Versions Compared

Old Version 1

changes.mady.by.user The Force

Saved on

compared with

New Version Current

changes.mady.by.user The Force

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Published by Scroll Versions from space DOC and version 8.1.0-8.1.1

...

One Admin group and two DNS worker groups with different levels (high - low) of oversight needed, with restrictions set for particular Action types. 

Group 1A (Admin)Group 1BGroup 1C
  • Global Admins (Full TLR User Group Perms + Admin)
  • All Admins in this group can approve any change requests
  • It doesn't matter which Admin user approves a request

Approval Group Settings:

  • Set to policy "Must Approve" for all DNS Family / Action types
  • Tip: Click the quick select checkbox next to each DNS Family name to select all actions under that family
  • Users with minimal oversight
  • Can work fully in all DNS family areas
  • Only needs admin approval for DNS Pushes

Approval Group Settings:

  • Set to policy "Action to be Approved" for "Push" actions only, under each DNS Family in Group Assignment
  • Users with high oversight
  • Not allowed to Add or Delete any DNS item
  • Needs admin approval for all DNS Push and Updates

Approval Group Settings:

  • Set to policy "Deny" for "Add" and "Delete" actions under each DNS Family; save
  • Open again, set the policy to "Action to be Approved", and select "Update" and "Push" actions under each DNS family; save.

Expand the following link to view example images of setting the assignments for all three groups:

...

Two Admin approval groups exist: One general Approver group that can approve any action type, and a second Group containing one person, Bob, who must sign off on any action taken under DNS Groups. 

Group 2A (Admin Approvers)Group 2B (Admin Approver Bob)Group 2C
  • Global Admins (Full TLR User Group Perms + Admin)
  • All Admins in this group can approve any change requests
  • It doesn't matter which Admin user approves a request
  • DNS Group changes require multiple levels of oversight- from both this group and Bob

Approval Group Settings:

  • Set to policy "Must Approve" for all DNS Family / Action types
  • Tip: Click the quick select checkbox next to each DNS Family name to select all actions under that family
  • Global Admins (Full TLR User Group Perms + Admin)
  • Only contains one user - Bob, who specifically must approve of any change to DNS Groups

Approval Group Settings:

  • Set to policy "Action to be Approved" for "Push" and actions only, under each DNS Family in Group Assignment
  • Full Access throughout DNS
  • Not allowed to work with DNS Servers, even if they might have admin level access otherwise
  • Changes to DNS Groups and DNS Records require approval

Approval Group Settings:

  • Set to policy "Deny" before quick-selecting the DNS Servers Family; save
  • Open again, set the policy to "Action to be Approved", then quick-select the "DNS Groups" and "DNS Records" families; save.

Approval Workflows

Initial Setup

The high level process to use when first setting up approvals is as follows:

Review User Groups and Approval Process Needs

...

Step 1 - Review Existing User Groups and Process Needs

When setting up Approvals for the first time, review the information in the previous section under "Approvals Fundamentals" to ensure a basic understanding of how Policies, Actions, and User Groups relate together in Approvals. 

Then, take a few minutes to think about the following questions to get a better sense of how to use Approvals with your specific organization:

Expand

Who are the users that perform DNS / DHCP tasks, and at what level? 

Affects which users should be included in what User Groups  

What ProVision User Group(s) are they in? 

Approvals settings are applied to the User Group, not individuals - ensure users with similar oversight needs are grouped together

What actions made by a certain user group should be automatically denied, if any? 

Assign the "Deny" policy to that Action/User Group combination

What actions made by a certain user group should require oversight (admin approval / rejection)? 

Assign "Action to be approved" to that Action/User Group combination

Who is the admin / User Group that will make the final approval on a change? 

Ensure the approver(s) is in a User Group with the "Must Approve" policy assigned for the actions requiring approval

Should any changes require multiple admins / User Groups to approve it in order to execute? 

