Skip to content

Workflow Templates

Workflow templates are pre-built workflows that you can edit to meet your needs.

Search for templates by name or description. Select one or more category tags to filter the templates by category. Select a template to start building a workflow.

This list of templates is subject to change. Some templates require integration with SaaS Management or Data Intelligence. For more information about Workflows and SaaS Management, refer to SaaS Management's documentation.

Below, you can find a list of all templates currently available for workflows.

Create a Certification Campaign for Detected Outliers (0.7-0.9)

This workflow is triggered when an outlier score is at or above 0.7 but less than 0.9. An email notification is sent to the outlier identity's manager and a certification campaign is assigned to the manager to review the outlier identity's access.

  • This workflow is triggered when an outlier is detected.

  • The workflow compares the outlier score to ensure it is at or above 0.7 but lower than 0.9.

  • When an outlier score is detected in this range, the workflow returns information on the outlier identity and their manager.

  • A certification campaign is created, and the identity’s manager is notified so they can review the identity’s access.

  • The workflow ends successfully when the manager has been successfully notified.

  • If the evaluated outlier score is not within this range, no further action is needed, and the workflow completes successfully

Create and Activate a Certification Campaign

This workflow is triggered when an identity changes departments. The workflow creates and activates a certification campaign so their manager can verify their new access.

  • This workflow is triggered when an identity’s attributes change.

  • The workflow determines whether the identity’s department has changed.

  • When an identity changes departments, the workflow creates and activates a certification campaign so their manager can verify their new access.

  • The manager is notified that a certification campaign is pending.

  • The workflow ends successfully when the manager has been notified.

  • If the identity did not change departments, no further action is needed, and the workflow completes successfully.

Deprovision Inactive Users Detected in SaaS Management

This workflow is triggered by a SaaS Management report generated for accounts with zero days of activity over 90 days from initial activation. This workflow will deprovision those accounts to reduce risk and license costs.

  • This workflow is triggered by a SaaS Management report generated for accounts with zero days of activity during the last 90 days.

  • This workflow returns account data and deprovisions those accounts to reduce risk and license costs.

  • The workflow ends successfully when all reported accounts have been deprovisioned.

Disable Accounts and Send an Email Notification for Detected Outlier Identities (0.9+)

This workflow is triggered when a detected outlier score is at or above 0.9. When the score is this high, all accounts for the identity are disabled and an email notification is sent to their manager to review access and investigate the exceptions.

  • This workflow is triggered when an outlier is detected.

  • The workflow compares the outlier score to ensure it is at or above 0.9.

  • When an outlier score is this high, the workflow returns all attributes, access associated with the outlier identity, and their manager.

  • Their manager is notified that the outlier is deemed an excessive risk, and all accounts are disabled until a full review can be completed.

  • The workflow ends successfully when the manager has been successfully notified and all accounts have been disabled.

  • If the evaluated outlier score is not at or above 0.9, no further action is needed, and the workflow completes successfully.

Initiate Onboarding Process When a New Identity is Created

This workflow is triggered when a new identity is created. The workflow activates accounts associated with the new identity and generates a certification campaign so their manager can verify their access.

  • This workflow is triggered when a new identity is created.

  • An HTTP step in this workflow allows you to configure a request to an external system, such as an IT system for hardware access.

  • The workflow activates the accounts associated with the identity and generates a certification campaign so their manager can verify their access.

  • Email notifications throughout the workflow can be configured to notify the user and their manager of the onboarding process’s progress.

  • The workflow ends successfully when the certification campaign has been created.

  • If the HTTP Request step fails, an email is sent to the new identity’s manager, and the workflow ends in a failed state.

Remove Access When an Identity Becomes Inactive

This workflow is triggered when an identity’s lifecycle state changes to Inactive. The workflow disables the identity’s remaining accounts and notifies their manager of their inactive status.

  • This workflow is triggered when an identity’s lifecycle state changes.

  • The workflow determines if the lifecycle state attribute changed to Inactive.

