Configuring Dynamic Assignment Custom Script for Decommission Network Object

This topic is intended for SecureChange workflow owners, who are responsible for creating and maintaining workflows.

Overview

For dynamic assignment scenarios for Decommission Network Object requests that require many conditions or depend on information from external systems, you can use a custom script to define the conditions of the dynamic assignment.

SecureChange sends input information to the script, including the specified server (ID and IP address) and the targets for decommission (ID). The script must read all of the input and only then return the output.

The input format is:

<scripted_decommission_task_request>
  <servers>
    <server>
      <id>...</id>
      <ip_addresses>
         <ip_address>...</ip_address>
      </ip_addresses>
     </server>
  <servers>
  <targets>
    <target>...</target>
    <target>...</target>
  </targets>
</scripted_decommission_task_request>

Response URL Arguments:

Name	Description
id	SecureTrack ID of the server specified for decommissioning.
ip_address	IP address, range, or subnet of the server specified for decommissioning.
target	Network device from which the server must be removed.

In the script you can, for example:

• Run REST API calls to SecureChange to gather information

• Gather information from external systems

• Process the gathered information to define the necessary tasks

• Define the assignment mode for each task, which can be either:

  • self (Self-assignment) - The task is shown for all participants, and any participant can accept the task to be the handler.

  • manual (Manually assigned) - The assigner specified for the task assigns the task to a specific handler. This mode requires the assigner_username field.

The script must return to SecureChange an XML formatted list of the tasks to create for the step and the assignment mode for each task in the format:

<tasks>
<task>
  <name>...</name>
    <participants>
        <participant_username>...</participant_username>
        <participant_username>...</participant_username>
    </participants>
    <assignment>
        <assignment_mode>self</assignment_mode>
    </assignment>
    <decommission_servers_request>
        <servers/>
        <targets>
            <target>...</target>
            <target>...</target>
        </targets>
     </decommission_servers_request>
</task>

OR

<tasks>
    <task>
        <name>...</name>
        <participants>
            <participant_username>...</participant_username>
            <participant_username>...</participant_username>
        </participants>
        <assignment>
            <assignment_mode>manual</assignment_mode>
            <assigner_username>...</assigner_username>
        </assignment>
        <decommission_servers_request>
            <servers>
                <server>
                     <id>...</id>
                     <ip_addresses>
                          <ip_address>...</ip_address>
                     </ip_addresses>
                </server>
            <servers>
            <targets>
                <target>...</target>
                <target>...</target>
            </targets>
         </decommission_servers_request>
    </task>
</tasks>

Response URL Arguments

Name	Description
name	Name of the task.
participant_username	Name of a SecureChange users that is a participants for the task.
assignment_mode	Assignment mode for the task, either: self or manual.
assigner_username	(For manual assignment) Name of the SecureChange user that can assign the task to a handler.
id	SecureTrack ID of the server specified for decommissioning.
ip_address	IP address of the server specified for decommissioning.
target	Network device from which the server must be removed.

Technical Notes

• The script must be accessible to the root user with read and execute permissions.

• When a ticket moves to the step, the first and only argument sent to the script is the ticket ID.

• Errors:

  • If the script does not return a response within 60 minutes, the step creates the default task as it is defined in dynamic assignment. An entry is added to the message board.

  • If the script does not run or it fails for any reason, an entry is added to the message board.

  • If there are schema validation errors, an entry is added to the audit trail.

Configure a Custom Script for Dynamic Assignment

1. In the assignment mode, select Dynamic assignment and Scripted Tasks.

   

2. Enter the full path to the script.

   

3. You can click Test to confirm that SecureChange can access the script with the correct permissions and that the script returns a properly formed XML response. Test calls the script with test as the first and only argument. To pass the test, the XML response must be in the form of:

   <tasks></tasks>

4. Configure the default task:

   1. Enter a unique Task Name.

   2. Select participants for the task.

   3. Select an Assignment mode:

      • Self-assigned: The task is shown for all participants, and any participant can accept the task to be the handler.

      • Auto-assigned: SecureChange assigns tasks to each participant in turn. You can select Prefer previous handler to automatically assign the task to the handler of the previous task.

      • Manually assigned: The assigner specified for the task assigns the task to a specific handler. Then, click to browse and select a SecureChange user to be the designated assigner for this task. This assigner will receive a task of assigning the task for this step to a step participant:

        

5. Click Save.

How Do I Get Here?

SecureChange > Workflows