflow owners, who are responsible for creating and maintaining workflows.

Overview

For dynamic assignment scenarios that require many conditions or depend on information for external systems, you can use a custom script to define the conditions of the dynamic assignment.

The script receives the ticket ID from SecureChange. In the script you can, for example:

  • Run REST API calls to SecureChange to gather information
  • Gather information from external systems
  • Process the gathered information to define the necessary tasks

  • Define the assignment mode for each task, which can be either:

    • self (Self-assignment) - The task is shown for all participants, and any participant can accept the task to be the handler.
    • manual (Manually assigned) - The assigner specified for the task assigns the task to a specific handler. This mode requires the assigner_username field.

The script must return to SecureChange an XML formatted list of the tasks to create for the step and the assignment mode for each task. Any access requests that are not specified in the response are handled in the default task.

The response format must be either:

<tasks>
    <task>
        <name>...</name>
        <participants>
            <participant_username>...</participant_username>
            <participant_username>...</participant_username>
        </participants>
        <assignment>
            <assignment_mode>self</assignment_mode>
        </assignment>
        <access_requests>
            <access_request_id>...</access_request_id>
        </access_requests>
    </task>
</tasks>

OR

<tasks>
    <task>
        <name>...</name>
        <participants>
            <participant_username>...</participant_username>
            <participant_username>...</participant_username>
        </participants>
        <assignment>
            <assignment_mode>manual</assignment_mode>
            <assigner_username>...</assigner_username>
        </assignment>
        <access_requests>
            <access_request_id>...</access_request_id>
       <access_request_id>...</access_request_id>
        </access_requests>
    </task>
</tasks>

Response URL Arguments

Name

Description

name

The name of the task

participant_username

The name of a SecureChange users that is a participants for the task

assignment_mode

The assignment mode for the task, either: self or manual

assigner_username

(For manual assignment) The name of the SecureChange user that can assign the task to a handler

access_request_id

The access request ID that is included in the task (Each access request is listed in an access_request_id field, according to the IDs in the previous step)

Technical Notes

  • The script must be accessible to the tomcat user with read and execute permissions.

  • When a ticket moves to the step, the first and only argument sent to the script is the ticket ID.

  • Errors:

    • If the script does not return a response within 60 minutes, the step creates the default task as it is defined in dynamic assignment. An entry is added to the message board.
    • If the script does not run or it fails for any reason, an entry is added to the message board.
    • If there are schema validation errors, an entry is added to the audit trail.

What Can I Do Here?

Configuring a Custom Script for Dynamic Assignment

  1. In the assignment mode, select Dynamic assignment and Scripted Tasks.

  2. Enter the full path to the script.

  3. You can click Test to confirm that SecureChange can access the script with the correct permissions and that the script returns a properly formed XML response. Test calls the script with test as the first and only argument. To pass the test, the XML response must be in the form of:

    <tasks></tasks>

  4. Configure the default task:

    1. Enter a unique Task Name.

    2. Select participants for the task.

    3. Select an Assignment mode:

      • Self-assigned: The task is shown for all participants, and any participant can accept the task to be the handler.

      • Auto-assigned: SecureChange assigns tasks to each participant in turn. You can select Prefer previous handler to automatically assign the task to the handler of the previous task.

      • Manually assigned: The assigner specified for the task assigns the task to a specific handler. Then, click assigner to browse and select a SecureChange user to be the designated assigner for this task. This assigner will receive a task of assigning the task for this step to a step participant:

  5. Click Save.