Skip to main content
An automation needs at least one step, and can have as many steps as you need. You can reorder steps using the arrow controls. Each step can access data from the trigger and from previous steps using CEL expressions and the {{ }} template syntax. On the Advanced tab of each step, you’ll find the step’s Step ID, which is how downstream steps reference its output (for example, ctx.my_step_name.field). On the Available data tab, you can browse data from previous steps. See workflow expressions for full syntax. In the field tables below:
  • Required fields must be configured for the step to save.
  • CEL indicates the field accepts CEL expressions or {{ }} template syntax.

Send email

Alerts stakeholders about important events via email. Error behavior: If the recipient expression resolves to an empty value or invalid email, the step fails and the automation stops.

Send Slack message

Posts a notification to a Slack channel or as a direct message to one or more users. Channel Direct message Error behavior: Fails if the channel doesn’t exist or the C1 app for Slack doesn’t have access, or if a recipient doesn’t have a linked Slack account. Requires the C1 app for Slack to be configured.

Wait for duration

Pauses the automation workflow for a specified period before continuing to the next step. Useful for giving users time to respond to notifications before taking automated action. Error behavior: The step does not fail. The automation execution remains in a waiting state until the duration elapses, then proceeds to the next step.
If a new version of the automation is published while an execution is waiting, the waiting execution completes using the version it started with.

Create campaign

Automatically initiates an access review campaign from a template. Error behavior: Fails if the review template doesn’t exist or the target user can’t be resolved.

Revoke entitlements

Removes specified access permissions from a user while optionally excluding certain entitlements. Exclusions: When revoking “all” entitlements, use exclusions to preserve specific access (for example, keep compliance-required archival access while revoking everything else). Error behavior: If an entitlement doesn’t exist or the user doesn’t have it, the step skips that entitlement and continues. The step only fails if the target user can’t be resolved.
Revoking an entitlement creates a revoke task. If the app’s connector supports provisioning, the revocation is carried out automatically. Otherwise, it creates a manual task for an app owner.

Grant entitlements

Automatically assigns specified entitlements to a user. Commonly used in onboarding workflows. Error behavior: Fails if the target user can’t be resolved or the entitlement doesn’t exist.
Granting an entitlement creates a grant task. If the app’s connector supports provisioning, the grant is carried out automatically. Otherwise, it creates a manual task for an app owner.

Modify delegate

Updates delegation settings for a user.

Remove access profiles

Unenrolls a user from one or more access profiles, stopping automatic access provisioning from those profiles.

Modify user status

Changes a user’s account status in C1.

Run automation

Triggers another automation, allowing you to chain workflows together.

Passing context to child automations

The optional Context field lets you pass data from the current automation to the child. The context must be valid JSON. Use {{ }} template syntax to include dynamic values:
In the child automation, access the passed context via ctx.trigger:
Error behavior: Fails if the target automation doesn’t exist or isn’t published. The parent automation does not wait for the child to complete; it proceeds to the next step immediately.
When debugging chained automations, check execution history on both the parent and child automations separately. The parent’s log shows that the Run automation step succeeded (meaning it triggered the child), but you need to check the child’s execution history to see if the child’s steps succeeded.

Perform task action

Manages existing C1 tasks by taking actions like reassigning, completing, or canceling them.

Run webhook

Sends an HTTP request to an external system. Use this to integrate with ticketing systems, notification platforms, or custom APIs.

Request format

The webhook sends an HTTP POST to the configured URL with the JSON payload as the request body. Use template syntax to include dynamic data:
Error behavior: Fails if the webhook returns a non-2xx HTTP status code or times out. The error details (status code, response body) are visible in the execution log.
Output data. The webhook response is available to downstream steps via ctx.<step_name>.response. This lets you act on data returned by external systems.

Perform connector action

Executes app-specific operations through a connector. The available actions depend on what the connector supports.

Finding available actions

The actions available for each connector depend on the connector’s capabilities. When you select a connector, the action dropdown shows only the actions that connector supports. Check the connector capabilities table for an overview.

Common connector actions by app

The specific field requirements vary by action. After selecting an action, the step form displays the fields required for that action. Error behavior: Fails if the connector is offline, the action is not supported, or required fields are missing. Check the connector’s sync status on the application page if this step fails.

Create account

Provisions a new account in a connected application.

Creation methods

  • From C1 user data: Automatically maps the C1 user’s profile fields (name, email, department, and so on) to the target app’s account schema. Use this when the target app’s fields align with standard user attributes.
  • Custom: Manually specify each field value. Use this when the target app requires fields that don’t map directly from the user profile, or when you need to compute values (for example, generating a username from the email prefix using CEL).
Error behavior: Fails if the connector doesn’t support account creation, required fields are missing, or an account already exists for the user in the target app (behavior depends on the connector).

Call function

Executes a C1 Function with specified input parameters, enabling custom logic and transformations within your automation.

Passing inputs

Function input parameters are defined by the Function’s code. Use CEL expressions to pass dynamic values:

Using function output

The Function’s return value is available to downstream steps via ctx.<step_name>. For example, if a Function named risk_check returns { "risk_score": 8, "should_review": true }, downstream steps can reference:
Use these in step conditions to create conditional logic:
For a full walkthrough of building Functions and using them in automations, see using Functions in automations. Error behavior: Fails if the Function throws an unhandled error or exceeds its execution timeout. The error message from the Function is visible in the execution log. Debug Function errors in the Functions UI, which has its own invocation logs.

Generate password

Generates a random password using either a preset 32-character random password or a custom policy.

Set credential

This step is in early access. If you’re interested in using it, please contact the C1 Support team to request access.
Apply a credential to a user’s account in a connected application.
Set credential is only supported for self-hosted connectors. Cloud-hosted connectors do not support credential actions.
Error behavior: Fails if the target account can’t be resolved, the account isn’t connected to the selected connector, or the connector is offline. Check the connector’s sync status on the application page if this step fails.

Store credential

Store a generated credential in a C1 vault and optionally deliver it to a recipient. Error behavior: Fails if any recipient can’t be resolved. For Email verified auth type, also fails if a recipient has no email address. The step retries automatically on transient vault service errors.