Delegation Approvals & Logic
Learn when delegation approvals are required and how Aptly determines the appropriate approvers.
Overview
In Aptly, delegations may require approval before they become active. Whether an approval is triggered depends on:
- The Decision configuration (approval required: yes/no)
- The Delegation context (who is delegating, to whom, and with what limits)
- System-wide or group-based settings that enforce review workflows
This page outlines how approval decisions are made and how approvers are assigned.
β When Is Approval Required?
Approval is required when any of the following apply:
- The Decision explicitly requires approval before delegation
- The user is delegating beyond their own limits (if configured)
- System settings or group-specific rules require oversight for certain decisions
If none of these apply, the delegation may be automatically marked as Issued.
Approval is always required for Root Delegations if the Decision demands it.
βοΈ How Approval Actions Work
When Aptly determines that a delegation needs approval, it automatically creates a Delegation Approval Action.
Each Approval Action is:
- Linked to a specific delegation
- Timestamped and tracked through an auditable lifecycle
- Assigned to one or more eligible approvers
While the approval is pending, the delegation remains in Pending status and cannot be cascaded further.
π₯ How Are Approvers Assigned?
Approvers are selected based on role and scope:
- Aptly finds users with the
can_approve_delegationpermission - It evaluates each userβs scope:
- All β Can approve across the tenant
- Groups β Can approve delegations tied to specific groups they manage
- From the valid pool, one approver is selected (by default via round-robin, but this is configurable)
Approvers donβt need to be in the same department or reporting line as the issuer. Scope and permission are the only requirements.
π Approval Flow
Hereβs how a delegation flows through approval:
- A user creates a delegation
- Aptly evaluates whether approval is required
- If required, it generates an Approval Action
- An eligible approver is assigned
- Approver reviews and either approves or rejects
- Delegation status is updated to Issued or Denied
- Audit logs capture the full trail
Delegations that are denied can be revised and resubmitted (based on system settings).
π Permissions Involved
| Permission | Grants ability to⦠|
|---|---|
can_create_delegation | Create and issue delegations |
can_approve_delegation | Be assigned approval actions |
can_view_approval_actions | See approval requests and their status |
can_override_delegation_limits | Approve delegations that exceed parent authority |
Users without the proper scope will not be considered eligible approvers.
π Related Pages
Need help modeling your approval logic?
Reach out to [email protected] and weβll help tailor approval flows to your governance model.