Request and Approval
(Versions 7.9.7+, Enterprise+)
This feature allows users to request access to folders or entries. Specific users or roles can be given the ability to request access, for select items. Designated approver(s) can approve or deny the request.
In this method, administrators can provide access that is "available upon request."
This workflow also allows for Dual Control approval (also known as Peer Approval / Four Eyes / Two-man rule):
- Approval can be obtained by a requester before completing an action. (see more details: Dual Control Explained)
Limited Time Access
Time-limit options can allow approvers to restrict the access time allowed:
- Administrators can decide if permanent access can be granted, set a default time-limit, and a max time-limit
Approvers can then choose from the enabled options: time-limited or permanent
To see a full example setup see the following steps: Requesting View Password access. More detailed explanations are found in the sections below.
To set an approver on a folder or entry, the user must go to the User Access window, as shown here. Here, there will be the default tab for Access Levels, but beside that is a tab for Access Approvals. Clicking it will allow the user to set a user or role that has the "Access Approvals" permission as an approver for that entry or folder.
The access level selected will determine both what access levels the approver can grant for a request and what access levels a user can request.
To request access for a folder or entry, the user must have an access level on that folder or entry that has the "Request Access" permission enabled.
Once they do, they can right click the folder or click Folder Actions and select Request Access.
For an entry, they can right click the entry or click Actions and select Request Access.
A dialog for Request Access on that folder or entry will appear. If no approvers have been set, the user will get a message instead that they are unable to request access.
- Access Level: The access level the user wants on the entry or folder. The user is able to choose from any access levels that are able to be approved. (required)
- Comment: The reasoning as to why the user is requesting access to the folder or entry. (required)
Once the request has been properly filled out, the user can hit "Save" to submit their request. This will notify all approvers who are eligible to approve or deny the request, both through e-mail and through notifying them in the Password Server.
A requesting user is also able to view their pending request, which will display the submitted access level and comment in addition to the time they made the request. For a folder, right click the folder or click Folder Actions then select Pending Request, which takes the place of Request Access.
For an entry, right click the entry or click Actions then select Pending Request.
This will bring up the Pending Request dialog.
If a user no longer needs access to the folder or entry, they are able to cancel the request by selecting "Cancel Request".
Approving or Denying Requests
In order to approve or deny a request, an approver must go to the Access Approval page, which can only be accessed by having the "Access Approvals" permission. All pending requests that an approver can approve or deny will shown.
If an approver wants to approve a request, they can click the Approve button, which will bring up the Approve Request dialog.
- Access Level: The access level the approver is granting the requesting user upon that folder or entry. It can be different from the one requested by the requester. (required)
- Access Expiry: The time at which access to the folder or entry will expire for the requester. If the approver does not have permission to grant this access level, they will be restricted to only granting access for up to 30 days. Otherwise they will be able to grant access for as long as they think is appropriate. (required)
- Comment: The explanation of why the approver is approving this request. (required)
Upon approving the request, a new access row will be created for the requesting user on the requested folder or entry, thus granting the requester access on that folder or entry.
Likewise, if an approver wants to deny a request, they can click the Deny button which will bring up the Deny Request dialog.
- Comment: The explanation of why the approver is denying this request. (required)
Once a request has been approved or denied, the requesting user will be notified of it through e-mail and through the Password Server.
These messages will display each time the requesting user enters the Home page unless the user presses "x" to close them out.
The templates for the emails the users are sent upon a request being created and a request being approved or denied can be viewed in Advanced > Email > Email Templates if the user has "Email Templates" permission. These new email templates are:
- Approved Request
- Denied Request
- New Pending Request
More information about email templates can be viewed here.