Customize PIM Monitor
PIM Monitor is designed to be customized. The defaults work out of the box, but nearly every behavior can be changed by editing configuration files or environment variables.
This section covers everything you can customize, from schedules and notification channels to severity rules and diff logic.
Complete Customization Guide
Pipeline & Scheduling
| Topic | File/Variable | What you can change | Page |
|---|---|---|---|
| Schedule | monitor-pipeline.yml / .github/workflows/scan.yml | How often scans run (cron pattern) | Pipeline Configuration |
| Upstream update check | NOTIFY_UPSTREAM_UPDATE | Notify when a newer release is published upstream | Pipeline Configuration |
| Manual triggers | YAML | Allow on-demand scans via UI | Pipeline Configuration |
| Commit message | YAML git step | Format of git commits | Pipeline Configuration |
| Git author | src/git.ps1 | Commit author name/email | Pipeline Configuration |
| Inventory path | src/Scan-PimState.ps1 | Where scan data is stored | Pipeline Configuration |
Notifications
| Topic | File/Variable | What you can change | Page |
|---|---|---|---|
| Email setup | NOTIFICATION_EMAIL, NOTIFICATION_MAIL_FROM | Enable email notifications | Email Notifications |
| Email format | src/notifications-email.ps1 | HTML layout, colors, sections | Email Notifications |
| Webhook URL | NOTIFICATION_WEBHOOK_URL | Add Teams, Slack, Discord, or custom webhooks | Webhook Channels |
| Webhook payload | src/notifications-webhook.ps1 | Customize Teams/Slack/Discord format | Webhook Channels |
| Severity threshold | NOTIFICATION_MIN_SEVERITY | Which changes trigger notifications | Notifications Overview |
| Error notifications | New feature | Send notifications when components fail | Scan Error Notifications |
Reporting & Artifacts
| Topic | File/Variable | What you can change | Page |
|---|---|---|---|
| HTML report | REPORT_ARTIFACT | Enable/disable scan report generation | Reporting & Artifacts |
| Report format | src/notifications-html.ps1 | HTML layout, colors, metadata | Reporting & Artifacts |
| Report branding | Build-HtmlReport | Custom title, logo, colors | Reporting & Artifacts |
Change Classification & Detection
| Topic | File/Variable | What you can change | Page |
|---|---|---|---|
| Policy severity | src/diff.ps1 $PolicyRuleSeverity | Which policy rules are High/Medium/Low | Severity Rules |
| Property severity | src/diff.ps1 $PropertySeverity | Which definition properties are High/Medium/Low | Severity Rules |
| Assignment severity | src/diff.ps1 Compare-Assignments | How permanent/eligible/active assignments are classified | Severity Rules |
| Filtered fields | src/diff.ps1 $DiffIgnoreProperties | Hide fields from diff preview | Diff Engine |
| Object equality | src/diff.ps1 Test-ObjectEqual | How old/new objects are compared | Diff Engine |
| Assignment matching | src/diff.ps1 Get-AssignmentKey | How assignments are matched across scans | Diff Engine |
| Access-model classification | AccessModel/*.json | Classify roles by severity and EAM plane, enforce desired policy config | Access Model |
| Coverage exclusions | AccessModel/coverage-exclusions.json | Permanently exclude roles from unclassified-role alerts | Access Model: Coverage |
Expected Changes & Suppression
| Topic | File/Variable | What you can change | Page |
|---|---|---|---|
| Suppress changes | expected-changes.json | Silence notifications for planned changes | Expected Changes |
| Matching rules | JSON | Wildcard matching on workload/entity/fileType | Expected Changes |
Expiring Assignments
| Topic | File/Variable | What you can change | Page |
|---|---|---|---|
| Detection window | EXPIRING_WINDOW_DAYS | Days ahead to flag expiring assignments | Expiring Assignments |
| Severity level | src/diff.ps1 | Change expiring from Informational to Low/Medium | Expiring Assignments |
Environment & Platforms
| Topic | File/Variable | What you can change | Page |
|---|---|---|---|
| All env variables | Reference | Complete list of all configuration variables | Environment Variables |
| GitHub Actions | .github/workflows/scan.yml | Full setup for GitHub Actions workflow | GitHub Actions Setup |
| Azure DevOps | monitor-pipeline.yml | Full setup for Azure DevOps pipeline | Pipeline Configuration |
Quick Navigation by Task
"I want to..."
- ...change how often scans run → Pipeline Configuration - Schedule section
- ...send notifications to Slack/Teams → Webhook Channels
- ...set up email notifications → Email Notifications
- ...suppress a known-good change → Expected Changes
- ...change what's High/Medium/Low severity → Severity Rules
- ...generate HTML reports → Reporting & Artifacts
- ...get warnings for expiring assignments → Expiring Assignments
- ...hide noise from diffs → Diff Engine
- ...set up on GitHub Actions → GitHub Actions Setup
- ...find all environment variables → Environment Variables
- ...handle component failures gracefully → Scan Error Notifications
- ...classify roles using the Enterprise Access Model → Access Model and Desired-State Compliance
- ...stop getting alerts for a role that's intentionally unclassified → Access Model: Coverage and Exclusions
Customization Depth Levels
Basic (variables only)
No code editing: just set environment variables in your pipeline:
- NOTIFICATION_EMAIL / NOTIFICATION_MAIL_FROM: Email setup
- NOTIFICATION_WEBHOOK_URL: Webhook setup
- NOTIFICATION_MIN_SEVERITY: Severity threshold
- EXPIRING_WINDOW_DAYS: Expiring assignment window
- REPORT_ARTIFACT: Enable HTML reports
Time to customize: 5 minutes
Risk: None; variables are scoped to your pipeline
Intermediate (YAML and JSON)
Edit pipeline configuration and expected changes:
- Change scan schedule (cron pattern in YAML)
- Change commit message format
- Create expected-changes.json to suppress notifications
- Create AccessModel/*.json to classify roles by EAM plane and enforce policy
- Create AccessModel/coverage-exclusions.json to opt out specific roles
- Change inventory storage path
- Enable manual triggers
Time to customize: 15 to 30 minutes
Risk: Low; changes are in separate files and are easy to revert
Advanced (PowerShell code)
Edit notification payloads, severity rules, and diff logic:
- Customize email/webhook format
- Change severity classification rules
- Add custom notification channels
- Modify diff comparison logic
- Change diff output formatting
Time to customize: 1 to 2 hours
Risk: Medium; requires PowerShell/JSON knowledge, so test thoroughly
Contributing
If you've built a useful customization, we'd love to see it! Open a PR and add a page here. Keep it concise:
- What it does (1 paragraph)
- What file to edit
- A code snippet showing the change
- Example output (if applicable)
See Contributing for full details.