Edit Workflow

Template Gallery - Workflow - Policy Manager > Turn off audiences on create/edit policies form

Data Sources

▶ Start Workflow

Check to auto save every two minutes

Document Information « Return to Dashboard ▾

Title*

Start Date

Comments

Provide comments for the previous or next user on the current document's status.

Document Preview

Version History ▾

🕔 Workflow Activity Timeline

- Step 1 of 1

br bret test 02/17/2026 3:53 PM

▼ Show Details

Policy: Test Record 19

Version: 📄 0f10a40b-a703-f111-91c1-005056883787

Tracker: 5bfbf4b8... | Parent: 0f10a40b...

No document Open Flipbook

<b>Template Gallery - Workflow - Universal Workflow Report for either Policies or Generic Enhanced DD</b>

Data Sources

Classification ▾

Taxonomy

View Taxonomy Structure

UNIVERSAL

*Workflow Stages

Initiation

Processing & Verification

Claiming & Locking

Rejection & Re-Routing

Completion

Suspension & Resumption

Final Closure

AI Skill Manager

A/B Testing & Experimentation

Academic & Research

Accounts Payable Management

Accounts Receivable Management

Accreditation & Institutional Compliance

Active Directory Integration

ADA & Section 508 Accessibility

Agile & Scrum Facilitation

Agile Coaching & Transformation

AI Acceptable Use Policy

AI Budget & Token Cost Controls

AI Output Approval Workflow Rules

AI Output Confidence Scoring

AI Persona & Expertise Framing

Subject Matter Expert (SME) Persona

AI Prompt Manager — Budget & Cost Controls

AI Prompt Manager — Compliance & Governance Fields

AI Prompt Manager — Condition SQL Patterns

AI Prompt Manager — Delivery Methods

AI Prompt Manager — Prompt Template Design

AI Prompt Manager — Response Caching

AI Prompt Manager — Scheduling & Following Chains

AI Prompt Manager — System Prompt Design

AI Prompt Manager — Trigger Event Types

AI Prompt Manager — Write-Back Patterns

AI Skill Manager — External Export Packaging

AI Skill Manager — Index & Retrieval Configuration

AI Skill Manager — Module Architecture

AI Skill Manager — Retrieval Bucket Priority Model

AI Vector Index — Embedding & Re-indexing

AI Vector Index — Security Model Inheritance

AI Vector Index Architecture

AI-Generated Code Security Review

Alternative URL & Federation Patterns

Alumni & Development Relations

Anti-Bribery & Anti-Corruption (FCPA)

Anti-Money Laundering (AML) & KYC

Approval Workflow Routing

Arabic

Architecture Evolution & Migration

Artificial Intelligence & Machine Learning

Asset Management — Real Estate

Athletics Administration

Attribute Generator Rules

Attribute HTML Cleaner Rules

Audiences — Anonymous vs Authenticated Handling

Audit Trail Requirements

Backlog Management

Board Governance — Nonprofit

Board Member & Director

Board Package

Brand Management

Budget & Appropriations

Budget Management & Forecasting

Bulk vs Incremental Transfer Behavior

Bullet Point Brief

Business Continuity & Disaster Recovery

Business Development

Business Intelligence & Reporting

CAN-SPAM & Email Marketing Compliance

Capital Markets & Investor Relations

Carbon Accounting & Reporting

Care Coordination & Case Management

Case Study

CCPA — California Consumer Privacy Act

Centralpoint — AI Integration Layer

AI Prompt Manager — Module Architecture

Centralpoint — Content & Module Architecture

Module Configuration XML Structure

Centralpoint — CpScripting & Templating

CpScript Syntax Rules & Tag Format

Centralpoint — Data Cleaner & Governance

Data Cleaner Overview & Architecture

Centralpoint — Delivery & Communication

Email Broadcast — Configuration & Scheduling

Centralpoint — Developer & Integration Tools

Web API — ReadResults & ReadDetails

Centralpoint — Event & Automation Engine

Data Triggers — When/If/Do Architecture

Centralpoint — Forms & Workflow

Form Architecture & ff-container Structure

Centralpoint — Learning & Engagement

LMS — Course Design & Configuration

Centralpoint — Platform History & Architecture

Platform Version History (v8.0 — v8.11)

Centralpoint — Security & Identity

Audiences — Architecture & Design Patterns

Change Management

Channel & Partner Management

Chief Compliance Officer (CCO)

Chief Data Officer (CDO)

Chief Financial Officer (CFO)

Chief Human Resources Officer (CHRO)

Chief Information Officer (CIO)

Chief Legal Officer / General Counsel

Chief Marketing Officer (CMO)

Chief of Staff

Chief Operating Officer (COO)

Chief Revenue Officer (CRO)

Chief Technology Officer (CTO)

Client Relationship Management — Legal

Clinical & Medical

Clinical Quality & Patient Safety

Clinical Research & Trials

Cloud Infrastructure & DevOps

Coach & Mentor Persona

Communication & Style Skills

Tone & Register

Executive & Board Level

Compensation & Benefits Design

Competitive Analysis

Competitive Intelligence

Competitor & Political Deflection

Compliance Officer

Compliance Officer Persona

Concise & Direct (Executive Summary Style)

Consent & Privacy Compliance

Constituent Services

Content Strategy & Marketing

Context Assembly & RAG Patterns

Contract Management & Lifecycle

Contract Negotiation — Operations

Contract Negotiation — Sales

Conversational & Employee Facing

COPPA — Children's Online Privacy Protection

Corporate & Transactional Law

Corporate Communications

Corporate Controller

Corporate Governance & Secretary

Corporate Social Responsibility (CSR)

Cost Accounting & Variance Analysis

Court & Judicial Administration

CpScript — Column Binding (Attribute Fields)

CpScript — Column Binding (Standard Fields)

CpScript — Date & Time Formatting

CpScript — Escape Patterns (cpsys_Apos, Brackets)

CpScript — FormState & Form Data

CpScript — Image & File Rendering

CpScript — Literal Scripting & Conditional Filters

CpScript — Navigation & SiteMap Scripts

CpScript — Placeholders & ItemContent

CpScript — Random String & System Constants

CpScript — Taxonomy & Audience Context

CpScript — UserInfo & Session Context

Creative Direction & Design

Credential & Secret Exposure Prevention

Credit Risk Management

Criminal Law

Crisis Communications

Cross-Site Scripting (XSS) Prevention

CSAT & Quality Management

Curriculum Design & Development

Custom Delimiters & Text Qualifiers

Customer Experience & Service

Customer Experience Strategy

Customer Journey Mapping

Customer Loyalty & Retention Programs

Customer Service Representative Persona

Customer Success Management

Customer Support Management

Cybersecurity & Information Security

Data & Analytics

Data Strategy & Governance

Data Broadcast — Configuration & Distribution

Data Classification Standards

Data Engineering & Analytics Engineering

Data Governance

Records Retention Schedules & Policies

Data Lineage & Provenance

Data Quality Standards

Data Residency & Sovereignty

Data Science & Predictive Modeling

Data Transfer Scheduling & Process Log

Data Triggers — Bulk Transfer Silent Behavior

Data Triggers — Chaining & Sequencing

Data Triggers — Condition Builder Logic

Data Triggers — Delete Event Patterns

Data Triggers — IDataTrigger Custom Code Interface

Data Triggers — Insert Event Patterns

Data Triggers — Update Event Patterns

Data Triggers — Z Delivery — Email

Data Triggers — Z Delivery — Field Write-Back

Data Triggers — Z Delivery — In-Portal Notification

Data Triggers — Z Delivery — SMS via Twilio

Data Triggers — Z Delivery — Webhook & Outbound Push

Data Visualization & Dashboard Design

Database Administration

DataSource — Empty Item Content

DataSource — Filtering (QueryString, Taxonomy, User, Date)

