Entitlement Scripts


Use the Scripts > entitlement scripts UI to create a new script.

Using Entitlement scripts

Entitlement scripts have three different uses when configuring Entitlements. The same syntax, script://script_name, is used to reference all three types of Entitlement script:

  • Host: defines a resolvable name or IP address. If resource names are returned, the name resolver later resolves them to IP addresses.

  • Port or Type: defines one or more port numbers or ICMP types.

  • App Shortcut: defines the name, description, URL and icon color for the App Shortcut that will be displayed in the Client.

Why use?

Entitlements that contain scripts (based on user/device claims) are initially run when the user connects to each Gateway. A script might, for example, build a resource name by concatenating a claim value (such as an AD attribute) with some static syntax or with a value returned from an external system. If the result is esx://vm:<VALUE>, it is subsequently resolved to IP addresses by the vSphere name resolver. Resolving different VMs based on <VALUE> allows one Entitlement to adapt at use-time, which can massively reduce the number of Policies and Entitlements needed to configure the system.

Functionality

These scripts can use any existing user, device and system claims, including those provided by the Controller in the claims token. They run in a sandboxed JavaScript engine that supports external httpGet/httpPost/httpPut/httpDelete calls, and must return a response appropriate to the script type. For a Host Entitlement script this means IP addresses, hostnames, resource names, etc., which allows the system to populate <Hosts> automatically; <Hosts> in turn drives the Gateway's firewall rules and the Client's routes.

Scripts may request information from other systems that require credentials, which then have to be embedded in the JavaScript. Scripts used in Entitlements and Conditions are therefore carried in the encrypted portion of the Entitlement token.

To configure

  • Entitlement Scripts are added in Scripts > Entitlement scripts, where you select one of the three types: Host, Port or Type, or App Shortcut.

  • Reference the scripts in Entitlements (under Actions in the case of <Hosts> and/or <Ports/Types>).

Host Entitlement Script example

// One "aws://tag-value:<group>" resource name per group in the user's claims.
const tags = [];
const len = claims.user.groups ? claims.user.groups.length : 0;
for (let i = 0; i < len; i++) {
  // Strip spaces so the group name is usable as an AWS tag value.
  tags.push("aws://tag-value:" + claims.user.groups[i].replace(/ /g, ''));
}
return tags;

In this example the claims.user.groups value is taken from the Claims token. Each group name is cleaned (spaces removed) and then concatenated with "aws://tag-value:" to return: aws://tag-value:<ad-groupname>

This is now in a recognizable name resolver format which the system will then use - in this case to get the IP addresses of hosts which have been tagged with the same name as the user's Identity Provider's Group attribute.

App shortcut Entitlement Script example

const name = "RDP-MyWorkstation";
const description = "App Shortcut to RDP to users workstation";
// The workstation FQDN comes from a user claim (here named MyWorkstation).
const fqdn = claims.user.MyWorkstation;
// RDP URL with the "full address" parameter pointing at the user's own workstation.
const url = "rdp://full%20address=s:" + fqdn + ":3389";
const colorCode = 1;
return [{
  "name": name,
  "description": description,
  "url": url,
  "groupName": "Workstation",
  "colorCode": colorCode
}];
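The following is an added example, not code from the Appgate documentation or product: it wraps the Host and App Shortcut scripts above in functions so they can be exercised offline against a constructed claims object, and adds the input checks a script author would want before a claim value is concatenated into a resolver string or an RDP URL. In the real sandbox `claims` is a global and the script body ends with a bare `return`; the function bodies here are what you would paste. The allow-list regexes, the de-duplication, the "return an empty list when the claim is missing" behaviour and the sample claims are all assumptions made for this example, as is the assumption that the sandbox supports the same ES2015 features (`const`, `let`, `Set`, `for...of`) the page's own scripts use.

```javascript
// Added example, not Appgate's code. Host and App Shortcut entitlement scripts
// rewritten as functions, with validation of the claim values they consume.

// Allow-lists (assumptions for this example): characters permitted in a group
// name used as an AWS tag value, and a syntactically valid DNS hostname.
// Rejecting anything else stops a crafted group name or workstation claim from
// injecting delimiters into the resource string handed to the name resolver.
const SAFE_TAG = /^[A-Za-z0-9._=+@-]{1,256}$/;
const SAFE_FQDN =
  /^(?=.{1,253}$)([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$/;

// Host entitlement script: one "aws://tag-value:<group>" per AD group.
// Returns [] when the groups claim is absent, skips names that fail the
// allow-list, and drops duplicates so <Hosts> does not repeat entries.
function hostScript(claims) {
  const groups = (claims && claims.user && Array.isArray(claims.user.groups))
    ? claims.user.groups : [];
  const seen = new Set();
  const tags = [];
  for (const g of groups) {
    const cleaned = String(g).replace(/ /g, '');
    if (!SAFE_TAG.test(cleaned) || seen.has(cleaned)) continue;
    seen.add(cleaned);
    tags.push('aws://tag-value:' + cleaned);
  }
  return tags;
}

// App Shortcut script: same shortcut as the page's example, but returns []
// when the workstation claim is missing or malformed instead of producing an
// unreachable "rdp://full%20address=s:undefined:3389" shortcut.
function appShortcutScript(claims) {
  const fqdn = (claims && claims.user) ? claims.user.MyWorkstation : undefined;
  if (typeof fqdn !== 'string' || !SAFE_FQDN.test(fqdn)) return [];
  return [{
    name: 'RDP-MyWorkstation',
    description: 'App Shortcut to RDP to users workstation',
    url: 'rdp://full%20address=s:' + fqdn + ':3389',
    groupName: 'Workstation',
    colorCode: 1
  }];
}

// Constructed claims-token excerpt for offline testing (not real data).
// "Finance Users" appears twice to show de-duplication; "bad;group" is
// rejected by the allow-list.
const sampleClaims = {
  user: {
    groups: ['Finance Users', 'Finance Users', 'DevOps', 'bad;group'],
    MyWorkstation: 'ws-1234.corp.example.com'
  }
};

// Stand-alone run: prints what each script would return for sampleClaims.
console.log(JSON.stringify(hostScript(sampleClaims)));
console.log(JSON.stringify(appShortcutScript(sampleClaims)));
```

With sampleClaims, hostScript returns two resource names (FinanceUsers once, DevOps once) and appShortcutScript returns the single RDP shortcut; with the MyWorkstation claim absent, the shortcut list is empty rather than pointing at "undefined".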