Workflows 9
/Workflows automate one or more tasks within GEODI. They serve a variety of purposes, such as:
🔐 Data Remediation → Automatically delete, quarantine, or classify sensitive content identified during discovery
🚨 Alerts → Trigger notifications when risky or sensitive data is detected (e.g., a CV uploaded to a shared folder)
⚙️ Automation → After discovering, generate a report and send a notification automatically.
GEODI’s workflows can achieve much more, from compliance enforcement to advanced data lifecycle automation.
Workflow
A workflow in GEODI typically consists of 2 or 3 components:
1️⃣ Query or Source
Defines what content the workflow will act on.
This could be a predefined query (e.g., status:HasScanError) or a specific data source.
2️⃣ One or More Actions
Specifies what should happen to the content, such as:
Delete, quarantine, mask, or classify
Send an email, generate a report, etc.
3️⃣ Optional Trigger Condition
You may define an event-based trigger like:
“When discovery finishes”
“When new risky data is found”
However, all actions can be executed manually, regardless of conditions.
🧭 Accessing Workflows:
You can manage workflows from the top-right menu in the GEODI ES interface.
Permissions
Only users in the SystemAdmin group have the right to:
Create new actions
Execute existing actions
Run workflows involving critical operations (e.g., deletion, quarantine)
However, GEODI can run workflows based on the data owner's consent. This way, the data owner decides; the rest is automatic for more. https://decesw.atlassian.net/wiki/spaces/geodien/pages/5139464291
Query
The query defines which content the workflow will be executed on.
Some content in the query may not be processed, due to some reason:
An action like masking or classification may not support the content.
Content may be read-only.
The source may not support remediation.
The Enable remediation flag may be unchecked in the Project Wizard.
The content may be corrupt.
There could be an issue in the system (network, disk, or endpoint access). (may be processed in the next run)
For scheduled workflows, to prevent reprocessing the same content repeatedly, each workflow processes a given piece of content only once. Running the same workflow again will not, for example, reclassify content that was already processed. A re-run only includes new or modified content.
In contrast, Run Now processes all content every time it is executed.
Platform Support and Data Source Write Permissions
GEODI data remediation actions run on multiple platforms. To execute workflows such as deletion or in-place classification, two conditions must be met at the source level:
📌 Source Definitions: Remediation must be allowed. By default, this option is disabled. Starting with GEODI 9.0.148, for the project to continue and actions to run, the “Enable Remediation Workflows” checkbox must be selected in the project source, and the project must be saved again.
📌 User Permissions: The user/credential definitions used to access the source must have write permissions.
Workflow Monitoring
Workflows run in the background. You can monitor active workflows on the /manager/System Information page.
This page displays both running and completed workflows, and also provides access to error logs for each run.
Actions
Actions can be used individually, or multiple actions can be chained together. Some actions may have configurable options.
Many actions modify the original content. The index reflects these changes immediately or during the following discovery process.
Actions work on the EndPoint only if the GDE(Discovery Agent) is installed.
📂 Path Variables in Actions
Some actions require a path. In this case, you can use either an absolute path or the following variables:
📁 %AppData% → Defines your path relative to GEODIDATAFOLDER.
Example:%AppData%\Backups\ABC📁 %WsPath% → Defines your path relative to the workspace folder.
Example:%WsPath%\Maskeds🏷️ %WsName% → Returns the workspace name, which you can use in the file path.
Example:%AppData%\Backups\%WsName%,c:\test\info\%WsName%\WS1📁 %WsSSDPath% → The WsPath value defined for split indexes. Usage is similar to the others.
The given file paths are generated by the software at runtime.
If there is an error or permission issue in the path, you can identify it from the error logs.
Deletion
The deletion action removes the content that matches the source query from its original locations and permanently deletes it from the index.
Deletion is an irreversible action; please proceed with caution.
For the deletion action, the "Secure Deletion" option ensures that the deleted content is completely removed, making it unrecoverable.
