Document toolboxDocument toolbox

Configuring Approval Workflows

Owned by Aliaksei Shautsou (Deactivated)
Dec 07, 2017
9 min read

Approval workflows support routing certain core network service tasks submitted by an admin group to another for approval. You can add an admin group to an approval workflow and define the group as a submitter or approver group. Note that only superusers can create approval workflows. For information about how to set up admin groups, see About Admin Groups.
In an approval workflow, you can add a submitter group and an approver admin group that you have previously defined. You can also define when and to whom email notifications are sent, and configure options such as whether submitters or approvers must enter a comment or a ticket number when they submit tasks for approval. Approval workflows are useful when you want to control tasks that require reviews. For example, if you have a group of help desk users who can add, modify, and delete hosts and you want members of an operation group to review these tasks, you can define the help desk users as submitters, and then set up members of the operation group as approvers. You can then add the submitter and approver groups to an approval workflow and configure notifications options and other configurations, such as allowing the approvers to reschedule the submitted tasks.
Not all core network service tasks can be routed for approval. You can configure approval tasks associated with certain objects. For a list of supported objects, see Supported Objects for Scheduled and Approval Tasks.

Note: When an admin group is defined as a submitter group, there are certain operations the submitters cannot perform even though they may have the permissions to do so. For information about such operations, see 21744312

To create an approval workflow, complete the following:

  1. If you have not already done so, set up admin groups that you can configure as submitter groups and approver groups in an approval workflow, as described in About Admin Groups.
  2. Create an approval workflow and configure email notifications and other options, as described in 21744312 21744312

You can do the following after you have created approval workflows:

  • View a list of approval workflows, as described in 21744312
  • Modify approval workflows, as described in 21744312.
  • Delete approval workflows, as described in 21744312
  • View a list of approval tasks, as described in 21744312.
  • View approval notifications, as described in 21744312.

Supported Tasks for Different Admin Groups

Depending on your admin permissions, you may or may not be able to perform certain tasks that are subject to approvals. 21744312 lists specific tasks and indicates which admin group can perform the tasks.
Table 1.2 Supported Tasks for Admin Groups

Admin groups that can perform the task
Tasks related to approval workflowsSubmittersApproversSuperusers
Change the schedule of a task when it is pending approvalYesNoYes
Change the schedule of a task after it has been approved

Yes (Task is re-submitted for approval)

YesYes
Execute the task now when it is pending approvalNoNoNo
Delete a task after it has been approved but pending
execution		NoNoYes
Delete a task after it failed or has been executedNoNoYes
Delete tasks by selecting the Select all objects in this
dataset option		YesYesYes

Note: Not all tasks are deleted, depending on the task status and the admin who performs the deletion




Creating Approval Workflows

Before you create an approval workflow, ensure that you have admin groups that you can define as submitters and approvers. Note that a submitter group can be added to only one approval workflow, and approver groups can be added to multiple workflows. An approver can choose to approve a task and either keep or change the date and time when the task is executed. For information about scheduling and rescheduling tasks, see Scheduling Tasks. An approver can also reject a submitted task.
All submitted tasks are executed based on submitter permissions. When an admin submits a task, the appliance logs the task in the audit log and associates it with a task ID. You can view your tasks in Task Manager, as described in Viewing Tasks. Depending on your configuration, you can control when and to whom email notifications are sent. For example, you can configure the appliance to send notifications to only the approver each time when a task requires approval, or send notifications to both the submitter and approver group each time when a task is disapproved.
To create an approval workflow

1. From the Administration tab, select the Workflow tab -> Approval Workflows tab, and then click the Add icon

2. In the Add Approval Workflow wizard, complete the following:

  • Submitter Group: From the drop-down list, select the admin group whose submitted tasks require approvals. Note that performing CSV imports do not require approvals. If there is a warning that the submitter group has CSV import permission, you may want to remove the permission.
  • Approver Group: From the drop-down list, select the group that can approve tasks submitted by admins of the submitter group. If the approver group you select does not have the permission to schedule tasks, the approvers cannot reschedule the execution dates and times of the tasks when they approve them.
  • Ticket Number: From the drop-down list, select one of the following to determine whether a ticket number is required when a submitter submits a task for approval.
    • Required: The submitter must enter a ticket number when submitting a task.
    • Optional: The submitter can choose to enter a ticket number or not when submitting a task.
    • Not Used: The Ticket Number field does not appear when the submitter creates a task.
  • Submitter Comment: From the drop-down list, select whether the submitter must enter a comment or not when submitting a task for approval. You can select Required, Optional, or Not Used.
  • Approver Comment: From the drop-down list, select whether the approver must enter a comment or not when approving a task. You can select Required, Optional, or Not Used.

3. Click Next and complete the following to specify notification options for the workflow:

  • Approver Notification Address(es): Select one of the following to specify to which approver email addresses the appliance sends workflow notifications. The default is Group Email Address(es).
    • Group Email Address(es): Select this if you want the appliance to send notifications to the list of email addresses configured for the admin group. For information about how to configure this list, see About Admin Groups.
    • User Email Address(es): Select this if you want the appliance to send notifications to individual email addresses of the admin group.
  • Notifications sent on: Select the operations that can trigger email notifications. When you select an operation, the appliance sends a notification each time that operation occurs. By default, all operations are selected.
    • Approval Required: The appliance sends an email notification each time an approval is required.
    • Task Approved: The appliance sends an email notification each time a task is approved.
    • Task Rejected: The appliance sends an email notification each time a task is rejected.
    • Task Succeeded: The appliance sends an email notification each time a task is completed successfully.
    • Task Failed: The appliance sends an email notification each time the execution of a task fails.
    • Task Rescheduled: The appliance sends an email notification each time a task is being rescheduled.
  • Notifications sent to: For each operation, select whether the Approver, Submitter, or Both are notified when the operation occurs. The default value is Both for all operations. For information about email notifications, see 21744312

4. Optionally, click Next to add extensible attributes to the approval workflow. For information, see About Extensible Attributes.
5. Save the configuration.

