Approval Workflows




Why Do We Need Approval Workflows?

The purpose of approval workflows in tenfold is to make the processes for assigning privileges structured and auditable. tenfold distinguishes between two aspects: the approval of privileges on the one hand, and the actual assignment of privileges on the other. Only a designated data owner has the power to approve a privilege request. He or she must decide whether the requested privilege is necessary or not (principle of least privilege). The actual assignment is then carried out by the associated plugin.




Advantages (CIOs, CISOs, IT Managers)

  • Data owners can make decisions about whether to grant privileges independently

  • Proven delegation of decisions fulfills compliance requirements

Advantages (IT Admins & Infrastructure)

  • Approval requests no longer have to be transmitted to data owners manually

  • Processes no longer have to be documented manually in unsuitable systems (help desk) or emails




How Are Workflows Generated in tenfold?

tenfold comes with a graphical BPMN 2.0 workflow editor, which admins can use to add any number of workflows. For each workflow, the admin can decide whether only the data owner should be incorporated into the workflow or whether other people should be included as well. These workflows are not bound to individuals, but to labels, or designations. Example: Larry is the designated owner of Resource X. Larry resigns and Nancy takes his place. She is now the new designated owner of Resource X. As of now, tenfold will inform Nancy about any requests concerning Resource X. As you can see, the workflow remains unaffected by staff changes; it is the label “data owner” that counts, regardless of who is behind it.


Screenshot depicting the access management software tenfold's user interface. The image shows how an individual workflow can be set up in tenfold with only a few clicks. The workflow then runs automatically.

What Is the Approval Process?

To inform data owners about new requests (e.g. coming in via self-service), tenfold sends out automated e-mails. These e-mails contain buttons that data owners can click to approve or reject requests directly from within the e-mail. Data owners do not have to be particularly tech-savvy to respond to such requests. To protect this process against abuse, the request is processed via Kerberos or, optionally, two-factor authentication. Once the request has been approved, the relevant plugin takes care of provisioning.

Screenshot of an automated e-mail sent out by the access management software tenfold to inform the data owner about a new request.

Escalation for Unanswered Workflows

tenfold lets you set a time window during which the data owner must decide whether to approve or reject the request. For cases where the data owner fails to respond within that time frame, you can incorporate an escalation into the workflow. If the data owner fails to respond, the escalation will automatically trigger Action Y.


Screenshot depicting the access management software tenfold's user interface. It shows how data owners can view requests during the approval workflow.

Action Y could be a reminder, for instance, that is sent after X days of no response, reminding the data owner about the pending request. You can pre-define different texts for these automated reminders and determine whether the request should be escalated to a higher position (e.g. the data owner’s superior) or to a central position (e.g. an IT admin).

Diagram illustrating approval workflows in the IAM software tenfold.
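
The label-bound routing and the escalation timer described above can be modelled in a few lines. This is an added sketch, not tenfold's code or API: the names `OWNERS`, `SUPERIORS`, `approvers`, `tick` and `decide`, the 3-day and 7-day timers, the sample users and the no-self-approval rule are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample data (hypothetical names, not tenfold's data model).
OWNERS = {"Resource X": "larry"}                   # resource -> holder of the "data owner" label
SUPERIORS = {"larry": "carol", "nancy": "carol"}   # escalation target per owner
REMIND_AFTER = timedelta(days=3)                   # the "X days" before a reminder
ESCALATE_AFTER = timedelta(days=7)                 # deadline before escalation

@dataclass
class Request:
    requester: str
    resource: str
    created: datetime
    state: str = "pending"
    audit: list = field(default_factory=list)      # (time, event, actor) tuples

def approvers(req, now):
    """Resolve who may decide right now from the label, never from a stored name."""
    owner = OWNERS[req.resource]
    allowed = {owner}
    if now - req.created >= ESCALATE_AFTER:
        allowed.add(SUPERIORS[owner])              # escalation widens the approver set
    return allowed - {req.requester}               # assumption: no self-approval

def tick(req, now):
    """Periodic timer step; returns the escalation action taken, or None."""
    if req.state != "pending":
        return None
    age = now - req.created
    if age >= ESCALATE_AFTER:
        action = "escalate"
    elif age >= REMIND_AFTER:
        action = "remind"
    else:
        return None
    req.audit.append((now, action, sorted(approvers(req, now))))
    return action

def decide(req, actor, approve, now):
    """Record an approve/reject decision if the actor currently holds the right."""
    if req.state != "pending":
        raise ValueError("request already decided")
    if actor not in approvers(req, now):
        req.audit.append((now, "denied", actor))   # rejected attempts stay auditable
        raise PermissionError(f"{actor} may not decide on {req.resource}")
    req.state = "approved" if approve else "rejected"
    req.audit.append((now, req.state, actor))
    return req.state
```

Because `approvers` is evaluated at decision time, reassigning the label in `OWNERS` moves every pending request to the new owner and immediately revokes the previous owner's ability to approve.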

