Playbooks built by the world's best operations teams

Playbooks built by the world's best operations teams

Playbooks built by the world's best operations teams

Write the logic once in natural language. Console executes it across identity, access, devices, and more.

All

IT

HR

Security

RevOps

Finance

Legal

New Hire Onboarding

Playbooks

/

New Hire Onboarding

New Hire Onboarding

Created by

Console Team

Published

HR

Google Calendar

Slack

Workday

+1

Conditions

Webhook — Workday/HiBob/Rippling worker.hired Variables: $employee.email, $employee.firstName, $employee.lastName, $employee.preferredName, $employee.startDate, $employee.managerEmail, $employee.team, $employee.location, $employee.title, $employee.personalEmail

Instructions

  1. #Lookup Users to resolve the manager record from $employee.managerEmail.

  2. Determine the buddy:

    • #Search Graph the HR ingest for active team members on $employee.team with tenure >6 months.

    • Pick one not already buddying for someone else; capture buddy email.

  3. Pre-day-1 (fires immediately on webhook):

    • #Send Email to $employee.personalEmail with the welcome packet: handbook link, benefits enrollment link, day-1 logistics, dress code, what-to-bring, parking/transit info, manager intro.

    • Attach the team intro doc and the location-specific office welcome PDF.

  4. Day-1 calendar (fires 3 business days before $employee.startDate):

  5. Slack onboarding (fires on $employee.startDate at 9:00 AM local):

    • #Add Users To Channel for #welcome, #all-hands, #{{team}}, and #{{location}}-office.

    • #Send Channel Message to #welcome introducing the new hire with their preferred name, title, team, fun fact (collected via pre-start form if available), and a "say hi" prompt.

  6. Team channel intro:

  7. Manager + buddy nudge:

    • #Send Direct Message to the manager: pre-start checklist (set up 1:1 cadence, prep first-week agenda, intro to key collaborators).

    • #Send Direct Message to the buddy: their role (informal questions, lunch on day 2, check-in at end of week 1).

  8. schedule_action wake at end of day 1 to confirm with the new hire via #Send Direct Message: "How did day 1 go? Anything blocking you?"

  9. #Leave Internal Note capturing manager, buddy, calendar event IDs

Okta Password / MFA Reset

Playbooks

/

Okta Password / MFA Reset

Okta Password / MFA Reset

Created by

Console Team

Published

IT

Okta

Conditions

Requester reports being locked out, lost MFA device (YubiKey, phone, Authenticator), needs a password reset, or needs a factor reset.

Instructions

  1. #Search Okta User by Email for the requester to confirm the account exists and get the user ID.

  2. #Search Okta System Log Custom for user.account.reset_password and user.mfa.factor.reset events in the last 30 days for this user.

  3. #List User Factors to see current enrollments.

  4. Risk score the request based on:

    • 3+ resets in last 30 days → High

    • Login from new country or unusual IP in last 24h → High

    • Standard request from known device/location → Low

    • Recent suspicious activity in Okta log → Medium

  5. Identity verification per risk:

    • Low → ask 2 security questions inline (custom action to check answers against profile).

    • Medium → #Request Approval from the requester's manager (configured with requestersManager) confirming they spoke to the user.

    • High → #Prompt for Handoff to a security team member for live video ID verification.

  6. If verification fails or is denied: #Send Direct Message to the requester explaining next steps, #Send Channel Message to #sec-alerts, and #Resolve Request. Stop.

  7. Execute the reset based on the issue type:

  8. #Send Direct Message to the requester with confirmation and next-step instructions.

  9. If risk was High OR pattern-flag triggered (3+ resets): #Send Channel Message to #sec-alerts with the user, the reason, and the action taken.

  10. #Leave Internal Note on the request capturing risk score, verification method, and action taken.

  11. #Resolve Request.

Device Recovery / Unlock

Playbooks

/

Device Recovery / Unlock

Device Recovery / Unlock

Created by

Console Team

Published

IT

Okta

Kandji

Conditions

User reports being locked out of their laptop ("forgot FileVault password", "can't get past BitLocker", "MacBook is asking for recovery key").

Instructions

  1. #Lookup Users on the requester with includeManager.

  2. #List Devices (Kandji) filtered by assignedUserEmail = requester.email to find their device(s).

  3. If multiple devices, #Trigger Form to ask which device.

  4. #Get Device Details (Kandji) to confirm the device is enrolled and active.

  5. Risk check: #Search Okta System Log Custom for recent suspicious activity. If anomalous, escalate to Sec-12 flow.

  6. Identity verification:

  7. On approval: #Get Device FileVault Recovery Key (Kandji) for Mac, or custom Get BitLocker Recovery Key for Windows.

  8. #Send Direct Message to the requester with:

    • The recovery key

    • Step-by-step unlock instructions (different for Mac vs Windows)

    • Reminder to reset their password after unlock

  9. Wait for the requester to confirm they're back in via a follow-up message.

  10. After confirmation, #Send Direct Message suggesting they update their password and re-enroll FileVault/BitLocker.

  11. #Leave Internal Note capturing device serial, verification method, and outcome.

  12. #Resolve Request.

Just-In-Time (JIT) Access

Playbooks

/

Just-In-Time (JIT) Access

Just-In-Time (JIT) Access

Created by

Console Team

Published

Security

Okta

AWS

Snowflake

+1

Conditions

Requester asks for time-bound privileged access (AWS root, prod DB, financial systems, admin console).

Instructions

  1. Parse target system, role/entitlement, duration, and justification from the request.

  2. #Lookup Users on the requester with includeManager and includeGroups.

  3. #Trigger Form to collect:

    • Target system (dropdown of JIT-eligible systems)

    • Specific role or scope (e.g. "AWS prod read-only", "Snowflake admin")

    • Duration (max 8 hours, max 24 hours, max 7 days based on system tier)

    • Business justification (free text, min 50 chars)

    • Ticket/incident reference if responding to an incident

  4. Validate the request:

    • Requester is eligible for this system via custom Check JIT Eligibility.

    • Duration is within max allowed for the system tier.

    • Not already holding active JIT access for the same system.

  5. Approval chain:

  6. On full approval:

  7. schedule_action wake at the TTL to execute revocation:

    • Reverse of step 6 (Remove from Group / Detach Policy / Revoke Role).

  8. #Send Direct Message to the requester with: access details, expiry timestamp, system access URL, what they can/cannot do.

  9. #Send Channel Message to #security-jit logging the grant with: requester, system, role, duration, justification, ticket reference.

  10. #Custom Vanta Log JIT Event with the full audit trail.

  11. On revocation wake: #Send Direct Message to the requester confirming auto-expire; #Send Channel Message to #security-jit confirming revoke.

  12. #Leave Internal Note capturing approval trail and grant/revoke timestamps.

New Hire Provisioning

Playbooks

/

New Hire Provisioning

New Hire Provisioning

Created by

Console Team

Published

IT

Okta

Google Calendar

Slack

+5

Conditions

Webhook — Workday/HiBob/Rippling worker.hired Variables: $employee.email, $employee.firstName, $employee.lastName, $employee.role, $employee.department, $employee.startDate, $employee.managerEmail, $employee.location, $employee.shippingAddress

Instructions

  1. Use #Lookup Users to resolve the manager record from $employee.managerEmail.

  2. Determine the provisioning bundle based on $employee.department:

    • Engineering → GitHub, Datadog, AWS sandbox

    • Sales → Salesforce, Gong, Outreach, Sales Nav

    • All → Okta, Google Workspace, Slack

  3. Use #Create Okta User (Staged) with the email, first/last name, department, and manager.

  4. Use #Activate Okta User to activate the account and send the activation email.

  5. For each baseline group, call #Add to Group (Okta): all-employees, the department group, and the location group.

  6. Use #Add to Group (Google) for all@, {{department}}@, and {{location}}@.

  7. If $employee.department == "Engineering": #Invite User to Org (GitHub), #Add User to Team for the right team, #Invite User to Datadog, and grant AWS sandbox via #AWS IAM - List Attached User Policies + custom IAM attach.

  8. If $employee.department == "Sales": invite to Salesforce, Gong, Outreach, Sales Nav (custom actions).

  9. Use #Kandji Assign ADE Device User to pre-assign a device to $employee.email and ship to $employee.shippingAddress.

  10. Use #List Google Calendar Events to find the manager's calendar, then create a day-1 intro event and a buddy lunch via Google Calendar.

  11. Use #Invite to Channel to add the user to #welcome, #all-hands, and their team channel.

  12. Use schedule_action to wake on Monday 9am $employee.location time to post a welcome thread in the team channel via #Send Channel Message.

CRM Data Hygiene & Updates

Playbooks

/

CRM Data Hygiene & Updates

CRM Data Hygiene & Updates

Created by

Console Team

Published

RevOps

HubSpot

Salesforce

+5

Conditions

Requester asks to update a CRM record ("change opp owner to Jeff", "update close date to next Friday", "mark closed-lost to competitor as Serval").

Instructions

  1. Parse the request:

    • Target object (deal / opportunity / contact / company / lead).

    • Target identifier (deal name, ID, account name).

    • Field to update.

    • New value.

  2. #Lookup Users on the requester with includeGroups.

  3. Permission check:

    • #Custom Check CRM Permission for the requester on the target object and field.

    • Rep can update their own records.

    • Manager can update reports' records.

    • Ops can update any.

    • If permission denied → #Request Approval from the record owner.

  4. Locate the record:

  5. #Get HubSpot Deal Details with Activity Timeline (or contact/company equivalent) to confirm current state.

  6. Validate the new value:

    • For owner changes: #Lookup Users to confirm the new owner exists.

    • For close dates: must be future or current quarter unless requester is ops.

    • For stage changes: must follow stage progression (route through Rev-15 if backward jump).

    • For status changes: require closedLostReason if moving to closed-lost.