DataSource — Item Content Binding Patterns

DataSource — Sorting, Pagination & Export

DataSource — SQL SELECT Command Patterns

DataSource — Standard vs Attribute Field Binding

DataSource — Template Content & ItemContent Placeholder

Deal Desk & Pricing

Deduplication Governance Rules

Deduplication Rules & Merge Logic

Demand Generation & Lead Management

Deployment & Update Patterns

Developer Relations & Community

Digital Marketing & SEO

Disposition & Destruction Certification

Diversity, Equity & Inclusion (DEI)

Document Generation from Form Submissions

Donor Relations & Stewardship

Dutch

eCommerce Operations & Management

Economic Development

Education

K-12 School Administration

Email Broadcast — Audience Targeting

Email Broadcast — CAN-SPAM Compliance

Email Broadcast — Click Tracking & Bounce Management

Email Broadcast — CpScripting in Body

Email Broadcast — Linked AI Prompt Output

Email Communication

Email Formatting — Mobile Responsive Design

Email Formatting — Outlook-Safe HTML Templates

Email Marketing

Emergency Management

Empathetic & Supportive

Employee Relations

Employee Wellness & Benefits Programs

Employment & Labor Law

Employment Law

Encryption & Certificate Management

English — United Kingdom

Enterprise Account Management

Enterprise Architecture

Environmental Compliance

Environmental Health & Safety (EHS)

Escalation & Human-in-the-Loop Rules

Escalation Management

ESG & Sustainability

Sustainability Strategy

ESG Disclosure & Reporting (GRI, SASB, TCFD)

Ethics & Code of Conduct

Event Marketing & Management

EventBrite Webhook Integration

Excel Integration

Executive Dashboard Design

Executive Summary

Executive Vice President

Export Controls & Trade Compliance

External API Credential Handling

External Audit & Assurance

Facilitator & Moderator Persona

Facilities Management

Faculty & Staff Development

FAQ Format

Feature Definition & User Stories

Feature Introduction Timeline

FERPA — Family Educational Rights & Privacy

Field Map XML & Processing Tab

Field Sales & Territory Management

Finance & Accounting

Financial Planning & Analysis (FP&A)

Financial Aid Management

Financial Reporting & Period Close

Financial Services

Banking Operations

Financial Systems & ERP Management

FINRA & SEC Financial Services Compliance

FitBit & Wellness Integration

Fleet Management

Following — Multi-Threaded Fan-Out Patterns

Following — Subscription & Pipeline Architecture

Form Field Types — FormHiddenField & System Auto-Population

Form Field Types — FormListBox & FormRadioButtonList

Form Field Types — FormTaxonomy & FormAudience

Form Field Types — FormTextBox & FormEditor

Form Field Types — FormUpload & FormSignature

Form Validation Patterns

Formal & Diplomatic

Format Conversion — PDF to Word

Format Conversion — Word to HTML

Format Conversion — Word to OOXML

FormState Retrieval & Serialization

Form-to-Module Field Mapping

French

FTC — Advertising Standards & Endorsements

Full 477-Script Reference Library

Fundraising & Development

Gamification — Badges & Milestone Achievements

Gamification — Knowledge Leader Rankings

Gamification — Points & Activity Quantification

GenericEnhanced Module Patterns

German

GLBA — Gramm-Leach-Bliley Financial Privacy

Go-to-Market Planning

Governance Skills

AI Behavioral Governance

Hallucination Prevention & Honest Unknown Response

AI Orchestraional

Government & Public Sector

Municipal Government Administration

Grant Management & Reporting

Grant Writing & Grant Management

Grant Writing & Research Funding

Guardrail Conflict Resolution

Health Plan Administration

Healthcare Compliance — HIPAA & Joint Commission

Help Desk & End User Support

Help Desk & Ticket Management

Higher Education Administration

Hindi

HIPAA — Health Insurance Portability & Accountability

Hospital Administration

HR Analytics & People Reporting

HTML Cleaner Rules

Human Resources & People Operations

HR Strategy & Business Partnership

Impact Measurement & Reporting

Indexing vs Ingestion Strategy

Industry Skills

Healthcare

Clinical Documentation Specialist

Information Technology

IT Strategy & Governance

Innovation Management

Inside Sales & Sales Development (SDR/BDR)

Installation & Server Configuration

Instructional Technology & eLearning

Insurance & Risk Finance

Insurance Underwriting & Claims

Intellectual Property Law

Intellectual Property Management

Internal Audit

Internal Communications

Inventory & Loss Prevention

Inventory Management

Investment Management & Portfolio Analysis

IP Manager & Authorization

Issue Brief

IT Compliance & Audit

IT Project Management

IT Service Management (ITSM)

Italian

ITAR & Export Controls

Jailbreak & Prompt Injection Defense

Japanese

Journalist & Investigator Persona

Journalistic & News Writing

Keyword Generator Rules

Knowledge Base Management

Korean

KPI & OKR Framework Design

Lab Management

Labor Relations & Union Management

Language & Localization

English — United States

Lean Manufacturing & Continuous Improvement

Learning & Development

Lease Administration

Legal & Compliance

General Counsel

Legal & Regulatory

Legal Billing & Matter Management

Legal Hold Management

Legal Memo

Legal Services

Law Firm Management

Legislative & Policy Analysis

Litigation Management

Litigation Practice

LMS — Assessment & Scoring

LMS — Compliance Tracking & Reporting

LMS — Course & Question Import Format

LMS — Role-Based Course Assignment

Logistics & Distribution

Maintenance & Reliability Engineering

Managing Director

Mandarin Chinese — Simplified

Mandarin Chinese — Traditional

Manufacturing

Production Planning & Scheduling

Market Research & Consumer Insights

Marketing & Communications

Marketing Strategy & Leadership

Marketing & Persuasive

Marketing Analytics & Attribution

Marketplace Management (Amazon, eBay)

Master Data Management

Master Management Console Architecture

Medical Coding & Billing (ICD-10, CPT)

Meeting Minutes

Mergers & Acquisitions (M&A)

Module & Field Access Whitelist Enforcement

Module Designer — Action EXT with Wizard

Module Designer — Actionable EXT Grid

Module Designer — Standard

Mortgage & Lending Operations

Multi-Site & Tenant Architecture

Multi-Tenant Architecture

Navigation & SiteMap Architecture

Network & Systems Administration

Neutral Analyst Persona

Nonprofit

Nonprofit Executive Leadership

Numbered Procedure / SOP

Nursing Leadership

Occupational Skills

Executive Leadership

Chief Executive Officer (CEO)

