IT OPS
New-Hire Cloudflare Access Grant-Gap Checker
On a new-hire event from HR, looks up which baseline Cloudflare Access apps the role should have and compares that list against what is actually granted, flagging the missing ones.
How it runs
The automated pipeline, trigger to output.
- Trigger: HR new-hire webhook received (HTTP webhook)
- Action: Look up role access baseline in Postgres (Postgres)
- Action: Query current Cloudflare Access grants for the email (Cloudflare)
- Logic: Compute baseline apps not yet granted
- Action: Open PagerDuty alert for the provisioning on-call (PagerDuty)
- Output: Post gap list to the IT provisioning Slack channel (Slack)
What it does
Catches under-provisioning, the inverse of orphaned access. When HR adds a new hire, it looks up the access baseline their role requires, compares it to what Cloudflare Access actually grants them, and alerts IT to any gaps so the new employee isn't blocked on day one.
When to use it
Use this when slow or incomplete provisioning is the pain rather than lingering access. It pairs naturally with the offboarding reconciler to cover both ends of the employee lifecycle against the same HR source of truth.
How it works
1. An HR new-hire webhook delivers the employee email and role. Verify the webhook's signature before acting on it: an unauthenticated endpoint here lets anyone page the on-call or seed a bogus gap list.
2. A logic step looks up the role's required Access app baseline from Postgres. An unmapped role should fail loudly rather than resolve to an empty baseline, which would read as "no gaps".
3. It queries Cloudflare for the grants the email currently holds. Access admits users through per-app policies (email, email domain, IdP group), so "granted" means at least one allow policy on the app matches the hire's identity.
4. A logic step computes the set of baseline apps not yet granted. Normalize email case on both sides first; HR and the identity provider rarely spell it the same way.
5. If gaps exist, it opens a PagerDuty alert for the provisioning on-call.
6. It posts the gap list to the IT provisioning Slack channel with the employee, role, and missing apps.
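The steps above, worked through as an added example (not code from the page or from the product it describes). It assumes an HR webhook signed with HMAC-SHA256 under a shared secret, a Postgres baseline table replaced by an in-memory dict, and Access app policies modelled loosely on the include/exclude/require rule shape; the app names, group IDs, emails and secret are all constructed for illustration.

```python
import hashlib
import hmac

# Assumption: the HR system signs each webhook body with HMAC-SHA256 under a
# shared secret and sends the hex digest in a header. Constructed secret.
HR_WEBHOOK_SECRET = b"rotate-me-in-your-secrets-manager"


def verify_hr_webhook(raw_body: bytes, signature_hex: str,
                      secret: bytes = HR_WEBHOOK_SECRET) -> bool:
    """Reject spoofed new-hire events before they can page anyone.
    Constant-time compare avoids leaking the expected MAC via timing."""
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature_hex)


def normalize_email(email: str) -> str:
    """HR and the identity provider rarely agree on case; fold before comparing."""
    return email.strip().lower()


# Constructed stand-in for the Postgres role -> baseline table.
ROLE_BASELINE = {
    "support-engineer": {"helpdesk", "internal-wiki", "ticket-admin"},
    "sales": {"crm", "internal-wiki"},
}


def baseline_for_role(role: str) -> set:
    """Fail loudly on an unmapped role: an empty baseline would be reported
    as 'no gaps' for a hire nobody provisioned."""
    try:
        return set(ROLE_BASELINE[role])
    except KeyError:
        raise ValueError(f"no access baseline defined for role {role!r}")


# Constructed Access apps. The policy shape (decision plus include/exclude/
# require rule lists) is modelled loosely on Cloudflare Access; treat the
# exact field names as an assumption, not the API contract.
ACCESS_APPS = [
    {"name": "internal-wiki", "policies": [
        {"decision": "allow", "include": [{"email_domain": {"domain": "example.com"}}],
         "exclude": [], "require": []}]},
    {"name": "helpdesk", "policies": [
        {"decision": "allow", "include": [{"group": {"id": "grp-support"}}],
         "exclude": [], "require": []}]},
    {"name": "ticket-admin", "policies": [
        {"decision": "allow", "include": [{"email": {"email": "lead@example.com"}}],
         "exclude": [], "require": []}]},
    {"name": "crm", "policies": [
        {"decision": "allow", "include": [{"everyone": {}}],
         "exclude": [{"group": {"id": "grp-contractors"}}],
         "require": [{"email_domain": {"domain": "example.com"}}]}]},
]


def rule_matches(rule: dict, email: str, groups: set) -> bool:
    """Evaluate one selector rule against a normalized email and IdP groups."""
    if "everyone" in rule:
        return True
    if "email" in rule:
        return normalize_email(rule["email"]["email"]) == email
    if "email_domain" in rule:
        return email.rsplit("@", 1)[-1] == rule["email_domain"]["domain"].lower()
    if "group" in rule:
        return rule["group"]["id"] in groups
    return False  # unknown selector type: deny by default


def policy_allows(policy: dict, email: str, groups: set) -> bool:
    """Allow iff decision is allow, some include matches, no exclude matches,
    and every require matches."""
    if policy.get("decision") != "allow":
        return False
    if not any(rule_matches(r, email, groups) for r in policy["include"]):
        return False
    if any(rule_matches(r, email, groups) for r in policy["exclude"]):
        return False
    return all(rule_matches(r, email, groups) for r in policy["require"])


def granted_apps(email: str, groups: set, apps=ACCESS_APPS) -> set:
    """Apps the user can actually reach: at least one policy allows them."""
    email = normalize_email(email)
    return {a["name"] for a in apps
            if any(policy_allows(p, email, groups) for p in a["policies"])}


def compute_gaps(role: str, email: str, groups: set, apps=ACCESS_APPS) -> list:
    """Baseline apps not yet granted, sorted for a stable Slack/PagerDuty message."""
    return sorted(baseline_for_role(role) - granted_apps(email, groups, apps))


if __name__ == "__main__":
    body = b'{"email":"Dana.Reyes@Example.com","role":"support-engineer"}'
    sig = hmac.new(HR_WEBHOOK_SECRET, body, hashlib.sha256).hexdigest()
    assert verify_hr_webhook(body, sig)
    print(compute_gaps("support-engineer", "Dana.Reyes@Example.com", {"grp-support"}))
```

Two design choices matter for the alert quality. Apps the hire can reach but that are not in the baseline (`crm` for the support engineer above) are deliberately not reported; over-provisioning is the offboarding reconciler's job, and mixing the two lists makes the page noisy. And an exclude rule beats an include, so a contractor group membership correctly produces a gap even for an "everyone" app.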
Set it up
What you configure once, before turning it on.
1. Connect HTTP webhook: trigger any URL on agent actions. Put a shared-secret signature check on the HR endpoint so only the HR system can fire it.
2. Connect Postgres: any Postgres URL; query, write, migrate. This workflow only reads the baseline table, so a read-only database role is enough.
3. Connect Cloudflare: Workers, Pages, R2, KV; the edge stack. This workflow needs only read access to Access applications and policies, so scope the API token to that rather than account-wide.
4. Connect PagerDuty: incidents, on-call, escalations.
5. Connect Slack: channels, DMs, threads, mentions.
6. Set each agent's model: models are left unset so you pick the tier, fast and cheap or top quality.
7. Tune it to your data: edit the prompts, filters, and field mappings so it matches how your team works.
8. Test, then turn it on: run once against a sample, confirm the output, then enable the trigger.
More IT Ops workflows
Recurring Sensor Fault Root-Cause Investigator
On a schedule, an agent reviews recent Monday work orders and BigQuery telemetry to identify equipment with repeating faults, drafts a root-cause hypothesis with a recommended fix.
Daily Building Anomaly Digest to MS Teams
Each morning queries BigQuery for the prior day's flagged sensor anomalies, summarizes them by site and system into a ranked briefing.
Agentic Inactive-Seat Reclamation Review
An agent investigates each idle SaaS seat by correlating SSO login gaps with HR status and ticket history, classifies it as reclaim, hold, or escalate, and drafts a reasoned…
Reconcile SSO logins against expense spend to find unmanaged tools
Joins SSO usage data with expense/payment records in Snowflake to surface tools that are being used but not paid for, or paid for but never logged.
Approved-Seat Deprovision Execution
Fires when an IT approver confirms a seat for removal, then executes deprovisioning via the IdP API and logs the action to an audit table and a Linear cleanup ticket.
HVAC Anomaly Detection to Severity-Routed Work Orders
Ingests building HVAC telemetry via webhook, flags out-of-band temperature, pressure, or runtime readings.