JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 9

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version 10

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Users wish to find an approval process in JOC Cockpit for situations in which users perfrom interventions such as adding or cancelling orders.

The following roles are involved:

  • An Operator intends requests to perform an intervention that requires approval.
  • An Approver confirms or denies the Operator's Approval Request for intervention.

The basic functionality of the Approval Process includes:

  • to implement the 4-eyes principle: an Approver must confirm the intervention of an Operator.
  • to keep track of pending Approval Requests for intervention.
  • to offer fallback from a number of Approvers.

...

  • supported Notification Channels in their preferred order,
  • one or more Notification Endpoints matching supported Notification Channels:
    • An e-mail address for receipt of related Notifications,
    • A phone number for receipt of Notifications for mobile devices.

...

Notification Channels include

  • Internal Notifications
    • Notify the recipient of the Notification Notifying recipients in JOC Cockpit provided that an active session exists in JOC Cockpit for the recipientrecipients.
  • External Notifications
    • Send Sending e-mail to the recipientrecipients.
    • Send Sending SMS messages to a mobile device devices by e-mail using an SMS Gateway Provider that accepts e-mail which is converted to SMS messages and is forwarded to the recipient.
      • SMS Gateways are commercial services offered at low cost from a vast number or providers such as Twilio, Telnyx, Bird etc.
    • Send Sending WhatsApp messages to a mobile device devices using https://developers.facebook.com/docs/whatsapp/cloud-api/.
      • The Facebook Cloud API requires prior registration.
      • Consider that use of 3rd-party APIs and Services for sending WhatsApp messages is illegal. Use of the Facebook Cloud API only is legitimate.
    • Send Sending Signal messages to a mobile device devices using https://github.com/signalapp/libsignal

...

Notification Channels that require internet access, for example when sending messages sent to mobile devices, make use of the JS7 Notification Service. The service JOC Cockpit API Server that is operated from a component on a separate machine with internet access.

  • JOC Cockpit can access the JS7 Notification Service API Server to send and to receive Notifications. The JS7 Notification Service API Server does not establish a connection to JOC Cockpit.
    • Connections are established using mutual TLS authentication between JOC Cockpit (client) and the JS7 Notification Service (server)API Server.
  • The JS7 Notification Service API Server offers a REST API to send Notifications and to receive Notifications.

...

Operators and Approvers are managed from groups:

  • Operators are members in assigned a given JS7 role. A number of JS7 roles can be used to populate an Operator Group: Operators are chosen selected from a given role and are added to the group in specific ordering.
    • This implies that user accounts that are not members in assigned a given JS7 role cannot create Approval Requests.
    • This implies that user accounts that are not members in assigned a given JS7 role cannot perform Approval.
    • Any user accounts are individually added to an Operator Group or Approver Group. Role assignment to groups remains in place and is checked at run-time for a given user account.
  • Approvers are members in assigned a given JS7 role. A number of JS7 roles can be used to populate an Approver Group: Approvers are chose selected from a given role and are added to the group in specific ordering.
    • The same applies for role membership and role assignment as for Operators.

...

The following applies to the mapping of roles Approvers to Approval Requests:

  • Any member of an Operator Group can prompt an Approver who is a member of the matching Approver Group for confirmation of an intervention.
    • An For a given Approval Request the Operator can specify the preferred Approver (identified from the Approver's account) for a given from the matching Approver Group.
    • If no preferred Approver is specified then the first Approver of the matching Approver Group will be assigned the Approval Request.
  • Any member of an Approver Group matching the requesting Operator Group can handle Approval Requests.
    • The preferred Approver specified by the Operator for an Approval Request is contacted will be assigned and notified first.
    • If the preferred Approver does will not respond to the Approval Request within a configurable period, then the next Approver in the Approver Group will be assigned and notified.

Use Cases

Operator prompts Approver to confirm Intervention

  • The Operator is prevented from directly performing an intervention. Instead, a Notification is created for the requested intervention that is sent to an Approver.

  • Fail-over and switch-over of JOC Cockpit must be supported.

  • Approval Requests are persisted, and the list of pending requests is available in JOC Cockpit, allowing Operators to cancel pending Approval Requests.

Anchor
approver_connected_joc_cockpit
approver_connected_joc_cockpit
Approver connected to JOC Cockpit

...

The Approval Process is supported by an external OIDC Identity Provider allowing to connect to JOC Cockpit and to approve the intervention. Any approval is performed inside JOC Cockpit.

  • The Operator creates and digitally signs the Approval Request.

...

  • The request includes the object, for a example an order, on which the intervention is performed and the type of intervention (delete, update, execute).
  • The authorization flow The basic proceeding corresponds to https://www.ory.sh/docs/oauth2-oidc/authorization-code-flow
    • The Approver clicks a link in the Notification message for the Approval Request.
    • The Approver is redirected to the Authorization Server, where they authenticate themselves and grant permission to the requested intervention.
    • The Authorization Server generates an authorization code and redirects the user back to the JS7 API Server with the authorization code.
    • The Approver is logged in to the JS7 API Server that stores the authorization code related to the Approval Request and logs out the Approver.
      • The JOC Cockpit that originated the Approval Request pulls the authorization code from the API Server and notifies the Operator. The Operator can enter the authorization code for the matching Approval Request to perform the intervention.

Capabilities

Prompt Notification

...

When an Approver does not pick up an Approval Request, then the next Approver in the Approver Group is notified to take over confirmation/denial of the suggested internvention to ensure that the Approval Process is not interrupted. 

  • If a number of Approvers receive receives Notifications for the same NotificationApproval Request, then only one Approver can confirm/deny the Approval Request.
  • If an Approval Request is confirmed/denied then remaining Approvers who previously have been notified receive a Notification about completion of the Approval Request.

...

Along with real-time Notification of Approval Requests, Approvers receive a summary of pending Approval Requests.

Bulk Approval 

No bulk approval is supported. Approvers must confirm/deny Approval Requests individually.

Audit Log Entries

The Audit Log contains all operations and approval information to allow users to identify inconsistencies. The Audit Log records all operations, confirmations and denials. The Audit Log includes the User IDs of both Operator and & Approver and intervention details.

...