User defined email and REST API based notifications to manage GRC - long

Episode 5

Implementing Notifications

Advice on how best to implement Notifications


In this episode we will share recommendations as to how notifications are best implemented.

Configure Email Settings

Before you can use email notifications, eramba must be able to send emails. Make sure your email settings are working (the Install Guides cover this basic setup) before you configure any notification.

Same Notifications Everywhere

As you complete our Risk, Policy, Controls, Exceptions, etc. courses you will see that our recommended notifications are always the same.

  • One or more "warning" notifications to let people know about deadlines and provide you with feedback.
  • "Comments & Attachments" notifications to actually get notified when someone provides feedback (review, evidence, etc.).
  • One or more "filter" or "graphical report" notifications to let you know the list of items (Risks, Controls, Projects, Exceptions, etc.) that you will have to work on in the next couple of weeks due to deadlines, the list of things that are expired, etc.
  • One or more "warning" notifications to trigger Dynamic Statuses and warn people when things change on their items: a control failed an audit, a project was linked to a new item, an item is missing review evidence, etc.

You will find yourself configuring the same notifications on all modules, as most of the time you want to receive feedback and monitor items in the module (Filters and Dynamic Status).

Test, Test and Test

Before you send emails to anyone you can test all your notifications using a single item (create one Risk, one Policy, etc.). We explain this process in most courses on this learning platform, but we will repeat it in this guide.

Typically all items in eramba have more than one role: an "owner" (typically someone from the GRC team) and someone from IT, HR, Finance, etc. who has to provide you with feedback (Policy Review, Risk Review, etc.). So to test notifications you will need:

  • Two groups (one for GRC and another for "Users")
  • Two accounts, one in each of the groups above, with emails you can get access to
  • Access permissions set up for the "Users": when they log in because they received a notification, you want to make sure their access is limited to what you want them to do.

The above is explained in detail in our "Access Management" course.

  • Then all you need is to create one item (one policy, one risk, etc.) on the module you want to test and assign the groups above to the item. Set the deadline (review, audit, project deadline, exception deadline, etc.) for two days ahead of today. For example, if today is the 10th of August, set the deadline for the 12th of August.
  • Then create a -1 Day "warning" notification (it will trigger at midnight) and carefully adjust the custom roles and the email subject / body. On the "Custom Roles" set the groups you created above. Do not test notifications on a production module with hundreds of items!
  • Then create a "Comments & Attachments" notification and use the same "Custom Roles" you used on your "Warning" notification. This is important: you want the same people looped in on your notifications.

Wait until midnight when the "Warning" notification is sent.

  • When you get the emails, log in as the "User" and check that the access permissions are OK. Test providing comments and attachments (these emails might take up to one hour to be sent).

Some other recommendations:

  • Be careful with the awareness notifications: they can potentially send many emails, so it is best that you understand them well and have tested in detail how they work.
  • Let people know eramba is being implemented and that they will receive emails. This is important to avoid surprises.