Creating an Adaptable Workflow

Creating and configuring an Adaptable Workflow object is similar to creating any other workflow, except that you must specify the PowerShell script you want to use.

To create and configure a new Adaptable Workflow object

  1. From the TLS Protect menu bar, click Policy Tree.
  2. On the Policy tree, browse to the object that contains the certificates you want to process with the Adaptable Workflow.
  3. Click Add > Workflow > Adaptable Workflow.
  4. Enter the values on the Add New: Adaptable Workflow page.

    | Section | Field | Description |
    |---|---|---|
    | General | | |
    | | Adaptable Workflow Name | Enter a name for this workflow configuration. |
    | Adaptable Workflow Settings | | |
    | | PowerShell Script | Select the PowerShell script that you want to run with this workflow. Only scripts located directly in the <Venafi Home>\Scripts\AdaptableWorkflow\ folder are listed; scripts in its subfolders are not. |
    | | Service Address | Identifies the endpoint (URL, host, port, etc.) of the calling Adaptable Workflow object. |
    | | Credential | Use to select the primary credential (username and password combination) to pass to the script. NOTE  If you're connecting to the Venafi Web SDK, leave both credential fields empty since you'll be specifying a credential in the WebSDK OAuth Token Configuration settings. |
    | | Secondary Credential | Use to select a secondary credential to pass to the script, for example, to authenticate to the remote system. |
    | | Enable Debug Logging | (Optional) If you want to enhance troubleshooting capabilities of your Adaptable Workflow, select the Enable Debug Logging check box. For information about how enabling this option works with the PowerShell script, see About debug logging in the Adaptable Workflow PowerShell script reference. |
    | Conditions | | |
    | | If Stage is | Applies the workflow actions at the designated stage of the object lifecycle. For more details on certificate workflow stage codes, see Workflow object settings. |
    | Approvals | | |
    | | Request Approval From | Under the designated conditions, Trust Protection Platform submits an approval request to the workflow approver. You can request approvals for certificate renewals. The following options allow you to define the workflow approver: Approver assigned to object; Specified approver; Approver specified in PowerShell script. If you select either of the first two options, Trust Protection Platform will send the approvers list to the script. If you choose the third option, then you either don't need approvers, or the approvers are specified in the script or in the external system that you are connecting with. |
    | | Specified Approvers | Defines a static approver for the workflow object. When selecting identities, press Ctrl+click to select multiple users and/or groups. If the Adaptable Workflow PowerShell script contains the "WorkflowApprovers" parameter, that value overrides the value set here on the workflow object, allowing the script to modify the approvers and pass back the updated list to Trust Protection Platform. If the script contains the WorkflowApprovers variable, that's what is used. If the script doesn't contain WorkflowApprovers, then Trust Protection Platform uses the approvers specified in the Trust Protection Platform interface. |
    | | Approval Reason Code | The Reason Code you want to include with the notification that is sent to the workflow approver. The maximum Approval Reason Code value is 999. NOTE  This option is not required if you choose Approver specified in PowerShell script. Otherwise it is required. Approval Reason Codes also accompany customized explanations or instructions for workflow approvers. The drop-down list displays the Reason Codes defined in the Workflow tree. For more information, see Defining reason codes for certificate approvals. |
    | WebSDK OAuth Token Configuration | | NOTE  If your application doesn't connect to the Web SDK, leave all of these fields blank. |
    | | OAuth Token Application ID | Enter the application ID of the API application integration you should have created previously, as described in Adaptable Log Channel prerequisites. |
    | | OAuth Token Credential | Select the username credential of the service account that has been granted access to the Client ID of the API Application. See Adaptable Log Channel prerequisites. In this context, the username credential identifies the user (identity) for whom the token is being requested. It also verifies whether you have the required permissions within your organization to enable the script to authenticate as the selected user. This security measure prevents users from impersonating another user. |
    | | OAuth Token Scope | (Optional) Enter one or more of the scopes assigned to your API application. For example, Certificates: Manage. Leave this field blank if you want to include all defined scopes. To learn more about scopes and restrictions, see Scopes for token. |

    NOTE  If you have specified custom fields in the PowerShell script, they will also be visible on this screen. Custom fields support macros, which are evaluated before the results are passed to the PowerShell script. For example, the $SelfDN$ macro will resolve to the DN of the certificate or application being processed for approval. For more information on Macros, see Macro overview. For more information on Configuration Macros, see Configuration macros.