Email template variables reference
OpenIAM email templates support dynamic variables — placeholders that are automatically replaced with real values (like a user's name, a reset link, or an approval link) when the email is sent. This page lists each template and the variables available in it.
Variables are written using the following format inside the template body:
${req.getNotificationParam("variableName").valueObj}— for most variables.${user.firstName},${user.lastName}— for direct user properties (where noted).
Available templates and their variables
Password and account
REQUEST_PASSWORD_RESET is sent when a user initiates a password reset.
| Variable | Returns |
|---|---|
${req.getNotificationParam("baseUrl").valueObj} | Base URL (protocol from ContentProvider SSL) |
${req.getNotificationParam("token").valueObj} | Password reset token |
${req.getNotificationParam("firstName").valueObj} | User's first name |
${req.getNotificationParam("lastName").valueObj} | User's last name |
${req.getNotificationParam("companyName").valueObj} | Company name |
USER_RESET_PASSWORD_ACTIVATION_NOTIFICATION is sent when password reset type is set to Activation Link.
| Variable | Returns |
|---|---|
${req.getNotificationParam("baseUrl").valueObj} | Base URL + /idp/activate path |
${req.getNotificationParam("token").valueObj} | Activation token |
${req.getNotificationParam("userId").valueObj} | User ID |
${req.getNotificationParam("firstName").valueObj} | User's first name |
${req.getNotificationParam("lastName").valueObj} | User's last name |
${req.getNotificationParam("companyName").valueObj} | Company name |
${user.firstName}, ${user.lastName} | Via bound user object |
USER_PASSWORD_EMAIL is sent after a password has been changed (confirmation notification).
| Variable | Returns |
|---|---|
${req.getNotificationParam("identity").valueObj} | User's login name |
${req.getNotificationParam("password").valueObj} | New password (if applicable) |
${req.getNotificationParam("firstName").valueObj} | First name |
${req.getNotificationParam("lastName").valueObj} | Last name |
${req.getNotificationParam("userAgent").valueObj} | Browser/user agent |
${req.getNotificationParam("time").valueObj} | Time of change |
${req.getNotificationParam("ipAddress").valueObj} | IP address |
FORGOT_USER_NAME is sent when a user requests a username reminder.
| Variable | Returns |
|---|---|
${req.getNotificationParam("identity").valueObj} | User's login name |
${req.getNotificationParam("firstName").valueObj} | First name |
${req.getNotificationParam("lastName").valueObj} | Last name |
${req.getNotificationParam("companyName").valueObj} | Company name |
OTP_CODE
Sent during OTP-based authentication.
| Variable | Returns |
|---|---|
${req.getNotificationParam("EMAIL_TOKEN").valueObj} | One-time password code |
${req.getNotificationParam("identity").valueObj} | User's login name |
${req.getNotificationParam("managedSystemName").valueObj} | Managed system name |
${req.getNotificationParam("companyName").valueObj} | Company name |
ACCOUNT_LOCKED
Sent when a user account is locked due to failed login attempts.
| Variable | Returns |
|---|---|
${user.firstName} | User's first name |
${user.lastName} | User's last name |
PASSWORD_HAS_BEEN_COMPROMISED
Sent when a user's password is detected in a known data breach (via HaveIBeenPwned).
| Variable | Returns |
|---|---|
${req.getNotificationParam("user").valueObj.displayName} | User's display name |
${req.getNotificationParam("BREACH_COUNT").valueObj} | Number of breaches the password appeared in |
Note: Default templates ship uncompiled. If variables appear as raw text, open the template in Administration > Mail Template Editor and click Save (no edits needed).
New User and activation
NEW_USER_ACTIVATION_NOTIFICATION
Sent to a newly created user with an account activation link.
| Variable | Returns |
|---|---|
${req.getNotificationParam("baseUrl").valueObj} | Activation URL base |
${req.getNotificationParam("token").valueObj} | Activation token |
${req.getNotificationParam("userId").valueObj} | User ID |
Workflow and approvals
The following workflow templates share a common set of variables populated by the notification engine. Not all variables are applicable to every template — use only those relevant to your use case.
