Creating Policy for Supervised Approval

If you want some or several applications to require an approval flow before users can access it, you can leverage the Supervisor Approval policy access provided by Safous ZTNA service. To enable this policy, you need to have an admin user and create the policy. Please check the KB articles below for information on Admin access:

 

  1. Login to https://portal.safous.com
  2. Go to Settings tab> ZTNA
  3. In Policies, click on New Policy button
  4. Once clicked, it will expand all the options for policies that can be used for application authorization
  5. You need to input the policy name because it's mandatory and must be unique from other policy
  6. To enable the function for approval policy access, you need to toggle the "Supervisor approval" access policy
  7. Then, you need to choose which user/s will become the supervisors of that apps. It includes a search function so you can easily select the users
  8. For the user groups, applications, categories, and configurations, fill/choose what you want to be mapped. Then click 'Save
  9. It will give you success notification when the policy has been added
  10. One additional information that differentiate the policy that has supervised policy access compared to the rest of policy is the labels shows "Supervised"

 

To test if the policy has been successfully implemented, ensure the following:

  • User that already created by admin, please refer to here
  • User already enrolled the MFA and can login properly, please refer to here
  • Your favorite web browser to open User Portal

Login to user portal with the user who's not the supervisor, then you will see all the applications that your user can access

Click on the application that already mapped with supervised approval access policy

Then, a confirmation reason for accessing the application will pop up. You just need to choose between those three options. If you choose 'Other', then you need to input detailed notes

New tab will open, showing you the information that is still awaiting approval from the supervisor

On supervisor side, he/she will get notification through 2 media

  • The first one is via SMS, which shows like this:
  • The second one is through user-portal, this is the notification on supervisor tab:

If the supervisor choose to deny the approval, it will asked for confirmation

Then on the user that requested approval to application will get this notification

If the supervisor chooses to approve the request either via the user portal or by clicking the link sent by SMS, the requestor tab that shows 'waiting for approval' will be redirected to the application