Managing Approval Requests¶
When a certificate operation matches an enabled Approval Workflow, an approval request is created and the operation is held pending a decision. This page covers how to view, approve, and reject those requests.
Viewing Approval Requests¶
Navigate to Policies > Approvals and select the Requests tab.
The requests list shows all approval requests visible to your account:
- Users with the
policy_adminorsuper_adminrole see all requests for the tenant. - All other users see only requests where their account is listed as an approver on the matched workflow.
Request Details¶
Each row in the list shows:
| Column | Description |
|---|---|
| Workflow | The name of the workflow that triggered the request |
| Certificate CN | The Common Name of the certificate involved |
| Matched Domain | The specific domain pattern that triggered the match |
| Event | Whether this is a generate or revoke request |
| Requested by | The user who initiated the certificate operation |
| Requested at | Timestamp of when the request was created |
| Status | Current status of the request |
Filtering by Status¶
Use the status filter dropdown to narrow the list:
| Filter | Shows |
|---|---|
| Pending | Requests awaiting a decision |
| Approved | Requests that have been approved |
| Rejected | Requests that have been rejected |
| Expired | Requests that timed out before a decision was made |
| All | All requests regardless of status |
The default view shows pending requests. The pending count is displayed as a badge on the Requests tab header.
Approving a Request¶
To approve a request:
- Locate the request in the pending list.
- Select Approve.
- Optionally, enter a note in the Decision Notes field to record your reasoning or reference a ticket number.
- Confirm the approval.
When a request is approved:
- The approval request status is set to
approved. - For generation requests: the CertificateOrder is returned to
pendingstatus and the certificate generation job is re-dispatched. The certificate issues through the normal pipeline. - For revocation requests: the revocation call is made immediately to the Back Control Plane.
- An audit log entry is created with your user details, timestamp, and any decision notes.
Rejecting a Request¶
To reject a request:
- Locate the request in the pending list.
- Select Reject.
- Optionally, enter a note in the Decision Notes field explaining the reason for rejection.
- Confirm the rejection.
When a request is rejected:
- The approval request status is set to
rejected. - For generation requests: the CertificateOrder status is set to
cancelled. The certificate is not issued. - For revocation requests: the revocation is not performed. The certificate remains active.
- An audit log entry is created.
The requester is not automatically notified of a rejection — they can monitor the status of their CertificateOrder in the certificates list, or check the Requests tab directly if they have access.
Expired Requests¶
If a workflow is configured with an Approval Timeout, requests that are not decided within that window are automatically set to expired. An expired request is treated as a non-decision — the operation is not dispatched.
For generation requests: the CertificateOrder remains in awaiting_approval status. The requester must submit a new certificate request.
Expired requests are visible under the Expired filter in the requests list.
Bypassed Requests¶
When a certificate renewal triggers a workflow that has Bypass on Renewal enabled, the request is recorded with a status of bypassed and the renewal proceeds without waiting for a decision. Bypassed requests appear in the requests list for audit purposes.
Audit Log¶
All approval-related actions are recorded in the platform audit log:
| Event | Recorded when |
|---|---|
approval_request.created |
A new approval request is created (operation blocked) |
approval_request.approved |
An approver approves a request |
approval_request.rejected |
An approver rejects a request |
approval_request.bypassed |
A request is bypassed due to renewal bypass |
Each entry includes the user who took the action, the timestamp, the workflow and certificate details, and any decision notes provided.
Next Steps¶
- Service Account API — manage workflows programmatically.
- Best Practices for Approval Workflows — guidance on scoping, timeouts, and approver management.