Templates in this group:
DELEGATE_TASK · ESCALATE_TASK · APPROVER_REMINDER · CANCEL_REQUEST · DELETE_WRONG_TASK · ACCESS_REQUESTED_ON_BEHALF · REVOKE_ACCESS_INITIATED_ON_BEHALF · STEP_APPROVED · CREATE_USER_REQUEST_STEP_APPROVED · REVOKE_ACCESS_REQUEST_STEP_APPROVED · ORIGINAL_APPROVER_NOTIFY · ORIGINAL_APPROVER_NOTIFY_ABOUT_MISSED_TASK · WORKFLOW_ERROR_OCCURRED
| Variable | Returns |
|---|---|
${req.getNotificationParam("REQUEST_ID").valueObj} | Request ID. |
${req.getNotificationParam("REQUEST_REASON").valueObj} | Request notes/reason. |
${req.getNotificationParam("REQUESTOR").valueObj} | Name of the person who made the request. |
${req.getNotificationParam("REQUESTOR_LOGIN").valueObj} | Login of the requestor. |
${req.getNotificationParam("REQUESTEE").valueObj} | Name of the target user. |
${req.getNotificationParam("REQUESTEE_LOGIN").valueObj} | Login of the target user. |
${req.getNotificationParam("TARGET_USER").valueObj} | Target user display name. |
${req.getNotificationParam("DELEGATOR").valueObj} | Delegating user's name. |
${req.getNotificationParam("DELEGATOR_LOGIN").valueObj} | Delegating user's login. |
${req.getNotificationParam("TASK_NAME").valueObj} | Name of the workflow task. |
${req.getNotificationParam("DESCRIPTION").valueObj} | Task/request description. |
${req.getNotificationParam("COMMENT").valueObj} | Comment on the request. |
${req.getNotificationParam("SUPERVISOR").valueObj} | Supervisor's display name. |
${req.getNotificationParam("SUPERVISOR_LOGIN").valueObj} | Supervisor's login. |
${req.getNotificationParam("REQUEST_ACCEPT_LINK").valueObj} | Direct link to accept the task. |
${req.getNotificationParam("REQUEST_REJECT_LINK").valueObj} | Direct link to reject the task. |
${req.getNotificationParam("REQUEST_VIEW_DETAILS_LINK").valueObj} | Link to view task details. |
${req.getNotificationParam("APPLICATION_NAME").valueObj} | Target application name. |
${req.getNotificationParam("REQUEST_GROUPS_STRING").valueObj} | Requested groups (formatted string). |
${req.getNotificationParam("REQUEST_ROLES_STRING").valueObj} | Requested roles (formatted string). |
${req.getNotificationParam("CREATE_USER_REQUEST_ENTITLEMENTS").valueObj} | All requested entitlements summary. |
${req.getNotificationParam("MY_TASKS_URL").valueObj} | Link to recipient's My Tasks page. |
${req.getNotificationParam("REASON").valueObj} | Alternative reason field. |
${user.displayName} | Notification recipient's display name (via bound user object). |
Additionally, CREATE_USER_REQUEST_STEP_APPROVED includes:
| Variable | Returns |
|---|---|
${req.getNotificationParam("IDENTITY").valueObj} | New user's login |
${req.getNotificationParam("PSWD").valueObj} | Initial password |
Access certification
ACCESS_CERT_REMINDER
Sent to campaign reviewers as a reminder.