Offboarding & Separation

Office 365 & Microsoft Graph Integration

Onboarding & Orientation Design

OOXML Word Manipulation

Open Source Management

Operations & Supply Chain

Operations Strategy & Management

Organizational

Organizational Development

OSHA & Workplace Safety Reporting

Output Disclaimer Requirements

Output Format & Structure

Narrative Report

Paralegal & Legal Operations

Parks & Recreation Administration

Password Policy & Retention

Patent & IP Development

Patient Communication & Education

Payroll & HRIS Administration

Payroll Management

PCI-DSS — Payment Card Industry Data Security

Peer Collaborator Persona

Performance & Caching Architecture

Performance Management

Pharmacy Management

PII & Confidentiality Enforcement

PII Redaction — Email & Phone

PII Redaction — Financial Account Numbers

PII Redaction — Medical & Health Identifiers

PII Redaction — SSN & Tax ID

Placeholder Variables & Dynamic Injection

Plain Language & Public Facing

Plant Operations Management

Platform & Marketplace Operations

Platform Skills

Centralpoint — Data Aggregation & Transformation

Data Transfer & Ingestion — Overview

Policy Document

Population Health Management

Portfolio Management

Portuguese — Brazil

Portuguese — Portugal

Presentation Talking Points

President & General Manager

Press Release

Pricing Strategy & Promotions

Privacy Officer & Data Protection Officer (DPO)

Private Equity & Venture Capital

Process Improvement & Lean / Six Sigma

Process Log & Process Monitor

Procurement & Strategic Sourcing

Product Analytics & Metrics

Product Management

Product Strategy & Vision

Product Marketing

Product Requirements & PRD Writing

Program Management

Program Management — Nonprofit

Project & Program Management

Project Management (PMP)

Project Reporting & Status Communications

Prompt Chaining & Pipeline Design

Property Management

Public Records & FOIA Compliance

Public Relations & Media Relations

Public Works & Infrastructure

PWA Push Notification Patterns

QA & Software Testing

Quality Assurance & Control

Quality Control & Six Sigma

Real Estate

Commercial Real Estate Management

Real Estate & Space Planning

Real Estate Development

Real Estate Law

Regulatory & Legal Compliance

GDPR — General Data Protection Regulation

Regulatory Affairs

Regulatory Agency Management

Regulatory Compliance — FINRA, SEC, OCC

Research & Innovation

R&D Strategy & Management

Research Administration

Resource Planning & Capacity

Re-Submit All Module Records Pattern

Retail & eCommerce

Merchandising & Buying

Retail Banking & Branch Operations

Revenue Cycle Management

Revenue Operations (RevOps)

RFP / RFQ Response

Risk Management — Project

Roadmap Planning & Prioritization

Role & Audience Reclassification by Content

Roles — RBAC Configuration

Russian

Safety & OSHA Compliance — Manufacturing

SailPoint Integration

Sales & Business Development

Sales Strategy & Leadership

Sales Analytics & Forecasting

Sales Engineering & Pre-Sales

Scheduled Task Configuration

Scope Boundary Enforcement

SDK — Centralpoint.Utilities Namespace

SDK — Centralpoint.Web Namespace

SDK — Centralpoint.Web.UI Namespace

Security Guardrails

SQL Injection Prevention

SELECT-Only SQL Enforcement

Self-Service & Chatbot Strategy

Sensitive Data Handling Protocols

Sensitive Record Access Control

Shadow AI Prevention

SMARTLINKS & Keyword Aliases

SMS & Short Message

SMS & Text Alert — Twilio Integration

Social Impact Measurement

Social Media — Inbound Monitoring & Aggregation

Social Media — Outbound Publishing Patterns

Social Media — Sentiment Threshold Triggers

Social Media Management

Social Post — Facebook

Social Post — LinkedIn

Social Post — Twitter / X

Software Development & Engineering

Solutions Architecture

Source Connector — Access Database

Source Connector — Active Directory

Source Connector — Centralpoint to Centralpoint

Source Connector — Custom Provider & Web API

Source Connector — Excel & Delimited Files

Source Connector — File Path & Network Drive Spidering

Source Connector — ODBC & OLEDB

Source Connector — Office 365 & OneDrive

Source Connector — RSS & Atom Feeds

Source Connector — SharePoint

Source Connector — SQL & Oracle

Source Connector — XML (ReadXML & CpCollection)

SOX — Sarbanes-Oxley Financial Controls

Spanish — Latin America

Spanish — Spain

Special Education Administration

Sprint Planning & Retrospectives

SSO & SAML Configuration

Stakeholder Management

Standard Fields vs XQuery Attributes

Standard Operating Procedure

Startup Operations & Growth

State & Local Regulatory Requirements

Statistical Analysis

Status Report — RAG Format

Store Operations Management

Student Services & Academic Advising

Supply Chain — Manufacturing

Supply Chain Management

Supply Chain Sustainability

Survey Design & Analysis

Tableau Charts Integration

Talent Acquisition & Recruiting

Tax Management & Strategy

Taxonomy Architecture & Hierarchy Design

Taxonomy Generator Rules

Technical & Developer Audience

Technical Documentation

Technical Writer Persona

Technology Industry

SaaS Product Management

Telehealth & Digital Health

Term Transformation & Standardization

Third-Party LLM Usage Rules

Threshold & Match Scoring

Treasury & Cash Management

Trusted Advisor Persona

Universal DataSource — AI SQL Generation

Universal DataSource — Architecture & Shell

Universal DataSource — SQL Validation & Security

Universal DataSource — Visualization Types

User Research & Usability

User Research & UX Design

Vendor & License Management

Vendor Management & Relations

Visual Merchandising

Voice of Customer & NPS Programs

Volunteer Management

Vulnerability Protection & Security Headers

Wealth Management & Financial Advisory

Web API — Custom C# Methods

Web API — Security Modes & Access Tokens

Web API — Syndication & Outbound Push

Web API — UpsertData & DeleteData

Web API — User Management Methods

White Paper

Word Add-In Integration

Workflow Email Templates — Body & ApprovalBody

Workforce Planning & Headcount

WW Universal Dynamic Module Designer

Document Types (Basic)

Agreement

Attestation

Complaint

Confidentiality

Contract

FAQ

Glossary Term

Notice

Press Release

Proposal

RFP

Waiver

File Types (Extended)

Category

Alert / Notification

Analysis

Behavioral Compliance

Chat

Classification

Coaching

Content Generation

Customer Success

Data Governance

Deduplication

Document Generation

Executive Leadership

External Data Monitor

Facilities / Operations

Field Sales

Finance / CFO

Guardrail / Safety

Help Desk / Support

HR / People Ops

Onboarding

Partner Channel

Procurement

Product Management

Q&A

QA / Testing

Report Narrative

Risk & Compliance

Solutions Architecture

Summarization

Channel / Audience

Compliance Officer

Customer

Employee

Executive

Partner

Public

Delivery Method

Chart / Dashboard Render

Chat Response

Conditional Write Routing

Data Broadcast

External System Write

Field Write-back

Governance Rule Assignment

Metadata Enrichment

Module-to-Module Transfer

NLS Search Enrichment

Page / Record Display

Portal Notification

PWA Push

Response Cache

SMS / Text

Social Media Outbound

Taxonomy Write

Webhook

Library Tier

Client Custom

Client-Authored

Oxcyon Core

Risk Level

Critical

High

Low

Medium

Triage/Routing

Trigger Source

External Data Feed

Form Submission

Inbound API / Web Service

Page / Record Load

Pipeline Step

Record Delete

Record Insert

Record Update

Scheduled / Batch

Social Listening

User Chat / NLS Search

Alert Categories

Add your global alert categories here (delete this record)

Blog

Meaningful Use

Privacy

CRM

Budget Calendar

Quarter 01

Quarter 02

Quarter 03

Quarter 04

Competitive Landscape

Competitor 01

Competitor 02

Competitor 03

Industry Vertical

Banking

Distribution

Government

Healthcare

Manufacturing

NPO

Lead Sources

Google

Referral

Capterra

Gartner

Software Advice

Upsell

Website

Opportunity Type(s)

Custom Integration

Data Migration, Mining

Document Management

Enterprise CMS Portal

Intranet

Public Website(s)

Opportunity Value

0 - $5000

$6000 - $25,000

$25,001 - $50,000

$50,001 - $75,000

$75,001 - $100,000

$100,001 - $200,000

$250,000+

Sales Representative

James Kekic

James Venus

John Hunter

Kevin Michnicki

Sales Stage

Need to Book

Demo Scheduled

Demonstration Completed

Interest Level 01

Interest Level 02

Interest Level 03

Demo Done

Timeframe

Immediate

Next 30 Days

Next 60 Days

Next 90 Days

Next 120 Days

Next 180 Days

Follow Up

Ready to Close

Won or Lost

Closed - Lost

Closed - Won! (CLIENT)

Title

CEO

CIO

CTO

Marcom

CXO

CFO

CMO

Decision Trees

Employee Access & Permissions Management

Activate alerts

Ask: “Should privileged activity trigger behavioral or anomaly alerts?”

