Approvals
Realm9's approval system provides governance and control over environment access through configurable multi-level approval workflows. Workflows can be applied to booking requests and environment provisioning requests.
Approvals Page
Navigate to Approvals in the sidebar to see a centralised view of all workflow instances — both active (in progress) and completed. From here you can:
- View pending approvals assigned to you
- Review approval history for requests you submitted
- See the current level and progress of any workflow instance
- Take approval actions directly
How Approvals Work
When a user submits a booking or environment request, Realm9 checks whether an approval workflow applies:
- With a workflow: A workflow instance is created and approval steps are sent to the configured approvers. The request progresses through each level in order. When all levels are approved, the request is activated automatically.
- Without a workflow: The request stays in Pending status and requires a direct admin action to approve or reject.
Workflow Types
Workflows are created under Configuration → Workflows and apply to one of two resource types:
- Booking Request — triggered when a user creates a booking on an environment that requires approval
- Environment Request — triggered when a user submits an environment provisioning request
Configuring Workflows
Path: /configuration/workflows
Admins can create, edit, activate, and deactivate workflows from this page.
Workflow Properties
- Name — display name for the workflow
- Description — optional notes for admins
- Resource Type — Booking Request or Environment Request
- Timeout — optional overall timeout in hours; if no decision is made within this period, the workflow is auto-rejected
- Send Reminders — if enabled, pending approvers receive reminder notifications
- Reminder Interval — how frequently reminders are sent (in hours)
- Is Active — inactive workflows are not applied to new requests; workflows with active instances cannot be deactivated until those instances complete
Assigning Workflows to Environment Types
For Environment Request workflows, you can target:
- All environment types — the workflow applies to every provisioning request regardless of type
- Specific environment types — the workflow only applies to requests for the selected types
If multiple workflows could apply, the type-specific workflow takes precedence over an all-types workflow.
Approval Levels
Each workflow has one or more approval levels that execute in sequence. Once the required number of approvals at a level is reached, the workflow advances — remaining pending steps at that level are left open but the next level begins.
Level Properties
| Property | Description |
|---|---|
| Level Number | Execution order (1, 2, 3…) |
| Name | Display name, e.g. "Manager Review" or "Security Sign-off" |
| Approver Type | How approvers are determined: Specific Users, Role-based, or Dynamic |
| Required Approvals | How many approvals are needed to pass the level (default: 1) |
| Allow Parallel | If on, all approvers receive their steps simultaneously; if off, steps are issued sequentially |
| Optional | If on, the level can be skipped if no approvers are available |
| Timeout (hours) | Level-specific timeout; auto-rejects the level if no decision is made in time |
Approver Types
Specific Users — named individuals are assigned approval steps. You specify the exact users when configuring the level.
Role-based — all active users with the specified role(s) receive approval steps (e.g. all ADMIN users, all PROVISIONER users).
Dynamic — approvers are determined at runtime based on context:
resource_owner— users with Admin or Provisioner roles on the requester's teamrequester_manager— the requesting user's team managers
Parallel vs Sequential Execution
- Parallel: All approvers at the level receive their step at the same time. The level passes once the required number approve.
- Sequential: Approvers receive steps one at a time. The next approver's step is created only after the previous one approves.
Making Approval Decisions
Eligible approvers can act on pending steps from:
- The Approvals page
- The booking detail page (Workflow tab)
- The environment request detail page
Available Decisions
| Decision | Effect |
|---|---|
| Approve | Marks the step approved; advances the workflow if the required count is met |
| Reject | Rejects the entire workflow; the request is declined and the requester is notified |
| Needs Info | Marks that more information is required; the step remains pending |
An optional Decision Notes field lets approvers add a comment or reason with any decision.
When a Level Completes
Once the required number of approvals for a level is reached:
- The next level is created and its approvers are notified
- If it was the final level, the workflow is marked Approved and the underlying request (booking or environment request) is activated
When a Rejection Occurs
- The workflow is immediately marked Rejected
- Any remaining pending steps are cancelled
- The requester receives a notification with the rejection reason
Workflow Instance Statuses
| Status | Meaning |
|---|---|
| Pending | Workflow is in progress, awaiting decisions |
| Approved | All levels passed; request activated |
| Rejected | Rejected at one or more levels |
| Timeout | Overall timeout elapsed with no decision |
| On Hold | Temporarily paused |
| Cancelled | Manually cancelled |
Admin Override
Admins and Super Admins can override any pending workflow level from the workflow instance detail view:
- Approve the current level, bypassing normal approver requirements
- Reject the workflow entirely
- An optional reason can be provided
All overrides are logged in the audit trail.
Workspace Attachment Requirement
For booking request workflows, individual approval levels can be configured to require that Terraform workspaces are attached to the booking before the level can be approved. If workspaces are missing, the approval action is blocked with a prompt showing how many workspaces are still required.
Notifications
| Event | Who is Notified |
|---|---|
| New approval step created (user-based) | Assigned approver (email) |
| New approval step created (role-based) | In-app notification to eligible users |
| Reminder (if enabled) | Pending approvers at regular intervals |
| Level approved | Next level approvers notified |
| Workflow approved | Requester (email) |
| Workflow rejected | Requester (email with reason) |
Approval History
Every workflow instance maintains a full history of decisions:
- Approver name and email
- Decision (Approved, Rejected, Needs Info)
- Decision timestamp
- Decision notes
- Level name
This is visible on the workflow instance detail panel and is also captured in the audit log.
See Audit Logs for the full audit trail reference.
Role-Based Access
| Action | Viewer | User | Provisioner | Admin / Super Admin |
|---|---|---|---|---|
| View own pending approvals | — | ✓ | ✓ | ✓ |
| View all workflow instances | — | — | — | ✓ |
| Approve / Reject / Needs Info | — | — | ✓* | ✓ |
| Create / edit workflows | — | — | — | ✓ |
| Activate / deactivate workflows | — | — | — | ✓ |
| Admin override | — | — | — | ✓ |
*Any user can approve a step they are directly and individually assigned to, regardless of role. Provisioners additionally qualify for role-based steps assigned to the PROVISIONER role.