| Variable | Returns |
|---|---|
${req.getNotificationParam("CAMPAIGN_NAME").valueObj} | Campaign name |
${req.getNotificationParam("CAMPAIGN_ID").valueObj} | Campaign ID |
${req.getNotificationParam("REQUEST_ID").valueObj} | Request ID |
${req.getNotificationParam("NUMBER_OF_USERS").valueObj} | Number of users to review |
${req.getNotificationParam("NUMBER_OF_ITEMS").valueObj} | Number of access items to review |
${req.getNotificationParam("REMINDERS_LEFT").valueObj} | Remaining reminder count |
${user.displayName} | Reviewer's display name |
ESCALATE_TASK_ACCESS_CERT_TASK
Sent when a certification task is escalated.
| Variable | Returns |
|---|---|
${req.getNotificationParam("CAMPAIGN_NAME").valueObj} | Campaign name |
${req.getNotificationParam("TARGET_USER").valueObj} | User being reviewed |
${req.getNotificationParam("TARGET_USER_LOGIN").valueObj} | Login of reviewed user |
${req.getNotificationParam("ACCESS_REVIEW_ITEMS").valueObj} | Summary of access items |
${req.getNotificationParam("ESCALATED_FROM").valueObj} | Escalation source type |
${req.getNotificationParam("ESCALATED_FROM_NAME").valueObj} | Name of original reviewer |
${req.getNotificationParam("ESCALATED_TO").valueObj} | Escalation target type |
${req.getNotificationParam("ESCALATED_TO_NAME").valueObj} | Name of new reviewer |
${req.getNotificationParam("REQUEST_ID").valueObj} | Request ID |
CERTIFICATION_COMPLETE_REPORT
Sent to campaign owners when a certification campaign completes.
| Variable | Returns |
|---|---|
${req.getNotificationParam("CAMPAIGN_NAME").valueObj} | Campaign name |
${req.getNotificationParam("TARGET_USER").valueObj} | Reviewed user |
${req.getNotificationParam("TARGET_USER_LOGIN").valueObj} | Reviewed user's login |
${req.getNotificationParam("REVIEWERS").valueObj} | List of reviewers |
${req.getNotificationParam("ACCESS_REVIEW_ITEMS").valueObj} | Access review summary |
${req.getNotificationParam("DELEGATED_ITEMS").valueObj} | Delegated review items |
${req.getNotificationParam("ESCALATED_ITEMS").valueObj} | Escalated review items |
${req.getNotificationParam("REQUEST_ID").valueObj} | Request ID |
Access lifecycle
ACCESS_IS_ALMOST_EXPIRED
Sent when a user's access is approaching its expiration date.
| Variable | Returns |
|---|---|
${req.getNotificationParam("USER").valueObj} | User object |
${req.getNotificationParam("DAYS_BEFORE_EXPIRATION").valueObj} | Days until access expires |
${req.getNotificationParam("EXPIRING_ACCESS").valueObj} | Description of expiring access |
${req.getNotificationParam("RENEW_EXPIRING_ACCESS_LINK").valueObj} | Link to renew access |
REQUEST_COMMENT_ADDED
Sent when a comment is added to a workflow request.
| Variable | Returns |
|---|---|
${req.getNotificationParam("REQUEST_VIEW_DETAILS_LINK").valueObj} | Link to the request |
${req.getNotificationParam("TYPE").valueObj} | Comment type |
${req.getNotificationParam("USER_NAME").valueObj} | Name of user who added the comment |
${req.getNotificationParam("CREATE_DATE").valueObj} | Date comment was added |
${req.getNotificationParam("NOTES").valueObj} | Comment content |
DUPLICATE_SELF_REGISTRATION_ATTEMPT
Sent when a self-registration is attempted for an account that already exists.
| Variable | Returns |
|---|---|
${user.firstName} | User's first name |
${user.lastName} | User's last name (via bound user object) |
USER_TERMINATE_NOTIFY_SUPERVISOR
Sent to a supervisor when a user account is terminated.
| Variable | Returns |
|---|---|
${req.getNotificationParam("TARGET_USER").valueObj} | Terminated user's display name |
${user.displayName} | Supervisor's display name (via bound user object) |