Approval-Based Workflow
Picture the world where administrative tasks in your AD environment are performed by non-technical staff. Sounds like a piece of fiction, doesn't it? But, with approval-based workflows it is closer to a manageable reality than you think.
Adaxes enables you to add an approval step to practically any operation in AD, Entra ID, Exchange, and Microsoft 365. You will finally be able to delegate a large portion of your daily job to someone else without the loss in quality and while still maintaining full control.
How it works
Operations are sent for approval with the help of business rules – automated workfklows in Adaxes-speak. You simply need to create a business rule that triggers before an operation, and define what objects the rule will affect. For example, before creating users in the Miami office.
From then on, Adaxes will catch every attempt to create a user in your AD or Entra ID, and will suspend it. Nothing will be committed to the directory until an approval is granted. An important bit is that the operation must be executed via Adaxes for the approval to trigger. For instance, via the Web interface.
The person you designated as an approver will be notified by email, will able to review the operation details in the same email, and then approve or deny it from the same email. Everything can be done in seconds, and from the comfort of a mobile phone.
This is the approval-based workflow in a nutshell. Now, let's explore what you can build on this foundation.
User creation
Delegating user creation first and foremost requires taking the technical aspect out of it. Approvals come after. The customizable user creation forms in the Web interface the automated provisioning workflows simplify user creation to the point where it does not require any specialized knowledge. That's one piece of the puzzle taken care of.
An approval step is the second piece – it ensures that no stray users are created and that you won't have to hunt for mistakes in recently created accounts. You only have to review and approve emails.
But what if you don't want to be bombarded with countless approval request emails for every new user? Well, you can add conditions to your workflow to control whether to send an operation for approval or not.
For example, you can configure Adaxes to skip the approval step for the creation of most accounts, but keep it for subcontractor accounts created by someone not from the IT department.
Conditions add flexibility and enable you to send operations for approval only when strictly necessary. If every possible operation is sent for approval, you will drown in these requests. It defies the whole point, so conditions are your best friend here.
How to request approval for user creation
Group membership management
Let's make a 180-degree turn and look at how approvals can improve group membership management. Your employees, or at least their managers probably know what printer access, shared folder access, third-party system access, etc. they need to do their job.
It is only natural that employees should be able to request additional access to company resources when the need arises. How? By adding themsleves to security groups that grant it. Of course, with an approval step.
The efficiency of this approach is incomparable to emailing the IT department or submitting a ticket to the help desk. That's because approval emails are more than immediate and actionable alerts. The task has already been done – you just need to click a button to confirm it.
In fact, why should you approve all the requests yourself? Verifying information in an email and clicking a button is not exactly a technical task. You can delegate both sides of an approval-based workflow to other people.
Employees know what access they need and they can ask for it. Higher-level employees know whether their subordinates really need that access. Let them approve group membership requests and make the process what it should be – a direct interaction between involved parties without unnecessary reliance on the IT department.
Again, you can spice it up with conditions. Skip the approval step if the new member is added by the group owner. Skip the approval step if the new member has a particular property value. If a piece of information exists in your directory, most likely, you can plug it into a condition to trigger approvals precisely when you need to.
Flexible approvers
Approval-based workflows are the most efficient when approvers have the capacity to make a decision immediately, without consulting anyone. One person or even a team are unlikely to have this capacity for every request from every user across the entire company.
That's why there are dynamic approval options like Manager of the initiator can approve the request. They help you keep your workflows localized – Adaxes will take context into account for every operation and will send it for approval to the person with the most knowledge about it.
You can also set up multi-level approval for extra sensitive operations. For example, request approval from the user's manager first, and once they approve, send it for a second approval to the IT department. Unless approved at all levels, the operation will not be executed. And, an administrator can jump in at any point and approve a particular step if it takes too long.
Finally, you can go wild with the approval logic with the help of PowerShell scripts. The built-in scripting system in Adaxes enables you to build the list of approvers as you wish, providing you can express your wishes in code. For example, you can send user creation for approval to members of a specific group that will be different every time, depending on the initiator or the properties of the new user.
Controlling automated tasks
Keeping control over manual tasks you delegated to other users is one thing. But what about scheduled operations or operations automatically triggered by certain events?
For example, you might have a scheduled task for directory cleanup. It performs destructive operations – deletes inactive computers, deprovisions stale accounts, etc. If left unchecked, you can end up in an awkward position where all the time saved by automating the process will be spent on restoring the lost data.
Luckily, the approval mechanism of Adaxes can cover all operations. Whether it is a scheduled task or a REST API request from a third-party system, you can be sure that Adaxes will not let anything destructive happen unless you approve it.
Of course, spending your time to approve every automated workflow defies the whole point of having automated workflows and approvals in the first place. However, requesting approval only for certain irreversible operations within these workflows is a good compromise. You dedicate some time to click through the emails every now and then, but you always have a get-out-of-jail-free card in your pocket.
In the end, it is up to you to find that perfect balance between saving time and maintaining control. All the tools are there, and it is only a matter of how you apply them. You can grab some quick wins with approval-based workflows for user creation and group membership management, and then explore more elaborate delegation. You will be surprised how many tasks were done by the admins only because users weren't equipped with Adaxes before.