  7. Confirm with the requester via #Send Direct Message showing the diff: "Will change {{field}} from {{old}} to {{new}}. Confirm?"

  8. On confirm: #Update HubSpot Deal Properties (or custom Salesforce update action) with the new value.

  9. Log the change:

  10. #Send Direct Message to the requester confirming, including the deal link.

  11. If the owner changed: #Send Direct Message to the new owner with the handoff.

  12. #Leave Internal Note capturing the change and approval trail.

  13. #Resolve Request.

Identity Group Management

Playbooks

/

Identity Group Management

Identity Group Management

Created by

Console Team

Published

IT

Okta

Slack

Conditions

Requester asks to create, modify membership, or change ownership of an Okta/Google/Slack group (e.g. "create Okta group for brand campaign team", "remove Sarah from eng-leadership", "add this week's new hires to #all-eng").

Instructions

  1. Parse the action type (create / add members / remove members / delete / change owner), target group name, downstream systems (Okta / Google / Slack / all), and member list.

  2. Validate group name against naming convention (^[a-z][a-z0-9-]+$, max 40 chars). If invalid:

  3. #Lookup Users on the requester with includeGroups.

  4. Check authorization:

    • Create → requester must be in the group-creators Okta group or an IT admin.

    • Modify/Delete → requester must be the group owner OR an admin. Use #custom Get Group Owner action.

    • If unauthorized → #Request Approval from an IT admin.

  5. For Create:

  6. For Add members:

  7. For Remove members:

  8. For Delete: confirm with the requester via #Trigger Form ("This will delete the group across all systems — confirm?"), then call custom delete actions for Okta + Google + Slack.

  9. For role/manager-based sync (e.g. "add this week's new hires"): query the HR ingest via #Search Graph for matching users, then loop step 6.

  10. #Send Direct Message to the requester with a summary of changes.

  11. #Leave Internal Note capturing the action and downstream sync.

  12. #Resolve Request.

Contractor Access Expiration

Playbooks

/

Contractor Access Expiration

Contractor Access Expiration

Created by

Console Team

Published

IT

Okta

Slack

Workday

+1

Conditions

Scheduled — every day at 8:00 AM America/Chicago

Instructions

  1. Query the #custom Workday/HR ingest via #Search Graph for contractors with endDate between today + 5 days and today + 7 days.

  2. For each contractor, #Lookup Users on the engagement owner's email with includeSlackId.

  3. #Send Direct Message to the engagement owner with a #Trigger Form containing options: "Extend"(collect new end-date), "Expire on schedule", "Expire immediately".

  4. Use schedule_action to wake 5 days later to check the form response.

  5. On wake, branch on the response:

    • Extend → #custom Workday Update Contractor End Date with the new date, then #Send Direct Message confirming.

    • Expire on schedule or no response → schedule_action wake on the contractor's endDate to execute revocation.

    • Expire immediately → execute revocation now.

  6. Revocation sequence:

  7. #Create Linear Issue in the IT-Audit project documenting the revocation.

  8. #Send Channel Message to #it-audit with the contractor name, owner, expiry type, and revoked entitlements.

New Device Order

Playbooks

/

New Device Order

New Device Order

Created by

Console Team

Published

IT

Kandji

Apple Business Manager

+2

Conditions

User requests a new or replacement laptop, monitor, or peripheral.

Instructions

  1. #Lookup Users on the requester with includeManager and includeGroups to get role, department, location.

  2. #Trigger Form to collect:

    • Device type (laptop / monitor / accessory)

    • Reason (new hire / refresh / replacement / additional)

    • Specific model preference

    • Shipping address (default to address on file)

    • Needed-by date

  3. #List Devices (Kandji) to check existing assigned devices and age.

  4. Validate against role's approved spec:

  5. Determine approval tier:

    • <$2k → manager approval only.

    • $2k–$5k → manager + finance approval.

    • >$5k → manager + finance + VP approval.

  6. #Request Approval chained per tier.

  7. On approval, place the order:

  8. Capture the tracking number from the order response.

  9. schedule_action wake daily until delivered to:

  10. On delivery confirmation:

  11. #Leave Internal Note capturing model, price, approvers, tracking.

  12. #Resolve Request on delivery + setup confirmation.

Network Troubleshooting

Playbooks

/

Network Troubleshooting

Network Troubleshooting

Created by

Console Team

Published

IT

Okta

Kandji

Linear

+1

Conditions

Requester reports WiFi/VPN/connectivity issues ("VPN keeps dropping every 20 min", "can't reach internal DNS", "Berlin office connectivity slow").

Instructions

  1. #Lookup Users on the requester with includeManager to get location.

  2. #List Devices (Kandji) to identify their device(s).

  3. #Trigger Form to collect:

    • Symptom (drops / slow / can't connect / DNS / VPN)

    • Office or remote

    • When it started

    • Frequency

  4. Check upstream first:

  5. Check user-side:

  6. Attempt remediation:

    • VPN drops → custom Re-establish VPN Tunnel action.

    • DNS → #Create Kandji Custom Script to flush DNS cache and reset network interfaces.

    • Slow → run iperf script via Kandji and compare to baseline.

  7. Ask via #Send Direct Message if it's resolved after each remediation.

  8. If resolved → #Resolve Request.

  9. If unresolved or upstream issue: #Create Linear Issue in the networking project with the diagnostic bundle.

  10. #Send Channel Message to #network-ops for upstream issues.

  11. #Send Direct Message to the user with escalation and expected timeline.

  12. #Leave Internal Note with full diagnostic trail.

App Registration & SSO Setup

Playbooks

/

App Registration & SSO Setup

App Registration & SSO Setup

Created by

Console Team

Published

IT

Okta

1Password

Linear

+2

Conditions

IT or admin requests onboarding a new SaaS app with SSO ("we want to onboard Linear company-wide", "set up SSO for the new Highspot tenant").

Instructions

  1. #Trigger Form to collect:

    • App name and vendor URL

    • SSO protocol (SAML 2.0 / OIDC)

    • For SAML: ACS URL, entity ID, name ID format, certificate

    • For OIDC: redirect URI, scopes needed

    • SCIM endpoint + bearer token (if available)

    • Default user groups to provision (eng / product / design / all-company)

  2. #Lookup Apps to confirm the app isn't already onboarded. If it exists, ask the requester whether to modify or reject.

  3. #Request Approval from the security team for the new vendor (chain to Sec-18 if not already approved).

  4. Create the Okta app:

    • For SAML → custom Okta Create SAML App with ACS URL, entity ID, attributes mapping.

    • For OIDC → custom Okta Create OIDC App with redirect URI and scopes.

  5. #Create Okta Group (Custom) for default access: {{app-slug}}-users and {{app-slug}}-admins.

  6. #Add to Group to assign the requester to {{app-slug}}-admins.

  7. For each requested default group (eng/product/design/all-company): custom Okta Assign

  8. Group to App to grant baseline access.

  9. If SCIM endpoint provided: custom Okta Configure SCIM with the endpoint + token, then #Update 1Password App Username Template to set the username convention.

  10. Generate test credentials via custom Okta Create Test User and Assign action.

  11. #Send Direct Message to the requester with SSO sign-in URL, test creds, SCIM status, next steps.

  12. #Create Linear Issue in the IT project for follow-up tasks: app catalog entry, access policy creation, KB doc.

  13. #Leave Internal Note capturing the protocol, ACS URL, and groups configured.

  14. #Resolve Request.

AVD Assignment

Playbooks

/

AVD Assignment

AVD Assignment

Created by

Console Team

Published

IT

Azure DevOps

Entrata

+2

Conditions

Contractor in a restricted country or BYOD user needs an Azure Virtual Desktop session.

Instructions

  1. #Lookup Users on the requester with includeManager and includeGroups.

  2. #Search Graph in the custom HR/contractor ingest to find the engagement end-date.

  3. #Trigger Form to collect:

    1. Role-based image needed (eng tools / design tools / GTM tools)

    2. Country of access

    3. Engagement duration (auto-fill from HR ingest if available)

  4. #Request Approval from the requester's engagement owner.

  5. On approval, provision the AVD:

    1. #Custom Azure AVD Create Host Pool Assignment with image template and user UPN.

    2. #Custom Entra Assign User to AVD App scoped to this user only.

    3. #Custom Entra Set Conditional Access restricting sign-in to the engagement country.

  6. Time-box the access:

    1. schedule_action wake on the engagement end-date to call #custom Azure AVD

    2. Remove Assignment and Entra Revoke AVD App Access.

  7. #Send Direct Message to the requester with AVD connection URL, sign-in credentials, expiry date, support path.

  8. #Send Channel Message to #it-contractor-access logging the provision.

  9. #Leave Internal Note capturing image, country, end-date.

  10. #Resolve Request.

Slack Channel & Group Management

Playbooks

/

Slack Channel & Group Management

Slack Channel & Group Management

Created by

Console Team

Published

IT

Okta

Slack

Conditions

Requester asks to create, archive, modify visibility, or manage membership of a Slack channel or usergroup.

Instructions

  1. Parse: action (create / archive / unarchive / change visibility / add members / remove members / rename / set manager), target channel name, member list, visibility setting.

  2. Validate name against policy:

    1. Channels must match ^(launch|project|incident|team|all|fun|help|wg)-[a-z0-9-]+$.

    2. Length ≤ 80 chars.

    3. If invalid → #Send Direct Message explaining the rule.

  3. #Lookup Users on the requester.

  4. Authorization check:

    • Create → any employee.

    • Archive / rename / change visibility → requester must be a channel manager (#Get Channel Managers) or IT admin.

    • Private channel operations → require #Request Approval from a channel manager.

  5. #Search Channels to check if the channel already exists.

  6. Execute the action:

  7. If the request mentions pinning a doc: #Slack Pin Message action with the doc URL.

  8. #Send Direct Message confirming the change with the channel link.