Validate

No Alerts Needed

Proceed

Activate behavioral and anomaly alerts

Ask: “Should privileged activity trigger behavioral or anomaly alerts?”

Validate alert requirement

Configure Alerts

Confirm

Proceed

Add new access or permissions to an existing user

Ask: “Can you confirm the username or employee ID?”

Verify identity in AD/HRIS

Confirm Active Status

If Active

Begin adding requested permissions

Apply new access in system |

Verify in AD/HRIS

Invalid request

Inform caller user cannot be located

Request correct employee info |

Ask: “Do you have manager/system-owner approval for this access?”

Confirm documentation

Authorization

If Valid

Apply access in requested system

Add to audit log |

Unauthorized

Inform caller approval is required

Request manager submission |

Ask: “Does this access require prerequisite systems or training?”

Prerequisite Check

If Completed

Proceed with additional access

Add to compliance log

Notify requester |

Missing training

Inform caller prerequisite must be completed

Request completion before assignment |

Ask: “Is this access permanent or temporary?”

Duration Prompt

Approval

Assign

Proceed

Scope Review

Excessive risk

Inform caller permanent access is not allowed

Escalate for exception approval |

If Aligned

Apply access permanently

Update user’s long-term access profile |

Ask: “Which system or application needs additional access?”

Permission Type

If Admin-Level Access

If Not Supported

Explain

Stop

Validate system supports admin tier

Approval Checks

Assign

Proceed

If Edit Access

Ask: “Why does the user need edit capabilities?”

Manager Approval

Assign

Proceed

If Not Justified

Explain

Stop

If Manage-Level Access

If Not Aligned

Explain

Stop

Validate user’s role supports management functions

Approval Workflow

Assign

Proceed

If Read Access

Ensure read-only is sufficient for job role

Assign

Proceed

If Not Valid

Explain

Stop

Apply elevated cloud platform permissions

Ask: “Does this request include elevated cloud platform permissions (Azure, AWS, GCP)?”

Validate requirement

Cloud Privilege Not Needed

Proceed

Apply elevated permissions within cloud platforms

Ask: “Does this request include elevated cloud platform permissions (Azure, AWS, GCP)?”

Validate cloud privilege level

Assign Cloud Role

Confirm

Proceed

Apply MFA enhancements

Ask: “Does this privileged role require enhanced MFA?”

Validate

No MFA Enhancement

Proceed

Apply MFA enhancements required for privileged accounts

Ask: “Does this privileged role require enhanced MFA?”

Validate MFA enforcement policy

Activate Enhanced MFA

Confirm

Proceed

Apply monitoring

Ask: “Which monitoring controls are required for this privileged role?”

Validate controls

No Monitoring Required

Proceed

Apply monitoring required for privileged accounts

Ask: “Which monitoring controls are required for this privileged role?”

Validate controls (session logging, alerts, MFA, SIEM)

Enable Logging

Confirm

Proceed

Apply server-level or local admin rights

Ask: “Does the user need local admin or server-level admin rights?”

Check requirement

No Server Admin Needed

Proceed

Validate requirement

Assign Local/Server Admin

Confirm

Proceed

Assign additional application or system access beyond baseline

Ask: “Is this access permanent or temporary?”

Define duration

Ask for start/end dates

Confirm manager acknowledgment of temporary access

Assign time-bound permissions

Set auto-expiration in system |

Validate scope

Ensure permanent access aligns with job duties

Assign Access

Proceed

Excessive permission risk

Inform caller permanent access is not allowed

Escalate to executive or system owner |

Ask: “What business purpose requires these additional permissions?”

Compare request against job description

Authorization Check

If Approved

Verify request aligns with data-security policies

Assign additional permissions |

Insufficient justification

Inform caller the request is not supported

Request revised justification from manager |

Ask: “Which specific system or application needs additional access assigned?”

Attempt clarification

Ask caller for more details

System cannot be validated

Inform caller system cannot be found

Request system owner to formally identify application |

Ask caller to provide screenshot, link, or system owner name

Identify system

If Found

Continue with permission-level validation |

Confirm permission type

Ask permission level

Validate edit rights

Confirm user needs to add/update content

Invalid request

Inform caller edit permissions cannot be assigned

Confirm user needs to add/update system content

Confirm manager approval

Assign edit-level access |

Ask: “Is this read, edit, manage, or admin-level access?”

Validate read-only requirement

Ensure read-only aligns with job duties

Confirm manager approval

Assign read-only permissions |

If not aligned, inform caller

Request updated justification |

Ask: “Which system needs additional access?”

Confirm permission level

Ask for required permission tier

Validate admin rights

Confirm system has admin tier

No admin role available

Inform caller admin roles do not exist for the system

Confirm system has administrative role

Approval Requirement

Proceed

Validate manage rights

Ensure role qualifies

Access not permitted

Inform caller this level requires higher role

Ensure role qualifies to manage users/content

Approval Workflow

Proceed

Assign default access based on user’s department

Ask: “Which department will the new hire be working in?”

Retrieve Finance baseline profile

Load Finance baseline permissions

Confirm role matches Finance profile

Mismatch

Inform caller Finance baseline doesn’t match job role

Request updated HR job role for verification |

Load Finance baseline permissions (ERP read, shared drives, reporting tools)

Confirm role matches Finance profile

Assign Permissions

Policy Enforcement

Proceed

Retrieve HR baseline profile

Load HR baseline permissions

Confirm role matches HR baseline

Mismatch

Inform caller HR baseline does not match role

Request manager confirmation |

Load HR baseline permissions (HRIS access, documents share, onboarding tools)

Confirm role matches HR baseline

Assign Permissions

Policy Enforcement

Proceed

Retrieve IT baseline profile

Load IT baseline

Ask sub-role

Invalid

Inform caller IT needs correct sub-role

Request manager clarification |

Ask: “Is this a support tech, developer, engineer, or analyst?”

Assign Permissions

Security Policy

Proceed

Load IT baseline (ticketing system, admin tools, knowledge base)

Ask: “Is this a support tech, developer, engineer, or analyst?”

Assign Permissions

Security Policy

Proceed

Retrieve Ops baseline profile

Load Ops baseline

Confirm if field ops or internal ops

Assign Permissions

Compliance Settings

Proceed

Load Ops baseline (inventory system, workflow tools)

Confirm if field ops or internal ops

Assign Permissions

Compliance Settings

Proceed

Retrieve Sales baseline profile

Load Sales baseline

Ask: “Is the user assigned to a specific territory or region?”

