Setting up Approval Workflows¶
This guide walks through creating and configuring an Approval Workflow. For background on how workflows operate, see Introduction to Approval Workflows.
Prerequisites¶
- You must be signed in with the
policy_adminorsuper_adminrole. - Approvers you designate must already have user accounts on your tenant. Any tenant user can be designated as an approver regardless of their role.
Creating a Workflow¶
Step 1 — Open the Approvals page¶
Navigate to Policies > Approvals in the sidebar. This page lists all existing approval workflows for your tenant.
Select Create Workflow.
Step 2 — Set a name and description¶
Provide a Name that clearly identifies the workflow's purpose. Names are displayed in the workflow list, in approval request details, and in email notifications sent to approvers.
An optional Description can be used to record the rationale for the workflow or link it to a compliance requirement.
Step 3 — Select the trigger¶
Choose which operation type the workflow will intercept:
| Option | Effect |
|---|---|
generate |
Applies to certificate generation (new issuance) requests |
revoke |
Applies to certificate revocation requests |
both |
Applies to both generation and revocation |
Step 4 — Add domain patterns¶
Domain patterns control which certificates are matched by this workflow. A certificate is matched when its Common Name or any Subject Alternative Name matches at least one of the configured patterns.
Select Add Pattern to add each pattern. The following formats are supported:
| Format | Example | Behaviour |
|---|---|---|
| Exact match | api.example.com |
Matches only that specific hostname |
| Wildcard subdomain | *.example.com |
Matches any single subdomain of example.com, but not example.com itself |
| Catch-all | * |
Matches any certificate regardless of domain |
You can add multiple patterns to a single workflow. A match on any one pattern is sufficient to trigger the workflow.
Step 5 — Configure approvers¶
Add one or more users who will be authorised to approve or reject requests triggered by this workflow. Use the approver search field to find users by name or email address.
Set the Required Approvals count to specify how many approvers must accept a request before the operation proceeds. The default is 1. Setting this to 2 or more enforces two-person integrity for the matched operations.
Step 6 — Set a timeout (optional)¶
The Approval Timeout field specifies how many hours a request can remain pending before it is automatically expired. Leave this blank to allow requests to remain open indefinitely.
Organisations with SLA requirements for certificate issuance typically set a timeout aligned to their internal SLA — for example, 48 hours for non-urgent certificate requests.
Step 7 — Configure renewal bypass¶
The Bypass on Renewal toggle controls whether automated renewal operations are held for approval or allowed to proceed immediately.
Enable this toggle if automated renewal processes (renewal threshold jobs, Bridge-driven renewals, or ACME renewals) should not require approval. Disable it if renewals must also be approved.
Step 8 — Enable and save¶
Ensure the Enabled toggle is on, then select Save. The workflow is immediately active.
A workflow can be saved in a disabled state and enabled later without deleting and recreating it.
Editing a Workflow¶
- Navigate to Policies > Approvals.
- Select the workflow you want to edit.
- Modify the fields as needed and select Save.
Changes take effect immediately. In-flight approval requests that were created before the edit are not retroactively affected — they will be decided against the workflow configuration that was active when the request was created.
Enabling and Disabling a Workflow¶
Workflows can be enabled or disabled without deleting them. This is useful for temporarily suspending approval requirements during maintenance windows or staged rollouts.
To toggle a workflow from the list view, use the enable/disable toggle in the workflow's row. The change takes effect immediately.
Disabling a workflow does not affect approval requests that are already pending — those must be decided manually.
Deleting a Workflow¶
Deleting a workflow is permanent. Any approval requests that were created by the workflow remain in the system for audit purposes, but no new requests will be created.
To delete a workflow, open its detail page and select Delete.
Next Steps¶
- Managing Approval Requests — handle pending requests once a workflow is active.
- Service Account API — create and manage workflows programmatically.
- Best Practices for Approval Workflows — guidance on scoping, approver selection, and timeout configuration.