4.4 Customizing Email Notification Templates

Identity Governance notifies users of tasks in their queue, as well as other review events, as specified in review definitions. Depending on your configuration, various events associated with functional areas, such as bulk data update, business role approval, request, review, Separation of Duties (SoD), and fulfillment, might trigger email notifications. For example, the Bulk Data Administrator can be notified when a bulk data template is generated and when a bulk data update occurs; and an SoD Policy Owner can be notified when a new SoD violation is detected after data source collection and publication. The application supplies default templates with preconfigured tokens for the email notifications and uses the templates as is unless you customize them for your environment.

Users must have a valid email in the Identity Governance catalog to receive notifications. If Self is specified as the recipient and a user affected by the policy has no email, the application will not send the notification to Customer, Global, or other authorized administrators. When a user has multiple email addresses in the catalog, Identity Governance sends the notification to only one email address.

IMPORTANT: Make sure users have a valid email because tasks such as Data and Certification policy violation use emails for remediations, and review and request approval tasks are also communicated via emails.

HINT: When setting up and testing Identity Governance notifications or testing preview review notifications, make sure you are using a test email system or test email addresses. For example, use fake mail, a mail catcher, or a test corporate mail server. Do not send emails to a live server while testing your system. If you have real email accounts in your test system, you can inadvertently send spam email to people in your company.

You can also customize the product name in email notifications to brand it for your organization. Contact your SaaS Operations Administrator to customize the product name.

For information about configuring Identity Governance to send email notifications, contact your SaaS Operations Administrator. For information about Review related notifications, see Section 25.1.9, Setting Review Notifications.

4.4.1 Modifying Email Templates

Identity Governance allows you to modify an XML file that contains the email text in the languages supported for Identity Governance. You can edit the XML file with one of the following programs to customize it for your organization:

  • XML editor

  • Text editor

  • Designer for NetIQ Identity Manager

To modify email template content:

  1. Log in to Identity Governance as a Customer or Global Administrator.

  2. Select Configuration > Notification Emails.

  3. Select a download option:

    • To customize all email templates in a single file, select Download XML. Depending on your browser settings, you might be prompted for the download path.

      NOTE: If prompted, do not rename the EmailTemplates.xml file. Identity Governance cannot upload a file that does not match the expected name.

    • To download the XML file for all the emails of a functional area in a single locale, select Implemented Locale from the View functional area drop-down list, then select the locale.

    • To download the XML file for a single email in all the implemented locales, select Email from the View functional area drop-down list, then click an email name.

      Optionally, select Email source preview (en) to view the template. Specify an email address to Send notification preview.

      Click Download XML.

  4. Modify the content in the email templates you have downloaded.

    NOTE: Do not modify any text in the code strings in the file. Identity Governance might not function correctly if you change the code strings. For descriptions of the email tokens, see Email Tokens.

  5. Save and close the files.

  6. To submit the modified files, click Import XML.

Email Tokens

When customizing emails, be careful in handling the tokens. Identity Governance allows the use of entities and their attributes in your email templates. Entity tokens must appear in the form:token-descriptions section to be processed. If an entity token appears only in the <body/> section of the template, it stays unresolved.

Some email templates expect only certain processing and entity tokens. Therefore, the product might not be able to replace a token with a value in some situations. For example, when an unexpected token is present in the template, an entity token is evaluated as null during notification preview, or an entity attribute was not collected and was resolved as null, the generated email might contain blank values or might contain the token as is. Notifications sent during review preview mode, which enables administrators and review owners to preview notifications, might not always replace tokens with values, and names seen in the preview might not be the names that are sent in the live mode email.
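The following pre-import check is an added example, not part of the product or its documentation: it compares the $name$ processing tokens in the downloaded file with those in the edited file, so a token damaged or mistyped during customization is caught before Import XML. The XML layout (one template per child of the root, identified by a name attribute) and both sample documents are constructed assumptions; only the token names come from this page.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Processing tokens in the form shown on this page, for example $reviewOwner$.
TOKEN = re.compile(r"\$([A-Za-z][A-Za-z0-9_]*)\$")

# Constructed sample standing in for the downloaded file (layout is an assumption).
ORIGINAL = """<templates>
  <template name="Certify Task Pending">
    <body><p>Open $certifyTaskLink$. Contact $reviewOwner$ at $reviewOwnerPhone$.</p></body>
  </template>
</templates>"""
# Constructed edit: one token lost its closing "$", another was retyped in the wrong case.
MODIFIED = (ORIGINAL.replace("$reviewOwner$ at", "<b>$reviewOwner</b> at")
            .replace("$certifyTaskLink$", "$certifyTasklink$"))

def tokens_per_template(xml_text):
    """Return {template key: Counter of tokens}; raises ET.ParseError on broken XML."""
    root = ET.fromstring(xml_text)
    result = {}
    for index, template in enumerate(root):
        # Assumption: each direct child of the root element is one email template.
        key = template.get("name", f"#{index}")
        chunks = list(template.itertext())
        chunks += [v for elem in template.iter() for v in elem.attrib.values()]
        result[key] = Counter(TOKEN.findall(" ".join(chunks)))
    return result

def lint(original_xml, modified_xml):
    """List the differences in token use between the download and the edited file."""
    try:
        after = tokens_per_template(modified_xml)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    before = tokens_per_template(original_xml)
    findings = []
    for key in sorted(before.keys() | after.keys()):
        old, new = before.get(key, Counter()), after.get(key, Counter())
        for tok in sorted((old - new).keys()):
            findings.append(f"{key}: token ${tok}$ removed or damaged")
        for tok in sorted((new - old).keys()):
            findings.append(f"{key}: token ${tok}$ not in the original template")
    return findings

if __name__ == "__main__":
    for line in lint(ORIGINAL, MODIFIED):
        print(line)
```

An empty result means the edit changed only the surrounding text. Entity tokens are not covered because their syntax is not shown on this page.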

The email templates use the following processing tokens:




Application ID, unused in the Certification External Provisioning Start Error template


Application name


Application name


Business role approver


Reviewer's full name


Link to task


Unused in the Certification External Provisioning Start Error template


Used in the generic email template


Bulk data feed curator


Fulfillment error


Error message text


Unused in the Certification External Provisioning Start Error template


Bulk data update definition


Full name of the fulfiller


The workflow hostname


Bulk data CSV file


URL link


The output message from a system process.


Used in the Certification Auto Provisioning Start Failed template


Owner of the SoD policy


List of application permissions


Workflow name used in the external fulfillment template


User that the task was reassigned from


Configured product name, such as Identity Governance or Access Review


User who reassigned the task


Optional comment entered at reassignment


Number of fulfillment items in a retry state


URL link to review

NOTE: Do not use this token in notification emails to users, such as reviewers who have limited access to reviews. Instead use the certifyTaskLink token.


Name of the review


Review owner’s name


Review owner’s phone number


List of business approval roles


Found in Certification Started and Certification Changed email templates with no reference to the token in the templates.


Task timeout in days


The user that terminated a review


Identity Governance user's full name


Used in the Detected SoD Violation email template.

NOTE: In instances where there are multiple review owners and the review uses any one of these listed templates:

  • Certification Approval Task Pending Reminder

  • Certification Approval Task Pending

  • Certify Task Past Due

  • Certify Task Pending Reminder

  • Certify Task Pending

  • Certify Task Reassignment

Identity Governance sends the email notification with the primary and the additional review owner’s phone numbers for the token $reviewOwnerPhone$ and their names for the token $reviewOwner$. If the $reviewOwnerPhone$ token is not present in the template, then Identity Governance lists the names of the review owners.

The email templates use the following entity and role-based tokens:

Entity Token

Entity Type




Primary (TO) address. Resolves to one of the following roles:

  • Review Owner

  • Reviewer

  • Auditor

  • Escalation Reviewer



Review instance



Attributes for the review definition



Task owner of a current review instance. Used only in notifications to task owners.



Reviewer of the previous review instance. Used only in task reassignment notifications.

The following table shows the current attribute definitions for the review based entity types.

Entity Type



  • certificationDate

  • endDate

  • expectedEndDate

  • startDate

  • lastStatusChange

  • validToDate

  • taskCount

  • taskCompleteCount

  • itemCount

  • itemCompleteCount

  • itemApproveCount

  • statusComment

  • auditorComment

  • startMessage

  • approvedBy

  • canceledBy

  • approvedByPolicy

  • status

  • owners

  • auditor


  • name

  • description

  • activeFromDate

  • activeToDate

  • latestValidToDate

  • startDate

  • isActive

  • duration

  • escalationTimeout

  • validFor

  • repeat

  • expirationExtension

  • reviewType

  • durationUnit

  • escalationTimeoutUnit

  • validForUnit

  • repeatUnit

  • expirationExtensionUnit

  • owners

  • auditor

4.4.2 Adding an Image to the Email Template

In addition to modifying an email template, you can also add an image or logo to the email template.

To add an image to the email template:

  1. Select the image you want to add to the template and encode it in base64 string format.

    HINT: Use the base64encode website or similar encoders to encode the image.

  2. Download the email template.

  3. Add the <img src="data:image/png;base64, %base64-value% "/> tag where you want the image to appear. For example, <p>Powered by <img src="data:image/png;base64,iVBORw0KAAA..."/></p>.

  4. Upload the modified email template.
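Steps 1 and 3 can be done locally with a short script, shown here as an added example that is not part of the product documentation: it checks the file signature, picks the matching MIME type, and builds the <img> tag with the image embedded as a base64 data URI. The size limit, the alt text, and the generated 1x1 PNG are assumptions made for the example.

```python
import base64
import html
import struct
import zlib

# File signatures of the formats handled here; the page's own example uses PNG.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
MAX_BYTES = 100 * 1024  # hypothetical limit that keeps the notification small

def img_tag(image_bytes, alt=""):
    """Return an <img> tag with the image embedded as a base64 data URI."""
    mime = next((m for sig, m in SIGNATURES.items() if image_bytes.startswith(sig)), None)
    if mime is None:
        raise ValueError("not a PNG, JPEG or GIF image")
    if len(image_bytes) > MAX_BYTES:
        raise ValueError(f"image is {len(image_bytes)} bytes, limit is {MAX_BYTES}")
    encoded = base64.b64encode(image_bytes).decode("ascii")
    return f'<img src="data:{mime};base64,{encoded}" alt="{html.escape(alt)}"/>'

def tiny_png():
    """Build a valid 1x1 grayscale PNG (constructed sample input)."""
    def chunk(kind, data):
        body = kind + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1 pixels, 8-bit grayscale
    idat = zlib.compress(b"\x00\x00")  # filter byte plus one black pixel
    return b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

if __name__ == "__main__":
    # For a real logo, read the file instead: open("logo.png", "rb").read()
    print("<p>Powered by " + img_tag(tiny_png(), alt="Company logo") + "</p>")
```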

4.4.3 Deleting a Custom Email Template

When you no longer want to use a custom email template, you can delete the custom template by clicking the custom email template name on the Notification Emails page, then clicking Delete.