Access Provisioning

Action flows for provisioning IAM users or role mappings

Approvable Relationships and Approval Chains

Each approvable relationship has one or more ApprovalChain(s). Regardless of what ApprovalChain is used for obtaining approval, each approvable relationship only has one ActionChain for provisioning and one for deprovisioning to avoid complexity and confusion. In other words, there is only one API call to create a user, however you can use any ApprovalChain to obtain approval.

Action Chains and Action Flows

An ActionChain is the template for an ActionFlow. Each ActionChain has one or more ActionChainScripts that are templates for ActionFlowScripts. When an approvable relationship is created and the ApprovalFlow is completed, an ActionFlow is created and has a 1:1 relationship with the new relationship many-to-many record.

Action Chain Scripts and Action Flow Scripts

An ActionChainScript defines the type of background job and specific metadata for performing actions for provisioning, updating, or deprovisioning any of the approvable relationships that a SaaS Provider has. In other words, an ActionChainScript is a template for a task to run that specifies which API endpoint to call and what data to pass to it.

When an ActionFlow is created using the ActionChain template, ActionFlowScript(s) are created using the ActionChainScripts that are associated with that ActionChain.

Action Chain Script Types

Type Description
none No action required.
{provider}_api_create_entity Use SaaS Provider API to create an entity
{provider}_api_delete_entity Use SaaS Provider API to delete an entity
{provider}_api_create_group Use SaaS Provider API to create a group
{provider}_api_delete_group Use SaaS Provider API to delete a group
{provider}_api_create_role Use SaaS Provider API to create a role
{provider}_api_delete_role Use SaaS Provider API to delete a role
{provider}_api_create_user Use SaaS Provider API to create a new user
{provider}_api_disable_user Use SaaS Provider API to block or disable a user
{provider}_api_delete_user Use SaaS Provider API to delete a user
{provider}_api_add_user_to_entity Use SaaS Provider API to add user to an entity (multi-tenant SSO only)
{provider}_api_add_user_to_group Use SaaS Provider API to add user to a group
{provider}_api_add_user_to_role Use SaaS Provider API to add user to a pre-defined role
{provider}_api_allocate_license Use SaaS Provider API to allocate user license/seat
{provider}_api_remove_user_from_entity Use SaaS Provider API to remove user from an entity
{provider}_api_remove_user_from_group Use SaaS Provider API to remove user from a group
{provider}_api_remove_user_from_role Use SaaS Provider API to remove user from a role
{provider}_api_{endpoint} Placeholder for additional API endpoints
{provider}_webhook_{endpoint} Placeholder for additional webhooks
slack_notification Send read-only notification to specific user ID or channel
slack_approval Send interactive prompt to a specific user ID (ex. green/red/action button)
email_notification Send read-only email notification to a specific user
email_approval Send interactive prompt to specific user ID (ex. green/red/action button)
gitlab_issue_create Create a GitLab issue using issue template with variable placeholders
gitlab_issue_add_comment Add a comment on an existing issue
gitlab_issue_add_label Add a label to an existing issue
gitlab_issue_remove_label Remove a label from an existing issue
gitlab_issue_close Close an existing issue (ex. after tasks are completed)
gitlab_issue_assign_user Assign an issue to a specific user
gitlab_issue_unassign_user Unassign an issue from a specific user
sleep Add a delay between multiple scripts to allow async jobs to complete.

Related Topics

  • API Integration and SaaS Provider Services - See the API integration documentation to learn more about how we make calls to the SaaS Provider API to provision or deprovision various resources.
  • Deprovisioning - See the deprovisioning documentation to learn more about how we use ActionChain, ActionChainScript, ActionFlow, and ActionFlowScript concepts for deprovisioning users and resources.