Missing territory

Inform caller territory is required

Request manager to provide territory assignment |

Load Sales baseline (CRM, shared drives, sales dashboards)

Ask: “Is the user assigned to a specific territory or region?”

Load Territory Set

Assign Permissions

Proceed

Unable to assign baseline

Inform caller baseline package cannot be determined

Request HR/manager to confirm department classification |

Assign privileged roles

Ask: “Which privileged role has been approved for provisioning?”

Check approvals

Missing Role

Stop

Assign privileged roles approved for the user

Ask: “Which privileged role has been approved for provisioning?”

Review approval details

Locate Privileged Group

Provision

Confirm

Proceed

Check for conflict-of-interest restrictions

Ask: “Does this request introduce separation-of-duties risk?”

Validate duties (e.g., same user approving & administering)

Conflict Response

Stop

Validate SOD

Clear of Conflicts

Proceed

Complete final least-privilege audit

Ask: “Have all permissions been reviewed for necessity, justification, and compliance?”

Document Results

Notify Manager

Proceed

Missing Review

Correct

Stop

Conduct IT security risk review

Ask: “Has IT Security reviewed this request for risk alignment?”

Validate record

Security Review Needed

Stop

Validate security review record

Security Clearance

Proceed

Configure periodic access review reminders

Ask: “Does this privileged role require scheduled access review audits?”

Validate

No Review Scheduling

Proceed

Validate requirement

Enable Review Reminders

Confirm

Proceed

Configure SIEM ingestion

Ask: “Must privileged activity be forwarded to the SIEM?”

Validate

No SIEM Routing

Proceed

Configure SIEM ingestion for privileged activity

Ask: “Must privileged activity be forwarded to the SIEM?”

Validate SIEM ingestion requirement

Enable SIEM Ingestion

Confirm

Proceed

Confirm access alignment following job movement

Ask: “Which permissions or systems are impacted by the user’s new job role?”

Ask: “Is the user’s current job role different from the role originally assigned to these permissions?”

Assess Relevance

If Not Required

Confirm with HR or manager

Route permission to removal workflow |

If Required

Document role-based justification

Retain permissions and log alignment |

Confirm all accounts and permissions were successfully created

Ask: “Has the Active Directory account provisioned successfully?”

Validate AD account in directory

Issue found

Identify if creation failed due to attributes or sync

Correct AD attributes

Retry AD creation before continuing |

Verify group assignments

Confirm baseline and additional groups applied

Proceed

Notification

Ask: “Has the mailbox successfully created and synced?”

Validate Exchange/M365 mailbox availability

License Validity

If Valid

Apply retention, spam, and security policies

Add mailbox to completion summary |

Validate mailbox

Error

Remediate

Stop

Ask: “Has the user synced to the SSO provider?”

Validate user appears in SSO directory

MFA Enrollment

If MFA Ready

Access Validation

Proceed

Validate user in SSO directory

Error

Correct

Stop

Ask: “Have all additional systems applied the user’s permissions?”

Validate additional permissions

Identify failing system

Determine reason (license, role, sync delay)

Correct then re-run provisioning

Retry after correction |

Validate additional system provisioning logs

Access Confirmation

Documentation

Proceed

Conduct verification audit

Ensure all required accounts (AD, Email, SSO, apps) are active

Prepare Notification

Notify Requester

Proceed

Ensure all required accounts are active

Missing components

Troubleshoot

Stop

Prepare message

Include AD, email, SSO, baseline access, additional access

Send Notification

If Sent Successfully

Mark provisioning ticket as resolved

Close workflow |

Include relevant details

Missing Info

Inform caller manager email not listed

Request HR or department admin to provide contact |

Confirm inactive or unused permissions should be removed

Ask: “Which permissions show no recent usage?”

Ask: “Has the user accessed this permission or system within the allowed usage timeframe?”

Removal Candidate

If Confirmed

Revoke permission

Document unused-permission removal |

Confirm inactive or unused permissions should be retained

Ask: “Which permissions show no recent usage?”

Ask: “Has the user accessed this permission or system within the allowed usage timeframe?”

Required Permission

Proceed

Confirm legitimacy of a manager-initiated request

Ask: “What initiated this offboarding request?”

Validate Manager Identity

Manager Check

If Not Verified

Explain

Stop

If Verified

Ask: “Is this termination, resignation, or internal transfer?”

Proceed

Confirm offboarding for internal transfers

Ask: “What initiated this offboarding request?”

Validate HR Transfer Event

HRIS Check

If Found

Ask: “Is this a cross-department transfer or within the same department?”

Begin role-based deactivation and re-provisioning |

If Not Found

Explain

Stop

Confirm offboarding from contractor/vendor management

Ask: “What initiated this offboarding request?”

Validate Contract End

Contract Check

If Ended

Ask: “Have badges and other assets been collected?”

Proceed

If Not Ended

Explain

Stop

Confirm permissions remain appropriate after a project finishes

Ask: “Which project-based permissions or temporary roles need to be reviewed?”

Ask: “Has the project or temporary assignment ended?”

Assess Necessity

If Not Needed

Remove project-based access

Document access sunset |

If Still Needed

Validate continued project-related need

Retain access but flag for next review cycle |

Confirm role meets least-privilege compliance

Ask: “Is privileged access the minimum required to complete the task?”

Compare task requirement vs. privilege scope

Accept Necessity

Proceed

Validate privilege need

Decline Elevated Access

Stop

Confirm that user’s current access matches minimum required privileges

Ask: “Which permissions or systems need to be revalidated for least-privilege review?”

Ask: “Is the user’s current job role still the same?”

Assess Necessity

If Not Required

Confirm with manager to validate removal

Route permission to removal workflow |

If Required

Ensure permission remains justified

Retain permission and document review |

Confirm the access change request is legitimate and properly authorized

Ask: “Is this access needed immediately or on a future date?”

Confirm urgency

Ensure emergency justification is valid

Approval Check

Proceed

If Not Valid

Explain

Stop

Ask: “Who submitted this request for access changes?”

Confirm Manager Approval

If Approved

Validate approval via email or ticket

Identify Reason

Proceed

If Not Approved

Explain

Stop

Confirm reason

Ask about requirement

Invalid audit claim

Inform caller request cannot be categorized as audit-driven

Reclassify as standard access request before proceeding |

Ask: “Is this access change required due to an audit finding or compliance requirement?”

Validate Documentation

If Valid

Determine if immediate remediation is required

Route to removal/addition accordingly |

Identify HR Event

HRIS Review

If Event Found

Confirm requested changes match HR update

Route to access-add/remove review |

If Event Not Found

Explain

Stop

Verify manager identity

Validate information

Authorization Issue

Inform caller only verified managers can request access changes

Escalate to IT Security |

Validate name and reporting structure in HRIS

Identify Reason

If Valid Reason

Ensure manager has provided written approval

Route to access-add/remove evaluation |

Ask: “Why is this access change needed?”

Check job description alignment

Confirm necessity

Manager Confirmation

Proceed

Check role alignment

Excessive permission risk

Inform caller justification does not match job duties

Request updated justification or deny request |

Confirm the legitimacy and source of the offboarding trigger

Ask: “What initiated this offboarding request?”

Validate HR Record

HRIS Check

If Found

Ask: “What is the official termination date?”

Proceed

If Not Found

Explain

Stop

Confirm the request originated from an authorized and legitimate source

Ask: “Who submitted this access request?”

