Configuring Dynamic Assignment Conditions

Workflow Owner: This topic is intended for SecureChange workflow owners, who are responsible for creating and maintaining workflows.

Overview

In the Assignments tab of a step, you can select Dynamic assignment and Conditions List to configure the conditions that create parallel and conditional tasks. In each row of the conditions list, you define the condition that creates a task and select the method for task assignment. You can add up to 40 tasks to a step.

The last row of the conditions list defines the default task. This task is created if any single access request in the ticket does not meet the other conditions. The default task cannot be removed.

What Can I Do Here?

Adding and configuring a Task with Dynamic Assignment

  1. In the Assignments tab, select Dynamic assignment and Conditions List.

  2. Click Add Task.
  3. In the row of conditions, enter a unique Task Name.

  4. Define one or more conditions for the task to be generated. To create a task that is not dependent on a condition, select the Always condition.

    1. To configure a condition, select an access request condition, its relationship to a value, and the value.

      Conditions can be based on access request or ticket details, including any predefined field (such as Approve/Reject), SLA or verification status, a custom script, or these customizable fields: checkbox, dropdown, text area, text field.

      • For a custom field (such as checkbox, dropdown, text area, or text field) - You can select a custom field from a previous step. The fields of previous steps are listed with the step name and field name. You can specify, or negate, the following:

        • Whether a checkbox is checked or not
        • Which dropdown option is selected
        • Whether the text field or text area contains specified text, does not contain specified text, or matches a specified text exactly
      • For an access request, you can run the risk tool or verifier tool and skip the step in one of the following scenarios:

        • Is: after running the tool, at least one access request's status matches the status you select
        • Is not: after running the tool, at least one access request does not have the status you select
        • Is all: after running the tool, all of the access requests' statuses match the status that you select

      • For a custom script - You can enter the name of a script that you copied to the TOS server and base the condition on whether the result of the script is true or false.

        • Enter the full path to the script, for example: /opt/tufin/data/securechange/scripts/script
        • SecureChange passes the ticket ID to the script
        • The script result must be in the format:

          <response>
          <condition_result> true </condition_result>
          </response>

        • You must give the tomcat user execution permission to the script
        • If the script writes data to disk, you must give the tomcat user write permission to the location
      • For a Target condition - Click Target and select from the available targets.
      • For Source, Destination, and Service condition - Click either IP or Service to manually define the value, or click Obj to search for a value.

        The available relationships for Source, Destination, and Service conditions are:

        • In: All of the Access Request value is included in the value configured here.
        • Not in: No part of the Access Request value is in the value configured here.
        • Intersects with: Some part of the Access Request value is in the value configured here.

      The last condition is always "If no other condition is matched", to make sure that the task is handled.

    2. To add a condition, click add condition and configure the condition. To remove a condition, click remove condition.
    3. If there is more than one condition, define the relationship between them (And/Or).

    4. Define Participants for the task, as for a step with regular (non-dynamic) assignment modes.
    5. Select an Assignment mode:

      • Self-assigned: The task is shown for all participants, and any participant can accept the task to be the handler.

      • Auto-assigned: SecureChange assigns tasks to each participant in turn. You can select Prefer previous handler to automatically assign the task to the handler of the previous task.

      • Manually assigned: The assigner specified for the task assigns the task to a specific handler. Click assigner to browse and select a SecureChange user to be the designated assigner for this task. This assigner receives a task to assign the task for this step to a step participant.

  5. Save the workflow.

Dynamic assignment by script is supported only for the following workflow types:

  • Access Request
  • Rule Modification
  • Rule Recertification
  • Server Clone
  • Decommission Network Object
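
A condition script that returns the response format described in the custom script bullets above, as an added example (not code from the product or its vendor). It assumes the ticket ID arrives as the first command-line argument; `review_ids.txt` and the helper `script_perms_ok` are hypothetical names used for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. ASSUMPTIONS: the ticket ID arrives as the
# first argument, and REVIEW_LIST is a hypothetical file holding one ticket ID
# per line for which the task should be created.
REVIEW_LIST="${REVIEW_LIST:-/opt/tufin/data/securechange/scripts/review_ids.txt}"

# Print the response in the format the condition expects.
emit_result() {
    printf '<response>\n<condition_result> %s </condition_result>\n</response>\n' "$1"
}

# Print "true" or "false" for one ticket ID.
evaluate_ticket() {
    case "$1" in
        # Treat the ID as untrusted: empty or non-numeric input never matches.
        ''|*[!0-9]*) echo false; return 0 ;;
    esac
    if [ -r "$REVIEW_LIST" ] && grep -qxF -- "$1" "$REVIEW_LIST"; then
        echo true
    else
        echo false
    fi
}

# Succeed only if the file exists and is not writable by group or others.
# The tomcat user executes the script, so anyone who can edit it runs code
# as tomcat.
script_perms_ok() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# Always emit exactly one well-formed response, even on bad input.
main() {
    emit_result "$(evaluate_ticket "${1:-}")"
}

main "$@"
```

Invalid input resolves to false here; if the task is a mandatory review, return true on error instead so that a malformed ID cannot skip it.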