Viewing Approval Workflows

Grid Manager lists all approval workflows in the Approval Workflows tab. Only superusers can view approval workflows defined for the Grid. Limited-access users cannot view approval workflows.
To view approval workflows:

  1. From the Administration tab, select the Workflow tab -> Approval Workflows tab.
  2. Grid Manager displays the following for each approval workflow:
  • Submitter Group: The name of the admin group whose tasks require approvals.
  • Approver Group: The name of the admin group that can approve tasks submitted by members of the submitter group.
  • Ticket Number: Displays whether the submitter is required to enter a ticket number when submitting tasks that require approvals. Possible values are Not Used, Optional, and Required.
  • Submitter Comment: Displays whether the submitter is required to enter a comment when submitting tasks that require approvals. Possible values are Not Used, Optional, and Required.
  • Approver Comment: Displays whether the approver is required to enter a comment when approving tasks. Possible values are Not Used, Optional, and Required.
  • Site: Values that were entered for this predefined extensible attribute.

You can do the following in this tab:

  • Modify some of the data in the table. Double click a row, and either modify the data in the field or select an item from a drop-down list. Click Save to save the changes. Note that some fields are read-only.
  • Sort the data in ascending or descending order by column.
  • Select an approval workflow and click the Edit icon to modify data, or click the Delete icon to delete it.
  • Use filters and the GoTo function to narrow down the list. With the autocomplete feature, you can just enter the first few characters of an object name in the Go to field and select the object from the possible matches.
  • Create a quick filter to save frequently used filter criteria. For information, see Using Quick Filters.
  • Print and export the data in this tab.

Modifying Approval Workflows

You can modify information in an approval workflow, except for the submitter group. To modify approval workflow configuration:

  1. From the Administration tab, select the Workflow tab -> Approval Workflows tab.
  2. Select an approval workflow and click the Edit icon.
  3. Grid Manager provides the following tabs from which you can modify information:
    • General tab: You can modify the approver group and decide whether the ticket number, submitter comment, and approver comment are required, but you cannot change the submitter group. For information, see 21744312
    • Approval Notifications tab: You can modify when and to whom email notifications are sent. For information, see 21744312.
    • Extensible Attributes tab: You can add or modify values of extensible attributes. For information, see About Extensible Attributes.
  4. Save the configuration.

Deleting Approval Workflows

You can delete an approval workflow any time after you have created it. Note that when you delete a workflow that has associated tasks that are pending approvals, the tasks will be rejected after you delete the workflow.
To delete an approval workflow:

  1. From the Administration tab, select the Workflow tab -> Approval Workflows tab.
  2. Select an approval workflow and click the Delete icon.
  3. Click Yes in the Delete Confirmation dialog.


Viewing Approval Tasks

If you belong to an approver admin group, you can view, approve, or reject tasks that are pending your approval in the Task Manager tab. For information, see Viewing Tasks. Submitters can view all pending and completed tasks they have submitted.

Viewing Workflow Notifications

When a submitter and approver receives an email notification about their tasks, the appliance lists the approval status and workflow related information such as task ID, submitter name, execution time, object type and action in the email notification.
Following is a sample email notification:


Notification:
=============

Message: Task 32 submitted by subm has been approved The following task has been approved:
Task details

Task ID: 32 Submitter: subm Approver: jdoe
Submit time: 2012-10-09 05:55:01 (UTC) Coordinated Universal Time Execution time: N/A
Object type: NS Record Action: Add
Affected object: corp1.com Ticket number: MKTG245
Submitter comment: Create an NS record. Approver comment: Approved.

Click here to go to the task management tab - https://192.168.1.2/ui/?contextId=taskmanager

Note: When you can click the hyperlink displayed in the notification, you can log in to Grid Manager and access the Task Manager tab in a separate browser tab or window.

Unsupported Operations for Submitters

When admins are part of a submitter group in an approval workflow, there are certain operations they cannot perform even though they may have the permissions to do so. Following is the list of operations that submitters cannot perform:

  • Reclaim IPv4 or IPv6 addresses
  • Expand networks
  • Resize networks
  • Split networks
  • Sign (DNSSEC) zones
  • Unsign DNSSEC signed zones
  • Import DS to DNSSEC signed zones
  • Perform KSK rollovers on a DNSSEC signed zones
  • Copy records from one DNS zone to another
  • Clear all discovered data
  • Clear discovered timestamps
  • Clear unmanaged addresses
  • Resolve discovery conflicts
  • Update extensible attributes on multiple objects at a the same time
  • Delete or modify several objects at a time (using the "Select all objects in this dataset" option from Grid Manager)
  • Order DHCP Ranges inside a network (feature is available only when used with Sophos)
  • Configure member DHCP Captive Portal through the wizard
  • Restore objects from the Recycle Bin
  • Delete non-native NIOS DNS resource records. These objects can only be synchronized from a Microsoft DNS server
  • Copy rules from one Response Policy Zone to another
  • Order Response Policy Zones