Attempt Verification

Directory Lookup

If Found But No Authority

Explain

Stop

If Not Found

Explain

Stop

Confirm Authorization

If No

Inform employee manager approval is required

Request manager to submit authorization |

If Yes

Ask employee to provide approval email or ticket

Validate authenticity

If Valid

Route to access-level review |

Identify HR Event

HRIS Event Lookup

If Event Found

Effective Date Review

If Valid

Ensure HRIS→IT event sync completed

If Event Not Found

Inform HR

Stop

Validate System Trigger

Workflow Metadata Check

If Invalid

Explain

Stop

If Valid

Confirm automation corresponds to HR or system event

Ensure trigger matches expected workflow

Treat request as system-authorized |

Verify manager identity

Confirm name and reporting structure in HRIS

Identity mismatch

Inform caller you cannot process unauthorized requests

Escalate to IT Security for identity verification |

Validate reason for request

Ask manager: “What is the purpose of this access?”

Confirm documented approval exists

Verify approval in ticket or email

Confirm user training & certification requirements

Ask: “Has the user completed required privileged-access security training?”

Validate training

Training Needed

Stop

Validate training records

Training Verified

Proceed

Create new user accounts across identity systems

Ask: “Can you confirm the new hire’s start date and department?”

Validate new hire exists in HRIS

Confirm spelling of first/last name

Ensure legal name matches HR record

Search for existing AD profile

Proceed

Missing record

Inform caller HR must finalize the employee record

Request HR to correct data before continuing |

Begin identity mapping

Ensure AD attributes sync to SSO

Assign SSO Group

MFA Required

Proceed

SSO Error

Correct

Stop

Confirm authentication readiness

Attempt first login to ensure account is active

Authentication Failure

Remediate

Stop

Credentials Working

Finalize

Proceed

Populate required fields

Assign department based on HR record

Assign manager field in AD

Ensure fields meet AD schema requirements

Attribute Issue

Stop

Proceed

Start AD provisioning

Follow naming convention

Ensure username is not already in use

Conflict

Proceed

Follow naming convention (first initial + last name)

Ensure username is not already in use

Account Creation Process

Proceed

Start mailbox provisioning

Assign M365/Exchange license type

Licensing Block

Inform caller there are no licenses remaining

Request purchasing to add licenses |

Mailbox Creation

Policy Assignment

Proceed

Determine if compliance team approval is required

Ask: “Does this request involve a regulated system (SOX, HIPAA, PCI)?”

Validate category

No Compliance Review Needed

Proceed

Validate system category

Confirm Compliance Approval Needed

If Approved

Document compliance approval

Complete approval routing |

If Not Approved

Inform caller compliance approval is required

Await compliance decision |

Determine which system or application access is being requested

Ask: “Which system or application does the user need access to?”

Determine privilege type

Ask: “Is this standard access, elevated access, or administrative access?”

Ensure privilege tier exists for this system

Privilege denied

Inform caller privileged roles do not exist for this system

Direct caller to system owner for alternatives |

Proceed

Provide categories

Ask: “Is it related to Finance, HR, Collaboration, Operations, IT Tools, or Development?”

Insufficient info

Inform caller you cannot proceed without knowing the system

Request manager to specify system name |

Offer list of systems in that category

Ask caller to pick the correct one

Move to access-level determination |

Request folder path

Ask: “Can you provide the exact folder path or screenshot?”

Check security group ownership

Confirm purpose for access

Ensure access aligns with job duties

Route to access-level review |

Invalid path

Inform caller the folder cannot be located

Request confirmation from folder owner |

Separate requests

Validate each requested system independently

Confirm combined access need

Ask: “Are these part of a project or cross-functional role?”

Create grouped access ticket bundle |

Identify failing system

Inform caller which system(s) are not recognized

Require corrected system list |

Validate name

Check system against approved enterprise application list

Confirm correct system variant (cloud, legacy, module-specific)

Ask: “Is this for the full application or a specific module?”

Proceed

Name Not Recognized

Inform caller system name does not match internal catalog

Request screenshot or documentation for clarification |

Disable access to key applications

Ask: “Which application accounts need to be disabled?”

Validate user account in application

Disable App Access

Confirm

If Successful

Add application disable to removal log |

Validate user in application

No Account

Inform caller no account exists in that application

Continue with additional systems |

Disable core identity accounts after offboarding trigger

Ask: “Can you confirm the username or employee ID for AD deactivation?”

Verify user in AD

AD Disable Action

Confirm

If Successful

Add AD disable step to log |

Invalid User

Inform caller AD account cannot be located

Request correct identifier |

Disable email mailbox and block email login

Ask: “Does the user have an active mailbox?”

Validate mailbox

No Mailbox

Inform caller no mailbox exists to disable

Continue to next system disable step |

Validate mailbox exists in Exchange/M365

Mailbox Disable

License Removal

If Successful

Document mailbox disable |

Disable multi-factor authentication (MFA)

Ask: “Is the user enrolled in MFA?”

Validate enrollment in MFA provider

Revoke MFA

Confirm

Proceed

Validate MFA enrollment

No MFA

Proceed

Disable shared-account or generic account access tied to user

Ask: “Was the user assigned access to any shared or generic accounts?”

Validate assignment

No Shared Access

Proceed

Validate assignment logs

Revoke Shared Access

Confirm

Proceed

Disable SSO/IdP access for the user

Ask: “Is the user visible in the SSO directory?”

Validate SSO identity

Missing SSO Record

Inform caller SSO directory does not list the user

Request confirmation of correct username |

Validate user presence in SSO provider

SSO Disable Action

Confirm

If Successful

Add SSO disable to audit log |

Disable user accounts across integrated subsystems

Ask: “Does the user have access through integrated or downstream systems?”

Validate access via provisioning tool or IAM system

Disable Integrated Accounts

Confirm

Proceed

Validate through IAM

No Integrated Access

Proceed

Disable VPN access

Ask: “Does the user have VPN or remote access assigned?”

Validate presence

No VPN Access

Proceed

Validate presence in VPN system

Remove VPN Access

Confirm

If Successful

Add VPN disable to log |

Enable session recording

Ask: “Does this role require privileged session recording?”

Validate

No Recording Needed

Proceed

Enable session recording for privileged actions

Ask: “Does this role require privileged session recording?”

Validate requirement

Configure Session Recording

Confirm

Proceed

Enforce enhanced MFA

Ask: “Does this privileged role require enhanced MFA?”

Validate

No Enhanced MFA

Proceed

Enforce enhanced MFA for privileged accounts

Ask: “Does this privileged role require enhanced MFA?”

Validate requirement

Apply Enhanced MFA

Confirm

Proceed

Ensure all data transfers completed

Ask: “Have all data sources been transferred or archived?”

Documentation

Notify

Complete

Identify Missing

Address

Stop

Ensure all user files are archived or transferred

Ask: “Which systems contain the user’s files or owned content?”

Review OneDrive, SharePoint, File Shares

OneDrive Handling

If Archive Needed

Move OneDrive content to long-term archive repository

Validate archive storage completion |

Validate OneDrive content

No OneDrive Data

Proceed

Ensure all user files are archived or transferred before deletion

Ask: “Which systems contain the user’s files or owned content?”

Review OneDrive, SharePoint, File Shares, Local Drives

OneDrive Handling

If Transfer Needed

Reassign OneDrive ownership to manager or successor

Validate new owner has access |

Ensure request meets business, security, and compliance requirements

Ask: “Which privileged access is being requested?”

Check for admin role

Not Privileged Access

Stop

Identify admin role (Domain Admin, Local Admin, App Admin)

Capture Business Justification

Validate

Proceed

Final justification compliance decision

Ask: “Does the request satisfy business, security, and compliance requirements?”

