Approval Workflows

Approval workflows are the mechanism by which requests for access can be viewed by authorized approvers and be approved or denied. These requests can take the form of access requests via an access workflow, made from the user’s StrongDM Desktop application or from an integration such as Slack. Requests that need approval can also originate with policies, where something about the user’s actions against a resource has triggered the need to have their action approved.

When adding or editing an approval workflow, the Name and Description fields are where you name the workflow and briefly describe it. The description should clearly depict what the approval workflow does. The name and description help administrators to find the correct workflow when navigating the Approval Workflows page of the Admin UI.

Approval Step #

The Approval Step section provides a selection between automatic approval, ServiceNow approval, and manual approval.

• Automatic Approval: Requests for resources that are processed via this workflow are automatically approved. Automatic approvals provide the audit trail benefits of temporary access to particular resources without the need for manual intervention.
• ServiceNow Approval: Requests are handled within your ServiceNow instance.
• Manual Approval: Users or roles are chosen to function as approvers for requests that follow this workflow, and requests must be manually approved by those individuals.

Manual Approval #

For manual approval workflows, the request must be approved by specified StrongDM users functioning as approvers.

Approvers gain the ability to approve requests for this workflow and receive notifications of new requests. In addition to selecting users as approvers, you can also add a role to the approvers list. When a role is selected as an approver, all users who are currently members of the role (or who are later added to the role) are able to approve requests that are made via this workflow. If an approver for a workflow is not an administrator of your StrongDM organization, they see requests from that workflow in the Requests > All Requests tab and can approve and deny them, but they are unable to edit the actual workflow.

You may have just one approval step, or several, based on the requirements of your organization. For each step, you can search your organization’s existing users and roles and select them, and then specify whether the request must be approved by any of the selected users and/or roles, or all of them.

There is a Skip timeout option that can be used to skip the current step by default if a certain period of time elapses without a response. Specify a time in days, hours, and minutes. Once the request is made, after the specified amount of time elapses without an approver response, this step will be skipped. If this is the last or only step in the workflow, and you enable Skip timeout, the request will be automatically approved if no one approves or denies it within the set time.

You may add further steps as desired. For example, access may need to be approved by someone in an engineering-management role and then by one of two specific IT personnel; or by someone with a team-lead role and then by someone with a security role.