โ€‹
Overview

In Aptly, delegations may require approval before they become active. Whether an approval is triggered depends on:
  • The Decision configuration (approval required: yes/no)
  • The Delegation context (who is delegating, to whom, and with what limits)
  • System or group-based settings that enforce oversight rules
This page explains when approvals are needed and how approvers are determined.

โ€‹
โœ… When Is Approval Required?

Approval is required when any of the following apply:
  • The Decision requires approval before delegation
  • The delegation exceeds the issuerโ€™s own authority limits (if limit checks are enabled)
  • System or group rules mandate review for certain decisions
If none of these apply, the delegation may be automatically marked as Issued.
Approval is always required for Root Delegations if the Decision demands it.

โ€‹
โš™๏ธ How Approval Actions Work

When Aptly determines that a delegation needs approval, it creates a Delegation Approval Action:
  • Linked to the specific delegation
  • Tracked through an auditable lifecycle
  • Assigned to one or more eligible approvers
While pending, the delegation remains in Pending status and cannot be cascaded.

โ€‹
๐Ÿ‘ฅ How Are Approvers Assigned?

Approvers are determined by:
  1. Users with the approve_delegations (tenant) or approve_group_delegations (group) permission
  2. Evaluation of each userโ€™s scope:
    • Tenant-wide โ€” Can approve across the organization
    • Group-scoped โ€” Can approve delegations tied to their groups
  3. From that pool, Aptly assigns approvers according to system configuration (round-robin, parallel, or sequential workflows depending on setup).
Approvers donโ€™t need to be in the same department or reporting line as the issuer; only scope and permission matter.

โ€‹
๐Ÿ”„ Approval Flow

  1. A user creates a delegation (create_delegations)
  2. Aptly checks if approval is required
  3. If so, it generates an Approval Action (create_actions)
  4. An eligible approver is assigned
  5. Approver reviews and either approves or rejects (approve_delegations)
  6. Delegation status updates to Issued or Denied
  7. Audit logs capture the full trail
Denied delegations can be revised and resubmitted if allowed by system rules.

โ€‹
๐Ÿ”’ Permissions Involved

PermissionGrants ability toโ€ฆ
create_delegationsCreate new delegations (root or child, depending on scope)
issue_delegation_delegationsIssue delegations to recipients when permitted
approve_delegations / approve_group_delegationsReview and approve delegation workflows
view_actions / view_group_actionsView approval requests and their status
limit_override_delegationsApprove delegations that exceed the issuerโ€™s limits
Users without the correct scope or capacity (Issuer, Recipient, Group membership) will not be eligible approvers.
Need help modeling approval workflows?
Contact [email protected].