Publish Playbooks to a Restricted Workspace
You must raise a publish request for a playbook to be published to a destination workspace that is restricted. A user with approval privileges will receive the publish request, review the request, and take necessary actions before approval.
What is a restricted workspace?
A workspace where playbooks must go through an approval process before it is published to a destination workspace is called a restricted workspace.
Examples of restricted workspaces
The following are examples of restricted workspaces:
You can mark a Production workspace as restricted since it may store critical resources.
A Managed Security Service Provider (MSSP) can mark their customer's workspaces as restricted since the workspaces may store sensitive data.
Raise a Request to Publish Playbook
You must initiate a request to publish a playbook to the destination workspace that is restricted.
The following GIF illustrates the steps of initiating a request to publish a playbook to a restricted workspace.
To raise a request to publish a playbook, do the following:
Steps
Follow the steps mentioned in Publish Playbook to a Workspace.
In the Publish Playbook panel, add a relevant description for the Playbook as analysts can use this for their reference.
Choose to Include Associated Sub-playbooks. By default, this option is enabled.
If you are publishing a playbook for the first time to a destination workspace, then it is recommended to include the associated sub-playbooks for publishing.
If you are re-publishing a playbook to the destination workspace and you have made changes to only the master playbook, then it is recommended to exclude the associated sub-playbooks for publishing.
You must review the following playbooks and app details before initiating a request to publish the playbook to a restricted workspace.
Playbooks: On approval, the listed Master Playbook and the Associated Sub-playbooks will be published to the destination workspace.
Apps: On approval, the listed apps will be installed in the destination workspace.
Click Raise Publish Request.
On approval, the playbook will be published to the destination workspace. To view the published playbook in the destination workspace, you must be a part of a user group with View Workspaces permission in the destination workspace.
If the publish request is rejected by the approver, then you will receive an email notification along with the review comments if shared by the approver. You can also view the publish requests raised by you in Publish Requests. For more information on viewing your publish requests, see Manage Publish Requests.
Note
If you have raised a request to publish a playbook to a destination workspace, then you cannot self-approve the request. Other approvers from the approver user group can approve the publish request.
Approval Process to Publish Playbook
A user from the approver user groups can review and approve the playbook publish request before the playbook is published to a destination workspace. An approver can also reject a request to publish a playbook to a destination workspace.
Before you Start
Ensure that you are part of the approver user groups in the destination workspace.
Steps
The following GIF illustrates the approval process to publish a playbook to a restricted workspace.
To respond to a playbook publish request, do the following:
Go to the top bar and click Playbook Publish Requests and select Approver from the dropdown.
Go to the Pending tab and select a playbook you must review for publishing to the destination workspace.
Click Respond. The review request to publish a playbook is displayed.
Review the playbook details and take action if required.
Click Publish to publish the playbook or click Reject to reject the request to publish the playbook to the destination workspace. You can also add review comments to share feedback or highlight potential issues that may arise due to publishing.
Element | Description |
Master Playbook | If the playbook does not exist in the destination workspace, then on approval the playbook will be published to the destination workspace. |
Sub-Playbooks | If the sub-playbooks do not exist in the destination workspace, then on approval the sub-playbooks will be published to the destination workspace. |
Apps/Custom Apps | If the apps or custom apps that are part of the source playbook do not exist in the destination, they will be installed automatically. The associated app instances are published to the destination workspace. However, you must configure the app configuration parameters manually. |
You must understand the following behavior before taking necessary actions.
Important
When a playbook is published from a source workspace to a destination workspace, a source reference ID of the playbook is stored in the destination workspace. If a requester republishes the same playbook from the source to the destination workspace, then the destination workspace validates the source reference ID of the playbook and prompts the approver to either create a new copy of the playbook, replace the playbook of the same reference ID, or skip publishing (for sub-playbooks) to the destination workspace.
Element | Action | Description |
Existing Master Playbook or Sub-Playbooks | Create New | If a playbook already exists in the destination workspace, and you do not want to override the playbook to avoid interference in its current execution, then you can create a new copy of the playbook. The publishing timestamp is appended to the new playbook name. |
Replace | If a playbook already exists in the destination workspace, then you can replace the playbook in the destination in one of the following scenarios: • If you have a more refined version of the playbook in the source workspace • If there are any errors in the functioning of the playbook in the destination workspace By default, the Replace action is selected. | |
Existing Sub-Playbooks | Skip | If you have edited only the master playbook in the source workspace, then you can skip publishing the sub-playbooks to the destination workspace. |
New Sub-playbooks | No action required | The listed sub-playbooks that are part of the source playbook do not exist and will be published to the destination workspace. |
New Apps and Actions | No action required | The listed apps that are part of the source playbook do not exist in the destination workspace. The apps from the Appstore or custom apps will be installed automatically in the destination workspace. The associated app instances are published to the destination workspace automatically. However, you must configure the app configuration parameters manually. |
Custom Apps with Missing Actions | Configure missing actions of custom apps manually | The listed actions of the custom apps that are part of the source playbook are unavailable in the destination. You must configure these actions manually in the destination workspace. |
Existing Apps and Actions | No action required | The listed app actions that are part of the source playbook already exist in the destination workspace and do not require any further action. |