Prerequisites
- Role with jobs.view / jobs.manage for job operations
- Role with scripts.view / scripts.manage for script operations
- Role with workflows.view / workflows.manage for workflow operations
- For PAM-integrated workflows: pam_vaults.view / pam_vaults.manage and configured identities
- Target hosts must be online with active agents
Creating scripts
- Navigate to Scripts > Create Script
- Enter a descriptive name
- Select the language: PowerShell, Bash, or Python
- Write or paste the script content
- Set the timeout (maximum execution time in seconds, default: 300)
- Define input parameters (name, type, required flag, default value)
- Optionally set a Run-as Identity for privileged execution via PAM
- Toggle Requires Elevation if the script needs sudo/admin
- Click Save
Script libraries
Create reusable function libraries at Scripts > Libraries. Link a library to a script and its content is automatically prepended to the script before execution. Use libraries for shared utility functions across multiple scripts.
Executing a script
- On the script detail page, click Execute
- Select target host(s)
- Fill in any required parameters
- Click Run -- the system creates one job per host
Viewing results
Navigate to Scripts > [Script] > Executions. Each execution shows the host name, exit code, stdout/stderr output, duration, and success/failure status.
Running ad-hoc jobs
Jobs are the fundamental execution unit. Every agent operation -- scripts, commands, service control, patching -- is backed by a Job record.
Job types
| Type | Description | Priority |
|---|---|---|
script | Execute PowerShell, Bash, or Python scripts | Normal |
command | Execute a single command | Normal |
service_control | Start, stop, restart, enable, or disable services | Critical |
process_control | Kill or force-kill processes | Critical |
network_diagnostic | Ping, traceroute, nslookup, dig, netstat, port check | High |
software_install | Install software packages | Normal |
user_control | Create, delete, enable, disable, reset password for local users | Critical |
group_control | Create, delete, add/remove members for local groups | Critical |
Job lifecycle
Status flow
Job actions
| Action | When Available | Effect |
|---|---|---|
| Cancel | Queued, Pending, Running | Stops execution. Agent may still complete current work. |
| Retry | Failed, Timeout | Re-queues the job with an incremented retry count |
| Delete | Completed, Failed, Cancelled | Removes the job record |
Timeouts
- Running jobs: timed out if elapsed time exceeds 2x the payload timeout
- Stale queued jobs: auto-failed after 30 minutes past the scheduled time with "Agent did not pick up job" message
Creating workflow definitions
Workflows chain multiple steps into repeatable automation sequences with branching, approval gates, and credential management.
- Navigate to Workflows > Create Workflow
- Enter a name and description
- Add steps using the visual editor
- Configure each step's success and failure routing
- Click Save
Available step types
| Step Type | Description | Workflow State |
|---|---|---|
script / command | Execute a script or command on target hosts. Creates one Job per host. | Running (until all jobs complete) |
approval | Require human approval to continue. Configurable approval types. | Paused (until approved/rejected) |
conditional | Branch based on previous step results or variable values. | No pause -- advances immediately |
delay | Wait for a specified duration before proceeding. | Paused (until delay expires) |
pam_checkout | Check out privileged credentials from a PAM vault. | Running (or Paused if approval needed) |
pam_checkin | Return previously checked-out credentials. | Running |
Step configuration
Each step has the following properties:
Script step example
{
"id": "health_check",
"type": "script",
"name": "Run health check",
"script_id": 42,
"parameters": {"threshold": "90"},
"on_success": "deploy_step",
"on_failure": "notify_failure"
}
Approval step example
{
"id": "approve_deploy",
"type": "approval",
"title": "Approve production deployment",
"approval_type": "one_of_many",
"approvers": ["role:admin", "user:5"],
"timeout_minutes": 60,
"on_success": "deploy_step",
"on_failure": "cancelled"
}
Variable substitution
Use {{path.to.value}} syntax in script parameters, command strings, approval titles, and checkout reasons to reference data from previous steps.
