Approval Profiles

Approvals are used when more than one person must take part in a task. They apply to certificate issuance, revocation, and key recovery.

Overview

The basic concept behind approvals is that your organization may not trust lower-level or individual administrators to perform certain actions (such as enrolling end entities or renewing certificates). Such actions therefore require either higher-level administrators with specific approval rights, or several administrators acting together (so that abuse would require collusion), or a mixture of both.

EJBCA uses Approval Profiles to enable using the same approval scheme across several CAs/certificate profiles. Two approval profile types are available: Accumulative Approvals and Partitioned Approvals.

Accumulative Approvals

Accumulative approval profiles provide a straightforward template for approving requests: simply require n authorized administrators to pass an approval. For more information, see Accumulative Approvals.

Partitioned Approvals

Partitioned approval profiles allow a more fine-grained workflow: the process is split into sequential steps, each step is split into parallel partitions, and responsibilities can be divided precisely between roles. For more information, see Partitioned Approvals.

Configuration

Approval Profiles are configured in the CA UI, under Supervision Functions > Approval Profiles.


Common Fields for All Profile Types

Request Expiration Period: How long the request is valid from the time it was created. When a request has expired, it is no longer possible to process it and a new request has to be created.

Approval Expiration Period: Used for Non-Executable Action Requests and specifies the period from the time the last administrator approved the request until it is no longer possible to execute the request's action. See Two Different Approval Requests for more details about Executable and Non-Executable Action Requests.
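The following Python model is an added illustration of the two profile types described above (Accumulative and Partitioned Approvals) together with the two expiration periods; it is not EJBCA code and does not use EJBCA's API. The class names, the rule that a partitioned step only opens once every partition of the previous step is approved, and the treatment of executable requests (the action runs on final approval, so the approval period does not apply) are assumptions of this example. Times are plain integers and the scenario data in `demo()` is constructed.

```python
"""Toy model of accumulative and partitioned approval profiles with the
Request and Approval Expiration Periods. Added illustration, not EJBCA code;
class names and the sequencing rules below are assumptions of this example."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Approval:
    admin: str   # identity of the approving administrator
    role: str    # role the administrator approved as
    at: int      # time of approval (constructed unit: seconds since epoch)


@dataclass
class Accumulative:
    """n distinct administrators holding an authorized role must approve."""
    required: int
    authorized_roles: frozenset

    def completion_time(self, approvals):
        seen = set()
        for a in sorted(approvals, key=lambda a: a.at):
            if a.role in self.authorized_roles:
                seen.add(a.admin)        # repeat approvals by one admin do not add up
                if len(seen) >= self.required:
                    return a.at
        return None


@dataclass(frozen=True)
class Partition:
    name: str
    roles: frozenset  # roles allowed to approve this partition


@dataclass
class Step:
    partitions: list  # partitions of one step are approved in parallel


@dataclass
class Partitioned:
    """Sequential steps; a step opens only once every partition of the
    previous step is approved (assumed ordering rule)."""
    steps: list

    def completion_time(self, approvals):
        opens_at = 0
        for step in self.steps:
            done_at = opens_at
            for part in step.partitions:
                valid = [a.at for a in approvals
                         if a.role in part.roles and a.at >= opens_at]
                if not valid:
                    return None        # this partition is still waiting
                done_at = max(done_at, min(valid))
            opens_at = done_at         # next step opens when this one is complete
        return opens_at


@dataclass
class ApprovalRequest:
    created_at: int
    request_expiration: int    # Request Expiration Period
    approval_expiration: int   # Approval Expiration Period (non-executable requests)
    profile: object
    executable: bool = False   # executable requests run on final approval (assumed)
    approvals: list = field(default_factory=list)

    def request_expired(self, now):
        return now > self.created_at + self.request_expiration

    def add_approval(self, approval):
        if self.request_expired(approval.at):
            raise ValueError("request expired; a new request must be created")
        self.approvals.append(approval)

    def status(self, now):
        done = self.profile.completion_time(self.approvals)
        if done is None:
            return "EXPIRED" if self.request_expired(now) else "WAITING"
        if not self.executable and now > done + self.approval_expiration:
            return "APPROVAL_EXPIRED"  # approved, but the action can no longer run
        return "APPROVED"


def demo():
    """Constructed scenario; results are returned so they can be checked."""
    RA, MGR, SUP = frozenset({"RAAdmin"}), frozenset({"Manager"}), frozenset({"Supervisor"})
    acc = ApprovalRequest(0, 100, 20, Accumulative(required=2, authorized_roles=RA))
    acc.add_approval(Approval("alice", "RAAdmin", 5))
    acc.add_approval(Approval("alice", "RAAdmin", 6))     # same admin again: still 1 of 2
    acc.add_approval(Approval("bob", "Auditor", 7))       # not an authorized role
    waiting = acc.status(8)
    acc.add_approval(Approval("bob", "RAAdmin", 10))      # second distinct admin
    approved, stale = acc.status(15), acc.status(31)      # 31 > 10 + 20

    steps = [Step([Partition("technical", RA), Partition("business", MGR)]),
             Step([Partition("final", SUP)])]
    part = ApprovalRequest(0, 100, 50, Partitioned(steps))
    part.add_approval(Approval("carol", "Supervisor", 2))  # too early: step 1 not complete
    part.add_approval(Approval("alice", "RAAdmin", 3))
    part.add_approval(Approval("dave", "Manager", 9))
    early = part.status(11)
    part.add_approval(Approval("carol", "Supervisor", 12))
    return {"waiting": waiting, "approved": approved, "stale": stale,
            "early": early, "final": part.status(13),
            "completed_at": part.profile.completion_time(part.approvals)}
```

Running `demo()` shows the two points the profile descriptions make: repeated approvals from one administrator never satisfy an accumulative profile, and an approval given for a later partitioned step before the earlier step is complete is ignored, so the request completes only when the supervisor approves again after both first-step partitions are done. A request that has passed its Request Expiration Period rejects further approvals and reports `EXPIRED`; a non-executable request that was approved but not executed within its Approval Expiration Period reports `APPROVAL_EXPIRED`.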