Approval and Escalation Workflow

This page describes how the Identity Operations Platform handles approval requests when an operator needs temporary permission for a specific action on a managed identity.

It focuses on operational behavior for customers and operators.

Purpose

The workflow exists to:

  • enforce least privilege by default
  • allow controlled exception handling
  • ensure supervisor-based governance
  • keep all approval decisions traceable

Workflow States

The request lifecycle uses four states:

State      Meaning
Requested  A temporary permission request has been created and is waiting for supervisor review.
Accepted   The request was approved. A transitory permission is granted for the defined action scope.
Rejected   The request was denied. No temporary permission is granted.
Escalated  The request was forwarded by the assigned supervisor to another specific supervisor for further decision.

Supervisor Principle

Each request is reviewed by an assigned supervisor. If escalation is required, the currently assigned supervisor decides to whom the request is escalated.

This ensures clear ownership of each decision step and prevents uncontrolled approval routing.

Request Flow

  1. An operator attempts an action on a managed identity.
  2. If the operator is not authorized, the action is blocked.
  3. The operator can submit a temporary permission request for that specific action.
  4. The request enters Requested.
  5. The assigned supervisor reviews business context, risk, and justification.
  6. The supervisor decides Accept, Reject, or Escalate.
  7. If Escalate is chosen, the request enters Escalated and is routed to a specific supervisor chosen by the current supervisor.
  8. A final decision closes the request as Accepted or Rejected.

Decision Outcomes

Accepted

  • A transitory permission is granted to the requesting operator.
  • The permission is scoped to the approved action context.
  • The permission is short-lived and removed after use or expiry.

Rejected

  • No transitory permission is granted.
  • The original action remains blocked.

Escalated

  • Responsibility moves to the selected supervisor.
  • The escalated supervisor performs the next review decision.

Audit and Governance Relevance

The workflow supports accountable operations by recording:

  • who requested access
  • who approved, rejected, or escalated
  • which managed identity and action were in scope
  • final outcome and approval path

This provides clear evidence for internal control reviews and compliance activities.
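The state machine, supervisor-ownership rule, decision outcomes and audit record described above, as one added example. This is illustrative code written for this page, not the Identity Operations Platform's own implementation; the class and function names (PermissionRequest, TransitoryPermission, authorize, run_example), the 15-minute default lifetime, the single-use permission, and the rule that a supervisor may not escalate to themselves are assumptions, as are the operator, identity and supervisor names used in the walkthrough.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class State(Enum):
    REQUESTED = "Requested"
    ACCEPTED = "Accepted"
    REJECTED = "Rejected"
    ESCALATED = "Escalated"


OPEN_STATES = {State.REQUESTED, State.ESCALATED}   # states in which a decision is still pending


class WorkflowError(Exception):
    """Raised when a transition would violate the workflow rules."""


@dataclass
class TransitoryPermission:
    operator: str
    identity: str
    action: str
    expires_at: datetime
    consumed: bool = False

    def covers(self, operator: str, identity: str, action: str, now: datetime) -> bool:
        # Scoped to exactly one operator/identity/action, single use (assumption), and time-boxed.
        return (not self.consumed and now < self.expires_at
                and (operator, identity, action) == (self.operator, self.identity, self.action))


@dataclass
class PermissionRequest:
    request_id: str
    operator: str
    identity: str
    action: str
    justification: str
    supervisor: str                       # supervisor who currently owns the decision
    state: State = State.REQUESTED
    permission: Optional[TransitoryPermission] = None
    audit: list = field(default_factory=list)

    def __post_init__(self) -> None:
        self._record(self.operator, "requested", identity=self.identity, action=self.action,
                     justification=self.justification, supervisor=self.supervisor)

    def _record(self, actor: str, event: str, **details) -> None:
        self.audit.append({"actor": actor, "event": event, "state": self.state.value, **details})

    def _check_owner(self, actor: str) -> None:
        # Only the currently assigned supervisor may decide, and only while the request is open.
        if self.state not in OPEN_STATES:
            raise WorkflowError(f"{self.request_id} is already closed as {self.state.value}")
        if actor != self.supervisor:
            raise WorkflowError(f"{actor} is not the assigned supervisor ({self.supervisor})")

    def accept(self, actor: str, now: datetime, ttl: timedelta = timedelta(minutes=15)):
        self._check_owner(actor)
        self.state = State.ACCEPTED
        self.permission = TransitoryPermission(self.operator, self.identity, self.action, now + ttl)
        self._record(actor, "accepted", expires_at=self.permission.expires_at.isoformat())
        return self.permission

    def reject(self, actor: str) -> None:
        self._check_owner(actor)
        self.state = State.REJECTED
        self._record(actor, "rejected")

    def escalate(self, actor: str, to_supervisor: str) -> None:
        self._check_owner(actor)
        if to_supervisor == actor:        # assumption: escalation must change ownership
            raise WorkflowError("escalation must hand the decision to a different supervisor")
        self.state = State.ESCALATED
        self.supervisor = to_supervisor
        self._record(actor, "escalated", to_supervisor=to_supervisor)

    def approval_path(self) -> list:
        """Supervisors who acted on the request, in order (the approval path for audit)."""
        return [e["actor"] for e in self.audit if e["event"] != "requested"]


def authorize(baseline, request, operator, identity, action, now) -> bool:
    """Baseline grants first; otherwise an Accepted request's permission may cover the action once."""
    if (operator, identity, action) in baseline:
        return True
    perm = request.permission if request is not None and request.state is State.ACCEPTED else None
    if perm is not None and perm.covers(operator, identity, action, now):
        perm.consumed = True               # removed after use, per the Accepted outcome
        return True
    return False


def run_example() -> dict:
    """Walk one constructed request through Requested -> Escalated -> Accepted."""
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)        # constructed timestamp
    baseline = {("alice", "svc-billing", "read-config")}           # constructed baseline grant
    blocked = authorize(baseline, None, "alice", "svc-billing", "rotate-secret", now)
    req = PermissionRequest("REQ-0001", "alice", "svc-billing", "rotate-secret",
                            "constructed justification", supervisor="bob")
    try:
        req.accept("carol", now)                                   # carol does not own it yet
    except WorkflowError:
        pass
    req.escalate("bob", "carol")                                   # bob hands the decision to carol
    req.accept("carol", now)
    other = authorize(baseline, req, "alice", "svc-billing", "delete", now + timedelta(minutes=1))
    expired = authorize(baseline, req, "alice", "svc-billing", "rotate-secret", now + timedelta(hours=1))
    first = authorize(baseline, req, "alice", "svc-billing", "rotate-secret", now + timedelta(minutes=1))
    second = authorize(baseline, req, "alice", "svc-billing", "rotate-secret", now + timedelta(minutes=2))
    try:
        req.reject("carol")                                        # request is already closed
        late_change = True
    except WorkflowError:
        late_change = False
    return {"blocked": blocked, "other_action": other, "expired": expired, "first": first,
            "second": second, "late_change": late_change, "state": req.state.value,
            "path": req.approval_path(), "audit_events": [e["event"] for e in req.audit]}
```

The key design point is that `_check_owner` is the single gate for every decision method: a request that is closed cannot be re-decided, and a supervisor who does not currently own the request cannot act on it even if they will own it after an escalation. The audit list grows only on successful transitions, so `approval_path()` reproduces exactly the chain of supervisors the governance section asks to be recorded.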

Summary

The approval and escalation workflow provides a controlled path for exceptional access without weakening baseline authorization controls. It combines operational flexibility with supervisor accountability and auditable decision trails.