Documentation

Approval workflows | Entitle Pathfinder

Suggest Edits

Overview

Approval workflows define the Just-in-Time (JIT) permissions approval process in Entitle. When a user requests access, the workflow determines whether approval is required, which conditions apply, who must approve, and how long access is granted. A single workflow can support multiple JIT components, including integrations, resources, roles, and bundles.

How approval workflows work

  • Rules and evaluation: Each approval workflow contains one or more rules. Every rule includes:
    • A condition (if) defines when the rule applies.
    • An approval process (then) defines how the request is approved.
      Rules are evaluated in order from top to bottom. The first rule whose condition is met determines the approval process for the request.
  • Approval steps: The approval process inside a rule can include multiple steps, each representing an approver or approval action. Steps run sequentially. Each step can use one of two operators:
    • Any: Any approver in the step may approve.
    • All: All approvers in the step must approve.

      Avoid assigning specifically named individuals when possible. Use managers, groups, roles, schedules, or other abstract approver types to ensure scalability.

Approver Types

Entitle includes several approver types you can use in workflow steps.

  • Team member: Any user who shares the same manager as the requester. For requests made on behalf of another user, this refers to users sharing the manager of the user receiving access. If no direct manager exists, any Entitle admin may approve.
  • Resource owner / integration owner: The primary owner of a resource or integration. For bundles, this means the owner of each included resource or integration.
  • Resource maintainer / integration maintainer: A secondary administrator of the resource or integration. Multiple maintainers may be assigned, including IdP groups. For bundles, this means the maintainer of each included resource or integration.
  • Direct manager: The manager of the user requesting access. For requests made on behalf of another user, this refers to the manager of the user receiving access.
  • Automatic Approval: The step is approved automatically, without human intervention.
  • Group: Any member of an IdP group at the time of request. Group members cannot approve their own requests. If someone requests access on behalf of another user and belongs to the approval group, the step is automatically approved.
  • Schedules: Any member of an on-call schedule. Schedule members cannot approve their own requests. If someone requests access on behalf of another user and is currently on-call, the step is automatically approved.
  • Specific user: Any user in the tenant. Start typing to see available users.
  • Webhooks: Third-party code that acts as the approver.

    ℹ️

    For more information on webhooks, see Webhook-based approvals.

ℹ️

When using Team or Schedule approvers, only users currently on-call can request access. This design ensures that only active responders can request access.

To allow all schedules (not just on-call users) to request access, create a group containing all schedule members and use that group instead.

View and manage approval workflows

  1. Sign in to app.beyondtrust.io with your credentials. The BeyondTrust Pathfinder Home displays.
  2. At the top right of the page, select your site from the drop-down.
  3. Select the Entitle tile from your list of available applications.
  4. From the top left menu, select Approval workflows.

The Approval workflows page lists all existing workflows in your organization, including their name, approval steps, and the total number of roles and bundles associated with each.

This screen has four main functionalities:

  1. Edit and delete approval workflows
  2. Search, sort, and filter approval workflows
  3. Add a new approval workflow
  4. Set up webhook-based approvals

Edit and delete approval workflows

  1. Edit approval workflow: You can modify the workflow name, access request conditions, and approval steps. you can also add or remove rules and steps, and change rule order using the arrows at the left. After making changes, click Save approval workflow.

    Example of a an edit workflow screen, indicating how to add a new rule or a new step to the workflow. At the end, click the save approval workflow at the bottom right corner

  2. Delete an approval workflow: On the Approval workflows page, locate the workflow you want to remove, then click Delete. Confirm the deletion in the pop-up.

Search, sort, and filter approval workflows

  • Search by Workflow name.
  • Sort options:
    • Name
    • Number of steps (sorts by the highest step count present in any rule in each workflow)
    • Last added
  • Filter options:
    • Name
    • IdP group
    • On-call group
    • Approval by webhook
    • Request duration
    • Usage

Add a new approval workflow

  1. On the Approval workflows page, click New approval workflow.
  2. Choose a name for your workflow.
  3. Define one or more rules, including their conditions and approval steps.
  4. Order the rules as needed.
  5. Click Save approval workflow.