Approval Criteria Met

Proceed

Criteria Not Met

Stop

Final privileged-access verification

Ask: “Have all privileged roles and shared-mailbox rights been removed?”

Documentation Review

Notify

Complete

Identify Missing

Correct

Stop

Final verification

Ask: “Have all required monitoring controls been implemented successfully?”

Monitoring Incomplete

Correct

Stop

Final verification of monitoring setup completion

Ask: “Have all required monitoring controls been implemented successfully?”

Monitoring Complete

Notify

Complete

Handle application-level data

Ask: “Which business applications contain user-owned tasks, workflows, or dashboards?”

Validate presence

No App-Level Data

Proceed

Handle application-level data (task ownership, workflows, dashboards)

Ask: “Which business applications contain user-owned tasks, workflows, or dashboards?”

Validate presence of assignable items

Transfer App Data

Confirm

Handle calendars owned by the user

Ask: “Did the user own or manage any shared calendars?”

Identify calendar ownership

Transfer Calendar Ownership

Confirm

Validate calendar existence

No Calendar Transfer

Proceed

Handle mailbox content

Ask: “Does the mailbox contain messages needing transfer (workflows, approvals, project communications)?”

Identify content

No Mailbox Action

Proceed

Handle mailbox content (email ownership, project threads, approvals)

Ask: “Does the mailbox contain messages needing transfer (workflows, approvals, project communications)?”

Identify folders requiring reassignment

Transfer Mailbox Content

Confirm

Handle shared network drive files

Ask: “Did the user store files on mapped network drives or department file shares?”

Identify file ownership

Archive Files

Confirm

Identify folder paths owned or modified by user

File Share Processing

If Transfer Needed

Move files into manager/successor’s folder

Validate receiving party access |

Validate presence of files

No File Share Content

Proceed

Handle SharePoint-owned document libraries

Ask: “Did the user own or manage SharePoint sites or document libraries?”

Validate site/document library ownership

No SharePoint Transfer

Proceed

Validate user’s role in each identified site

Transfer Site Ownership

Confirm

Identify the correct permission tier for the user

Ask: “Is the user requesting standard, elevated, or administrative access?”

Identify admin type

Ask: “Is this for system administration, user management, or configuration?”

Check if application supports admin role

Admin role confirmed

Check additional security requirements (MFA, logging)

Route to privileged-access workflow |

Unsupported role

Inform caller admin access does not exist for this system

Refer to system owner for alternative access options |

Identify reason

Ask: “Is this temporary or permanent access?”

No permanent justification

Inform caller permanent elevated access is not allowed

Require executive-level approval |

Time-Bound Access

Ask: “What dates should this access begin and end?”

Confirm manager approval for temporary privilege

Route to temporary access provisioning |

Provide clarification

Explain: “Standard = use; elevated = manage content; admin = configure system”

Confirm selected level

Assign standard baseline package

Move to provisioning |

Validate business justification

Route to elevated-access workflow |

Validate privileged requirements

Route to privileged-access workflow |

Validate job role

Compare job role to standard access package

Role mismatch

Inform caller custom review is required

Escalate to role owner for decision |

Standard role confirmed

Assign baseline read/use privileges

Verify no elevated permissions included

Route to access provisioning |

Validate purpose

Ask: “Why does the user require elevated permissions?”

Business Need Confirmed

Confirm manager approval

Validate approval email/ticket

Route to elevated-access workflow |

No valid justification

Inform caller elevated permissions cannot be granted

Request updated justification or deny request |

Initial evaluation of the submitted access request

Ask: “Is the user a new hire, existing employee, contractor, or vendor?”

Validate contractor engagement

Check contract details

Contractor invalid

Direct caller to vendor management to update contract record |

Confirm contract dates and vendor assignment

Contractor approved

Confirm contractor only needs minimal/time-bound access

Initiate contractor-access workflow |

Validate employee's active status

Confirm employee is active in HRIS

Approve identity

Ask: “Is this for promotion, transfer, or additional responsibilities?”

Route to access-change workflow |

Conflict found

Escalate to HR to resolve status mismatch |

Validate HR-provided new hire record

Confirm start date and department

Approve new-hire identity

Assign baseline access package

Initiate new-hire provisioning |

HR data mismatch

Request HR to correct hire record before continuing |

Validate vendor authorization

Confirm vendor company and statement of work

Vendor approved

Apply vendor-limited access rules

Initiate vendor-access workflow |

Vendor cannot be validated

Escalate to procurement/vendor management |

Provision AD admin roles

Ask: “Does this request involve an Active Directory privileged role?”

Validate role type

Skip AD Provisioning

Proceed

Provision AD-based admin roles

Ask: “Does this request involve an Active Directory privileged role?”

Validate if role is AD-based

Add to AD Group

Confirm

Proceed

Provision application-level admin roles

Ask: “Does provisioning require admin access within a specific application?”

Validate application access level

Assign App Admin Role

Confirm

Proceed

Validate requirement

Skip App Role Provisioning

Proceed

Remove access and document completion

Access Check

If Failure

Identify failure cause (sync delay, role cache, permissions mismatch)

Resolve the failure

Retry removal after correction |

If Successful

Document removal in ticket and audit logs

Send confirmation to requester

Close workflow |

Remove access based on least-privilege alignment

Ask: “Does current role still require this permission?”

Justification Review

If Confirmed

Revoke system permissions

Note change in audit log |

Not removal candidate

Inform caller access is still required

Keep permissions unchanged |

Remove access based on role update

Ask: “Why is access being removed?”

Identify HR Event

HRIS Validation

If Found

Ensure requested removal matches new role

Remove permissions |

If Not Found

Explain

Stop

Remove access based on termination-related events

Ask: “Is the user still employed?”

Urgency Check

If Yes

Disable access across all systems

Log termination removal |

Standard Removal

Proceed

Remove access for account cleanup

Ask system name

Determine Reason

If Audit Finding

Audit Prompt

If Valid

Remove access per audit directive

Document in compliance log |

Validate Audit Proof

Invalid audit request

Inform caller audit evidence is required

Request proper audit directive |

Remove access from user

Ask: “Why is access being removed?”

Validate Manager

If Not Verified

Explain

Stop

Verify manager in HRIS

Approval

Confirmed

Proceed

Remove access safely

Ask: “Does this access depend on or impact other systems?”

Safe Removal

Confirm

Proceed

Remove access safely without impacting system function

Ask: “Does this access depend on or impact other systems?”

Impact Review

If Removing Affects Other Systems

Inform caller of system impact

Remove access with caution & document dependency note |

Remove all elevated or administrative rights

Ask: “Which privileged or admin roles are assigned to this user?”

Validate privileged-group membership

No Privileged Access

Proceed

Remove all elevated or administrative rights assigned to user

Ask: “Which privileged or admin roles are assigned to this user?”

Validate presence in privileged groups (Domain Admin, Local Admin, Security Groups)

Privileged Access Removal

Confirm

Document

Remove distribution group/role-based group memberships

Ask: “Is the user a member of any distribution lists or role-based access groups?”

Check AD group memberships

Remove Group Access

Confirm

Proceed

Validate group assignments

No Group Memberships

Proceed

Remove elevated access inside applications

Ask: “Which applications assigned the user elevated roles (admin, supervisor, configurator)?”

Validate elevated-role assignment

No Elevated App Access

Proceed

Remove elevated access inside applications (admin consoles, reporting, dashboards)

Ask: “Which applications assigned the user elevated roles (admin, supervisor, configurator)?”

