Skip to main content
Access Templates define which applications and permissions a new hire receives based on their job role. When combined with an HRIS integration and auto-assignment rules, templates enable zero-touch onboarding—new employees automatically receive the right access without manual intervention. Org Admins and HR manage templates in the admin interface.
For how templates are used during onboarding (via Slack, web, or HRIS), see User Onboarding.

Creating an Access Template

  1. Go to Settings → Templates.
  2. Click New Access Template.
  3. Enter a Title (e.g., “Sales Manager”) and Description.
  4. Add applications and permissions:
    • Click Add Application and select from your managed applications.
    • Add Objects (repositories, vaults, channels) and their Roles/Permissions.
  5. Click Save.
Applications must be a managed application to appear in the dropdown.

Configuring Applications and Permissions

Each template can include multiple applications. For each application, you define:
  • Objects: Resources within an application (GitHub repositories, 1Password vaults, Slack channels).
  • Roles/Permissions: Permission levels for each object (Admin, Member, Read-only).

Single-select vs Multi-select

Some objects allow only one entitlement (e.g., a single role per application), while others allow multiple selections (e.g., membership in several teams).
Changes to a template apply immediately to all future onboardings. Existing user access is not affected.

Auto-Assignment Rules (HRIS)

Auto-assignment rules only apply to onboardings via an HRIS integration. For manual onboardings via Slack or web, templates are selected directly by the person handling the onboarding.
Auto-assignment rules determine which templates apply to a new hire based on their HRIS attributes. When a user is onboarded via an HRIS integration and their attributes match the rules, the template is applied automatically—enabling zero-touch provisioning.

Supported Attributes

  • Department — e.g., “Engineering”, “Sales”
  • Employment Type — e.g. Full-time, part-time, contractor
  • Role — e.g. “Senior Software Engineer”
  • Location — e.g. “Berlin”
  • Teams — e.g. “Payment”, “Claims”

Rule Conditions

Each rule has three parts:
ComponentDescription
AttributeThe HRIS field to match
OperatorHow to compare: Equals, Not Equals, Contains, Does not contain, Is set
ValueThe value to match against (not used for Is set)
You can add multiple conditions to a template. All conditions must match for the template to apply.
Use “Contains” for job titles to catch variations. Role contains "Engineer" matches “Software Engineer”, “Senior Engineer”, and “Engineering Manager”.

Enabling Auto-Assignment

  1. Open an access template and go to the Auto Assignment tab.
  2. Toggle Auto-assign this template to enable.
  3. Add one or more conditions.
  4. Click Save.
When disabled, the template can still be selected manually during onboarding but won’t be applied automatically via HRIS.

Attribute Priority (HRIS)

Attribute priority only affects automatic template matching via HRIS. For manual onboardings, you select the templates directly.
When multiple templates match a user’s HRIS attributes, AccessOwl uses attribute priority to resolve conflicting permissions.

How It Works

Templates are grouped by which attribute triggered the match. Higher-priority attributes override lower-priority ones for conflicting permissions:
  • Single-select permissions: The template from the higher-priority attribute wins.
  • Multi-select permissions: Entitlements are combined from all matching templates.
Example: If “Team” has higher priority than “Department”, a team-specific template overrides a department-wide template when both match.

Configuring Attribute Order

  1. On the Access Templates page, click Attribute Priority.
  2. Drag and drop to reorder. The top attribute has the highest priority.

Testing with the Simulator (HRIS)

The simulator tests auto-assignment rules for HRIS onboardings. It does not apply to manual template selection via Slack or web.
Use the Automation Simulator to preview which templates would apply to a hypothetical user before actual onboarding.
  1. On the Access Templates page, click Test Automation.
  2. Enter user attributes (Department, Role, Team, etc.).
  3. Click Simulate.
The results show:
  • Matched Templates: Which templates would apply, grouped by the triggering attribute.
  • Final Access Grants: The complete list of applications and permissions.
An “Undefined order” warning indicates multiple templates matched at the same priority level. Adjust your rules or attribute priority to resolve conflicts.

Best Practices

Template Organization

  • Create a General template for applications everyone needs (email, chat, calendar). Use the “Employment Type” attribute to apply access to all employees (with the Is set-operator).
  • Start with department-specific templates for different departments.
  • Use clear naming: “Engineering”, “Sales”.

Rule Design (HRIS)

  • Start broad and refine as needed.
  • Test rules with the simulator before using them for onboardings.
  • Review templates periodically to match organizational changes.

FAQ

AccessOwl receives the employee’s attributes (department, team, job title, etc.) from your HRIS integration. If any templates have auto-assignment rules that match these attributes, those templates are automatically applied. The employee receives all configured applications and permissions on their start date—no manual selection required. AccessOwl notified via HR Slack notification channel about onboarded people.
Yes. When multiple templates match (via HRIS auto-assignment) and include the same application, permissions are resolved based on attribute priority. Single-select permissions use the highest-priority template; multi-select permissions are combined.
If multiple templates define conflicting permissions at the same priority level and the conflict cannot be automatically resolved, AccessOwl creates a custom request for that application during onboarding. The application admin then receives a notification and can define the final permissions manually.
If no templates match the user’s attributes, no applications are pre-selected. The person handling onboarding can still manually select templates or individual applications.
Create a contractor-specific template and use the “Employment Type” attribute: Employment Type equals Contractor.