The newly created approval workflow appears on the Approval workflows main page.

Set up webhook-based approvals

Configure approvals by webhook (advanced)

Approval workflows support both third-party code approvals and advanced webhook notifications. Approval by webhook allows you to extend Entitle's built-in approver types with your organization's specific approval mechanisms, such as customer approvals or certification services.

  1. On the Approval workflows screen, click Approval by webhook.
  2. Click Add webhook, and insert your webhook details.
    • Name: Enter a name to identify your webhook.
    • URL: Insert your webhook URL. Make sure it adheres to the Approval webhook structure.
    • Headers: Any value set in this field will be added to the request header as is.
    • Additional parameters: Any value set in this field will be added to the request body as is.

      🚧

      Important information

      The following keys are forbidden: stageNumber, stageAmount, token, and accessRequest.

Use a webhook in a workflow

  1. After the webhook is registered, go to the Approval workflows page and either add or edit a workflow.
  2. Add the webhook to the workflow as either an approver or a notification recipient.
  3. Save the workflow to apply the changes.

This example shows both configurations (indicated by the webhook icon).

Screenshot showing both approver/notification configurations (indicated by the webhook icon).

Webhook Request Structure

When a webhook is triggered as part of an approval step, Entitle sends a JSON payload similar to this:

{  
  stageNumber: 1,  
  stageAmount: 3,  
  accessRequest: {  
    behalfOf: {  
      id: "51907709-306b-4587-a89a-4c1a3f8d081f",  
      email: "[[email protected]](mailto:[email protected])",  
    },  
    duration: 15768000,  
    id: "054283fe-f1b4-4bdc-b54e-2adba50f079a",  
    justification: "I need it",  
    number: 114,  
    roles: [  
      {  
        isPrerequisite: false,  
        id: "a7b1e5be-d2bb-4891-a446-406b74ba7b3f",  
        name: "role1",  
        resource: {  
          id: "f40d54f4-1483-431f-bbe1-ce6e19a792eb",  
          name: "resource 1 name",  
          integration: {  
            id: "e5eb6b93-5735-4a65-97fc-5f11e29b9566",  
            name: "manuella",  
            application: {  
              name: "Manual",  
            },  
          },  
        },  
      },  
    ],  
    status: "waitingForApproval",  
    targets: [  
      {  
        type: "role",  
        role: {  
          id: "a7b1e5be-d2bb-4991-a446-406b74ba7b3f",  
          name: "requested role",  
        },  
      },  
    {  
    type: "bundle"
    bundle: {  
      id: "a7b1e5be-d2bb-4991-a446-406b74ba7b3f",  
      name: "requested bundle",  
    },  
  }
]

Field meanings:

  • stageNumber – The current step number in the approval process.
  • stageAmount – The total number of approval steps in the access request.
  • token – A unique identifier used to authenticate and link a specific webhook workflow request with its corresponding response. This token is required only when the webhook acts as an approver, not when it is used for notifications.
  • accessRequest – The access request details.

Webhook response structure

Your webhook returns its approval decision – approve or decline – by sending an HTTP POST request to the accessRequests/reply endpoint.

The response should include the following parameters:

{
  "type": "approve" | "decline",
  "token": "token received from webhook data"
}

Example cURL

curl -X POST <https://api.entitle.io/webhooks/v1/approvalRequests/reply>  
-H "Content-Type: application/json"  
-d '{  
    "type": "approve",  
    "token": "c14f9c92-87bd-4a2e-9f13-2e7c4a1d5b8e"  
}'

🚧

Important information

If Entitle repeatedly fails to deliver webhook requests, the webhook is automatically disabled. While disabled, new approval steps intended for that webhook are escalated to Entitle administrators.

Updated 3 months ago