# POST Action Plan TOE ID source: https://developer.mastercard.com/riskrecon-api/documentation/use-cases/risk-mgmt-issue-rmdfn/actionplan/post-actpln-toe/index.md ## Overview {#overview} The `POST Action Plan TOE ID` allows users to send action plan findings to external recipients and internal recipients. External recipients correspond to key contacts you have at the vendor. The external recipients receive an action plan email and create an account within a vendor portal to work through your prioritized list of action plan findings. Internal recipients are internal contacts, such as procurement or vendor management teams, that you want to notify of an action plan shared with the vendor. As the vendor remediates findings, you can track their progress using [Retrieve Action Plan for TOE ID](https://developer.mastercard.com/riskrecon-api/documentation/use-cases/risk-mgmt-issue-rmdfn/actionplan/actpln-toe/index.md). To use the `POST Action Plan TOE ID`, the end-user must provide the `toe_id` associated with the action plan. ## Sequence Diagram {#sequence-diagram} Diagram post-act-pln-toe ## Execution Steps {#execution-steps} The following steps describe how to send an Action Plan for a TOE ID: 1. The user sends a `POST` request specifying a TOE ID. 2. RiskRecon sends the TOE ID's action plan to the specified recipients at the indicated frequency. ## Sample Request and Response {#sample-request-and-response} For a sample response of this API, see [Post Action Plan TOE ID](https://developer.mastercard.com/riskrecon-api/documentation/testing/actionplan-samples/post-actionpln-toe-smpl/index.md) ### Request Parameters: {#request-parameters} * `toe_id` (required): The vendor identifier for the targeted action plan. * `recipients` (optional): An array of recipient objects. If not provided, the action plan will be shared with previously configured recipients. At least one valid external recipient is required to execute the route successfully. External recipients must have an email domain that matches an email domain attributed to the vendor or the vendor's parent company or parent company's subsidiaries. Each recipient object includes: * `first_name` * `last_name` * `email` * `internal` (boolean; true for internal users, false for external) * `frequency` (optional): Determines how often the action plan is sent to the defined recipients. * 0 (default): Manual/one-time share * 30, 60, or 90: Sets up periodic automated sharing at the specified day intervals If recipients are omitted, the system uses the previously defined recipient list. If frequency is not specified, the action plan will be sent manually and the vendor will not be enrolled in automated sharing. Use the [Retrieve Action Plan for TOE ID](https://developer.mastercard.com/riskrecon-api/documentation/use-cases/risk-mgmt-issue-rmdfn/actionplan/actpln-toe/index.md) endpoint to view existing action plan configurations, including defined recipients and sharing frequency. ## Use Case Example {#use-case-example} The use case in this section discusses how you can use the `POST Action Plan TOE ID`. ### Ongoing monitoring and risk management {#ongoing-monitoring-and-risk-management} A security analyst is responsible for ensuring that risk findings related to a vendor (TOE) are consistently communicated to the right internal and external stakeholders. To streamline ongoing monitoring, the analyst uses the Action Plan Sharing API to automate the delivery of action plan findings. By configuring the action plan through the API, the analyst can: * Specify the TOE ID to identify which vendor's findings need to be shared. * Define a recipient list that includes internal risk managers and external vendor contacts, ensuring all relevant parties stay informed. * Set the frequency to 30, 60, or 90 days to automate periodic distribution of updated findings. This setup allows the analyst to: * Ensure consistent communication of risk issues without manual intervention. * Enable proactive remediation by keeping stakeholders regularly updated with new or unresolved issues. * Adapt quickly by issuing manual (one-time) updates when urgent risk findings arise. By leveraging this API, the organization strengthens its ongoing risk management process, reduces the chance of missed follow-ups, and ensures that third-party risk is being addressed in a structured, repeatable, and transparent manner. ## Endpoint {#endpoint} API Reference: `POST /v1/action_plan/{toe_id}`