Validate app role assignment

Remove Elevated Role

Confirm

Proceed

Remove elevated workstation/local machine rights

Ask: “Was the user added as a local admin on any workstation or server?”

Check workstation group membership

Remove Local Admin

Confirm

Proceed

Remove elevated workstation/local rights

Ask: “Was the user added as a local admin on any workstation or server?”

Check workstation/group listings

No Local Admin Access

Proceed

Remove emergency access

Ask: “Was the user ever issued emergency or break-glass credentials?”

Validate emergency assignment

No Break Glass Access

Proceed

Remove emergency access ("break glass") accounts

Ask: “Was the user ever issued emergency or break-glass credentials?”

Validate emergency-access assignment

Revoke Emergency Access

Confirm

Proceed

Remove service accounts tied to the user

Ask: “Was the user the owner or operator of any service accounts?”

Validate service-account association

Transfer or Disable Service Account

Confirm

Proceed

Validate service-account linkage

No Service Accounts

Proceed

Remove shared mailbox access

Ask: “Which shared mailboxes was the user assigned to?”

Check permission list

No Shared Mailbox Access

Proceed

Validate presence in mailbox permission list

Remove Shared Mailbox Rights

Confirm

Proceed

Remove system or application access for an existing user

Ask: “Which system or application needs access removed?”

Verify User

Identity Check

If Verified

Ask: “Why does this access need to be removed?”

Align

Proceed

Validate identity

Invalid user

Inform caller user cannot be located

Request correct employee info |

Remove temporary access

Ask: “Was this access temporary?”

Check Expiration

If Expired

Remove expired temporary permissions

Update compliance log |

Still needed

Inform caller access cannot be removed early without approval

Request manager authorization |

Route privileged-access request through required approval chain

Ask: “Has the user’s direct manager approved this request?”

Validate approval

Missing Manager Approval

Stop

Validate approval presence

Capture Approval

Proceed

Validate approvals match internal controls

Ask: “Have all required approvals been collected?”

Validate approvals

Approvals Incomplete

Stop

Validate manager, owner, security, and compliance (if required)

Approvals Confirmed

Proceed

Validate correctness of privileged or elevated access

Ask: “Which privileged or elevated permissions are under review?”

Ask: “Does the user’s role still justify privileged-level access?”

Confirm Scope

If Matched

Keep privileged access active

Record justification in privilege log |

Privilege Removal

If Confirmed

Revoke elevated access

Log removal in privileged-access audit |

Validate emergency security-driven deactivation

Ask: “What initiated this offboarding request?”

Validate Incident

Incident Check

If Confirmed

Ask: “Is immediate deactivation required?”

Proceed

If Not Confirmed

Explain

Stop

Validate offboarding for long-term inactivity

Ask: “What initiated this offboarding request?”

Validate Inactivity

Inactivity Review

If Confirmed

Document inactivity-based removal

Begin deactivation workflow |

If Not Confirmed

Explain

Stop

Validate permissions against compliance rules

Ask: “Do any permissions conflict with security, compliance, or audit rules?”

Compliant

Proceed

Validate provisioning completion

Ask: “Has all privileged role provisioning been completed successfully?”

Provisioning Complete

Notify

Complete

Provisioning Incomplete

Correct

Stop

Validate regulatory constraints

Ask: “Does this request fall under regulated systems?”

Check system category

Restriction Review

If Not Eligible

Inform caller they do not meet compliance requirements

Route to compliance/security advisory |

Identify regulation scope

No Regulatory Restrictions

Proceed

Validate regulatory constraints (SOX, HIPAA, PCI, internal audit)

Ask: “Does this request fall under regulated systems (finance, healthcare, cardholder data)?”

Identify any regulatory system association

Restriction Review

If Eligible

Allow request to move forward

Continue validation |

Validate resignation events

Ask: “What initiated this offboarding request?”

Validate Documentation

Doc Check

If Not Valid

Explain

Stop

If Valid

Ask: “What is the employee’s final working day?”

Begin offboarding workflow |

Validate system owner approval when required

Ask: “Does the requested system require owner approval?”

Validate requirement

No Owner Approval Needed

Proceed

Verify System Owner Approval

If Not Approved

Inform caller owner approval is required

Await owner approval |

Validate system-specific approval rules

Verify System Owner Approval

If Approved

Document approval in privileged-access workflow

Route to IT Security |

Validate that security policies and compliance rules are met

Ask: “Do any permissions conflict with security, compliance, or audit rules?”

Conflict Validation

If Confirmed

Revoke conflicting permissions

Document compliance-based removal |

Verify all required accounts have been disabled

Ask: “Have all required accounts (AD, SSO, email, apps) been disabled?”

Identify Missing

Correct

Stop

Validate Documentation

Notify Requester

Proceed

Verify group membership before provisioning

Ask: “Is the user already a member of this privileged group?”

Validate assignment

Eligible for Provisioning

Proceed

Validate current role assignments

No Action Required

Proceed

Verify requester identity & authority

Ask: “Is the requester the user’s manager or a system owner?”

Validate authority

Unauthorized Request

Stop

Validate role of requester

Accept Requester

Proceed

IT Support

Are multiple users affected in the same application module?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Are multiple users logging into this same device?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Are multiple users reporting the same issue or symptom?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Can other devices connect to the same Wi‑Fi network?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Can the user access email from webmail/OWA?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Can the user connect to any network resources without VPN?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Can the user print a test page from another application?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Can the user reach the remote host by ping or name?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Does the drive appear after manual mapping?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Does the issue occur in multiple browsers?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Does the requested change impact production systems?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Does the user have access to any shared drives or resources?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Does the user have an assigned license for the affected application?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Does the user see the shared mailbox in their mail client?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Does the user’s role legitimately require local admin rights?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Has the device been restarted after applying updates?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Has the user already left the organization?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Has the user recently changed their password?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Is secure/pull printing already configured for the user?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Is the affected data covered by standard backup policies?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Is the asset tag found in the inventory system?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Is the device currently reporting as non-compliant?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Is the device enrolled in mobile device management (MDM)?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Is the device past its documented lifecycle date?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Is the device powering on with indicator lights or sounds?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Is the device reporting as encryption-compliant?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Is the endpoint protection client up to date and running?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Is the issue only with audio or video?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Is the issue related to mandatory IT or security training access?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Is the requested software available in the self-service catalog?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Is the slowness isolated to one application?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Is the sync client signed in with the correct account?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Is the system date and time accurate?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Is the ticket already assigned to the correct resolver group?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Is the user able to reach the login page?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Is the user able to ship or drop off the device?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Is the user attempting to reuse an old or weak password?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Is the user completely blocked from performing their job?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Is the user enrolled in self-service password reset?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Is the user exceeding documented storage limits?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Is the user part of the correct security or access group?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Is the user receiving MFA codes or prompts?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Is the user requesting support for non-approved tools or services?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Is the user working on a company-managed device?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Is there a matching knowledge article for this issue?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Is there a valid business justification documented for this access?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Is this a standard endpoint build scenario?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Was the alert generated by an approved security tool?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Was the data stored in approved/managed locations?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

Was the standard onboarding checklist completed?

YES

Is this issue blocking the user from performing critical work tasks?

YES

Have initial troubleshooting steps (reboot, reconnect, basic checks) already been completed?

YES

New Business Qualification

Are key stakeholders aligned on the problem and desired outcome?

YES

Does this prospect match our ideal customer profile in terms of industry, size, and use case?

YES