Assigning dual approval limits to a custom role
After you have created a custom role, you need to decide whether device actions require a second user to authorize the request. This is controlled by limits.
Dual approval settings can only be configured for custom roles. By default, only the System Administrator can create custom roles.
Dual approval is configured by modifying the permissions for custom roles. Custom roles can be created by System Administrators by duplicating an existing default role and editing its permissions, or by selecting a set of permissions and assigning a name to the role. Dual approval cannot be configured for default roles.
For each custom role, limits are set for each supported device action. To set a limit, you set a threshold number of devices that can be included by a user in device action requests before a secondary approver is required. For each device action that is assigned a limit for the custom role, you also select which roles can approve the request, and which roles receive notifications about dual approval requests.

To configure dual approval limits, your user role must be granted the View or Manage permission for Roles and the Manage permission for Dual Approval Settings. By default, the System Administrator and the Security Administrator roles are granted these permissions.
To view dual approval limits, your user role must be granted the View or Manage permission for Roles and Dual Approval Settings. By default, the System Administrator and the Security Administrator roles are granted these permissions.
To approve device actions that require dual approval, your user role must be configured as an approver when the limits are modified on a custom role. By default, the System Administrator role is always a secondary approver for dual approval requests.

Dual approval limits are supported on the following device actions:

Limits are used to set the number of devices that can be included in device action requests before a secondary approver is required. There are three types of limits available: No approval required, Daily limit, and Always required.
No approval required
When a limit is set to No approval required, device action requests made by users assigned to the custom role don't require approval.
Daily limit
When a limit is set to Daily limit and a limit threshold is set, device action requests made by users assigned to the custom role don't require approval when the cumulative daily total of devices in the requests is less than the threshold. Once the number of devices in the requests exceeds the threshold, device action requests require approval. The device count is for a calendar day between 0:00 and 24:00 UTC.
If the number of devices in a request causes the device total to exceed the daily threshold, the entire request requires approval.
If an API token is created for the user, devices in requests created using the API token are included in the device total. Requests created using the Absolute API that exceed the daily threshold also require approval.
Example: A user belongs to a role where the Daily limit for Unenroll requests is set to 10. The user makes an Unenroll request that contains 9 devices. This request doesn't require approval. Next, the user makes an Unenroll request that contains 2 devices. The daily cumulative total is 11, which is greater than the threshold. The second request requires approval.
Always required
When the limit is set to Always required, device action requests made by users assigned to the custom role always require approval.
Devices included in requests created before the limits are changed use the limits that applied when the request was created. If you remove the limits from a role, all pre-existing requests pending removal still require approval. When a limit is created, the device count begins at the time the limit is added.

If a device action is assigned a limit for a custom role, you also need to select the roles that can approve and receive notifications about pending requests. By default, the System Administrator is assigned as an approver and receives notifications about pending requests. The System Administrator cannot be removed from the approver list, but can be configured so that users assigned to the role don't receive notifications. Although limits can only be applied to custom roles, any default or custom role can be configured as an approver and to receive notifications. The custom role you are assigning limits to can be added as an approver. In this case, a user assigned to the custom role cannot approve their own request.
The roles assigned to approve a request and for notifications are set when the request is created. Changes to approvers and notifications only apply to requests created after the change took place.
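The limit types and the approver rule described above can be modelled in a few lines. This is an added example, not code from the product: the class and function names are hypothetical, and the two points the page leaves open (whether held requests still count toward the total, and what happens when the total exactly equals the threshold) are marked as assumptions in the comments.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum

class LimitType(Enum):
    NONE = "No approval required"
    DAILY = "Daily limit"
    ALWAYS = "Always required"

@dataclass
class ActionLimit:
    kind: LimitType
    threshold: int = 100  # default value given in the procedure
    approver_roles: frozenset = frozenset({"System Administrator"})

@dataclass
class DualApprovalModel:
    """Hypothetical model of the rules on this page (not vendor code)."""
    limit: ActionLimit
    totals: dict = field(default_factory=dict)  # (user, UTC date) -> devices

    def needs_approval(self, user: str, devices: int, when: datetime) -> bool:
        if self.limit.kind is LimitType.NONE:
            return False
        if self.limit.kind is LimitType.ALWAYS:
            return True
        # Daily limit: counted per user per UTC calendar day. Console and
        # API-token requests share the same per-user total.
        key = (user, when.astimezone(timezone.utc).date())
        # Assumption: every request adds to the total, including requests
        # that were themselves held for approval.
        self.totals[key] = self.totals.get(key, 0) + devices
        # Assumption: a total exactly equal to the threshold is still
        # allowed. Once exceeded, the entire request is held.
        return self.totals[key] > self.limit.threshold

    def can_approve(self, requester: str, approver: str, role: str) -> bool:
        # Users can never approve their own request, even when their own
        # role is on the approver list.
        return approver != requester and role in self.limit.approver_roles

def page_example() -> list:
    """Threshold 10: a 9-device request, then a 2-device request."""
    model = DualApprovalModel(ActionLimit(LimitType.DAILY, threshold=10))
    day = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed date
    return [model.needs_approval("alice", n, day) for n in (9, 2)]
```

Because the count follows UTC, a request made late in the evening in a western time zone lands on the next UTC day's total, which matters when choosing a threshold for teams outside UTC.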

Prior to setting the limits, you should create a custom role and assign users to the role.
To assign limits to a custom role:
- Log in to the Secure Endpoint Console as a user with the View or Manage permission for Roles and the Manage permission for Dual Approval Settings.
  By default, the System Administrator and Security Administrator roles have these permissions.
- On the navigation bar, click Settings > User management > Roles.
- On the sidebar, click the custom role you want to change the dual approval limits for.
- Click Permissions to open the custom role's Permissions page.
- Click Edit to open the Edit Permissions dialog.
- Locate the device action that you want to set the limits for. If the role doesn't have Perform permissions, assign them by selecting the device action's Other Actions checkbox.
- Click the button in the Approval column. The button displays the current limits set for the action and, if dual approval is required, the roles that can approve requests. Only actions that support dual approval have a button in this column.
  By default, all supported device actions are set to No approval required.
- Remove dual approval
  If dual approval is currently required, and you want to remove it, select No approval required from the drop-down list.

  Set a daily limit
  - Select Daily limit from the drop-down list.
  - Enter the number of devices that can be included in requests before the request needs to be approved.
    The default value is 100.
  - In the Approver column, select the roles that can approve requests created by users assigned to this custom role.
    The Notify column is also selected.
  - In the Notify column, clear the checkbox if you don't want the role to receive an email notification when there is a request that needs to be approved.
    You can only select Notify for a role that is also selected in the Approver column.
  - Click outside of the Limit details dialog.

  Require approval for every request
  - Select Always required from the drop-down list.
  - In the Approver column, select the roles that can approve requests created by users assigned to this custom role.
    The Notify column is also selected.
  - In the Notify column, clear the checkbox if you don't want the role to receive an email notification when there is a request that needs to be approved.
    You can only select Notify for a role that is also selected in the Approver column.
  - Click outside of the Limit details dialog.
- Click .
The role is updated and a Dual approval settings updated event is logged to Event History.
Devices in requests that were created before the limits were changed for a role use the limits that applied when the request was created. If you remove the limits from a role, all pre-existing requests pending removal still require approval. When a limit is created, the device count begins at the time the limit is added.