---
title: Workflow Triggers
category: Workflows & Automation
tags: triggers, events, automation, conditions, scheduling
priority: Normal
---
Workflow Triggers
Workflow Triggers determine when and why a workflow executes. Located at /access-review/workflow-triggers, the Triggers page lets administrators connect workflows to real-time events, scheduled intervals, manual actions, or policy violations so that approval processes start automatically at the right moment.
What is a Trigger?
A trigger is a rule that watches for a specific condition or event and launches a workflow when that condition is met. Without triggers, workflows are inert designs; triggers bring them to life.
| Component | Description |
|---|---|
| Trigger Type | How the trigger fires (manual, scheduled, event, policy) |
| Conditions | Optional filters that narrow when the trigger fires |
| Workflow | The workflow that executes when the trigger fires |
| Status | Whether the trigger is enabled or disabled |
Trigger Types
Manual Triggers
Manual triggers are invoked on-demand by an administrator or an end user.
| Scenario | How It Works |
|---|---|
| Admin-Initiated | An admin clicks "Run Workflow" from the administration console |
| Self-Service Request | A user submits an access request through the Access Catalog |
| Bulk Action | An admin selects multiple objects and applies a workflow |
Manual triggers are useful during initial rollout or for ad-hoc requests that do not follow a predictable pattern.
Scheduled Triggers
Scheduled triggers fire on a recurring cadence defined by a cron expression or a simple interval.
| Schedule Pattern | Cron Expression | Description |
|---|---|---|
| Daily at 8 AM | 0 0 8 * * ? | Run every morning |
| Weekly on Monday | 0 0 9 ? * MON | Run every Monday at 9 AM |
| Monthly on the 1st | 0 0 6 1 * ? | Run the first day of each month |
| Quarterly | 0 0 6 1 1,4,7,10 ? | Run at the start of each quarter |
Common uses for scheduled triggers:
- Periodic access recertification reminders
- Weekly stale-account review workflows
- Monthly privileged access audit
Tip: Align scheduled triggers with your organization's compliance calendar. If quarterly access reviews are required by SOX, create a quarterly trigger that launches the review campaign workflow automatically.
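A quick way to check a cron expression before enabling a scheduled trigger is to evaluate it against candidate timestamps. The matcher below is an added example, not IdentityCenter code; it handles the 6-field Quartz-style syntax used in the table above (seconds, minutes, hours, day-of-month, month, day-of-week) with `*`, `?`, comma lists, ranges and day/month names, which is enough to confirm that the quarterly expression fires only on 1 Jan, 1 Apr, 1 Jul and 1 Oct at 06:00.

```python
from datetime import datetime

# Added example (not part of the product docs): matcher for the 6-field
# Quartz-style cron expressions shown in the schedule table. The optional
# seventh (year) field is not supported. Matching is at whole-second resolution.

# Quartz numbers days of week SUN=1 .. SAT=7; months are 1..12.
DOW = {"SUN": 1, "MON": 2, "TUE": 3, "WED": 4, "THU": 5, "FRI": 6, "SAT": 7}
MON = {m: i + 1 for i, m in enumerate(
    "JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split())}


def _field_matches(spec: str, value: int, names: dict) -> bool:
    """True if one cron field (e.g. '*', '?', '1,4,7,10', 'MON-FRI') covers value."""
    if spec in ("*", "?"):
        return True
    for part in spec.upper().split(","):
        lo, _, hi = part.partition("-")
        lo = names.get(lo, lo)          # translate names such as MON or JAN
        hi = names.get(hi, hi) if hi else lo
        if int(lo) <= value <= int(hi):
            return True
    return False


def cron_matches(expr: str, when: datetime) -> bool:
    """Return True if a Quartz-style expression would fire at the given instant."""
    fields = expr.split()
    if len(fields) != 6:
        raise ValueError("expected 6 fields: sec min hour day-of-month month day-of-week")
    sec, minute, hour, dom, month, dow = fields
    # Quartz does not allow both day fields to be specified; one must be '?'.
    if "?" not in (dom, dow):
        raise ValueError("use '?' in either day-of-month or day-of-week")
    # Python weekday() is Mon=0..Sun=6; convert to Quartz SUN=1..SAT=7.
    quartz_dow = (when.weekday() + 1) % 7 + 1
    return (_field_matches(sec, when.second, {})
            and _field_matches(minute, when.minute, {})
            and _field_matches(hour, when.hour, {})
            and _field_matches(dom, when.day, {})
            and _field_matches(month, when.month, MON)
            and _field_matches(dow, quartz_dow, DOW))
```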
Event-Based Triggers
Event-based triggers respond to real-time changes detected during synchronization or through direct system events.
| Event | Description | Example Workflow |
|---|---|---|
| New User Created | A new AD account is synced for the first time | Onboarding approval and provisioning |
| Group Membership Change | A user is added to or removed from a group | Review privileged group additions |
| Privileged Access Granted | A user is added to a privileged group (Domain Admins, etc.) | Security team review and CISO approval |
| Role Change | A user's title or job role attribute changes | Access re-review by new manager |
| Department Change | A user's department attribute changes | Transfer workflow with access cleanup |
| Manager Change | A user's manager attribute changes | New manager reviews existing access |
| Account Disabled | An account is disabled in AD | Offboarding and access revocation workflow |
| Account Enabled | A previously disabled account is re-enabled | Return-from-leave approval |
| Password Expired | A user's password has expired | Notification and remediation |
| Attribute Modified | Any tracked attribute changes | Custom review based on the attribute |
Event triggers are the foundation of real-time identity governance. They eliminate delays between an identity change and the appropriate governance response.
Policy-Based Triggers
Policy-based triggers fire when a policy evaluation produces a violation.
| Scenario | Description |
|---|---|
| New Violation Detected | A policy evaluation finds a new compliance violation |
| Severity Threshold | Only trigger for violations at or above a specified severity |
| Specific Policy | Trigger only for violations from a named policy |
Policy-based triggers bridge the gap between detection and remediation. When a policy flags a stale account, a policy-based trigger can automatically launch a workflow that notifies the manager and requests a decision.
For more on policies and violations, see Policies Overview and Lifecycle Management.
Condition-Based Filtering
Every trigger type supports optional conditions that narrow when the trigger fires. Conditions prevent irrelevant workflows from launching.
Available Condition Fields
| Field | Operators | Example |
|---|---|---|
| Department | equals, not equals, contains | Only trigger for IT department |
| Title | equals, contains, starts with | Only trigger for managers |
| Location | equals, not equals | Only trigger for HQ employees |
| Risk Level | equals, greater than | Only trigger for High or Critical |
| Object Type | equals | Only trigger for user accounts (not computers) |
| Group Name | equals, contains | Only trigger for Domain Admins changes |
| Source Connection | equals | Only trigger for a specific AD forest |
Combining Conditions
Conditions can be combined with AND/OR logic:
Trigger: Group Membership Change
Conditions:
- Group Name contains "Admin" AND
- Department equals "IT"
Result: Only fires when an IT user is added to an admin group
Trigger: New Violation Detected
Conditions:
- Severity equals "Critical" OR
- Policy Name equals "Privileged Access Monitor"
Result: Fires for any critical violation or any violation from the privileged access policy
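To make the AND/OR semantics concrete, the following added example (not IdentityCenter code; the `Trigger` and `Condition` classes and the event dictionary layout are assumptions) evaluates the two triggers above against constructed events and shows which ones would launch a workflow.

```python
from dataclasses import dataclass, field as dc_field
from typing import Any

# Added example, not the product's API: a minimal evaluator for the
# field / operator / value conditions described on this page, joined by
# a single AND or OR logic setting as in the two examples above.

RISK_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

# Operators from the "Available Condition Fields" table; matching is
# case-insensitive so "it" and "IT" compare equal.
OPERATORS = {
    "equals": lambda a, b: str(a).lower() == str(b).lower(),
    "not equals": lambda a, b: str(a).lower() != str(b).lower(),
    "contains": lambda a, b: str(b).lower() in str(a).lower(),
    "starts with": lambda a, b: str(a).lower().startswith(str(b).lower()),
    "greater than": lambda a, b: RISK_RANK.get(str(a), -1) > RISK_RANK.get(str(b), -1),
}


@dataclass
class Condition:
    field: str
    operator: str
    value: Any


@dataclass
class Trigger:
    event_type: str
    conditions: list = dc_field(default_factory=list)
    logic: str = "AND"          # logical operator between conditions
    enabled: bool = True

    def should_fire(self, event: dict) -> bool:
        """True if this trigger would launch its workflow for the event."""
        if not self.enabled or event.get("type") != self.event_type:
            return False
        if not self.conditions:
            return True          # no conditions: fire on every matching event
        results = [OPERATORS[c.operator](event.get(c.field, ""), c.value)
                   for c in self.conditions]
        return all(results) if self.logic == "AND" else any(results)


# The two triggers from the examples above.
ADMIN_GROUP_IT = Trigger("Group Membership Change", [
    Condition("Group Name", "contains", "Admin"),
    Condition("Department", "equals", "IT")], logic="AND")

CRITICAL_OR_PAM = Trigger("New Violation Detected", [
    Condition("Severity", "equals", "Critical"),
    Condition("Policy Name", "equals", "Privileged Access Monitor")], logic="OR")
```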
Template Library
IdentityCenter includes a library of pre-built trigger templates for common governance scenarios.
| Template | Trigger Type | Description |
|---|---|---|
| New Hire Onboarding | Event: New User Created | Launch onboarding workflow for new accounts |
| Privileged Access Alert | Event: Privileged Access Granted | Route to security team for approval |
| Quarterly Access Review | Scheduled: Quarterly | Launch access certification campaign |
| Stale Account Cleanup | Scheduled: Monthly | Evaluate and route inactive accounts |
| SoD Violation Response | Policy: Violation Detected | Route segregation-of-duties violations to compliance |
| Manager Transfer Review | Event: Manager Change | New manager reviews inherited access |
| Offboarding | Event: Account Disabled | Revoke access and notify stakeholders |
To use a template:
- Navigate to Workflow Triggers
- Click New from Template
- Select the desired template
- Customize conditions and the assigned workflow
- Save and enable
Creating a Trigger
Step 1: Define the Trigger
- Navigate to Access Reviews > Workflow Triggers
- Click New Trigger
- Enter a Name and Description
- Select the Trigger Type (Manual, Scheduled, Event, Policy)
Step 2: Configure the Trigger
For Scheduled triggers, set the cron expression or select a simple interval. For Event triggers, select the event type from the dropdown. For Policy triggers, select the policy or severity threshold.
Step 3: Add Conditions (Optional)
- Click Add Condition
- Select the field, operator, and value
- Add additional conditions as needed
- Set the logical operator (AND/OR) between conditions
Step 4: Assign a Workflow
- Select the workflow to execute from the dropdown
- Only Active workflows appear in the list
- If no suitable workflow exists, create one first in the Workflow Designer
Step 5: Save and Enable
- Click Save to create the trigger in a disabled state
- Review the configuration
- Click Enable to activate the trigger
Testing Triggers
Before enabling a trigger in production, test it to verify correct behavior.
Test Methods
| Method | Description |
|---|---|
| Simulate | Click Test on the trigger to simulate it with sample data |
| Dry Run | Enable the trigger with the workflow in test mode (no real actions) |
| Limited Scope | Add a narrow condition (e.g., one specific user) to test with real data |
| Audit Log Review | After a test run, review the audit log to confirm expected behavior |
Testing Checklist
- Trigger fires for the correct events or schedule
- Conditions correctly filter out irrelevant cases
- The correct workflow is launched
- Approver resolution within the workflow works as expected
- Notifications are sent to the right recipients
Enable and Disable
Toggle a trigger's status at any time:
- Enable -- The trigger begins watching for its condition and will launch workflows
- Disable -- The trigger stops watching; in-flight workflows already launched are not affected
Disabling a trigger is useful during maintenance windows, organizational changes, or when troubleshooting unexpected workflow launches.
Best Practices
- Start with templates -- Customize pre-built templates rather than building from scratch
- Use conditions aggressively -- Narrow triggers to avoid launching unnecessary workflows
- Test before enabling -- Always simulate or dry-run a trigger before going live
- Monitor trigger frequency -- Review the audit log regularly to ensure triggers fire at the expected rate
- Pair event triggers with scheduled triggers -- Event triggers catch real-time changes; scheduled triggers catch anything that slipped through
- Document trigger-to-workflow mapping -- Maintain a reference of which triggers launch which workflows for the operations team
Next Steps
- Workflow Designer -- Build the workflows that triggers execute
- Approver Resolution -- How approvers are determined within workflows
- Escalation & SLA Tracking -- Timeout and escalation rules for triggered workflows
- Access Catalog Overview -- Self-service portal that generates manual triggers
- Lifecycle Management -- Policy-driven remediation workflows