Skip to main content
Early access:This new feature is in early access while we gather feedback and fine-tune its details. Let us know if you’re eager to give it a try!
Automations in ConductorOne empower you to build custom workflows for repetitive tasks, significantly streamlining your operational processes. Automations are ideal for kicking off critical processes when an employee’s status changes, providing seamless onboarding, secure offboarding, efficient role transfers, and timely access reviews. Automations ensure consistency, reduce manual effort, and improve compliance. Find and manage all your automations on the Automations page.

Automation structure

Here’s a sample automation’s details page:
An automation's details page with numbered callouts one through four highlighting the items described in the text below.
Let’s break down the structure:
  1. Automation trigger: This determines what causes an automation to run. This automation’s trigger is turned on, so it will run automatically. You can also manually start an automation run at any time by clicking Run at the top of the page.
  2. Automation steps: These are the actions your automation performs. This automation has only one step, but you can add as many as you need.
  3. Publication status: Each automation is in either a draft or published state. Here, the Publish button is greyed out to indicate that this automation is published.
  4. Version number: Automations are versioned (this one is v2), and you can restore a previous version of an automation if necessary.

Create a new automation

A user with the Super Admin role in ConductorOne must complete this task.
1
Navigate to Admin > Automations and click New automation.
2
Give your automation a name and add a description, if desired.
3
Click Set automation trigger and choose the event that will trigger this automation. Refer to the automation triggers reference below for details on the available triggers.
4
Set the Automation toggle to On if you want to start triggering the automation when the event you’ve selected occurs as soon as the automation is published. You can also leave the toggle off for now, if desired.Automations in their draft state do not run automatically, even if this toggle is enabled.
5
Click Add step and select the first step for the automation. Refer to the automation steps reference below for details on the available automation steps.
6
Fill out the automation step form and click Save.
7
Click + Add step again and repeat the process to add additional steps, as needed.If you need to reorder the automation steps, hover over the step and use the arrow keys.To delete a step entirely, hover over the step and click the trash can icon.
8
To test your automation, click Run draft at the top of the page.You’ll be asked to provide context for the test run, and will see a panel showing the details of the execution as it proceeds.
9
When you’re ready, click Publish to put the automation into use.Make sure to check on the status of the automation trigger, and turn it to On if you want to start triggering the automation when the event you’ve selected occurs.
That’s it! The automation is now ready for use. To see all executions of this automation, click the (more actions) menu and select Show execution history.

Fine-tuning your automation

On the Advanced tab of each automation step’s setup drawer, you can add a CEL expression that instructs the automation to skip the step if a condition is met. This section also displays the step’s Step ID, which is used to reference the current step’s output in later steps. On the Available data tab, you’ll find data gathered from previous steps in the automations, which can be used to write CEL expressions to refine or define conditions in later steps.

Editing an automation

When first published, new automations are marked v1. If you make edits to the automation, it will create a new draft version of the automation, which you can test and publish (as v2) when you’re ready. To see all versions of the automation, click the (more actions) menu and select Show version history. You can restore a different version of the automation from this list.

App-specific automations

A user who is an application owner with the App Admin role can create and manage app-specific automations for the apps they own.
You can create and manage automations that are scoped to a specific app on that application’s Automations tab. To create an app-specific automation:
1
Navigate to Admin > Applications and click the name of an application you own.
2
Click Automations. Any existing app-specific automations are listed here.
3
Click New automation, then follow the steps in Create a new automation.
All app-specific automations are also listed on the Automations page. Only users with the Super Admin role can see and manage these automations from this page.