A single user from every group assigned with "Must Approve" for the action must approve the action for it to succeed 

If two admins are required to both  separately agree on a change, they should be under two separate User Groups assigned "Must Approve"

What User Groups would need to receive email Approval Status notifications, and on what type of actions? 

Affects whether to enable notifications and set up the scheduler task to send the notifications, and to what User Groups. When enabled, all users of the relevant group(s) will receive the email(s)

Once your User Groups are optimized for use with Approvals, you may want to write down a quick note on which Action Types and policies are planned for each group. 

Edit User Groups / Create Approvals-Specific User Groups, if needed

...

Step 2 - Add or Edit ProVision User Groups

From here, depending on the answers to the questions in step 1, you may need to do one or more of the following from the Users tab:

  1. Edit existing User Groups to add or remove users, in order to combine users who will need similar action types approved.
  2. Verify the User Groups have appropriate CRUD permissions set to perform the action(s) to be approved (e.g, you may have previously removed "Create" permissions for a group, but if the intent is now for those users to have "Add" actions approved by an Admin, the submitter will need User Group resource "Create" permissions back!)
  3. Create new User Groups specifically for use with Approvals (recommended)
  4. Associate users with different, or additional User Groups (remember - users can be associated with multiple groups!)

For more information on adding and editing ProVision User Groups, see Users & PermissionsGlobal Permissions, and Working with Users

...

Assign Action and Policy Settings to User Groups

...

Step 3 - Assign Approval Action Settings to Groups

From the Approvals Tab, navigate to the Permission Groups sub-tab.


Image Modified

Then, under the Groups page tab, find the ProVision User Group you want to assign a policy to and click "Assign".

Image Modified

Clicking the "Assign" button for a group brings up a checklist to select what policy to apply to the group for what Family and Actions (i.e. DNS Zone 'Add' or DNS Group 'Update'). Select either "Deny", "Action to be Approved", or "Must Approve Action" under Policy. Once you've selected a policy, you can "quick-select" all actions for a DNS Family (Severs, Groups, Zones, Records) by clicking the checkbox next to the family name, or only select individual action types for each Family.

Image Modified

When done, Click "Assign", and repeat as needed for other Policy types or User Groups.

Step 4 - Enable Notifications (Optional)

If using Approvals notifications, enable notifications for the appropriate Permissions Group(s)

...

Step 4 - Enable Notifications (Optional)

:

From the Approvals Tab, navigate to the Permission Groups sub-tab Groups page tab.

Image Modified

Click on the group name for which you want to set notifications - the Group Permissions Detail page will provide additional information on the group's settings.

Image Modified

For any Family/Action that you want to enable notifications, click the checkbox under "Enable Notifications". All users of that group will get email notifications when a change of the selected type(s) are made.

If using Approvals notifications, set up a Scheduler task for "Approvals - Process Subscription"

...

Step 5 - Add Scheduler Task: "Approvals - Process Subscription"

The "Approvals - Process Subscription" task processes approval request events and handles the sending of notification emails to subscribed Approvals Groups - this task must be created and running on a regular interval in order for Approval Notification emails to be sent.

In order to receive the most up to date information in the Approval Notifications, is recommended to create this task with a run time of "every 5 minutes" and no end date.

For information on setting up Scheduler Tasks, see Scheduler.

Set up a Scheduler Task for "Approvals - Delete events older than 1 month", to occasionally clear out old and obsolete Approval request events

...

Step 6 - Add Scheduler Task: "Approvals - Delete events older than 1 month"

...

Set up a Scheduler Task for "Approvals - Delete events older than 1 month"

...

, to occasionally clear out old and obsolete Approval request events. 

It is recommended to set this task to run monthly with no end date, to clear out obsolete approvals items, reduce data storage space needs, and reduce approvals page load time.

For information on setting up Scheduler Tasks, see Scheduler.

Daily Use

On a day-to-day basis after initial setup, an Approvals Workflow will be similar to the following (with "Submitter" as the user whose actions require approval, and "Approver" as the admin with the ability to approve/reject the change):

...