Cloud Account Management - PACE Integration - Automate workflows

diwakar-grandhi · ‎04-16-2025

During a cloud account request processing, we have multiple manual steps where the request will wait for a human response to proceed forward. This can cause some delays even if the request is simple. We can improve this by having a certain set of rules based on which the requisite inputs are provided in the background and the request moves forward automatically.

Let's walk through the steps that occur in a request processing to understand where we can make use of the automation. It involves several personas and steps:

👤 Requestor Persona - Creates a request

Create a Request: The requestor initiates the process by creating a request for a new Azure subscription.

👥 Approver Personas - Approves the request

General Approval: An approver, a user who is a part of the ITOM CW Approvers Group, reviews and approves the request. This can typically be someone from the cloud center of excellence who manages cloud environments in the organization.
Finance Approval: An approver, a user who is a part of the ITOM CW Finance Approvers Group, reviews and approves the request. This can typically be someone from the Finance team who will approve the budget for the account.
Depending on the need, the approvers group can be modified as well as additional approvals be added.

👨‍💼 Admin Persona - Provides additional information

Provide Additional Details: The admin then provides additional details, such as:
- Tenant under which the subscription should be created
- Management group for the subscription
- Billing account and enrollment account against which this subscription should be tagged

Post these, the system takes the request forward to completion.

Automating with Request Policies

The steps that the approver persona and admin persona perform are the manual steps in this request process, and they can be automated using request policies in Cloud Workspace. Here are some example scenarios,

Automating approvals

Note: We can add the same conditions in both, the General Approval and the Finance Approval to automate both the approvals.

Scenario 1: There is a new product being developed and hence we would like to automatically approve all requests in a cost center given the request is within a reasonable expected budget.

Step 1 - Login as a CW admin. Navigate to Workspaces > Cloud Workspace > Manage and Configure > Request Policies and open the finance policy "Subscription Account Creation Budget Approval".

Screenshot 2025-04-16 at 11.56.31 AM.png

Screenshot 2025-04-16 at 11.58.39 AM.png

Step 2 - Create a new version of the policy to make changes. We can use the "Create copy" button.

Screenshot 2025-04-16 at 12.00.52 PM.png

Step 3 - Make changes in the draft.

Screenshot 2025-04-16 at 12.06.54 PM.png

Screenshot 2025-04-16 at 12.10.49 PM.png

Step 4 - Test the policy

Screenshot 2025-04-16 at 12.25.47 PM.png

Step 5 - Publish the policy

Screenshot 2025-04-16 at 12.30.25 PM.png

Additional Debugging

Sometimes, it can happen that the policy is published but it doesn't take effect during the request processing. One likely reason is that the policy is not mapped to the automation activity properly. In this case, we expect the budget policy to be mapped to the "Finance auto approval" activity. We can check this in "Mappings" tab and validating that the "Mapping state" is set to Active.

Screenshot 2025-04-16 at 12.35.10 PM.png

If the mapping state is "Inactive", please delete it and re-add it. For deletion, select the checkbox beside the record and click on "Delete". Once done, click on the "Add" button to re-add this record. Please note that the value that needs to be selected depends on the policy. In this case, we have to select the "Finance auto approval".

Screenshot 2025-04-16 at 12.36.53 PM.png

Scenario 2: We'd like to provide all the Developer and QA users quick access to subscriptions (i.e. provide automated approval) as long as they are choosing a small budget and don't own more than 3 subscriptions already.

We can follow the same steps explained above to navigate to "Request Policies" screen. Over here, we need to create a data collector as the information we need is not present in the request. In the request, we have only the account owner's name. So, given this, we need a way to fetch the number of accounts owned by them. This is where a data collector helps.

Step 1 - create a new data collector

create an input, output parameters for the data collector and write the code

Step 2 - Modify the policy to use the above data collector in the criteria. Let's use the same policy. We can follow the steps from scenario 1 to open the budget policy. Like before, we need to create a new draft using the "create copy" option.

Once we fill the criteria, we can use the same steps like in Scenario 1 to test and publish this policy.

Automating the admin persona work

Scenario 3: We'd like to assign all the Engineering cost center subscriptions to Azure tenant 1 whereas all the Marketing cost center accounts to another Azure tenant, let's call it Azure tenant 2.

For filling the AWS and Azure information, we have provided out of the box data collectors along with our application. Let's use the inactive policy "Subscription Account Creation Configuration Assignment" for this activity. It is shipped as an inactive policy as the AWS or Azure information that is needed over here is different for different customers.

Step 1 - Form the Azure configuration details for Engineering cost center.

Step 2 - Form the Azure configuration details for Marketing cost center. Like above, click on "Add" again, so that we can fill the Azure configuration details.

Step 3 - Once the data collector values are added, we can modify the criteria.

Step 4 - Like seen in the previous scenarios, we can now save the policy, test it and finally publish it.

This is a wrap to the super long article about how different scenarios can be automated! Hope, this has been helpful.

Back to CAM home blog:

Cloud Account Management (CAM)