  • When this attribute changes to Inactive, the workflow disables the identity’s accounts and notifies their manager of their inactive status.

  • An HTTP request allows you to configure appropriate actions to be taken on external systems.

  • The workflow ends successfully when the accounts have been disabled.

  • If the lifecycle state attribute has not changed to Inactive, no further action is needed, and the workflow ends successfully.

Revoke Entitlement Additions Detected as Native Change Account Created

This workflow is triggered when a Native Change Account Created event containing entitlement additions is detected. Each new entitlement is revoked, and a summary email is sent to the source owner.

  • This workflow is triggered when a Native Change Account Created event containing entitlement additions is detected.

  • The workflow revokes each new entitlement, and a summary email is sent to the source owner.

  • The workflow ends successfully after the source owner has been notified.

Revoke Entitlement Additions Detected as Native Change Account Updated

This workflow is triggered when a Native Change Account Updated event containing entitlement additions is detected. Each new entitlement is revoked, and a summary email is sent to the source owner.

  • This workflow is triggered when a Native Change Account Updated event containing entitlement additions is detected.

  • The workflow revokes each new entitlement, and a summary email is sent to the source owner.

  • The workflow ends successfully after the source owner has been notified.

Send an Email Notification About Inactive Accounts Detected in SaaS Management

This workflow is triggered by a report generated in SaaS Management for applications where accounts have zero days of activity over the last 30-60 days. This notifies the application owner so they can determine if access is still needed for these inactive accounts.

  • This workflow is triggered by a report generated in SaaS Management for applications where accounts have zero days of activity during the last 30-60 days.

  • The workflow notifies the application owner so they can determine if access is still needed for these inactive accounts.

  • The workflow ends successfully after the notification has been sent.

Send an Email Notification for Detected Outlier Identity (0.5-0.7)

This workflow is triggered when an outlier score of higher than 0.5 but lower than 0.7 is detected. An email notification is sent to their manager to inform them the identity is an outlier.

  • This workflow is triggered when an outlier is detected.

  • The workflow compares the outlier score to ensure it is above 0.5 but lower than 0.7.

  • When an outlier score is detected in this range, the workflow returns information on the outlier identity and their manager.

  • The manager is notified that the identity is an outlier.

  • The workflow ends successfully when the manager has been successfully notified.

  • If the evaluated outlier score is not within this range, no further action is needed, and the workflow completes successfully.

Send an Email when an Access Request is Decided

This workflow is triggered when an access request is approved or denied. An email is sent to the user and their manager to notify them of the access change.

  • This workflow is triggered when an access request is decided.

  • The workflow sends an email to the user and their manager to notify them of the access change.

  • This workflow ends successfully when the identity’s manager has been notified.

Start a Certification Campaign for Inactive Users Detected in SaaS Management

This workflow is triggered by a SaaS Management report generated for accounts with zero days of activity for 60-90 days from activation. A certification campaign is initiated so the application, or source, owner can verify their access.

  • This workflow is triggered by a SaaS Management report identifying accounts with zero days of activity for 60-90 days from activation.

  • The workflow creates a certification campaign so the application, or source, owner can verify their access.

  • The workflow ends successfully after the email has been sent.

Update and Certify Access When an Identity Changes Departments

This workflow is triggered when an identity changes departments. The workflow retrieves the access associated with their new role and grants that access to the identity. It also starts a certification campaign to ensure that the access no longer relevant to them is removed.

  • This workflow is triggered when one or more identity attributes have changed.

  • The workflow pauses to allow provisioning activities to be completed.

  • The workflow then compares the attributes to assess whether the department attribute was updated.

  • When the department attribute has changed for an identity, this workflow returns role and access information for the identity’s new department.

  • The new access is added for the identity and their manager is notified of their new access.

  • A certification campaign is created so the manager can verify the identity has the correct access needed for their new department.

  • The workflow ends successfully when the certification campaign has been created.

  • If the identity’s department was not changed, no further action is needed, and the workflow ends successfully.

Documentation Feedback

Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.