Access Provisioning

Action flows for provisioning IAM users or role mappings

Approvable Relationships and Approval Chains

Each approvable relationship has one or more ApprovalChain(s). Regardless of what ApprovalChain is used for obtaining approval, each approvable relationship only has one ActionChain for provisioning and one for deprovisioning to avoid complexity and confusion. In other words, there is only one API call to create a user, however you can use any ApprovalChain to obtain approval.

Action Chains and Action Flows

An ActionChain is the template for an ActionFlow. Each ActionChain has one or more ActionChainScripts that are templates for ActionFlowScripts. When an approvable relationship is created and the ApprovalFlow is completed, an ActionFlow is created and has a 1:1 relationship with the new relationship many-to-many record.

Action Chain Scripts and Action Flow Scripts

An ActionChainScript defines the type of background job and specific metadata for performing actions for provisioning, updating, or deprovisioning any of the approvable relationships that a SaaS Provider has. In other words, an ActionChainScript is a template for a task to run that specifies which API endpoint to call and what data to pass to it.

When an ActionFlow is created using the ActionChain template, ActionFlowScript(s) are created using the ActionChainScripts that are associated with that ActionChain.

Action Chain Script Types

Type	Description
`none`	No action required.
`{provider}_api_create_entity`	Use SaaS Provider API to create an entity
`{provider}_api_delete_entity`	Use SaaS Provider API to delete an entity
`{provider}_api_create_group`	Use SaaS Provider API to create a group
`{provider}_api_delete_group`	Use SaaS Provider API to delete a group
`{provider}_api_create_role`	Use SaaS Provider API to create a role
`{provider}_api_delete_role`	Use SaaS Provider API to delete a role
`{provider}_api_create_user`	Use SaaS Provider API to create a new user
`{provider}_api_disable_user`	Use SaaS Provider API to block or disable a user
`{provider}_api_delete_user`	Use SaaS Provider API to delete a user
`{provider}_api_add_user_to_entity`	Use SaaS Provider API to add user to an entity (multi-tenant SSO only)
`{provider}_api_add_user_to_group`	Use SaaS Provider API to add user to a group
`{provider}_api_add_user_to_role`	Use SaaS Provider API to add user to a pre-defined role
`{provider}_api_allocate_license`	Use SaaS Provider API to allocate user license/seat
`{provider}_api_remove_user_from_entity`	Use SaaS Provider API to remove user from an entity
`{provider}_api_remove_user_from_group`	Use SaaS Provider API to remove user from a group
`{provider}_api_remove_user_from_role`	Use SaaS Provider API to remove user from a role
`{provider}_api_{endpoint}`	Placeholder for additional API endpoints
`{provider}_webhook_{endpoint}`	Placeholder for additional webhooks
`slack_notification`	Send read-only notification to specific user ID or channel
`slack_approval`	Send interactive prompt to a specific user ID (ex. green/red/action button)
`email_notification`	Send read-only email notification to a specific user
`email_approval`	Send interactive prompt to specific user ID (ex. green/red/action button)
`gitlab_issue_create`	Create a GitLab issue using issue template with variable placeholders
`gitlab_issue_add_comment`	Add a comment on an existing issue
`gitlab_issue_add_label`	Add a label to an existing issue
`gitlab_issue_remove_label`	Remove a label from an existing issue
`gitlab_issue_close`	Close an existing issue (ex. after tasks are completed)
`gitlab_issue_assign_user`	Assign an issue to a specific user
`gitlab_issue_unassign_user`	Unassign an issue from a specific user
`sleep`	Add a delay between multiple scripts to allow async jobs to complete.

Access Manager

Access Provisioning

Approvable Relationships and Approval Chains

Action Chains and Action Flows

Action Chain Scripts and Action Flow Scripts

Action Chain Script Types

Related Topics