5 Ways to Spice Up Your Workflows with Wait for Approval
November 4, 2019
While BetterCloud is IT’s go-to solution for automating onboarding and offboarding, what happens when a process-as-written requires some input from someone else? Like an end user, a manager, HR, or another internal stakeholder? Did you know about Wait for Approval?
Perhaps you need a manager to approve a Google Drive transfer. Or an HR manager to approve a G Suite account deletion after a legal hold period. Maybe you need a check-in with the security team to approve file permission tightening for files with credit cards. With BetterCloud’s Wait for Approval action, you can now request an approval or rejection from a user within your directory to run the remainder of your workflow.
We’ll highlight the mechanics of the action. In addition, we show five high-value use cases for Wait for Approval, plus step-by-step instructions on their setup.
How does Wait for Approval work?
In Create Workflow within the Library for “Then” actions, nested under “BetterCloud” you will find “Wait for Approval”:
Once in your workflow, you will be asked to set up the following properties of the Wait for Approval action:
- (Optional) Enable stop and skip when this action is in progress
  - When enabled, a BetterCloud admin will have the ability to override the approver within Workflow Manager and stop the workflow.
- Approver
  - Any user account with a valid email that’s been ingested into BetterCloud can be designated as an approver.
  - Alternatively, you can use the dynamic field selector to specify the user or user’s manager that triggered the WHEN/IF statement at the start of your workflow.
- Subject
  - Wait for Approval will send an email to the approver’s email with the subject line text configured. You can use the dynamic field selector to add references to the user’s name, email, or other profile information that may be relevant.
- Body
  - Here you can compose a message detailing the actions the workflow will take when the approver approves the workflow. You can also use the dynamic field selector to reference the user’s name, email, and other relevant profile fields.
- Strongly Recommended: Enable Workflow Notifications
  - If a Wait for Approval action is rejected by the approver, it is strongly recommended a workflow notification go to your BetterCloud admin’s email address. That way, both the approval and rejection are logged outside of BetterCloud, and you can follow up if the rejection notification requires any manual intervention from the BetterCloud admin.
Once Wait for Approval is built into your workflow and the step triggers, the approver will receive an email that looks like this:
When the approver clicks “Approve Action,” the Wait for Approval will pass its step and continue to the next workflow step. Should the approver “Decline Approval,” the workflow will terminate with a status of “Stopped” and prevent all subsequent steps from running—not only the next action. Additionally, if a user fails to respond within 30 days, the workflow will stop. If this occurs, we recommend running the workflow on demand with your “Wait for Approval” and subsequent steps only.
Use case #1: Manager approves G Suite asset transfers (Drive files, Calendars, email forwarding)
Chances are, when you offboard a user, you have a long list of items you need to do. It probably includes tasks like transferring Google Drive files and primary calendar invites to a manager. And you very likely need to enable email forwarding. But to enhance your process, you can ask your managers whether they would like an offboarded user’s assets.
If you want managers to accept asset transfers, run a workflow in parallel to your standard offboarding workflow. Simply add that user to a “Transfer Approval” group built specifically by your G Suite administrator.
To achieve this without a rejection causing critical steps in the workflow to fail (e.g., Wait for Approval for a legal hold or Delete User steps for your integrations), you can make a parallel workflow occur by adding a user to a group or OU as a workflow step that represents the data transfer process. Here’s an example of what this could look like.
Let’s say you have an offboarding workflow that contains the following steps:
Let’s focus specifically on steps 8, 9, and 10. This is where we automatically transfer the user’s Google Drive files and calendars and enable email forwarding from the user’s inbox to the manager.
If I put a Wait for Approval action that asks the manager before these steps, I run the risk of the manager saying “no.” If this happens, it means my workflow will not automatically run the other vital steps, such as revoking the user’s Intercom SSO token, disabling the user in Slack, entering my legal hold period, and ultimately deleting the user’s accounts—leaving the IT team open to security risks.
To mitigate this risk, I can run my “Wait for Approval” as a parallel workflow to my main offboarding workflow by adding the user to either a G Suite group or an OU called “Data Transfer Process” and removing the transfer steps from my original offboarding workflow.
Now that I have a “processing group” (or OU) in my workflow that will be responsible for handling the user’s data, I will next need to build a parallel workflow. I named this parallel workflow “Transfer to Manager Process” and started the process with a WHEN/IF a user is added to my “Data Transfer Process” group.
Next, structure your workflow’s THEN steps with the following elements:
- G Suite: Remove from Group
  - This is to remove the user from the “Data Processing Group” to keep membership clean
- Wait for Approval
  - See below for a walkthrough
- All data transfer steps across your connectors—some ideas here are:
  - G Suite: Transfer Drive Files
  - G Suite: Transfer Primary Calendar Events
  - G Suite: Transfer Group Ownership
  - G Suite: Transfer Sites
  - Office 365: Copy User’s OneDrive Files and Folders to Recipient. You can create a similar WHEN/IF statement with O365 user groups with a WHEN/IF O365: User Is Added to Group, IF: Group
- Email Notifications: On
  - This notifies IT of any response to the approval—even rejection responses. This way, IT knows the offboarded user’s data is at rest. Then you can move the data to a system account later.
Building the Wait for Approval step
- (Optional) Enable Stop/Skip when this action is in progress
  - This will allow your BetterCloud admins to stop/skip the workflow regardless of approver response (or lack of response if they miss the email), giving you more administrative control.
- Approver: You can dynamically fill this with the manager’s email OR a named service account.
- Subject: Give a descriptive call to action for the manager or service account owner to accept the offboarded user’s files.
- Body: Give the approver instructions on what happens when they approve the file transfer, which can include dynamic fields from the user’s G Suite profile to further personalize the email notification.
With parallel workflows and Wait for Approval, BetterCloud provides more control over the offboarding process. It also gives IT visibility into assets and approval decisions made by managers.
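The failure mode from use case #1, as an added Python illustration that is not BetterCloud code: a toy model of the stop-on-decline and 30-day timeout behaviour described earlier, comparing an inline approval against the parallel-workflow design. The step labels, workflow lists and function names are constructed for this example and assume nothing about BetterCloud's internal format.

```python
# Added illustration: a toy model of the stop-on-decline behaviour described
# in this article. Step names and lists are constructed for the example; this
# is not a BetterCloud API or export format.
APPROVAL = "Wait for Approval"

# Steps IT needs to run no matter what the manager answers (constructed labels).
CRITICAL = {
    "Revoke Intercom SSO token",
    "Disable user in Slack",
    "G Suite: Delete User",
}
TRANSFERS = [
    "G Suite: Transfer Drive Files",
    "G Suite: Transfer Primary Calendar Events",
    "Enable email forwarding to manager",
]

# Design 1: the approval sits inside the main offboarding workflow.
INLINE = [APPROVAL, *TRANSFERS, "Revoke Intercom SSO token",
          "Disable user in Slack", "Wait for Duration (legal hold)",
          "G Suite: Delete User"]

# Design 2: the main workflow only hands off to a parallel transfer workflow.
MAIN = ["Add user to 'Data Transfer Process' group",
        "Revoke Intercom SSO token", "Disable user in Slack",
        "Wait for Duration (legal hold)", "G Suite: Delete User"]
PARALLEL = ["G Suite: Remove from Group", APPROVAL, *TRANSFERS]


def run(steps, response):
    """Simulate one workflow. response is 'approve', 'decline' or 'timeout'
    (no answer within 30 days). Returns (status, executed_steps)."""
    executed = []
    for step in steps:
        if step == APPROVAL:
            if response != "approve":
                return "Stopped", executed  # every later step is skipped
            continue
        executed.append(step)
    return "Completed", executed


def critical_steps_skipped(workflows, response):
    """Critical steps that never run across a set of workflows."""
    executed = set()
    for steps in workflows:
        executed.update(run(steps, response)[1])
    return sorted(CRITICAL - executed)


if __name__ == "__main__":
    for response in ("approve", "decline", "timeout"):
        print(response, "inline:", critical_steps_skipped([INLINE], response))
        print(response, "parallel:", critical_steps_skipped([MAIN, PARALLEL], response))
```

With the inline design, a decline or timeout leaves every critical step unexecuted; with the parallel design only the transfer steps are held back.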
Use case #2: HR approves account deletions
In some industries like technology or media, there aren’t many specific regulations about data retention that would prevent IT administrators from deleting their user’s SaaS accounts during offboarding.
However, IT sometimes lacks visibility into extended legal holds that someone from HR or Legal may want to enforce, which usually results in a manual coordination of account deletions. With “Wait for Duration,” many BetterCloud administrators include this step before offboarding workflow actions like “G Suite: Delete User” to represent their legal hold of 30/60/90 days. By including a “Wait for Approval” that sends a request to an HR or legal representative to delete the user’s SaaS accounts, you can automatically complete this typically manual step.
Building the Wait for Approval step
Simply insert a “Wait for Approval” step after your “Wait for Duration” step and set your HR/legal representative as approver. BetterCloud requires the approver to have a valid user account in either G Suite or O365, but you can easily send approvals to a group by including a forwarding rule that will forward messages from “notifications@bettercloud.com” that contain your subject/body text. We also highly recommend enabling workflow notifications that go to the helpdesk when there are rejections from HR and Legal.
Use case #3: Security approves file permission changes after finding overextended file permissions or exposed sensitive data
Security administrators using alerts like “Sensitive Data Scanned” or “Files Shared Publicly” for G Suite, Slack, Box, and Dropbox may want to review file metadata before remediating the exposed file.
With Wait for Approval, a BetterCloud admin can send a notification of the exposure to security administrators. The notification includes file metadata details and a request to approve public share and external collaborators removals. A BetterCloud administrator on our Pro and higher tiers can take advantage of this semi-automated workflow below:
Building the Wait for Approval step
For assistance setting up a Sensitive Data Scanned alert for Box, Dropbox, Slack, or G Suite, please refer to our Help Center article. For assistance on setting up a public sharing alert for a file in G Suite, Box, Dropbox, or Slack, please refer to this Help Center article.
With a configured custom alert, you can select it as your WHEN statement to trigger your workflow. For your THEN steps, start with a Wait for Approval, designating your security team representative as your approver. You can then populate the body using dynamic fields that include the file’s name, path, owner, and a timestamp to document the security incident. After the Wait for Approval, you can use actions in the respective SaaS storage application like “Remove All External Collaborators” to remove any explicit external domain sign-ins to that file and “Remove Sharing Link”/“Set File Sharing Settings” to remove a public link and make the file private.
Rinse and repeat the above procedure. Use it for all the SaaS storage solutions for establishing notifications and approvals to reduce file exposure risk.
Use case #4: IT management approves an offboarding initiated by helpdesk before BetterCloud executes the workflow
This use case is especially useful for organizations using Tier 2 or systems teams to create BetterCloud workflows but orchestrate offboardings through Tier 1 helpdesk staff. By putting a Wait for Approval step at the start of your offboarding workflow, you can rest assured that the workflow cannot accidentally trigger.
Your system administrators or IT management staff can approve an offboarding or any workflow before any action steps start. By reducing the number of helpdesk staff within BetterCloud, Wait for Approval steps at the start of workflows help enforce least privilege access across IT.
For example, the start of your offboarding workflow may be WHEN A User’s Org Unit Changes, IF Org Unit Is Deprovisioning. If your helpdesk has the ability to move user G Suite org units without having access to BetterCloud, you want an additional security layer should a helpdesk G Suite administrator unintentionally move a user to the deprovisioning OU.
Building the Wait for Approval step
The WHEN/IF in this workflow is assumed to be something that a helpdesk employee has privileges to do. It requires approval from a level 2 approver. An example is adding a user to a deprovisioning OU in the G Suite Admin console. Simply add the Wait for Approval as a first step, with the approver being the level 2 IT manager or sysadmin who would be able to approve or deny the workflow from running. This will protect your end user experience and make your helpdesk staff less prone to human error or insider threats.
Use case #5: Manager or IT staff approves account provisioning for onboarding per security hold or probationary new hire period
Like the use case above, BetterCloud can request approval from a new user’s manager or IT staff before continuing provisioning. For example, some recently hired employees may enter into a probationary period for security reasons. Simply use a combination of Wait for Duration and Wait for Approval. This way, a user is added to security groups and other SaaS applications after passing the probationary period.
Building the Wait for Approval step
Here’s an example of an onboarding workflow for sales employees. The BetterCloud administrator broke out initial accounts approved for an employee on day one. There’s a Wait for Duration for 60 days to represent the probationary period. And there’s a Wait for Approval set dynamically to go to the user’s manager for approval after the probationary hold.
After the approval step, the workflow proceeds with employee provisioning of more secure accounts and distributions. It proceeds to grant access to assigned projects in Asana. It also creates an Atlassian account and assignments to the Bitbucket provisioning group. Finally, it adds the new employee to LastPass and associated password groups, and secure Box groups.
The admin also adds a workflow notification for when a manager responds to the approval. Our new hires get what they need to be functional for their first day. Their managers then receive system reminders to approve access to their remaining applications post-60 days of employment.
Through the power of Wait for Approval, BetterCloud admins can now add much-needed workflow pauses. It allows them to gain approval from non-BetterCloud users such as helpdesk staff, team managers, HR, legal, and more. Pair any of these use cases with our latest release of Integration Center, and BetterCloud admins have more power than ever to orchestrate their SaaS operations.