  9. #Leave Internal Note capturing action, channel, members.

  10. #Resolve Request.

License Reclamation

Playbooks

/

License Reclamation

License Reclamation

Created by

Console Team

Published

IT

Okta

Lattice

Linear

+2

Conditions

Scheduled — every day at 9:00 AM America/Chicago

Instructions

  1. Query the custom Productiv ingest via #Search Graph for seats with no logins in 60+ days across Outreach, Gong, Lattice, Figma.

  2. For each stale seat:

    • #Lookup Users on the seat owner with includeManager and includeSlackId.

    • Skip if user was hired in the last 30 days (grace period) or has an active PTO/leave entry in HR ingest.

  3. #Send Direct Message to the user (cc manager in a separate DM): "You haven't logged into {{app}} in 60 days. Still need it? Confirm in 7 days or it gets reclaimed." with a #Trigger Form containing "Keep" / "Reclaim".

  4. schedule_action wake 7 days later to check the form response.

  5. On wake, branch on response:

    • Keep → log to internal note, #Send Direct Message confirming, no further action.

    • Reclaim or no response → execute reclamation:

      • For Okta-managed app → #Remove from Group for the entitlement group.

      • For app with native API → call the custom {{App}} Remove Seat action.

  6. #Send Direct Message to the user confirming reclamation with re-request instructions if needed.

  7. #Send Channel Message to #it-licenses with: user, app, seat reclaimed, savings estimate.

  8. #Create Linear Issue weekly summarizing total seats reclaimed and dollar savings.

Spend Monitoring Detection

Playbooks

/

Spend Monitoring Detection

Spend Monitoring Detection

Created by

Console Team

Published

Finance

Ramp

NetSuite

Conditions

Detection — scheduled scan every day at 6:00 AM America/Chicago

Instructions

  1. Pull spend:

  2. Compute baselines per employee / cost center / vendor / category.

  3. Detect anomalies:

    • Spike: today >3x trailing AND >$500.

    • New vendor: first transaction AND >$10k.

    • Unusual category: cost center with no history AND >$1k.

    • Late-night: card swipes midnight-5am local.

    • High-velocity: >10 transactions on same card in 1h.

    • Round-number suspicious: round numbers >$5k.

  4. For each flagged transaction:

  5. Routing:

    • High confidence (multiple signals): #Send Channel Message to #finance-anomaly + DM to cost-center owner + cardholder + finance lead.

    • Medium: DM cost-center owner with #Trigger Form for clarification.

    • Low: log for weekly batch.

  6. Potential fraud (late-night + high-velocity + round + new vendor):

  7. schedule_action wake at 24h for responses.

  8. Weekly summary to #finance with counts + resolution rate.

  9. #Leave Internal Note per anomaly.

Proactive Device Health

Playbooks

/

Proactive Device Health

Proactive Device Health

Created by

Console Team

Published

IT

Kandji

Linear

Conditions

Detection — scheduled scan every 6 hours Conditions: Device matches: crash count ≥3 in 7 days, OR disk usage ≥90%, OR OS version more than 2 releases behind.

Instructions

  1. #List Devices (Kandji) with all enrolled devices.

  2. For each device, #Get Device Details and #Get Device Parameters to pull telemetry.

  3. Filter to devices matching any trigger condition.

  4. For each matching device:

    • #Lookup Users on device.assignedUserEmail to get the owner.

    • Skip if the user is on PTO/leave (check HR ingest) or if the same device was already pinged in the last 7 days.

  5. #Send Direct Message to the user: "Saw your laptop's been struggling — looks like {{issue summary}}. Want me to run the fix?" with #Trigger Form containing "Run fix" / "Schedule for later" / "Not now".

  6. schedule_action wake at 24 hours to check the form response.

  7. On wake, branch on response:

  8. schedule_action wake at 48 hours after the fix to verify resolution via re-checking telemetry.

  9. If still failing or user declined: #Create Linear Issue in the IT project assigned to a human technician.

  10. #Send Direct Message to the user confirming the outcome.

  11. #Leave Internal Note capturing the diagnosis and action.

Hardware Troubleshooting

Playbooks

/

Hardware Troubleshooting

Hardware Troubleshooting

Created by

Console Team

Published

IT

Kandji

Conditions

User reports a hardware issue (external monitor not detecting, Bluetooth keyboard won't pair, Zoom is choppy, audio drops).

Instructions

  1. #Lookup Users on the requester to identify the user.

  2. #List Devices (Kandji) filtered by assignedUserEmail to find their device(s).

  3. #Trigger Form to collect:

    • Symptom (peripheral / display / audio / network / performance)

    • When it started

    • What they've already tried

  4. #Get Device Details (Kandji) and #Get Device Parameters to pull current state.

  5. #Kandji Get Device Library Items Status to confirm required drivers/profiles are installed.

  6. #Search Knowledge Base for the symptom + device model for any known internal fixes.

  7. If no KB hit: #Web Research vendor docs (apple.com, Microsoft Learn, Dell, Logitech) for the specific symptom.

  8. Walk the user through fixes step-by-step via #Send Direct Message:

    • For peripherals → reset / re-pair / reinstall driver

    • For display → NVRAM reset, check cable, try alternate port

    • For audio/video → reset Core Audio / Windows audio service via Kandji script

    • For performance → free up RAM, check Activity Monitor / Task Manager

  9. After each step, ask "did that fix it?" via #Send Direct Message.

  10. If fixed → #Resolve Request.

  11. If hardware-failure signature detected → kick off IT-15 RMA & Repair flow.

  12. If still unresolved after exhausting steps → #Escalate Request to a human IT technician.

  13. #Leave Internal Note capturing the diagnosis trail and resolution path.

Lost Device → Remote Lock

Playbooks

/

Lost Device → Remote Lock

Lost Device → Remote Lock

Created by

Console Team

Published

IT

Okta

Kandji

Linear

Conditions

User reports a lost or stolen device ("left MacBook at airport", "phone with corporate apps stolen").

Instructions

  1. #Lookup Users on the requester with includeManager.

  2. #List Devices (Kandji) filtered by assignedUserEmail to find their device(s).

  3. #Trigger Form to collect:

    • Which device

    • Where it was last seen

    • When

    • Whether it might be recoverable or is confirmed lost/stolen

    • Whether they want a replacement

  4. #Get Device Details to confirm device state.

  5. Execute immediate containment in parallel:

  6. #Revoke All User Sessions (Okta) to invalidate any active sessions.

  7. If the user indicated the device is confirmed stolen:

  8. #Create Linear Issue in the security project with severity High, including device serial, last-seen location, user, timestamp.

  9. #Send Channel Message to #security with the incident summary and Linear link.

  10. #Send Channel Message to #it-alerts with the device + user.

  11. If replacement requested → trigger IT-14 New Device Order by creating a follow-up request.

  12. #Send Direct Message to the requester with:

    • Confirmation of containment actions taken

    • Replacement order status (if applicable)

    • Police report instructions (if stolen)

    • Insurance claim instructions

  13. schedule_action wake at 7 days to check if the device was recovered.

  14. #Leave Internal Note capturing all actions and timestamps.

RMA & Repair

Playbooks

/

RMA & Repair

RMA & Repair

Created by

Console Team

Published

IT

Kandji

Apple Business Manager

+3

Conditions

User reports a device needing repair ("laptop won't power on", "screen cracked", "keyboard sticking", "battery swelling").

Instructions

  1. #Lookup Users on the requester.

  2. #List Devices (Kandji) filtered by assignedUserEmail.

  3. #Trigger Form to collect:

    • Which device

    • Symptom description

    • Severity (can't work at all / partial use / cosmetic)

    • Whether they need a loaner immediately

  4. #Get Device Details to confirm device, serial number, purchase date, warranty status.

  5. Determine RMA path based on vendor:

  6. Capture the RMA case number and shipping label.

  7. If user needs a loaner (severity = can't work):

  8. #Send Direct Message to the user with RMA case, shipping label, loaner tracking, send-in instructions, expected turnaround.

  9. schedule_action daily wake to:

  10. On repair completion + return:

  11. #Leave Internal Note capturing RMA case, loaner ID, dates.

  12. #Resolve Request after loaner return.

Asset / Inventory Sync

Playbooks

/

Asset / Inventory Sync

Asset / Inventory Sync

Created by

Console Team

Published

IT

Kandji

Jira

Linear

+2

Conditions

Scheduled — daily incremental diff at 6:00 AM, full reconciliation quarterly on the 1st at 6:00 AM

Instructions

  1. Pull all data sources in parallel:

  2. Build a unified view by serial number and assigned user.

  3. Compute mismatches:

    • Lost-not-recovered: marked lost in any system but still active elsewhere.

    • Retired-but-active: marked retired in asset register but checking in to Kandji/Intune.

    • Employee-without-device: active employee in HR but no device assigned.

    • Device-without-owner: active device but unassigned or owner is offboarded.

    • Owner-mismatch: different owner in Kandji vs Jira Assets.

  4. For each mismatch:

    • Determine the asset owner (IT team member responsible).

    • #Send Direct Message to the asset owner with the mismatch, proposed fix, and a

    • #Trigger Form to approve / modify / dismiss.

  5. schedule_action wake at 7 days for each mismatch to check resolution.

  6. On wake: if mismatch still exists, #Create Linear Issue for IT to resolve.

  7. After full daily reconciliation:

  8. Quarterly run also produces a Linear summary issue with trend data via #Run Query.

Web-Sourced Troubleshooting

Playbooks

/

Web-Sourced Troubleshooting

Web-Sourced Troubleshooting

Created by

Console Team

Published

IT

Kandji

Conditions

Requester reports an issue with a vendor SaaS or OS ("Xcode failing on macOS 15", "Office keeps prompting for activation", "Chrome extension X not working").

