How can we help?

Workflow Triggers

Noga Tubi
Noga Tubi
  • Updated


When creating a workflow, you start by selecting a workflow trigger.

Torii has 2 types of triggers:

1. State-based triggers

These triggers define criteria that will be evaluated against Torii the next time data is synced with external sources (integrations). If an entity meets the criteria, the workflow will trigger and run through its actions sequentially.

The following state-based triggers are available:

  1. User meets criteria
  2. User joins
  3. User left
  4. App meets criteria
  5. New app discovered
  6. Closed app in use
  7. License not in use
  8. License Count Threshold
  9. Contract meets criteria

2. Event-based triggers

These triggers define 3d party app events which Torii continuously monitors. If an event happens in an integrated app, the workflow will trigger immediately and run through its actions sequentially.

The following event-based trigger is available:

10. App event

See below for descriptions and examples for each workflow trigger.

1. User meets criteria

  • This is the most powerful trigger, which allows you to define a combination of criteria per user. You can tie criteria to user attributes that are Torii-specific (e.g. number of apps used by a user), or to attributes related to an application that is integrated with Torii (e.g. user status in Okta, user hire date in BambooHR, user license type in Zoom and many more). You can also combine different criteria by adding several filters, to set up a highly specific trigger for unique scenarios in your organization.
  • The two scenarios where this trigger is especially useful are handling user onboarding and offboarding. You can define a unique set of criteria (e.g. active BambooHR users who belong to the Sales department and are located in Germany) and run onboarding actions when such users are first discovered (e.g. to create a Salesforce user, and users in other applications that the new employees will need).

2. User joins

  • Use this trigger to tie your workflow to user creation or hire date in your source of truth for the user lifecycle.
    • If your source of truth is an SSO (Google Workspace, Azure AD, Okta, OneLogin, or Jumpcloud), the workflow will be triggered each time Torii discovers a new user in these IDP providers.
    • If your source of truth is an HRMS, the workflow will be triggered each time Torii discovers a new user with a future hire date.
  • This trigger will help you to handle onboarding processes in your organization.
  • You can define to run various actions for the newly hired employees, e.g., creating users in various applications, sending emails to new employee managers, and many more.

3. User left

Important to know - 

If your source of truth is Google or Okta, past user attributes will be updated in Torii in real-time, and workflows with "User left" trigger will be triggered within 1h after a user was suspended, archived or deleted in Google or Okta. 

For other sources of truth, past user attributes will be updated in Torii only after the app defined as a source of truth is fully synced. 

Important to know - 

If your source of truth is Google or Okta, we recommend using App event trigger to initiate user offboarding in real time and without delays.

4. App meets criteria

  • Similar to the "User meets criteria" trigger, the "App meets criteria" trigger allows the creation of a dynamic set of criteria in the context of applications. See below examples of scenarios in which the trigger can be especially useful:
  1. Budget management facilitation. You can notify budget owners or department heads when an application in their purview exceeds a certain expense threshold.  note that expenses in Torii represent the last 12 months.
  2. Identifying new apps which are gaining popularity. You can send notifications about a new app once its users exceed a certain threshold to immediately draw IT attention to popular apps. You can also decide to automatically move this app to In Review state or Sanctioned state.
  3. Keeping your SAAS stack secure. You can send notifications about newly discovered apps with high-security risks, that were connected to Google Workspace, Azure AD, or Slack. Read more about how Torii calculates application risk levels here.

5. New app discovered

  • Use this trigger to initiate the workflow when Torii discovers a new app.
    The workflow will be triggered when an app is discovered through any connected data source - Torii browser extension, direct integration, your IDP provider, or expense data.
  • You might be interested in using this trigger to initiate application approval procedures. For example, use "New app discovered" to send a security questionnaire for new applications.

6. Closed app in use

  • The trigger fires once a day per app per user.
  • The trigger will only start workflows for users who use a closed app after the workflow's activation time.

7. License not in use

  • Use this trigger to identify employees who have not used applications they are assigned a license for during a fixed period of time. You can select which applications and which type of licenses to monitor. The inactivity period is configurable and can vary from 30 to 180 days.
  • Triggering workflows by "License, not in use" might be especially useful to remove wasted licenses and optimize your spending. For example, you can trigger the workflow when Torii identifies inactive pro-Zoom licenses and then deactivate these.
  • When using this workflow trigger, Torii will ONLY show licenses with a last used date, regardless of whether Torii has tracked any logins to the app in the defined inactivity period.

8. License Count Threshold

  • You can set up thresholds for a number of licenses per each app license type and license status. A workflow will run whenever its threshold is reached.
  • Using this trigger can help you optimize your license management processes to remove wasted licenses or, on the contrary, buy licenses in advance.
    For example, you can define a workflow to trigger when Torii identifies 5 and more Zoom basic licenses that have not been used recently and remove these.

9. Contract meets criteria

  • This trigger allows you to set up a flexible combination of criteria to apply to Torii contracts.
  • It can be especially helpful for effective renewal management. For example, you can trigger a workflow when a contract with more than 5 licenses that was planned to be renewed is approaching its end date and to send yourself a reminder to renew it.

10. App event

This trigger allows you to initiate workflows whenever a specific event happens in an integrated app. 

Torii currently supports:

  • 4 events for Google Workspace:
    • User was archived.
    • User was suspended. We only monitor suspensions carried out by an Admin in the Admin console, and not automatic suspensions executed by Google.
    • User was deleted.
    • User was assigned to org unit.   
  • 2 events for Okta:
    • User was deactivated (and their status was changed to deprovisioned)
    • User was deleted
  • Using this trigger is especially helpful to initiate user offboarding in real-time, in case you rely on Google Workspace or Okta to reflect user status in your org.



Can a Workflow be triggered more than once on the same object? (app, user, contract, or license)
Workflows will only trigger more than once on the same object if the object was changed and no longer match the criteria but then changed again to match the criteria.
  • A workflow triggers on "App has more than 10 users".
    It's triggered for Adobe when the user count reaches 11.
  • As Torii sees the user count for Adobe climb to 12, 13, 14, etc...the workflow will NOT continue to trigger because it already identified Adobe once before.
    If, however, Adobe's user count falls to 6 it no longer matches the workflow criteria. So if the user count jumps from 6 to 13, the workflow WILL trigger again because Adobe matches the criteria again.

Understand How Workflows Work

Manually Run Workflows


Was this article helpful?

0 out of 0 found this helpful

Have more questions? Submit a request