To verify and exercise control over some critical operations, an approval of responsible persons can be required for execution of such operations. Using Adaxes service you can determine operations that require approval.
If an operation requires approval, during the attempt of its execution an approval request is sent to its approvers and the operation execution is suspended until the approval is granted by one of the approvers. If the approval is denied, the operation is not executed.
To request approval for a certain operation, you need to create a Business Rule that will be triggered by this operation and will send an approval request to the approvers. In the Business Rule, you need to specify the approval-requiring operation as the triggering operation and select the type of objects on which it is executed (e.g. 'Creating a User'). After that, you need to add the 'Send operation for approval' action to this Business Rule and specify the approvers of this operation.
Approvers can be:
Specific users - the users you specify can approve or deny this operation.
Members of specific groups - members of the groups you specify can approve or deny this operation.
Manager of the requestor - the manager of the user, who initiated the operation, can approve or deny this operation. The manager is specified via the Manager property of AD user accounts.
Owner of the requestor's OU - the owner of the Organizational Unit (OU) containing the account of the user, who initiated the operation, can approve or deny this operation. The OU owner is specified via the Managed By property of OU objects.
Manager of the target object - the manager of the AD object, on which the operation is performed, can approve or deny this operation. The manager is specified via the Manager property of AD objects.
Owner of the target object - the owner of the AD object on which the operation is performed can approve or deny this operation. The owner is specified via the Managed By property of AD objects.
Owner of the target object's OU - the owner of the Organizational Unit (OU) containing the AD object on which the operation is performed can approve or deny this operation. The OU owner is specified via the Managed By property of OU objects.
If you define multiple approvers for an operation, approval requests are sent to all of them. The operation is executed after it is approved by one of the approvers. If the user who executes the approval-requiring operation is included in the list of its approvers, the operation is executed without requesting approval. Adaxes service administrators can approve or deny any approval request.
At the last step, you specify the Business Rule activity scope, i.e. the resources on which this Rule is effective. It means that approval requests are only sent when the approval-requiring operation is performed on objects included in the activity scope of this Business Rule.
For example, if you need the renaming of users that are the members of the 'Domain Users' group to be approved by a member of the 'Administrators' group, you need to create a Business Rule launched by the triggering operation: 'Before Renaming a User', and add 'Send this operation for approval' action to this Business Rule. In the action parameters, add 'Administrators' group to the list of approvers. And to make this Rule effective on the members of 'Domain Users', assign the Business Rule on the 'Domain Users' group. After that, an approval request is automatically sent to all members of the 'Administrators' group after an attempt to rename a user, who is a member of the 'Domain Users' group.
| If an approval-requiring operation was performed by mistake, the requestor (the user who attempted to perform the operation) can cancel the approval request. |
You can add conditions to the 'Send operation for approval' actions. In this case, approval requests will be sent only if the conditions you specify are met. For example, if you add 
If the initiator is a member of Account Operators group condition to the 'Send operation for approval' action, approval requests will be only sent when the operation is performed by a member of the 'Account Operators' group.
Also, you can specify different approvers, if different conditions are met. For example, you can create two sets of actions and conditions, each of which will contain the 'Send operation for approval' action and a specific condition of its execution.
|
If the initiator is a member of 'Human Resources' group
|
 Send operation for approval (approver: Human Resources Manager)
|
| and |
|
If the initiator is a member of 'Sales' group
|
|
Send operation for approval (approver: Sales Manager)
|
In this case, an approval request will be sent to Human Resources Manager, if the operation is executed by a member of the 'Human Resources' group, or to Sales Manager, if it is executed by a member of the 'Sales' group.
Business Rules can contain other actions along with the 'Send operation for approval' action. In this case, an approval request suspends both the main operation and the other Business Rule actions. After the operation approval the execution of Business Rule actions proceeds. If the operation is denied, neither the main operation nor Business Rule actions are executed.
| Actions executed by a Business Rule can also require approval, and every action can send an approval request to different approvers. |
To inform users about requests sent, processed or waiting for their approval, email notifications are sent to the requestor and the approvers of the operation.
Approval Request Management
Approval request management can be carried out with the help of the Service Web Interface or Administration Console.
To facilitate management of approval requests, they are divided by their destination into the following views:
My requests - the requests initiated by your operations. You can monitor their status or cancel them.
My approvals - the requests submitted for your approval. You can approve or deny these requests.
All requests (for service administrators only) - all requests sent to any approver. Administrators can monitor or manage these requests and delete processed requests.
Approval requests are further divided by their status into the following groups:
Pending - requests awaiting decision.
Approved - the requests that have been approved.
Denied - the requests that have been denied.
Cancelled - the requests that have been cancelled.
For information on how to manage approval requests, see Managing Approval Requests.