Instructions

  1. #Lookup Users on the requester.

  2. #List Devices (Kandji) to get OS version and model.

  3. #Trigger Form to collect:

    • Application or service

    • Exact error message

    • When it started

    • What they've tried

  4. #Search Knowledge Base first for the symptom + application.

  5. If no KB hit or stale: #Web Research with a focused query like {{app}} {{error}} {{os_version}} targeting vendor docs.

  6. Synthesize the top fixes from web + KB into 3–5 steps.

  7. Walk the user through them in #Send Direct Message, asking "did that work?" after each.

  8. If a Kandji-side fix is needed: #Create Kandji Custom Script or custom Kandji Reinstall Library Item.

  9. On resolution → #Resolve Request and offer to save the fix back into a new KB article.

  10. If unresolved → #Escalate Request with the full diagnostic trail in #Leave Internal Note.

Outage Detection & Bulk Tagging

Playbooks

/

Outage Detection & Bulk Tagging

Outage Detection & Bulk Tagging

Created by

Console Team

Published

IT

Okta

Slack

GitHub

Conditions

Detection — PagerDuty webhook for major SaaS dependency (Slack, Okta, Google, GitHub) OR scheduled status-page poll every 5 minutes.

Instructions

  1. On trigger, identify the affected service from the alert payload.

  2. #Web Research the vendor's status page to confirm and get expected resolution time.

  3. If unconfirmed → wait 5 minutes and re-check; do not alert on noise.

  4. On confirmation:

  5. #Search Requests for open requests in the last 2 hours mentioning the affected service.

  6. For each matching request:

    • #Leave Internal Note tagging it as related to the outage.

    • Update the category to outage-{{service}} via custom action.

    • #Send Direct Message to the requester: "This looks related to an active {{service}} outage. We'll update you when resolved."

  7. schedule_action wake every 15 minutes to:

  8. On confirmed resolution:

  9. #Create Linear Issue post-outage for a retro doc with duration, impact, tagged-request count.

VIP Fast-Track

Playbooks

/

VIP Fast-Track

VIP Fast-Track

Created by

Console Team

Published

IT

Okta

PagerDuty

Conditions

Console Trigger — REQUEST_STARTED

Instructions

  1. #Lookup Users on the requester with includeGroups and includeManager.

  2. Determine VIP status — requester is VIP if any of:

    • In the vip Okta group (execs, board).

    • Title matches ^(CEO|CFO|CTO|COO|VP|SVP|Chief).

    • In active on-call rotation via #Get PagerDuty Oncall Users.

    • In customer-facing-active group (CSMs in an active meeting).

  3. If not VIP → exit without modification (let normal routing apply).

  4. If VIP:

  5. #Send Direct Message to the requester acknowledging fast-track and giving them the on-call engineer's name + ETA.

  6. #Leave Internal Note capturing VIP determination reason and on-call assignment.

  7. Continue handling the underlying request — do NOT resolve here; the on-call engineer takes over.

Time Off & Leave Requests

Playbooks

/

Time Off & Leave Requests

Time Off & Leave Requests

Created by

Console Team

Published

HR

Google Calendar

Slack

Workday

+2

Conditions

Requester asks for PTO, sick day, bereavement, jury duty, or other leave.

Instructions

  1. Parse start date, end date, leave type (PTO / sick / bereavement / jury / personal), and reason if provided.

  2. #Lookup Users on the requester with includeManager.

  3. #Custom Workday Get PTO Balance (or HiBob/UKG equivalent) for the requester, broken down by leave bucket.

  4. Validate the request:

  5. Branch on leave type:

    • PTO / personal → #Request Approval from manager.

    • Sick (≤3 days) → auto-approve, no approval needed.

    • Sick (>3 days) → auto-approve but custom Workday Trigger STD Eligibility Check.

    • Bereavement → auto-approve up to policy limit (e.g. 5 days); over that, manager approval.

    • Jury duty → auto-approve with proof-of-summons upload via #Trigger Form.

  6. On approval:

  7. #Send Direct Message to the requester confirming with dates, remaining balance, and out-of-office status.

  8. #Send Direct Message to the manager confirming the approved leave so they can plan coverage.

  9. If leave is >5 consecutive days, schedule_action wake 2 days before the user returns to send a "welcome back" prep with their unread Slack threads and the team's status updates.

  10. #Leave Internal Note capturing dates, type, approval path, balance impact.

  11. #Resolve Request.

Parental Leave Intake

Playbooks

/

Parental Leave Intake

Parental Leave Intake

Created by

Console Team

Published

HR

Google Calendar

Slack

Workday

+3

Conditions

Requester announces upcoming parental leave (birth / adoption / foster).

Instructions

  1. #Trigger Form to collect:

    1. Leave type (birth-mother / birth-partner / adoption / foster)

    2. Expected leave start date (or birth/placement date)

    3. Expected duration (auto-suggest based on policy + tenure)

    4. Whether they'll use FMLA (US) / STD / company top-up

    5. Manager email

    6. Backup contact info during leave (personal email)

  2. #Lookup Users on the requester with includeManager.

  3. #Custom Workday Get Parental Leave Policy to surface entitlement based on tenure and location.

  4. #Custom Workday Get PTO Balance to factor in any pre-leave PTO they want to use.

  5. Generate paperwork:

  6. Coordinate manager handoff:

  7. Pre-leave check-in:

    • schedule_action wake 14 days before leave start to #Send Direct Message to requester: "Two weeks until leave starts. Anything we still need to wrap up?"

  8. During leave:

  9. Return-from-leave 1:1:

  10. Coordinate benefits:

  11. #Send Direct Message to the requester confirming everything is set up.

  12. #Leave Internal Note capturing dates, paperwork status, manager handoff confirmation.

  13. #Resolve Request.

HR Policy & Benefits Q&A

Playbooks

/

HR Policy & Benefits Q&A

HR Policy & Benefits Q&A

Created by

Console Team

Published

HR

Conditions

Requester asks a benefits / handbook / leave / pay / policy question.

Instructions

  1. #Lookup Users on the requester to get location (for region-specific policies), department, and tenure.

  2. #Search Knowledge Base with the user's question as the query.

  3. For multi-region benefits content (parental leave, holidays, healthcare), filter to the requester's location. If multiple regions match, surface labeled variants.

  4. #Expand Knowledge Base Article for the top hit if more depth is needed.

  5. Compose the answer in #Send Direct Message:

    • Direct answer first (e.g. "You accrue 1.66 PTO days per month.")

    • Personalized context if available (e.g. "Based on your tenure, you're eligible for...").

    • Quoted source paragraph from the KB.

    • Source link to the policy doc.

  6. Ask if the answer resolved their question via a follow-up message.

  7. If user confirms → #Resolve Request.

  8. If user has follow-up questions or the policy is ambiguous:

    • For simple clarifications, loop back to step 2.

    • For complex / personal cases, #Prompt for Handoff to the benefits coordinator or HRBP based on topic.

  9. If no relevant KB hit at all:

  10. #Leave Internal Note capturing the KB articles surfaced and resolution path.

Employee Data Updates

Playbooks

/

Employee Data Updates

Employee Data Updates

Created by

Console Team

Published

HR

Okta

Slack

Workday

+1

Conditions

Requester wants to update personal info (home address, emergency contact, phone number, marital status, dependents).

Instructions

  1. Parse the update type from the request.

  2. #Lookup Users on the requester.

  3. #Trigger Form to collect the specific new values, depending on update type:

    • Address → street, city, state, zip, country, effective date

    • Emergency contact → name, relationship, phone, email

    • Phone → new number

    • Marital status → status, effective date, spouse info if adding to benefits

    • Dependents → name, DOB, SSN (if applicable), relationship

  4. Validate inputs:

    • Address → custom Validate Address (USPS/Smarty) action.

    • Phone → format check.

    • SSN → format check (no Luhn-style validation; just digit count).

  5. Write to HRIS via #custom Workday Update Worker (or HiBob/Rippling equivalent) with the new values.

  6. Propagate downstream changes:

  7. #Send Direct Message to the requester confirming what was updated, in which systems, and any downstream effects (e.g. "Your address change triggered a payroll tax recalc; you'll see this on your next paystub.").

  8. If marital / dependents change: #Send Email with QLE benefits enrollment link and 30-day deadline.

  9. #Leave Internal Note capturing fields changed and systems synced.

  10. #Resolve Request.

Role & Manager Changes

Playbooks

/

Role & Manager Changes

Role & Manager Changes

Created by

Console Team

Published

HR

Okta

Slack

Workday

Conditions

Internal transfer, promotion, reporting line change, or department change.

Instructions

  1. #Trigger Form to collect:

    • Employee being changed

    • New role / title

    • New manager

    • New department / team

    • Effective date

    • Comp change (yes/no, new amount, new band)

    • Justification

  2. #Lookup Users on the affected employee with includeManager and includeGroups.

  3. #Lookup Users on the requester (assume manager initiating) to validate authority.

  4. #Lookup Users on the new manager to confirm valid Okta record.

  5. Approval chain:

  6. On full approval, execute changes on effective date (use schedule_action if effective date is in the future):

  7. #Add Users To Channel for the new team's Slack channels; #Remove User From Channel for old team channels (with grace period of 30 days for handoff).

  8. #Send Direct Message to the employee confirming all changes.

  9. #Send Direct Message to both old and new managers explaining the transition.

  10. #Send Channel Message to #org-changes announcing the move.

  11. #Leave Internal Note capturing all changes and approval trail.

  12. #Resolve Request.

Compensation Requests

Playbooks

/

Compensation Requests

Compensation Requests

Created by

Console Team

Published

HR

Workday

+1

Conditions

Manager submits an off-cycle merit, market adjustment, sign-on bonus, retention bonus, or promotion comp request.

