Approval links are a way to send manual actions that are waiting for user
input (pending actions) to users outside of the platform.
For example, if you are working with an end user that does not have access to
Google Security Operations, you could email them the approval link and (similarly to the
Pending actions widget or the Pending Actions tab in Your
Workdesk), they can approve or decline the action from wherever they are.
Consider the following use case: You are an MSSP building a playbook based on
a suspected phishing alert. You want to quarantine an infected computer on
your end customer's site but you want the IT manager in the end customer's
company to approve this action first. To send out this request to approve or
decline the action to the IT Manager in an email, you will need to assign an
approval link in the action.
Assign an approval link in an action
In the playbook you are building, select the Carbon Black Quarantine
Device action. This action is the one we want the end user to approve.
Change the Action Type to Manual. The Approval link
toggle displays.
Enable the Approval link toggle. This automatically creates
placeholders (with links to approve or decline the Quarantine Device) which can
then be used in any action preceding this one in the playbook.
You can assign the manual action to a specific user or SOC role, or leave it
blank.
Optionally, you can enable the Time to respond toggle in conjunction
with the Approval link toggle. This will specify a specific time by which
the end user (or indeed anybody in the platform) must respond to the email by
clicking one of the links.
Drag a Send Email action to directly before the Carbon
Black Quarantine Device action in the playbook.
In the Send Email action, fill out the recipient email address.
While in the email body, click
data_array
and click
individually on the approve and decline links to place them in the message.
Make sure you have written an email first before you pop in the
placeholders.
Pro Tip: Wrap the sentence in HTML links so that the approval link appears as a
hypertext link.
Make sure to save your playbook. Once an alert that matches the playbook
trigger enters the system, the playbook will start running and when it reaches
the Send Email step, an email with instructions to click approve or
decline will be sent to the defined recipient.
You can also take the approval links and use them wherever or however you want
to. For example, in an HTML widget when building a playbook view,
playbook actions such as Send to Slack, or Send SMS with Twilio.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eApproval links in Google SecOps SOAR allow manual actions awaiting user input to be sent to users outside the platform.\u003c/p\u003e\n"],["\u003cp\u003eThese links enable external users to approve or decline actions, similar to the "Pending actions" features within the platform.\u003c/p\u003e\n"],["\u003cp\u003eTo use an approval link, designate an action as "Manual," enable the "Approval link" toggle, and then use a preceding "Send Email" action to send the approve/decline links.\u003c/p\u003e\n"],["\u003cp\u003eYou can set a response time limit when using approval links to ensure timely user feedback.\u003c/p\u003e\n"],["\u003cp\u003eThe generated approval links are versatile and can be placed in locations other than email, like HTML widgets, Slack messages, or SMS texts.\u003c/p\u003e\n"]]],[],null,["# Assign approval links in actions\n================================\n\nSupported in: \nGoogle secops [SOAR](/chronicle/docs/secops/google-secops-soar-toc) \nApproval links are a way to send manual actions that are waiting for user\ninput (pending actions) to users *outside* of the platform.\nFor example, if you are working with an end user that does not have access to\nGoogle Security Operations, you could email them the approval link and (similarly to the\n**Pending actions** widget or the **Pending Actions** tab in **Your\nWorkdesk**), they can approve or decline the action from wherever they are.\n\nConsider the following use case: You are an MSSP building a playbook based on\na suspected phishing alert. You want to quarantine an infected computer on\nyour end customer's site but you want the IT manager in the end customer's\ncompany to approve this action first. To send out this request to approve or\ndecline the action to the IT Manager in an email, you will need to assign an\napproval link in the action.\n\nAssign an approval link in an action\n------------------------------------\n\n1. In the playbook you are building, select the **Carbon Black Quarantine\n Device** action. This action is the one we want the end user to approve.\n2. Change the **Action Type** to **Manual** . The **Approval link** toggle displays.\n3. Enable the **Approval link** toggle. This automatically creates placeholders (with links to approve or decline the Quarantine Device) which can then be used in any action *preceding* this one in the playbook. \n\n You can assign the manual action to a specific user or SOC role, or leave it blank.\n4. Optionally, you can enable the **Time to respond** toggle in conjunction with the **Approval link** toggle. This will specify a specific time by which the end user (or indeed anybody in the platform) must respond to the email by clicking one of the links.\n5. Drag a **Send Email** action to directly *before* the **Carbon\n Black Quarantine Device** action in the playbook.\n6. In the **Send Email** action, fill out the recipient email address.\n7. While in the email body, click data_array and click individually on the approve and decline links to place them in the message.\n8. Make sure you have written an email first before you pop in the placeholders. \n Pro Tip: Wrap the sentence in HTML links so that the approval link appears as a hypertext link.\n9. Make sure to save your playbook. Once an alert that matches the playbook trigger enters the system, the playbook will start running and when it reaches the **Send Email** step, an email with instructions to click approve or decline will be sent to the defined recipient. \n You can also take the approval links and use them wherever or however you want to. For example, in an **HTML** widget when building a playbook view, playbook actions such as **Send to Slack** , or **Send SMS with Twilio**.\n\n\u003cbr /\u003e\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