Copy
Actions work on the original file. Before deletion (or any other operation like masking), you should use the copy action to create a backup of the original file in a secure location.
For quarantine, the files are stored in the specified directory with a unique folder structure, and each file contains information indicating its source.
The copy action can be used before deletion, encryption, or classification to save original content.
Mask/Anonymize
The mask action can mask or anonymize the original content based on the selected profile.
If you want a masked copy without modifying the original, you must select the file where the masked content will be stored. Similar to the copy action content, the masked content will be created in this file.
Selecting the "Change the Original" option will apply the masking directly to the original file.
License → Masking license is required
Classify
The Classify action automatically or manually classifies files according to the selected class.
From the interface, you choose the project from which the class information will be taken and the classification method (Auto or a specific class).
If you want a classified copy without modifying the original, you must select the file where the classified content will be stored. Similar to the copy action content, the classified content will be created in this file.
The original file will be classified by selecting the "Change the Original" option.
License→ Classification Lisansı gerekir
This action also replaces “Legacy Batch Classification” in GEODI 8.
Encrypt
If you want an encrypted copy without modifying the original, you must select a different folder where the encrypted content will be stored. Similar to the copy action content, the encrypted content will be created in this file.
The encrypt action creates an encrypted ZIP file alongside the original content. If a file is provided, the content will be created in the specified file, following the same structure as the copy action.
After encryption, you can use the Deletion action to remove the original content.
You can use the Email action to notify users upon completing a workflow.
Emails can be sent to individual users or LDAP/AD groups
You can attach a report summarizing the action that was performed (e.g., list of deleted or masked files)
This helps ensure transparency, auditability, and timely communication across teams
When No Content to process: Sometimes, no content matches the Workflow query, and an effectively empty mail is sent. To prevent this situation, check “Do not send if no content”.
📧 Email Addresses
Please enter the email address or group name you want to use and select it from the suggestion list. You can add multiple people or groups.👤 User → You can enter a user as
GeodiAdmin,user:GeodiAdmin, orDECE\ayse.yılmaz.👥 Group → You can enter a group as
GeodiGroupNameorgroup:GeodiGroupName. Wildcards (*) are supported.An email is sent to every user in the Geodi Group whose email address can be reached (either LDAP or GEODI users).
If it’s an LDAP group (not an individual LDAP user), the email will be sent to the group’s email address, not to each member.
📎 Attachments
Select files or reports that you want to attach to the email.📄 BodyReport
When BodyReport is selected, the report will appear directly in the email body. With the default Notification Report included in the installation, users can:Access workflow-related content directly from the email body.
Open the project directly from the email body.
This option significantly increases user engagement. The BodyReport is added after the regular email body content.
Events
Events determine the conditions under which a workflow will run. They are not mandatory; you can use the Manual Run/Run Now option.
Run at Specified Times
It runs at the specified time. For example, send an email every day, check a specific area daily, and delete sensitive content.
Run at the End of Every Scan
You can use it to run after or during the discovery process.
It can be used for tasks like classifying as you discover or sending me a report afterward.
Every note taken triggers a GEODI Scan, so your WF runs. To avoid this, add “-note” to the WF query.
Run Now
This option allows you to run the workflow immediately, even if it is linked to an event.
Examples
The following examples cover a few scenarios you can create with actions. You can design many more.
Quarantine and Send Email
Copy + Delete + Send Email
The email recipients can be a specific group.
You will determine which data to include through a query.
Create Masked Copy
Mask (This will create masked copies in the provided file) + Send Email
Classify as You Discover
Classify + Event (Classify during discovery and at the end of discovery)
Generate Report at the End of Scan and Send Email
Email (with attached report) + Event (During discovery and at the end of discovery)
Automatically Mask Risky Data
Query + Mask + Send Email
Create Alert
Query + Event (During discovery and at the end of discovery) + Send Email