Instructions

  1. #Trigger Form to collect:

    1. Employee being adjusted

    2. Adjustment type (merit / market / sign-on / retention / promotion)

    3. Current comp (auto-fill from Workday)

    4. Proposed new comp

    5. Justification (free text)

    6. Market data attachment (if market adjustment)

    7. Effective date

  2. #Lookup Users on the employee and the requesting manager.

  3. #Custom Workday Get Comp Band for the employee's role and level to check if the proposed comp falls within band.

  4. #Custom Workday Get Compa-Ratio to show current and proposed compa-ratio.

  5. Validate request:

    1. In-band → standard approval path.

    2. Above band → require additional VP approval.

    3. Outside policy window (e.g. off-cycle merit when only quarterly cycles allowed) → require HRBP exception approval.

  6. Approval chain:

    1. #Request Approval from manager's manager (skip-level).

    2. #Request Approval from HRBP with justification + market data attached.

    3. #Request Approval from finance with budget impact calculation.

    4. If above band → #Request Approval from the VP/Chief.

  7. On full approval, on effective date:

    1. #Custom Workday Submit Comp Change with new comp, type, effective date.

    2. #Custom Workday Trigger Payroll Update for next pay cycle.

    3. If sign-on or retention bonus, custom Workday Schedule Bonus Payment.

  8. #Send Direct Message to the employee with a comp letter or update notification — composed from a template.

  9. #Send Direct Message to the manager confirming the change and the next paystub the employee will see.

  10. #Send Channel Message to #hrbp-comp for tracking.

  11. #Leave Internal Note capturing approval trail, justification, market data.

  12. #Resolve Request

Employment Verification

Playbooks

/

Employment Verification

Employment Verification

Created by

Console Team

Published

HR

Workday

DocuSign

Conditions

Requester needs an employment or income verification letter ("for my mortgage", "for my landlord", "for the visa lawyer").

Instructions

  1. #Trigger Form to collect:

    • Purpose (mortgage / rental / visa / loan / other)

    • Verifying party name, email, fax

    • What to include (employment only / employment + salary / employment + salary + bonus)

    • Any specific format required by the verifier

    • Delivery preference (email to verifier directly, or email to requester)

  2. #Lookup Users on the requester.

  3. #Custom Workday Get Employment Data to pull: hire date, current title, current comp, employment status (FT/PT), location, manager.

  4. If the request includes bonus / commission detail, #custom Workday Get YTD Compensation for the relevant breakdown.

  5. Generate the letter:

  6. Route for signature:

  7. On signature:

  8. #Send Direct Message to the requester confirming delivery method, date sent, and verifier contact.

  9. #Leave Internal Note capturing purpose, verifier, data included, delivery confirmation.

  10. #Resolve Request.

New Hire Onboarding

Playbooks

/

New Hire Onboarding

New Hire Onboarding

Created by

Console Team

Published

HR

Google Calendar

Slack

Workday

+1

Conditions

Webhook — Workday/HiBob/Rippling worker.hired Variables: $employee.email, $employee.firstName, $employee.lastName, $employee.preferredName, $employee.startDate, $employee.managerEmail, $employee.team, $employee.location, $employee.title, $employee.personalEmail

Instructions

  1. #Lookup Users to resolve the manager record from $employee.managerEmail.

  2. Determine the buddy:

    • #Search Graph the HR ingest for active team members on $employee.team with tenure >6 months.

    • Pick one not already buddying for someone else; capture buddy email.

  3. Pre-day-1 (fires immediately on webhook):

    • #Send Email to $employee.personalEmail with the welcome packet: handbook link, benefits enrollment link, day-1 logistics, dress code, what-to-bring, parking/transit info, manager intro.

    • Attach the team intro doc and the location-specific office welcome PDF.

  4. Day-1 calendar (fires 3 business days before $employee.startDate):

  5. Slack onboarding (fires on $employee.startDate at 9:00 AM local):

    • #Add Users To Channel for #welcome, #all-hands, #{{team}}, and #{{location}}-office.

    • #Send Channel Message to #welcome introducing the new hire with their preferred name, title, team, fun fact (collected via pre-start form if available), and a "say hi" prompt.

  6. Team channel intro:

  7. Manager + buddy nudge:

    • #Send Direct Message to the manager: pre-start checklist (set up 1:1 cadence, prep first-week agenda, intro to key collaborators).

    • #Send Direct Message to the buddy: their role (informal questions, lunch on day 2, check-in at end of week 1).

  8. schedule_action wake at end of day 1 to confirm with the new hire via #Send Direct Message: "How did day 1 go? Anything blocking you?"

  9. #Leave Internal Note capturing manager, buddy, calendar event IDs

Okta Password / MFA Reset

Playbooks

/

Okta Password / MFA Reset

Okta Password / MFA Reset

Created by

Console Team

Published

IT

Okta

Conditions

Requester reports being locked out, lost MFA device (YubiKey, phone, Authenticator), needs a password reset, or needs a factor reset.

Instructions

  1. #Search Okta User by Email for the requester to confirm the account exists and get the user ID.

  2. #Search Okta System Log Custom for user.account.reset_password and user.mfa.factor.reset events in the last 30 days for this user.

  3. #List User Factors to see current enrollments.

  4. Risk score the request based on:

    • 3+ resets in last 30 days → High

    • Login from new country or unusual IP in last 24h → High

    • Standard request from known device/location → Low

    • Recent suspicious activity in Okta log → Medium

  5. Identity verification per risk:

    • Low → ask 2 security questions inline (custom action to check answers against profile).

    • Medium → #Request Approval from the requester's manager (configured with requestersManager) confirming they spoke to the user.

    • High → #Prompt for Handoff to a security team member for live video ID verification.

  6. If verification fails or is denied: #Send Direct Message to the requester explaining next steps, #Send Channel Message to #sec-alerts, and #Resolve Request. Stop.

  7. Execute the reset based on the issue type:

  8. #Send Direct Message to the requester with confirmation and next-step instructions.

  9. If risk was High OR pattern-flag triggered (3+ resets): #Send Channel Message to #sec-alerts with the user, the reason, and the action taken.

  10. #Leave Internal Note on the request capturing risk score, verification method, and action taken.

  11. #Resolve Request.

Device Recovery / Unlock

Playbooks

/

Device Recovery / Unlock

Device Recovery / Unlock

Created by

Console Team

Published

IT

Okta

Kandji

Conditions

User reports being locked out of their laptop ("forgot FileVault password", "can't get past BitLocker", "MacBook is asking for recovery key").

Instructions

  1. #Lookup Users on the requester with includeManager.

  2. #List Devices (Kandji) filtered by assignedUserEmail = requester.email to find their device(s).

  3. If multiple devices, #Trigger Form to ask which device.

  4. #Get Device Details (Kandji) to confirm the device is enrolled and active.

  5. Risk check: #Search Okta System Log Custom for recent suspicious activity. If anomalous, escalate to Sec-12 flow.

  6. Identity verification:

  7. On approval: #Get Device FileVault Recovery Key (Kandji) for Mac, or custom Get BitLocker Recovery Key for Windows.

  8. #Send Direct Message to the requester with:

    • The recovery key

    • Step-by-step unlock instructions (different for Mac vs Windows)

    • Reminder to reset their password after unlock

  9. Wait for the requester to confirm they're back in via a follow-up message.

  10. After confirmation, #Send Direct Message suggesting they update their password and re-enroll FileVault/BitLocker.

  11. #Leave Internal Note capturing device serial, verification method, and outcome.

  12. #Resolve Request.

Just-In-Time (JIT) Access

Playbooks

/

Just-In-Time (JIT) Access

Just-In-Time (JIT) Access

Created by

Console Team

Published

Security

Okta

AWS

Snowflake

+1

Conditions

Requester asks for time-bound privileged access (AWS root, prod DB, financial systems, admin console).

Instructions

  1. Parse target system, role/entitlement, duration, and justification from the request.

  2. #Lookup Users on the requester with includeManager and includeGroups.

  3. #Trigger Form to collect:

    • Target system (dropdown of JIT-eligible systems)

    • Specific role or scope (e.g. "AWS prod read-only", "Snowflake admin")

    • Duration (max 8 hours, max 24 hours, max 7 days based on system tier)

    • Business justification (free text, min 50 chars)

    • Ticket/incident reference if responding to an incident

  4. Validate the request:

    • Requester is eligible for this system via custom Check JIT Eligibility.

    • Duration is within max allowed for the system tier.

    • Not already holding active JIT access for the same system.

  5. Approval chain:

  6. On full approval:

  7. schedule_action wake at the TTL to execute revocation:

    • Reverse of step 6 (Remove from Group / Detach Policy / Revoke Role).

  8. #Send Direct Message to the requester with: access details, expiry timestamp, system access URL, what they can/cannot do.

  9. #Send Channel Message to #security-jit logging the grant with: requester, system, role, duration, justification, ticket reference.

  10. #Custom Vanta Log JIT Event with the full audit trail.

  11. On revocation wake: #Send Direct Message to the requester confirming auto-expire; #Send Channel Message to #security-jit confirming revoke.

  12. #Leave Internal Note capturing approval trail and grant/revoke timestamps.

New Hire Provisioning

Playbooks

/

New Hire Provisioning

New Hire Provisioning

Created by

Console Team

Published

IT

Okta

Google Calendar

Slack

+5

Conditions

Webhook — Workday/HiBob/Rippling worker.hired Variables: $employee.email, $employee.firstName, $employee.lastName, $employee.role, $employee.department, $employee.startDate, $employee.managerEmail, $employee.location, $employee.shippingAddress

Instructions

  1. Use #Lookup Users to resolve the manager record from $employee.managerEmail.

  2. Determine the provisioning bundle based on $employee.department:

    • Engineering → GitHub, Datadog, AWS sandbox

    • Sales → Salesforce, Gong, Outreach, Sales Nav

    • All → Okta, Google Workspace, Slack

  3. Use #Create Okta User (Staged) with the email, first/last name, department, and manager.

  4. Use #Activate Okta User to activate the account and send the activation email.

  5. For each baseline group, call #Add to Group (Okta): all-employees, the department group, and the location group.

  6. Use #Add to Group (Google) for all@, {{department}}@, and {{location}}@.

  7. If $employee.department == "Engineering": #Invite User to Org (GitHub), #Add User to Team for the right team, #Invite User to Datadog, and grant AWS sandbox via #AWS IAM - List Attached User Policies + custom IAM attach.

