Approval Workflow

The Managerial Approval feature can also be managed by creating workflows, so that the authentication and authorization processes are fully customized in terms of approval management. The Approval Workflow is available for Managerial Approval of Connections and Commands. Implementing an approval workflow for connections and/or commands gives a fully customized and flexible environment for managing the authentication process.

By default, these Managerial Approval features allow the configuration of a one-level approval mechanism, with the user group manager as the managing authority. Additional levels of managerial approval can be added, in which case the approval authority can be assigned for each level. The approval authority can be a user group manager, members of a user group, or any external email address or phone number, which is not required to be defined in the Kron PAM instance.

The Approval Workflow feature can be managed as a policy and used in a policy realm so that the designed workflow can be applied to device realms to flexibly control each user group’s authentication and authorization processes for each device group.

To configure the Approval Workflow:

  1. Navigate to Policy > Add/Edit Policy Group > Connection Approval Workflow and click + (plus).
  2. Define a name for the Approval Workflow and click + (plus).
  3. Configure the level details in the Level step. Select the Authority and Approval Tool and click Save.
  4. After adding one level to the workflow, you can save the workflow or add more levels by using the + (plus) Level button.

If a workflow level is deleted, the new workflow is used only for new reservation requests. Requests created earlier continue to use the previously created workflow levels.

Hints for the Approval Workflow Configuration:

  • The Authority field in the Add Level window includes two options:
      o The Escalate to Group Manager option allows the manager of the selected group to respond to the approval request.
      o The Escalate to Group option allows one of the selected group members to respond to the approval request.
      o The AD Line Manager option allows the requester’s Active Directory manager to respond to the approval request.
      o The Extra Notification checkbox allows information about approval notifications to be sent to the selected user groups.
      o The Select User Group for Approver option allows you to send approval notifications to other approvers only.
      o The Select User Group for Requester option allows you to send approval notifications to other requesters only.

  • The Select Group field in the Add Level window is a combo box that defines which User Group’s Manager or members will be selected as the approving authority.
  • The Approval Tool field in the Add Level window includes two checkboxes: Email and SMS - these are the mediums for sending the approval request to the approving authority.
  • The Timeout Period field in the Add Level window is a combo box where you can select the timeout period to start an escalation. Default values are 30 minutes, 2 hours, and 24 hours. You can change the values in the combo box with the approval.workflow.level.timeout.period.values parameter in the System Config. Man. The request gets escalated to the Escalation Authority after the specified period. If nothing is selected, no escalation is done.
  • The Timeout Action field in the Add Level window defines the action after the Timeout Period. Selecting Escalate to Group Manager or Escalate to Group redirects the request to the Group Manager or the Group selected in the Escalation Field. The request expires after the timeout period if Expire is selected.
  • The Escalation Group field in the Add Level window defines which User Group’s Manager or members will be selected for the approval escalation.

Connection Approval Workflow

The Approval Workflow feature can be used to manage user authentication to devices by using the defined approval workflow as a policy. This is only applicable to RDP/SSH/SFTP/HTTP Proxy sessions. To use the designed workflow during user connection to some devices:

  1. Navigate to Policy > Policy Group.
  2. Select the desired workflow from the Workflow for Connection Approval list.
Connection Approval Workflow Configuration


Command Approval Workflow

The Approval Workflow feature can be used to manage authorization in devices by using the defined approval workflow as a policy, which means some commands will need approval(s) to be run during the session.

To use the designed workflow to configure user authorization:

  1. Navigate to Policy > Policy Group.
  2. Select the desired workflow from the Workflow for Command Approval list.
 Command Approval Workflow Configuration