
Approvals

EJBCA provides configurable mechanisms for enforcing redundant review and authorization of sensitive actions through Approvals. Approval profiles enable organizations to design workflows ranging from simple multi-admin checks to complex, multi-step and role-based processes.

Approvable Actions

The following actions can be configured to require approval:

| Action Name | Description |
| --- | --- |
| Add/Edit End Entity | Requires approval for any operation that involves enrollment or in any way edits an end entity, including changing its status as a precursor to certificate renewal. |
| Key Recovery | If the CA has key recovery enabled, requires an administrator's approval before the key pair is recovered and made available to the end user. |
| Revocation | Requires approval before a revocation request goes through. |
| CA Service Activation | Requires approvals from other administrators in order to change a CA from offline to online. |

If multiple administrators are required to approve an action, rejection by any one of them will reject the entire action. 

Configuration

Approvals can be configured in two locations:

  • CA configuration

  • Certificate Profiles

Because approvals can be defined in both places (and may reference different approval profiles for the same action), the Certificate Profile configuration takes precedence. If no approval profile is defined in the Certificate Profile, EJBCA defaults to the configuration defined in the CA.
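The precedence rule above can be checked against a set of settings before they are relied on. The following is an added example, not EJBCA code or an EJBCA export format: the dictionaries and approval profile names are constructed. It resolves the effective approval profile per action and lists actions left without any approval, as well as actions where the Certificate Profile shadows a different CA setting.

```python
# Added example: constructed settings, not an EJBCA export format or API.
ACTIONS = (
    "Add/Edit End Entity",
    "Key Recovery",
    "Revocation",
    "CA Service Activation",
)

def effective_approvals(ca_cfg, cert_profile_cfg):
    """Map each action to (approval profile or None, where it came from).

    A setting in the Certificate Profile wins; the CA setting is the fallback.
    """
    result = {}
    for action in ACTIONS:
        if cert_profile_cfg.get(action) is not None:
            result[action] = (cert_profile_cfg[action], "certificate profile")
        elif ca_cfg.get(action) is not None:
            result[action] = (ca_cfg[action], "CA")
        else:
            result[action] = (None, "not configured")
    return result

def audit(ca_cfg, cert_profile_cfg):
    """Return (actions with no approval, actions where the CA setting is shadowed)."""
    effective = effective_approvals(ca_cfg, cert_profile_cfg)
    unprotected = [a for a, (profile, _) in effective.items() if profile is None]
    shadowed = [
        a for a in ACTIONS
        if cert_profile_cfg.get(a) is not None
        and ca_cfg.get(a) is not None
        and cert_profile_cfg[a] != ca_cfg[a]
    ]
    return unprotected, shadowed

# Constructed sample: the approval profile names are hypothetical.
CA_CFG = {
    "Add/Edit End Entity": "TwoAdmins",
    "Revocation": "TwoAdmins",
    "CA Service Activation": "SecurityOfficers",
}
CERT_PROFILE_CFG = {"Add/Edit End Entity": "HelpdeskSingleApprover"}

if __name__ == "__main__":
    for action, (profile, source) in effective_approvals(CA_CFG, CERT_PROFILE_CFG).items():
        print(f"{action:24} {profile or 'NO APPROVAL':24} ({source})")
    print(audit(CA_CFG, CERT_PROFILE_CFG))
```

In this sample, Key Recovery ends up with no approval in either location, and the Certificate Profile replaces the CA's profile for Add/Edit End Entity.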

Approval Profiles

To support multi-tenancy and workflows that differ between CAs, EJBCA provides Approval Profiles. Each Approval Profile provides a basic template for a reusable workflow, from the simple to the complex. For more information, see Approval Profiles. To date, EJBCA has two different types of Approval Profiles that can be configured.

Approving Actions

Approvals are later resolved in the RA UI by authenticated and authorized administrators. For more information, see Managing Requests in the RA UI.

Notifications

Approval profiles can be configured to notify the requesting user of status changes (based on end entity information) and to notify approving administrators of an action requiring their attention.
