Selecting and Configuring a Non-Triggering Workflow Action

This page details how to configure a non-triggering Action node within a Workflow using an Enforcement Action from the Select Action pane. For comprehensive information on each Enforcement Action and its associated fields, refer to the Enforcement Actions Library.

To select and configure a non-triggering Workflow Action

1. Select Enforcement Action: In the Select Action right pane, select the desired Enforcement Action for your Workflow's Action node.
   The selected action appears in the Action node on the Workflow canvas.
   The Action Setup pane automatically opens.

2. Name and configure the Action:

   • The default Action name begins with workflow_. You can either use this default name or enter a custom name.
   • (Optionally) Configure dynamic values for this action with values from the Adapter fields, Event fields, and/or Action fields.
   • Fill in the Required Fields and optionally, the additional fields, for the action. Click the ? next to the Enforcement Action name to access detailed documentation for these fields.

4. Configure Action assets: By default, the non-triggering Action operates on the assets resolved from the previous node.
   • You can modify the Action to run on other assets as needed.
   • If this Action runs on All Assets and follows an Action Condition node, by default it only runs on assets that match the latest condition. This can be optionally disabled. Learn more about this option.

Modifying the Action Assets

By default, a non-triggering action is configured to run on the asset resolved in the preceding node:

• An Action following an Event runs on the asset resolved by that Event.
• An Action following an Action node runs on the single asset or all assets resolved from the previous Action node.
• When an action that runs on All Assets follows an Action Condition (anywhere above it in the Workflow path), it defaults to running only on resolved assets that match the latest Action Condition.

You can modify this behavior to run the action on:

• Assets resolved by any previous node in the Workflow (first or all assets).
• The results of a new query (first or all assets).
• The default asset (reverting to the previous node's asset).
• Resolved assets that do not match the latest condition, when following an Action Condition (anywhere above it in the Workflow path).

To modify the asset that the Action runs on

1. Next to the Runs on action (see above screen), click the Edit Asset pencil icon

   

2. Change the action asset to one of the following:

   • A resolved asset from any previous node in the Workflow.
   • The first or all assets that meet the criteria of a Query.
   • The asset(s) resolved from the previous node.

3. Click Apply.

   • If subsequent nodes exist, a warning message appears, stating that the asset change propagates to all subsequent actions in the same path.
   • Click Change Asset to confirm.
   • 'Custom' precedes the name of the new asset.

Running Action on Resolved Assets from Previous Nodes

Workflow data, including resolved assets, is stored in the Workflow Data repository.

Resolved assets are identified as:

• Action[node UUI].<asset type> (for actions)
• Event[node UUI].<asset type> (for events)

You can select resolved assets from previous nodes using the Run action on resolved assets from previous nodes dropdown.

• When an Action running on All Assets follows an Action Condition (anywhere above it in the Workflow path), you can disable the default option so that it also runs on resolved assets that do not match the Condition.

To select resolved assets from a previous node

1. From the Run action on resolved assets from previous nodes dropdown (open by default; if not open, click Select Resolved Assets From Previous Nodes to open it), select a resolved asset.
   Example: You can choose to run the action on User assets from a previous Event node or Vulnerability assets from a previous Action node.
   

2. When an Action running on All Assets follows an Action Condition, you can disable the default option to also run on resolved assets that do not match the Condition. Learn more about this option and how to disable it.

Running Action on Assets Matching Latest Condition

When an Action node running on All Assets follows a Condition node, the Only assets that match the latest condition option appears and is enabled by default.

• An orange icon indicates this in the node itself and after the checkbox text.
  
• This option is only available if previous actions (above this action) following this Action Condition also have this option enabled.
• If you add an Action node above or below a filtered Action node, it is filtered by default.
• If you remove filtering from an Action node following a condition, filtering is removed from all its child nodes.
• You can't add filtering to an Action node following an Action node without filtering.
• If you add filtering to an Action node following a condition, filtering is added to the Action nodes following it. Similarly, if an Action below an Action Condition does not have filtering enabled, filtering is not available for nested Action Conditions.
• Clear the checkbox to disable this option. In this case, the action runs on all resolved assets, even those that do not match the latest condition. All nodes in the same path following this action have this checkbox disabled automatically.

Selecting Different Action Assets Using the Query Wizard

You can configure the action to run on different assets, using the Query Wizard and selecting a new or existing query.

You can choose whether to run the action on either of the following:

• The first asset resulting from a query at the time that it runs (split run; the default). The Workflow runs once per asset. In this case, the Workflow proceeds to the next node after it runs on this single asset.
• Each asset returned from the query at the time that it runs (bulk run). In this case, the Workflow proceeds to the next node only after it runs on all assets returned from the query.

Bulk runs enable automating tasks that require enumerating multiple assets, supporting a wider range of scenarios.

The Bulk run feature supports the following use cases:

• Disabling service accounts in an offboarding workflow.
• Sending asset lists.
• Sending one Slack channel a list of 100 users.
• Case management - Ability to unify to a single Workflow,.
• Running multiple Enforcement Actions on different queries in a single Workflow

To select an asset using the Query Wizard

1. Open Query Wizard: Click Select Asset Using the Query Wizard.
2. Configure Query:
   • Under Run action on asset that matches the query, from the Module dropdown, select an asset type.
   • From the Adapter dropdown, select an adapter.
   • Use an existing query or create a query to filter out an asset that meets specified criteria.
     • Existing query - From the Field dropdown, select Saved Query. Then, from the Select Query dropdown that opens, select a predefined query.
     • New query - From the Field dropdown, select a field name from the selected adapter. Then, select from the Function dropdown, a function, and in the adjacent Field Value box that opens, type a value or copy a field value from the Workflow Data dialog.
   • Ensure the field value is relevant for the selected field type and operator/function of the query. Learn more about creating a new Query using the Query Wizard.
3. Set Asset count: In the Additional Settings section, under Number of Assets, set the number of assets that the action runs on:
   • First Asset (default) - The first asset that the query returns at the time that it runs. Runs the Workflow once per asset.
   • All Assets - All assets that the query returns at the time that it runs. In this case, the Workflow proceeds to the next node only after it runs on all assets returned from the query.

Resetting Action to Run on Default Assets

You can click Reset to default from either tab to reset an action configured to run on resolved assets from any previous node or on query results, to run on its default assets, i.e., those resolved in the previous node.

This resets the current node and all subsequent nodes in the same path.