  8. If $employee.department == "Sales": invite to Salesforce, Gong, Outreach, Sales Nav (custom actions).

  9. Use #Kandji Assign ADE Device User to pre-assign a device to $employee.email and ship to $employee.shippingAddress.

  10. Use #List Google Calendar Events to find the manager's calendar, then create a day-1 intro event and a buddy lunch via Google Calendar.

  11. Use #Invite to Channel to add the user to #welcome, #all-hands, and their team channel.

  12. Use schedule_action to wake on Monday 9am $employee.location time to post a welcome thread in the team channel via #Send Channel Message.

CRM Data Hygiene & Updates

Playbooks

/

CRM Data Hygiene & Updates

CRM Data Hygiene & Updates

Created by

Console Team

Published

RevOps

HubSpot

Salesforce

+5

Conditions

Requester asks to update a CRM record ("change opp owner to Jeff", "update close date to next Friday", "mark closed-lost to competitor as Serval").

Instructions

  1. Parse the request:

    • Target object (deal / opportunity / contact / company / lead).

    • Target identifier (deal name, ID, account name).

    • Field to update.

    • New value.

  2. #Lookup Users on the requester with includeGroups.

  3. Permission check:

    • #Custom Check CRM Permission for the requester on the target object and field.

    • Rep can update their own records.

    • Manager can update reports' records.

    • Ops can update any.

    • If permission denied → #Request Approval from the record owner.

  4. Locate the record:

  5. #Get HubSpot Deal Details with Activity Timeline (or contact/company equivalent) to confirm current state.

  6. Validate the new value:

    • For owner changes: #Lookup Users to confirm the new owner exists.

    • For close dates: must be future or current quarter unless requester is ops.

    • For stage changes: must follow stage progression (route through Rev-15 if backward jump).

    • For status changes: require closedLostReason if moving to closed-lost.

  7. Confirm with the requester via #Send Direct Message showing the diff: "Will change {{field}} from {{old}} to {{new}}. Confirm?"

  8. On confirm: #Update HubSpot Deal Properties (or custom Salesforce update action) with the new value.

  9. Log the change:

  10. #Send Direct Message to the requester confirming, including the deal link.

  11. If the owner changed: #Send Direct Message to the new owner with the handoff.

  12. #Leave Internal Note capturing the change and approval trail.

  13. #Resolve Request.

Identity Group Management

Playbooks

/

Identity Group Management

Identity Group Management

Created by

Console Team

Published

IT

Okta

Slack

Conditions

Requester asks to create, modify membership, or change ownership of an Okta/Google/Slack group (e.g. "create Okta group for brand campaign team", "remove Sarah from eng-leadership", "add this week's new hires to #all-eng").

Instructions

  1. Parse the action type (create / add members / remove members / delete / change owner), target group name, downstream systems (Okta / Google / Slack / all), and member list.

  2. Validate group name against naming convention (^[a-z][a-z0-9-]+$, max 40 chars). If invalid:

  3. #Lookup Users on the requester with includeGroups.

  4. Check authorization:

    • Create → requester must be in the group-creators Okta group or an IT admin.

    • Modify/Delete → requester must be the group owner OR an admin. Use #custom Get Group Owner action.

    • If unauthorized → #Request Approval from an IT admin.

  5. For Create:

  6. For Add members:

  7. For Remove members:

  8. For Delete: confirm with the requester via #Trigger Form ("This will delete the group across all systems — confirm?"), then call custom delete actions for Okta + Google + Slack.

  9. For role/manager-based sync (e.g. "add this week's new hires"): query the HR ingest via #Search Graph for matching users, then loop step 6.

  10. #Send Direct Message to the requester with a summary of changes.

  11. #Leave Internal Note capturing the action and downstream sync.

  12. #Resolve Request.

Contractor Access Expiration

Playbooks

/

Contractor Access Expiration

Contractor Access Expiration

Created by

Console Team

Published

IT

Okta

Slack

Workday

+1

Conditions

Scheduled — every day at 8:00 AM America/Chicago

Instructions

  1. Query the #custom Workday/HR ingest via #Search Graph for contractors with endDate between today + 5 days and today + 7 days.

  2. For each contractor, #Lookup Users on the engagement owner's email with includeSlackId.

  3. #Send Direct Message to the engagement owner with a #Trigger Form containing options: "Extend"(collect new end-date), "Expire on schedule", "Expire immediately".

  4. Use schedule_action to wake 5 days later to check the form response.

  5. On wake, branch on the response:

    • Extend → #custom Workday Update Contractor End Date with the new date, then #Send Direct Message confirming.

    • Expire on schedule or no response → schedule_action wake on the contractor's endDate to execute revocation.

    • Expire immediately → execute revocation now.

  6. Revocation sequence:

  7. #Create Linear Issue in the IT-Audit project documenting the revocation.

  8. #Send Channel Message to #it-audit with the contractor name, owner, expiry type, and revoked entitlements.

New Device Order

Playbooks

/

New Device Order

New Device Order

Created by

Console Team

Published

IT

Kandji

Apple Business Manager

+2

Conditions

User requests a new or replacement laptop, monitor, or peripheral.

Instructions

  1. #Lookup Users on the requester with includeManager and includeGroups to get role, department, location.

  2. #Trigger Form to collect:

    • Device type (laptop / monitor / accessory)

    • Reason (new hire / refresh / replacement / additional)

    • Specific model preference

    • Shipping address (default to address on file)

    • Needed-by date

  3. #List Devices (Kandji) to check existing assigned devices and age.

  4. Validate against role's approved spec:

  5. Determine approval tier:

    • <$2k → manager approval only.

    • $2k–$5k → manager + finance approval.

    • >$5k → manager + finance + VP approval.

  6. #Request Approval chained per tier.

  7. On approval, place the order:

  8. Capture the tracking number from the order response.

  9. schedule_action wake daily until delivered to:

  10. On delivery confirmation:

  11. #Leave Internal Note capturing model, price, approvers, tracking.

  12. #Resolve Request on delivery + setup confirmation.

Network Troubleshooting

Playbooks

/

Network Troubleshooting

Network Troubleshooting

Created by

Console Team

Published

IT

Okta

Kandji

Linear

+1

Conditions

Requester reports WiFi/VPN/connectivity issues ("VPN keeps dropping every 20 min", "can't reach internal DNS", "Berlin office connectivity slow").

Instructions

  1. #Lookup Users on the requester with includeManager to get location.

  2. #List Devices (Kandji) to identify their device(s).

  3. #Trigger Form to collect:

    • Symptom (drops / slow / can't connect / DNS / VPN)

    • Office or remote

    • When it started

    • Frequency

  4. Check upstream first:

  5. Check user-side:

  6. Attempt remediation:

    • VPN drops → custom Re-establish VPN Tunnel action.

    • DNS → #Create Kandji Custom Script to flush DNS cache and reset network interfaces.

    • Slow → run iperf script via Kandji and compare to baseline.

  7. Ask via #Send Direct Message if it's resolved after each remediation.

  8. If resolved → #Resolve Request.

  9. If unresolved or upstream issue: #Create Linear Issue in the networking project with the diagnostic bundle.

  10. #Send Channel Message to #network-ops for upstream issues.

  11. #Send Direct Message to the user with escalation and expected timeline.

  12. #Leave Internal Note with full diagnostic trail.

App Registration & SSO Setup

Playbooks

/

App Registration & SSO Setup

App Registration & SSO Setup

Created by

Console Team

Published

IT

Okta

1Password

Linear

+2

Conditions

IT or admin requests onboarding a new SaaS app with SSO ("we want to onboard Linear company-wide", "set up SSO for the new Highspot tenant").

Instructions

  1. #Trigger Form to collect:

    • App name and vendor URL

    • SSO protocol (SAML 2.0 / OIDC)

    • For SAML: ACS URL, entity ID, name ID format, certificate

    • For OIDC: redirect URI, scopes needed

    • SCIM endpoint + bearer token (if available)

    • Default user groups to provision (eng / product / design / all-company)

  2. #Lookup Apps to confirm the app isn't already onboarded. If it exists, ask the requester whether to modify or reject.

  3. #Request Approval from the security team for the new vendor (chain to Sec-18 if not already approved).

  4. Create the Okta app:

    • For SAML → custom Okta Create SAML App with ACS URL, entity ID, attributes mapping.

    • For OIDC → custom Okta Create OIDC App with redirect URI and scopes.

  5. #Create Okta Group (Custom) for default access: {{app-slug}}-users and {{app-slug}}-admins.

  6. #Add to Group to assign the requester to {{app-slug}}-admins.

  7. For each requested default group (eng/product/design/all-company): custom Okta Assign

  8. Group to App to grant baseline access.

  9. If SCIM endpoint provided: custom Okta Configure SCIM with the endpoint + token, then #Update 1Password App Username Template to set the username convention.

  10. Generate test credentials via custom Okta Create Test User and Assign action.

  11. #Send Direct Message to the requester with SSO sign-in URL, test creds, SCIM status, next steps.

  12. #Create Linear Issue in the IT project for follow-up tasks: app catalog entry, access policy creation, KB doc.

  13. #Leave Internal Note capturing the protocol, ACS URL, and groups configured.

  14. #Resolve Request.

