# Admin Change Role Notification

Provides an automated security workflow that monitors user role changes and sends real-time email notifications to system administrators when administrative roles are modified. This provides an audit trail and immediate awareness of critical permission changes within the system. The workflow is useful for:

* Detecting when user roles are added, removed, or modified.
* Immediately notifying administrators of role changes for high-privilege accounts.
* Providing visibility into permission escalations or de-escalations.
* Helping prevent unauthorized privilege changes.

<figure><img src="/files/MzPxUO2mahTLCHT7iHYr" alt="Workflow sequence - Admin Change Role Notification"><figcaption><p>Workflow sequence - Admin Change Role Notification</p></figcaption></figure>

The workflow is triggered by the **Update User** event, which fires whenever a user entity is updated in the system.

#### Workflow Process

1. **Detect Role Changes**: When a user is updated, the workflow checks if the user's roles field has changed. If no role changes occurred, the workflow stops.
2. **Store Updated User**: Captures the updated user entity into a token for use throughout the workflow.
3. **Filter Original Roles**: Removes the default "authenticated" role from the original roles list to focus only on meaningful administrative roles.
4. **Filter New Roles**: Removes the default "authenticated" role from the new roles list and trims whitespace to ensure clean data.
5. **Switch to Service Account**: Changes to a service user account with appropriate permissions to create and send email entities.
6. **Set Admin Roles List**: Defines which roles are considered "administrative" and should trigger notifications:
   * Content Admin
   * SEO Admin
   * Site Admin
   * Administrator (Super Admin)
7. **Admin Role Check**: Verifies that the role change involves administrative roles (not just "editor" or "authenticated"). If the change only affects non-admin roles like "editor", the workflow stops.
8. **Query Admin Users**: Retrieves the list of active administrator users who should receive the notification from the system.
9. **Send Notifications Loop**: For each administrator in the list:
   * Pops the first administrator from the list
   * Creates a role change notification email entity
   * Populates it with information about which user's roles changed
   * Queues the email to be sent
   * Loops back to send to the next administrator

The workflow continues until all administrators have been notified.
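
The decision logic of the steps above, modelled in Python as an added example (it is not the Varbase ECA model or code from this documentation). The `User` class, the function names and the email fields are hypothetical; the example assumes that a change "involves" an administrative role when a role from the admin list was added or removed, and that recipients are active users holding any role from that list.

```python
from dataclasses import dataclass

DEFAULT_ROLE = "authenticated"
# Role labels as listed on this page; real role identifiers may differ (assumption).
ADMIN_ROLES = {"Content Admin", "SEO Admin", "Site Admin", "Administrator"}


@dataclass(frozen=True)
class User:
    name: str
    mail: str
    roles: tuple
    active: bool = True


def meaningful_roles(roles):
    """Steps 3-4: trim whitespace and drop the default role."""
    cleaned = {r.strip() for r in roles}
    return {r for r in cleaned if r and r != DEFAULT_ROLE}


def role_change_notifications(original, updated, all_users):
    """Return the notification emails queued for one Update User event."""
    before = meaningful_roles(original.roles)
    after = meaningful_roles(updated.roles)
    added, removed = after - before, before - after
    # Step 1: stop when the roles did not change.
    if not added and not removed:
        return []
    # Step 7: stop when only non-admin roles (e.g. "editor") changed.
    if not (added | removed) & ADMIN_ROLES:
        return []
    # Step 8: recipients are active users holding an administrative role.
    queue = [u for u in all_users
             if u.active and meaningful_roles(u.roles) & ADMIN_ROLES]
    emails = []
    # Step 9: pop the first administrator, queue one email, repeat.
    while queue:
        admin = queue.pop(0)
        emails.append({
            "to": admin.mail,
            "subject": f"Role change for {updated.name}",
            "added": sorted(added),
            "removed": sorted(removed),
        })
    return emails
```

Removing an administrative role produces a notification just as granting one does, so de-escalations appear in the same audit trail as escalations.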


