Approvals
Gain fine-grained control over your applications, scopes, deployments, services, and more by setting up approvals and creating custom policies.
Authorization vs. approvals
Approvals provide a dynamic alternative to standard authorization:
- Authorization is static, defining "who can do what" using fixed rules based on standard, coarse-grained roles.
- Approvals enable detailed decision-making based on contextual information, leveraging the metadata catalog (e.g., "Do not deploy during a holiday freeze unless the user is a Principal").
By combining authorization and approvals, nullplatform provides a flexible way to manage access and workflows to meet your organization's needs.
How approvals work
Approvals in nullplatform allow you to enforce fine-grained control over actions such as deployments, services, or scopes by combining approval actions, policies, and notification channels. These components work together to ensure that specific actions are reviewed and approved based on contextual conditions.
To illustrate these concepts, let’s consider an example where you want to control deployments to your production environment.
Approval actions
An approval action defines which entities (e.g., deployments) and actions (e.g., create or delete) require approval. For instance, to require approval for deployment attempts in production, you would define an approval action like this:
{
  "nrn": "organization=1:account=2:namespace=3:application=4",
  "entity": "deployment",
  "action": "deployment:create",
  "dimensions": {
    "environment": "production"
  },
  "on_policy_success": "approve",
  "on_policy_fail": "manual"
}
This approval action specifies that any attempt to create a deployment in the production environment must be approved. If the associated policy conditions are met, the action is automatically approved; otherwise, it requires manual review.
Policies
A policy defines the conditions under which an action is approved, denied, or flagged for manual review.
For our production deployment example, a policy might require that auto-scaling is enabled, a minimum number of instances is configured, and the code coverage meets a certain threshold. Policies use MongoDB syntax for conditions, letting you create flexible and complex rules:
{
  "nrn": "organization=1:account=2:namespace=3:application=4",
  "name": "Prod deployments require approval",
  "conditions": {
    "scope.capabilities.auto_scaling.enabled": true,
    "scope.capabilities.auto_scaling.instances.min_amount": {
      "$gte": 2
    },
    "scope.dimensions.environment": "production",
    "build.metadata.coverage.percent": {
      "$gte": 80
    }
  }
}
When an approval action is triggered, the policy is evaluated against the request. If all conditions are met, the action is approved. If not, the outcome depends on the policy's configuration—either the action is denied or flagged for manual review.
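To make the evaluation concrete, the following added example (not nullplatform's code) runs this page's policy conditions against constructed request contexts and maps the result to the approval action's `on_policy_success` / `on_policy_fail` outcome. The context shape, the function names, and the choice to treat a missing field as a failed condition are assumptions; only dotted paths, equality, and the four comparison operators are supported.

```python
# Added example, not nullplatform's evaluator; context shape and names are assumptions.
import operator
MISSING = object()
OPS = {"$gt": operator.gt, "$gte": operator.ge, "$lt": operator.lt, "$lte": operator.le}

def lookup(doc, dotted_path):
    for key in dotted_path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return MISSING  # any absent path segment means "no value"
        doc = doc[key]
    return doc

def matches(value, expected):
    if value is MISSING:
        return False  # fail closed: absent metadata never satisfies a condition
    if isinstance(expected, dict) and any(k.startswith("$") for k in expected):
        try:
            return all(OPS[op](value, arg) for op, arg in expected.items())
        except (KeyError, TypeError):
            return False  # unsupported operator or incomparable types
    return value == expected

def evaluate_policy(conditions, context):
    """True only if every condition holds (implicit AND, as in a MongoDB filter)."""
    return all(matches(lookup(context, p), e) for p, e in conditions.items())

def decide(approval_action, policy, context):
    """Map the policy result to the approval action's configured outcome."""
    ok = evaluate_policy(policy["conditions"], context)
    return approval_action["on_policy_success" if ok else "on_policy_fail"]

# Approval action and policy conditions as shown on this page.
ACTION = {"entity": "deployment", "action": "deployment:create",
          "on_policy_success": "approve", "on_policy_fail": "manual"}
POLICY = {"conditions": {
    "scope.capabilities.auto_scaling.enabled": True,
    "scope.capabilities.auto_scaling.instances.min_amount": {"$gte": 2},
    "scope.dimensions.environment": "production",
    "build.metadata.coverage.percent": {"$gte": 80}}}

def make_context(min_amount=2, coverage=85):
    """Constructed request context; its shape is an assumption."""
    meta = {} if coverage is None else {"coverage": {"percent": coverage}}
    scaling = {"enabled": True, "instances": {"min_amount": min_amount}}
    scope = {"capabilities": {"auto_scaling": scaling}, "dimensions": {"environment": "production"}}
    return {"scope": scope, "build": {"metadata": meta}}

for label, ctx in [("compliant", make_context()), ("no coverage", make_context(coverage=None))]:
    print(label, "->", decide(ACTION, POLICY, ctx))
```

A build that reports no coverage figure at all lands in manual review rather than being auto-approved, which is the case worth checking when a policy depends on metadata that a pipeline might omit.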
Notification channels
Notification channels can be set up to send alerts via platforms like Slack, ensuring that approvers are promptly notified and can take action. For example, a Slack notification channel might look like this:
{
  "nrn": "organization=1",
  "source": ["approval"],
  "type": "slack",
  "configuration": {
    "channels": ["my-organization-private-channel"]
  },
  "filters": {
    "action": "deployment:create"
  }
}
Summary
| Step | Description |
|---|---|
| Approval action | Specifies the entities and actions requiring approval and their outcomes. |
| Policy | Defines the conditions for approving, denying, or flagging actions for review. |
| Notification channel | Sends alerts to approvers about requests, allowing for quick review and action. |
How to configure approvals
The approval setup process involves four main steps:
We'll guide you through each stage in the following articles.
Where do I start?
While you can start with either approval actions or notification channels, it’s best to create policies last to avoid confusion.
We recommend starting by creating an approval action, followed by setting up a notification channel to test if the approval action triggers the approval request. Once this is working, you can proceed to create policies and associate them with the action to define the rules for when the action is triggered.
What's next
Now that you’ve covered the basics, explore the following sections for more details on setting up approvals in your organization: