Create a cloud approval policy

  • Release version: Zurich
  • Updated July 31, 2025

A cloud approval policy specifies the users who must approve a specified cloud activity before the activity can proceed. Approvers can include the manager of the user making a request, a specified user or group, or users with a specified role. You can specify multiple approvers. Approvals occur in the order that you specify.

    Before you begin

    Optional: Create one or more cloud policy groups.

    Role required: sn_cmp.cloud_governor or admin

    About this task

    In this example, a user requests a stack that triggers an approval policy.

    1. On the Cloud User Portal, a user submits a request to provision a particular blueprint. The process of provisioning the blueprint is the trigger that causes the policy engine to apply an approval policy. A cloud approval policy specifies the users who must approve a specified cloud activity before the activity can proceed.
    2. The policy engine determines that the request meets the condition specified in the rule for the policy. In this example, the condition evaluates to true whenever a particular blueprint is being provisioned.
    3. Because the condition is met, the policy engine performs the action that is also specified in the rule. In this example, the action is to create an approval action for the manager.
    4. While the approver (the manager) reviews the approval request, the user sees a "waiting for approval" status message on the Cloud User Portal.
    5. After the manager approves, the blueprint is provisioned.
    Figure 1. User waiting for approval
    The targeted approval policies complement application-wide approval.
    • on Stack operation (approval): Triggered during any stack operation on the Cloud User Portal.
    • on Stack resource operation (approval): Triggered during any resource operation (start, stop, provision, and so on) on the Cloud User Portal.
    • on Task remediation: Triggered when a user resubmits a failed request.

    Procedure

    1. In the Cloud Admin Portal, navigate to Govern > Policies.
    2. Click New and then fill in the form.
      Figure 2. Example approval policy
      Field / Description

      Policy name

      Enter a descriptive name that includes the word Policy. Do not start the name with a number.

      Description

      Enter a description of the intent of the policy.

      Policy group

      Optional: Select a policy group. Each policy in the group is enforced.

      Policy trigger

      Select a trigger that specifies when the policy should be applied. The following triggers can start approval policies:
      • on Blueprint provision (approval)
      • on Stack operation (approval)
      • on Stack resource operation (approval)
      • on Task remediation
      Blueprint

      [appears when the on Blueprint provision (approval) or on Stack operation (approval) trigger is selected]

      Select the blueprint that the policy applies to.
      • If no blueprint is specified, then the policy applies for every blueprint. This setting can decrease performance.
      • You can assign multiple policies to a blueprint. Multiple policies running simultaneously, however, might decrease performance. Publish a policy only when it should be enforced.
      Operation

      [appears when the on Stack resource operation (approval) trigger is selected]

      Select the operation that the policy applies to. For example, a policy can apply to the Deprovision operation only or to all operations on the blueprint or catalog item.
      Note:
      If no operation is specified, then the policy applies for every operation. This condition can decrease performance.
      • All: Any operation executes.
      • Start: The resource starts.
      • Stop: The resource stops.
      • Provision: The resource is provisioned.
      • Deprovision: The resource is no longer available to users.
      • Execute Script: A script runs on the resource.
      Start Date / End Date

      Specify the start date when the policy should be enforced and the end date when the policy should no longer be enforced.

      Order of Execution

      Specify a number that represents the order in which the policy is applied. A policy with a lower number runs before a policy with a higher number.

      For example, a policy with an Order of 100 runs before a policy with an Order of 200.

      Status

      A new policy is in Draft state. Click Publish on the form header to enforce the policy. After a policy is published, you must set it to the Draft state to update it.
    3. Right-click in the header and select Save.
    4. When you are ready to enforce the policy, click Publish.
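
The field descriptions above decide which policies actually gate a request: only published policies are enforced, an empty Blueprint or Operation field matches everything, the date window limits enforcement, and lower Order of Execution values run first. The following is an added illustration of those rules as a small JavaScript model, useful for checking which requests a set of policies leaves without a targeted approval. It is not ServiceNow code; the property names, blueprint name, sample policies, and the inclusive-start/exclusive-end date handling are assumptions.

```javascript
// Added model of the form's field semantics; property names and sample
// policies are constructed and are not ServiceNow's table schema.
const BP = 'on Blueprint provision (approval)';
const RES = 'on Stack resource operation (approval)';

const policies = [
  { name: 'Finance Approval Policy', trigger: BP, blueprint: null,
    order: 100, status: 'Published', start: '2025-01-01', end: '2026-01-01' },
  { name: 'Manager Approval Policy', trigger: BP, blueprint: 'LAMP Stack',
    order: 200, status: 'Published', start: '2025-01-01', end: '2026-01-01' },
  { name: 'Security Review Policy', trigger: BP, blueprint: 'LAMP Stack',
    order: 50, status: 'Draft', start: '2025-01-01', end: '2026-01-01' },
  { name: 'Deprovision Approval Policy', trigger: RES, operation: 'Deprovision',
    order: 100, status: 'Published', start: '2025-01-01', end: '2025-07-01' },
];

// Returns the names of the policies enforced for a request, in run order.
function enforcedPolicies(all, req) {
  return all
    .filter(p => p.status === 'Published')   // Draft policies are not enforced
    .filter(p => p.trigger === req.trigger)
    // An empty Blueprint or Operation field means "applies to every one".
    .filter(p => !p.blueprint || p.blueprint === req.blueprint)
    .filter(p => !p.operation || p.operation === 'All' || p.operation === req.operation)
    // Assumption: Start Date is inclusive, End Date is exclusive (ISO date strings).
    .filter(p => req.date >= p.start && req.date < p.end)
    .sort((a, b) => a.order - b.order)       // lower Order of Execution first
    .map(p => p.name);
}

// Constructed requests; an empty result means no targeted policy gates the request.
const provision = { trigger: BP, blueprint: 'LAMP Stack', date: '2025-08-15' };
const lateDeprovision = { trigger: RES, operation: 'Deprovision', date: '2025-08-15' };
console.log(enforcedPolicies(policies, provision));
console.log(enforcedPolicies(policies, lateDeprovision));
```

In this sample the Draft policy never runs despite its low order number, and the deprovision request after the end date matches no targeted policy at all.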

    What to do next

    Configure one or more cloud policy rules.