AVD Assignment

Playbooks

/

AVD Assignment

AVD Assignment

Created by

Console Team

Published

IT

Azure DevOps

Entrata

+2

Conditions

Contractor in a restricted country or BYOD user needs an Azure Virtual Desktop session.

Instructions

  1. #Lookup Users on the requester with includeManager and includeGroups.

  2. #Search Graph in the custom HR/contractor ingest to find the engagement end-date.

  3. #Trigger Form to collect:

    1. Role-based image needed (eng tools / design tools / GTM tools)

    2. Country of access

    3. Engagement duration (auto-fill from HR ingest if available)

  4. #Request Approval from the requester's engagement owner.

  5. On approval, provision the AVD:

    1. #Custom Azure AVD Create Host Pool Assignment with image template and user UPN.

    2. #Custom Entra Assign User to AVD App scoped to this user only.

    3. #Custom Entra Set Conditional Access restricting sign-in to the engagement country.

  6. Time-box the access:

    1. schedule_action wake on the engagement end-date to call #custom Azure AVD

    2. Remove Assignment and Entra Revoke AVD App Access.

  7. #Send Direct Message to the requester with AVD connection URL, sign-in credentials, expiry date, support path.

  8. #Send Channel Message to #it-contractor-access logging the provision.

  9. #Leave Internal Note capturing image, country, end-date.

  10. #Resolve Request.

Slack Channel & Group Management

Playbooks

/

Slack Channel & Group Management

Slack Channel & Group Management

Created by

Console Team

Published

IT

Okta

Slack

Conditions

Requester asks to create, archive, modify visibility, or manage membership of a Slack channel or usergroup.

Instructions

  1. Parse: action (create / archive / unarchive / change visibility / add members / remove members / rename / set manager), target channel name, member list, visibility setting.

  2. Validate name against policy:

    1. Channels must match ^(launch|project|incident|team|all|fun|help|wg)-[a-z0-9-]+$.

    2. Length ≤ 80 chars.

    3. If invalid → #Send Direct Message explaining the rule.

  3. #Lookup Users on the requester.

  4. Authorization check:

    • Create → any employee.

    • Archive / rename / change visibility → requester must be a channel manager (#Get Channel Managers) or IT admin.

    • Private channel operations → require #Request Approval from a channel manager.

  5. #Search Channels to check if the channel already exists.

  6. Execute the action:

  7. If the request mentions pinning a doc: #Slack Pin Message action with the doc URL.

  8. #Send Direct Message confirming the change with the channel link.

  9. #Leave Internal Note capturing action, channel, members.

  10. #Resolve Request.

License Reclamation

Playbooks

/

License Reclamation

License Reclamation

Created by

Console Team

Published

IT

Okta

Lattice

Linear

+2

Conditions

Scheduled — every day at 9:00 AM America/Chicago

Instructions

  1. Query the custom Productiv ingest via #Search Graph for seats with no logins in 60+ days across Outreach, Gong, Lattice, Figma.

  2. For each stale seat:

    • #Lookup Users on the seat owner with includeManager and includeSlackId.

    • Skip if user was hired in the last 30 days (grace period) or has an active PTO/leave entry in HR ingest.

  3. #Send Direct Message to the user (cc manager in a separate DM): "You haven't logged into {{app}} in 60 days. Still need it? Confirm in 7 days or it gets reclaimed." with a #Trigger Form containing "Keep" / "Reclaim".

  4. schedule_action wake 7 days later to check the form response.

  5. On wake, branch on response:

    • Keep → log to internal note, #Send Direct Message confirming, no further action.

    • Reclaim or no response → execute reclamation:

      • For Okta-managed app → #Remove from Group for the entitlement group.

      • For app with native API → call the custom {{App}} Remove Seat action.

  6. #Send Direct Message to the user confirming reclamation with re-request instructions if needed.

  7. #Send Channel Message to #it-licenses with: user, app, seat reclaimed, savings estimate.

  8. #Create Linear Issue weekly summarizing total seats reclaimed and dollar savings.

Spend Monitoring Detection

Playbooks

/

Spend Monitoring Detection

Spend Monitoring Detection

Created by

Console Team

Published

Finance

Ramp

NetSuite

Conditions

Detection — scheduled scan every day at 6:00 AM America/Chicago

Instructions

  1. Pull spend:

  2. Compute baselines per employee / cost center / vendor / category.

  3. Detect anomalies:

    • Spike: today >3x trailing AND >$500.

    • New vendor: first transaction AND >$10k.

    • Unusual category: cost center with no history AND >$1k.

    • Late-night: card swipes midnight-5am local.

    • High-velocity: >10 transactions on same card in 1h.

    • Round-number suspicious: round numbers >$5k.

  4. For each flagged transaction:

  5. Routing:

    • High confidence (multiple signals): #Send Channel Message to #finance-anomaly + DM to cost-center owner + cardholder + finance lead.

    • Medium: DM cost-center owner with #Trigger Form for clarification.

    • Low: log for weekly batch.

  6. Potential fraud (late-night + high-velocity + round + new vendor):

  7. schedule_action wake at 24h for responses.

  8. Weekly summary to #finance with counts + resolution rate.

  9. #Leave Internal Note per anomaly.

Proactive Device Health

Playbooks

/

Proactive Device Health

Proactive Device Health

Created by

Console Team

Published

IT

Kandji

Linear

Conditions

Detection — scheduled scan every 6 hours Conditions: Device matches: crash count ≥3 in 7 days, OR disk usage ≥90%, OR OS version more than 2 releases behind.

Instructions

  1. #List Devices (Kandji) with all enrolled devices.

  2. For each device, #Get Device Details and #Get Device Parameters to pull telemetry.

  3. Filter to devices matching any trigger condition.

  4. For each matching device:

    • #Lookup Users on device.assignedUserEmail to get the owner.

    • Skip if the user is on PTO/leave (check HR ingest) or if the same device was already pinged in the last 7 days.

  5. #Send Direct Message to the user: "Saw your laptop's been struggling — looks like {{issue summary}}. Want me to run the fix?" with #Trigger Form containing "Run fix" / "Schedule for later" / "Not now".

  6. schedule_action wake at 24 hours to check the form response.

  7. On wake, branch on response:

  8. schedule_action wake at 48 hours after the fix to verify resolution via re-checking telemetry.

  9. If still failing or user declined: #Create Linear Issue in the IT project assigned to a human technician.

  10. #Send Direct Message to the user confirming the outcome.

  11. #Leave Internal Note capturing the diagnosis and action.

Hardware Troubleshooting

Playbooks

/

Hardware Troubleshooting

Hardware Troubleshooting

Created by

Console Team

Published

IT

Kandji

Conditions

User reports a hardware issue (external monitor not detecting, Bluetooth keyboard won't pair, Zoom is choppy, audio drops).

Instructions

  1. #Lookup Users on the requester to identify the user.

  2. #List Devices (Kandji) filtered by assignedUserEmail to find their device(s).

  3. #Trigger Form to collect:

    • Symptom (peripheral / display / audio / network / performance)

    • When it started

    • What they've already tried

  4. #Get Device Details (Kandji) and #Get Device Parameters to pull current state.

  5. #Kandji Get Device Library Items Status to confirm required drivers/profiles are installed.

  6. #Search Knowledge Base for the symptom + device model for any known internal fixes.

  7. If no KB hit: #Web Research vendor docs (apple.com, Microsoft Learn, Dell, Logitech) for the specific symptom.

  8. Walk the user through fixes step-by-step via #Send Direct Message:

    • For peripherals → reset / re-pair / reinstall driver

    • For display → NVRAM reset, check cable, try alternate port

    • For audio/video → reset Core Audio / Windows audio service via Kandji script

    • For performance → free up RAM, check Activity Monitor / Task Manager

  9. After each step, ask "did that fix it?" via #Send Direct Message.

  10. If fixed → #Resolve Request.

  11. If hardware-failure signature detected → kick off IT-15 RMA & Repair flow.

  12. If still unresolved after exhausting steps → #Escalate Request to a human IT technician.

  13. #Leave Internal Note capturing the diagnosis trail and resolution path.

Lost Device → Remote Lock

Playbooks

/

Lost Device → Remote Lock

Lost Device → Remote Lock

Created by

Console Team

Published

IT

Okta

Kandji

Linear

Conditions

User reports a lost or stolen device ("left MacBook at airport", "phone with corporate apps stolen").

Instructions

  1. #Lookup Users on the requester with includeManager.

  2. #List Devices (Kandji) filtered by assignedUserEmail to find their device(s).

  3. #Trigger Form to collect:

    • Which device

    • Where it was last seen

    • When

    • Whether it might be recoverable or is confirmed lost/stolen

    • Whether they want a replacement

  4. #Get Device Details to confirm device state.

  5. Execute immediate containment in parallel:

  6. #Revoke All User Sessions (Okta) to invalidate any active sessions.

  7. If the user indicated the device is confirmed stolen:

  8. #Create Linear Issue in the security project with severity High, including device serial, last-seen location, user, timestamp.

  9. #Send Channel Message to #security with the incident summary and Linear link.

  10. #Send Channel Message to #it-alerts with the device + user.

  11. If replacement requested → trigger IT-14 New Device Order by creating a follow-up request.

  12. #Send Direct Message to the requester with:

    • Confirmation of containment actions taken

    • Replacement order status (if applicable)

    • Police report instructions (if stolen)

    • Insurance claim instructions

  13. schedule_action wake at 7 days to check if the device was recovered.

  14. #Leave Internal Note capturing all actions and timestamps.

New Hire Onboarding

Playbooks

/

New Hire Onboarding

New Hire Onboarding

Created by

Console Team

Published

HR

Google Calendar

Slack

Workday

+1

Conditions

Webhook — Workday/HiBob/Rippling worker.hired Variables: $employee.email, $employee.firstName, $employee.lastName, $employee.preferredName, $employee.startDate, $employee.managerEmail, $employee.team, $employee.location, $employee.title, $employee.personalEmail

Instructions

  1. #Lookup Users to resolve the manager record from $employee.managerEmail.