Unused access automations

Availability and functionality of unused access automationsSome older connectors do not support the data needed to run unused access automations. The Unused access section is not displayed on these apps’ details pages.Be aware that while the Unused access section is displayed on all current-generation connectors’ app pages, only those connectors that report last login data (and their child apps, as relevant) can correctly track login data and use it to strategically take action on unused accounts via an unused access automation. View the list of connectors that report last login information on the connector capabilities table.CAUTION: If an unused access automation is set up on an app whose connector does not report last login information, the automation will take action on all app accounts.
Unused access automations are tailored to help you manage unused app access. These automations fire when a user has not logged into their app account for the length of time you specify. Create and manage unused access automations in the Unused access section of the app’s Controls tab. This section shows the number of accounts that have not been accessed in the past 30 days (click through to see the full list of these accounts on the Access explorer page), and is the home of controls for quickly creating an automation for unused access.
The Unused access section of an app's details page, showing 26 accounts unused in the past 30+ days and the controls to set up a new unused access automation.
To set up a new unused access automation:
1
Locate the Unused access section of the app’s Controls tab and click Add automation.
2
Choose from the list of automation templates:
  • Send a notification after 30 days
  • Revoke access after 45 days
  • Create a custom usage-based automation from scratch
3
The automation draft is set up for you. Click the Unused access trigger, review the details and make any adjustments.You can choose how to treat accounts with no login activity, set how to perform the initial runs of the automation, and narrow the automation’s scope, if desired.
4
Click Save.
5
If needed, review the automation’s steps and add additional steps as desired.
6
When you’re ready, click Publish.The automation is now ready for use. To see all executions of this automation, click the (more actions) menu and select Show execution history.
That’s it! You can review and update this automation on the Unused access section of the app’s Controls tab (users with the Super Admin role can also see it on the Automations tab). You can also add additional usage-based automations to this app to further fine-tune how unused access is managed.
The Unused access section of an app's details page, showing an automation that creates a revoke task for unused access.

Automation triggers reference

Each automation can be triggered by an event such as the creation of a new application account or a change in a user or account’s status. Alternatively, you can skip adding an automation trigger and instead run the automation manually.
TriggerRequiresExample
User updatedUser attribute
(Optional) Conditional expression		Trigger on a change to a user’s employment status
Account createdApp name
(Optional) Conditional expression		Trigger on the creation of a new GitHub account
Account updatedApp name
Account attribute
(Optional) Conditional expression		Trigger on a change to the email address associated with an Okta account
Unused accessApp name
Days since last login
(Optional) Type of account
(Optional) Whether to include accounts with no login activity
(Optional) Conditions for inclusion/exclusion
Cold start behavior (see below)		Trigger when a user has not logged into GitHub for 45 days
User created(Optional) Conditional expressionTrigger when a new user is created
Grant foundAccount type
Entitlements or app name
Grant source
Grant type
Grant origin		Trigger when a user is granted access to the OpsGenie on-call rotation
Grant deletedAccount type
Entitlements or app name
Grant source
Grant type
Grant origin		Trigger when a user loses access to their Google Workspace account
Incoming webhookAuthentication method (HMAC or JWT)Trigger when an employee’s status changes to Inactive in Workday
Cold start behavior on an unused access trigger sets whether app accounts that meet the unused access trigger’s condition when the automation is first enabled will immediately have the automation’s actions performed, or if the automation should proceed only after a delay (during which time you could, for example, alert the impacted users that their access will be removed if unused).

Automation steps reference

An automation needs at least one step, and can have as many steps as you need. You can reorder steps if needed by using the arrow controls.
StepRequiresExample
Send emailRecipient
Email title
Email subject
Email message		Send an email to three IT admins
Send Slack messageSlack channel name
Message		Send a Slack message to the “New employees” channel
Wait for durationTime to wait before proceedingWait 30 minutes
Create campaignAccess review template
User whose access will be reviewed		Create a new UAR campaign to review a departed user’s access
Revoke entitlementsTarget user
Entitlements to revoke
Entitlements to exclude		Create revoke tasks for all AWS entitlements except app access
Grant entitlementsTarget user
Entitlements to grant		Grant access to the “Engineering team” role in Jira
Modify delegateTarget userRemove this user as a delegate
Remove access profilesTarget user
Access profiles to unenroll from (or check the box to unenroll from all)		Unenroll the user from three key access profiles
Modify user statusTarget user
New user status		Change a user’s status to Disabled in ConductorOne
Run automationAutomation name
(Optional) Context in JSON format		Trigger a run of the “Secondary Offboarding Tasks” automation
Perform task actionWhose tasks to take action on
Task type
Action to take		Assign all a user’s open review tasks to the head of Security
Run webhookWebhook name
Payload		Trigger a webhook that creates a ticket to deprovision Figma access
Perform connector action (see below)Connector name
Action name
Additional fields as determined by the connector action’s format		Lock an Active Directory account
Create account (see below)Connector name
Creation method
Additional values, depending on method		Create a new Greenhouse account
Connector actions are custom capabilities set up on a connector. Let our Customer Success team know if you’re interested in learning more or need help setting up a connector action. Account creation with the Custom user creation method uses the same connector-specific schema described in the automatic account provisioning documentation. If you select the From ConductorOne user creation method, ConductorOne will attempt to use the information it has about the user to create the new account.