Approvals

What goes through approvals

Any admin operation tagged requires_approval — AD user disable, bulk DNS changes, runbook steps against production scopes, integration credential rotation, etc.

Workflow

1. User A requests an approval: action name, target key, justification.
2. User B (different user, with approvals.approve permission) reviews + approves or denies.
3. User A has a limited window (default 60 min) to actually execute the action. Past the window, approval expires and must be re-requested.
4. Execution records both user IDs in the audit row.

Gotchas

• You cannot approve your own request. Attempting to do so returns 403.
• Denied approvals are kept for audit history; re-request if legitimate.