Step result variables
Auto-created when a script or command step completes successfully:
| Syntax | Description | Example |
|---|---|---|
{{step_ID.stdout}} | Standard output from step | {{step_health_check.stdout}} |
{{step_ID.exit_code}} | Exit code (integer) | {{step_scan.exit_code}} |
{{step_ID.json.KEY}} | Parsed JSON key (if stdout was JSON) | {{step_scan.json.ip_address}} |
PAM credential variables
Auto-created on PAM checkout. Variables are stored under both the explicit variable_name from step config and the identity's name.
| Syntax | Description |
|---|---|
{{db_admin.username}} | Username of the checked-out identity |
{{db_admin.credential_type}} | Credential type (password, ssh_key, etc.) |
{{db_admin.domain}} | Domain (if identity has one) |
{{db_admin.password}} | BLOCKED -- returns ***CREDENTIAL_BLOCKED*** |
{{X.password}} variable is blocked for security. Credentials flow via the run_as mechanism (transport-encrypted), never as plaintext in job payloads. Use run_as: "{{db_admin}}" on script/command steps to execute as the checked-out identity.
Conditional expressions
Conditionals can reference any variable:
{
"id": "check_result",
"type": "conditional",
"config": {
"condition": "{{step_scan.exit_code}} == 0",
"on_true": "continue",
"on_false": "rollback"
}
}
Legacy syntax
The variables. prefix also works for backward compatibility: {{variables.step_scan.stdout}}, {{variables.db_admin.username}}.
Approval workflows
Approval steps pause the workflow and wait for human authorization. Pending approvals appear in Workflows > Approvals.
Approval types
| Type | Behavior |
|---|---|
singular | One designated person decides |
one_of_many | Any one of the listed approvers can approve |
two_of_many | Two approvers must agree |
all | Every listed approver must approve |
majority | More than half of listed approvers must approve |
Each approval request has an optional timeout (in minutes). If nobody responds before the deadline, the approval auto-rejects and routes to the failure path.
Running workflow instances
- Navigate to the workflow definition
- Click Start
- Select target hosts
- The system creates a workflow instance and begins processing steps
Instance statuses
On the instance detail page, monitor the current step, view completed step results, and respond to pending approval requests.
PAM integration in workflows
Use pam_checkout and pam_checkin steps to integrate privileged credential management directly into your workflows.
Checkout step
- Creates a privileged session for the specified identity
- If the identity requires approval, the workflow pauses until approved
- Credential data is stored in the workflow instance for use by subsequent steps
- Use
run_as: "{{identity_name}}"on script/command steps to execute with the checked-out credential
Checkin step
- Ends the privileged session(s) created by the checkout step
- If the identity has "Rotate After Use" enabled, triggers automatic password rotation
run_as mechanism passes credentials via transport encryption directly to the agent.
Recurring jobs
Schedule jobs to repeat automatically using cron expressions.
- Create a job (script, command, etc.) as usual
- Toggle Recurring
- Enter a Cron Expression (standard 5-field syntax, e.g.,
0 2 * * *for daily at 2 AM) - Optionally set Max Recurrences (total execution limit)
- Optionally set an End Date
- Click Save
The scheduler creates child jobs at each cron tick. View execution history via the parent job's children. The template job tracks the next run time and recurrence count, and stops when limits are reached.
Permissions reference
| Permission | Grants |
|---|---|
| jobs.view | View jobs and job details |
| jobs.manage | Create, cancel, retry, delete jobs |
| scripts.view | View scripts, libraries, and execution history |
| scripts.manage | Create/update/delete scripts, execute scripts, manage libraries |
| workflows.view | View workflow definitions, instances, and approvals |
| workflows.manage | Create/update/delete workflows, start instances, respond to approvals |
Workflow execution lifecycle
Troubleshooting
| Symptom | Cause | Fix |
|---|---|---|
| Job stuck in "queued" | Agent offline or not polling | Check agent heartbeat. Stale jobs auto-fail after 30 minutes. |
| Job timed out | Execution exceeded timeout | Increase the timeout in the script settings. Server uses 2x the agent timeout. |
| Script returns wrong exit code | Script error handling issue | Check stderr in job result. Ensure script uses exit with correct code. |
| Workflow stuck in "paused" | Waiting for approval or delay | Check approval requests. For delay steps: the scheduler resumes automatically when the delay expires. |
| Recurring job not creating children | Scheduler issue | Check the next run time on the template job. Verify cron expression syntax. |
| "Agent did not pick up job" | Agent offline, auth failure, or host decommissioned | Check agent status. Verify org secret. Check server logs for auth failures. |
| Approval timed out | Nobody responded before deadline | Set a longer timeout or notify approvers. Auto-rejected approvals route to the failure path. |