  2. Determine the buddy:

    • #Search Graph the HR ingest for active team members on $employee.team with tenure >6 months.

    • Pick one not already buddying for someone else; capture buddy email.

  3. Pre-day-1 (fires immediately on webhook):

    • #Send Email to $employee.personalEmail with the welcome packet: handbook link, benefits enrollment link, day-1 logistics, dress code, what-to-bring, parking/transit info, manager intro.

    • Attach the team intro doc and the location-specific office welcome PDF.

  4. Day-1 calendar (fires 3 business days before $employee.startDate):

  5. Slack onboarding (fires on $employee.startDate at 9:00 AM local):

    • #Add Users To Channel for #welcome, #all-hands, #{{team}}, and #{{location}}-office.

    • #Send Channel Message to #welcome introducing the new hire with their preferred name, title, team, fun fact (collected via pre-start form if available), and a "say hi" prompt.

  6. Team channel intro:

  7. Manager + buddy nudge:

    • #Send Direct Message to the manager: pre-start checklist (set up 1:1 cadence, prep first-week agenda, intro to key collaborators).

    • #Send Direct Message to the buddy: their role (informal questions, lunch on day 2, check-in at end of week 1).

  8. schedule_action wake at end of day 1 to confirm with the new hire via #Send Direct Message: "How did day 1 go? Anything blocking you?"

  9. #Leave Internal Note capturing manager, buddy, calendar event IDs

Okta Password / MFA Reset

Playbooks

/

Okta Password / MFA Reset

Okta Password / MFA Reset

Created by

Console Team

Published

IT

Okta

Conditions

Requester reports being locked out, lost MFA device (YubiKey, phone, Authenticator), needs a password reset, or needs a factor reset.

Instructions

  1. #Search Okta User by Email for the requester to confirm the account exists and get the user ID.

  2. #Search Okta System Log Custom for user.account.reset_password and user.mfa.factor.reset events in the last 30 days for this user.

  3. #List User Factors to see current enrollments.

  4. Risk score the request based on:

    • 3+ resets in last 30 days → High

    • Login from new country or unusual IP in last 24h → High

    • Standard request from known device/location → Low

    • Recent suspicious activity in Okta log → Medium

  5. Identity verification per risk:

    • Low → ask 2 security questions inline (custom action to check answers against profile).

    • Medium → #Request Approval from the requester's manager (configured with requestersManager) confirming they spoke to the user.

    • High → #Prompt for Handoff to a security team member for live video ID verification.

  6. If verification fails or is denied: #Send Direct Message to the requester explaining next steps, #Send Channel Message to #sec-alerts, and #Resolve Request. Stop.

  7. Execute the reset based on the issue type:

  8. #Send Direct Message to the requester with confirmation and next-step instructions.

  9. If risk was High OR pattern-flag triggered (3+ resets): #Send Channel Message to #sec-alerts with the user, the reason, and the action taken.

  10. #Leave Internal Note on the request capturing risk score, verification method, and action taken.

  11. #Resolve Request.

Device Recovery / Unlock

Playbooks

/

Device Recovery / Unlock

Device Recovery / Unlock

Created by

Console Team

Published

IT

Okta

Kandji

Conditions

User reports being locked out of their laptop ("forgot FileVault password", "can't get past BitLocker", "MacBook is asking for recovery key").

Instructions

  1. #Lookup Users on the requester with includeManager.

  2. #List Devices (Kandji) filtered by assignedUserEmail = requester.email to find their device(s).

  3. If multiple devices, #Trigger Form to ask which device.

  4. #Get Device Details (Kandji) to confirm the device is enrolled and active.

  5. Risk check: #Search Okta System Log Custom for recent suspicious activity. If anomalous, escalate to Sec-12 flow.

  6. Identity verification:

  7. On approval: #Get Device FileVault Recovery Key (Kandji) for Mac, or custom Get BitLocker Recovery Key for Windows.

  8. #Send Direct Message to the requester with:

    • The recovery key

    • Step-by-step unlock instructions (different for Mac vs Windows)

    • Reminder to reset their password after unlock

  9. Wait for the requester to confirm they're back in via a follow-up message.

  10. After confirmation, #Send Direct Message suggesting they update their password and re-enroll FileVault/BitLocker.

  11. #Leave Internal Note capturing device serial, verification method, and outcome.

  12. #Resolve Request.

Just-In-Time (JIT) Access

Playbooks

/

Just-In-Time (JIT) Access

Just-In-Time (JIT) Access

Created by

Console Team

Published

Security

Okta

AWS

Snowflake

+1

Conditions

Requester asks for time-bound privileged access (AWS root, prod DB, financial systems, admin console).

Instructions

  1. Parse target system, role/entitlement, duration, and justification from the request.

  2. #Lookup Users on the requester with includeManager and includeGroups.

  3. #Trigger Form to collect:

    • Target system (dropdown of JIT-eligible systems)

    • Specific role or scope (e.g. "AWS prod read-only", "Snowflake admin")

    • Duration (max 8 hours, max 24 hours, max 7 days based on system tier)

    • Business justification (free text, min 50 chars)

    • Ticket/incident reference if responding to an incident

  4. Validate the request:

    • Requester is eligible for this system via custom Check JIT Eligibility.

    • Duration is within max allowed for the system tier.

    • Not already holding active JIT access for the same system.

  5. Approval chain:

  6. On full approval:

  7. schedule_action wake at the TTL to execute revocation:

    • Reverse of step 6 (Remove from Group / Detach Policy / Revoke Role).

  8. #Send Direct Message to the requester with: access details, expiry timestamp, system access URL, what they can/cannot do.

  9. #Send Channel Message to #security-jit logging the grant with: requester, system, role, duration, justification, ticket reference.

  10. #Custom Vanta Log JIT Event with the full audit trail.

  11. On revocation wake: #Send Direct Message to the requester confirming auto-expire; #Send Channel Message to #security-jit confirming revoke.

  12. #Leave Internal Note capturing approval trail and grant/revoke timestamps.

New Hire Provisioning

Playbooks

/

New Hire Provisioning

New Hire Provisioning

Created by

Console Team

Published

IT

Okta

Google Calendar

Slack

+5

Conditions

Webhook — Workday/HiBob/Rippling worker.hired Variables: $employee.email, $employee.firstName, $employee.lastName, $employee.role, $employee.department, $employee.startDate, $employee.managerEmail, $employee.location, $employee.shippingAddress

Instructions

  1. Use #Lookup Users to resolve the manager record from $employee.managerEmail.

  2. Determine the provisioning bundle based on $employee.department:

    • Engineering → GitHub, Datadog, AWS sandbox

    • Sales → Salesforce, Gong, Outreach, Sales Nav

    • All → Okta, Google Workspace, Slack

  3. Use #Create Okta User (Staged) with the email, first/last name, department, and manager.

  4. Use #Activate Okta User to activate the account and send the activation email.

  5. For each baseline group, call #Add to Group (Okta): all-employees, the department group, and the location group.

  6. Use #Add to Group (Google) for all@, {{department}}@, and {{location}}@.

  7. If $employee.department == "Engineering": #Invite User to Org (GitHub), #Add User to Team for the right team, #Invite User to Datadog, and grant AWS sandbox via #AWS IAM - List Attached User Policies + custom IAM attach.

  8. If $employee.department == "Sales": invite to Salesforce, Gong, Outreach, Sales Nav (custom actions).

  9. Use #Kandji Assign ADE Device User to pre-assign a device to $employee.email and ship to $employee.shippingAddress.

  10. Use #List Google Calendar Events to find the manager's calendar, then create a day-1 intro event and a buddy lunch via Google Calendar.

  11. Use #Invite to Channel to add the user to #welcome, #all-hands, and their team channel.

  12. Use schedule_action to wake on Monday 9am $employee.location time to post a welcome thread in the team channel via #Send Channel Message.

CRM Data Hygiene & Updates

Playbooks

/

CRM Data Hygiene & Updates

CRM Data Hygiene & Updates

Created by

Console Team

Published

RevOps

HubSpot

Salesforce

+5

Conditions

Requester asks to update a CRM record ("change opp owner to Jeff", "update close date to next Friday", "mark closed-lost to competitor as Serval").

Instructions

  1. Parse the request:

    • Target object (deal / opportunity / contact / company / lead).

    • Target identifier (deal name, ID, account name).

    • Field to update.

    • New value.

  2. #Lookup Users on the requester with includeGroups.

  3. Permission check:

    • #Custom Check CRM Permission for the requester on the target object and field.

    • Rep can update their own records.

    • Manager can update reports' records.

    • Ops can update any.

    • If permission denied → #Request Approval from the record owner.

  4. Locate the record:

  5. #Get HubSpot Deal Details with Activity Timeline (or contact/company equivalent) to confirm current state.

  6. Validate the new value:

    • For owner changes: #Lookup Users to confirm the new owner exists.

    • For close dates: must be future or current quarter unless requester is ops.

    • For stage changes: must follow stage progression (route through Rev-15 if backward jump).

    • For status changes: require closedLostReason if moving to closed-lost.

  7. Confirm with the requester via #Send Direct Message showing the diff: "Will change {{field}} from {{old}} to {{new}}. Confirm?"

  8. On confirm: #Update HubSpot Deal Properties (or custom Salesforce update action) with the new value.

  9. Log the change:

  10. #Send Direct Message to the requester confirming, including the deal link.

  11. If the owner changed: #Send Direct Message to the new owner with the handoff.

  12. #Leave Internal Note capturing the change and approval trail.

  13. #Resolve Request.

Your IT team could run like this too

Your IT team could run like this too