Cisco Process Orchestrator 3.0 User Guide

OL-30196-01
Chapter 7 Authoring Processes
Using Hidden String Variables
Hidden variables hold protected secrets (such as HR information, or security information such as a 
password) in use cases that runtime users do not cover. For example, you might 
need to pass a password to a script. Runtime users in Process Orchestrator are fully protected, so no 
process can retrieve the password from any runtime user. Hidden strings provide an alternative for these 
use cases. Another example is a password that must be passed to a web service invocation.
When hidden variable values are entered or displayed, they are obscured. When they are 
stored, they are encrypted so that they cannot be compromised by UI or database access.
A common use case is when a password is required to access some service. Typically there will be a 
target that is associated with the connection, such as a web service. Using service-oriented orchestration 
principles, you can either:
  • Extend the existing target type to add a “password” property of a hidden text type.
  • Create a new specialized target type that inherits from the target type and create a “password” 
    property on the new target type.
For example, say that you use a web target to connect to a Cisco Prime Network Services Controller 
REST API, and that the API requires a password. You could create a new “Cisco Prime Network Services 
Controller” target type which inherits from web target, then add a hidden text target property “password” 
on that type. You can then securely store passwords only for Prime Network Services Controller 
connections and not for all web services in general.
Caution
In some cases, hidden strings can be passed outside Process Orchestrator. For example, a hidden text 
variable might be passed to a Windows script or a web service invocation. The variable value is passed 
in clear text outside the tool. Care must be taken in this regard. For example, if someone put a network 
sniffer on the web service call and you used HTTP rather than HTTPS for the call, the sniffer would be 
able to see the value. Process Orchestrator protects the value of the variable within the product itself and 
its logs, but it is the responsibility of the author and their IT department to protect these secrets outside 
of the product.
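The following is an added example, not part of the Cisco guide or the product: a guard that a script receiving a hidden string could run before forwarding the value to a web service, so the secret is never sent over HTTP or placed in the URL. The function names, the host name, and the use of HTTP Basic authentication are assumptions made for illustration.

```python
# Added example (not Cisco code). All names and values below are hypothetical.
import base64
import urllib.request
from urllib.parse import urlsplit, parse_qsl


class CleartextSecretError(ValueError):
    """Raised when a secret would leave the host without protection."""


def destination_problems(url, password):
    """Return a list of reasons the URL is unsafe for carrying the secret."""
    parts = urlsplit(url)
    problems = []
    # Plain HTTP exposes the value to anyone capturing the traffic.
    if parts.scheme.lower() != "https":
        problems.append("not-https")
    # user:password@host in the URL is recorded by proxies and access logs.
    if parts.username or parts.password:
        problems.append("userinfo-in-url")
    # parse_qsl percent-decodes, so an encoded copy of the secret is caught too.
    if any(value == password for _, value in parse_qsl(parts.query)):
        problems.append("secret-in-query")
    return problems


def build_request(url, username, password):
    """Build the request only if the destination passes every check."""
    problems = destination_problems(url, password)
    if problems:
        raise CleartextSecretError(", ".join(problems))
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, method="GET")
    # Assumption: the service accepts HTTP Basic authentication.
    req.add_header("Authorization", f"Basic {token}")
    return req


def describe(req):
    """Log-safe summary: header names only, never header values."""
    names = sorted(name for name, _ in req.header_items())
    return f"{req.get_method()} {req.full_url} headers={names}"


if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network.
    print(describe(build_request("https://nsc.example.test/api", "svc", "constructed-secret")))
    print(destination_problems("http://nsc.example.test/api?pw=constructed-secret", "constructed-secret"))
```
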
Related Topics
Adding Targets and Target Groups
When you create a process, you must specify where you want the process to run. You can also specify 
that the process runs on a specific target or target group. 
Note
When you move process definitions from environment to environment using automation packs, the 
specific targets will be different in the new environment. Therefore, if you plan to export your process 
in an automation pack, you will want to avoid references to specific targets. Instead, use a target group 
in your process definition, and place the environment-specific targets in that target group. Use direct 
target references only in environment-specific processes.
The target group can be defined once and reused in several processes. For example, you might have a 
database maintenance process that is scheduled to run every month on all database servers. Instead of 
scheduling the process multiple times to run on each database server, you can create a target group that 
includes all the database servers and schedule the process to run on all the servers at the same time.