-
Notifications
You must be signed in to change notification settings - Fork 8
Approval Workflows
UCM includes an approval workflow system that requires designated approvers to review and approve certificate operations before they are executed. This adds a governance layer to your PKI, ensuring that certificate issuance, renewal, and revocation follow organizational policies.
When approval policies are configured, certain certificate operations are held in a pending state until approved by a user with the appropriate permissions. This is critical for organizations that require multi-person authorization for PKI changes.
- Admin creates a policy defining which operations require approval and for which CAs
- User requests an operation (e.g., issue a certificate) — the request enters "pending" state
- Approver reviews the request — can approve or deny with comments
- On approval — the operation executes automatically
- On denial — the requester is notified with the denial reason
Navigate to Governance → Policies to manage approval policies.
| Setting | Description |
|---|---|
| Name | Policy name for identification |
| Description | Explanation of what the policy covers |
| Actions | Which operations require approval (issue, revoke, renew, delete) |
| CAs | Which Certificate Authorities this policy applies to |
| Templates | Optionally restrict to specific certificate templates |
| Enabled | Toggle the policy on/off without deleting it |
- Go to Governance → Policies
- Click Create Policy
- Fill in the name, description, and select applicable actions
- Choose which CAs the policy covers
- Optionally restrict to specific templates
- Click Create
Policies can be scoped to:
- All CAs — applies globally
- Specific CAs — only certificates issued by selected CAs
- Template-based — only certificates using specific templates
- Action-based — only certain operations (issue, revoke, etc.)
Navigate to Governance → Approvals to view and manage pending requests.
| State | Description |
|---|---|
| Pending | Waiting for approver review |
| Approved | Approved and executed |
| Denied | Rejected by approver |
| Expired | Not reviewed within the timeout period |
| Cancelled | Withdrawn by the requester |
- Go to Governance → Approvals
- Click on a pending request to see details
- Review the requested operation, parameters, and requester
- Click Approve or Deny
- Add optional comments explaining the decision
- Users with
write:approvalspermission can approve/deny requests - The requester cannot approve their own request (enforced by the system)
- Admins can approve any request
Concurrent approvals on the same request are serialised with a per-request DB lock and the quorum is recounted inside the transaction before the request is marked approved. Two simultaneous approvals can no longer both observe quorum - 1 and double-trip the request to approved state.
Re-submitting an approval from the same user is idempotent — it is not double-counted and does not return 409. The UI's "Approve" button is therefore safe to click twice.
Approval workflows integrate with UCM's Role-Based Access Control:
| Role | Can Request | Can Approve |
|---|---|---|
| Admin | ✅ | ✅ (any request) |
| Operator | ✅ | ✅ (if has write:approvals) |
| Viewer | ❌ | ❌ |
All approval actions are logged in the audit system:
- Request creation (who, what, when)
- Approval/denial (who, decision, comments)
- Execution result (success/failure)
View approval history in Admin → Audit Logs with the "approvals" category filter.
List approval requests. Supports filtering by status.
Permission: read:approvals
Approve a pending request.
Permission: write:approvals
Deny a pending request with a reason.
Permission: write:approvals
List all approval policies.
Permission: read:policies
Create a new approval policy.
Permission: write:policies
- Separation of duties — Ensure requesters and approvers are different people
- Minimal scope — Apply policies to specific CAs rather than globally when possible
- Document policies — Use clear descriptions so approvers understand what to check
- Review regularly — Periodically audit active policies and pending requests
- Template-based policies — Use templates to standardize what gets approved
- Approval Policies — Managing approval policies
- RBAC — Role-based access control
- Audit Logs — Viewing approval history
- Certificate Templates — Template-based issuance