Introduction

Users wish to find an approval process in JOC Cockpit for situations in which users perfrom interventions.

The following roles are involved:

• An Operator intends to perform an intervention that requires approval.
• An Approver confirms or denies the Approval Request for intervention.

The basic functionality of the Approval Process includes:

• to implement the 4-eyes principle: an Approver must confirm the intervention of an Operator.
• to keep track of pending Approval Requests for intervention.
• to offer fallback from a number of Approvers.
  
  

FEATURE AVAILABILITY STARTING FROM RELEASE 2.8.0

Prerequisites

Profiles

Operator profiles and Approver profiles are required to specify

• supported Notification Channels in their preferred order,
• one or more Notification Endpoints matching supported Notification Channels:
  • An e-mail address for receipt of related Notifications,
  • A phone number for receipt of Notifications for mobile devices.

Internet Connection

JOC Cockpit, Controller and Agents are operated without internet connection.

Components

Notifications

Notification Channels include

• Internal Notifications
  • Notify the recipient of the Notification in JOC Cockpit provided that an active session exists in JOC Cockpit for the recipient.
• External Notifications
  • Send e-mail to the recipient.
  • Send SMS messages to a mobile device by e-mail using an SMS Gateway Provider that accepts e-mail which is converted to SMS messages and is forwarded to the recipient.
    • SMS Gateways are commercial services offered at low cost from a vast number or providers such as Twilio, Telnyx, Bird etc.
  • Send WhatsApp messages to a mobile device using https://developers.facebook.com/docs/whatsapp/cloud-api/.
    • The Facebook Cloud API requires prior registration.
    • Consider that use of 3rd-party APIs and Services for sending WhatsApp messages is illegal. Use of the Facebook Cloud API only is legitimate.
  • Send Signal messages to a mobile device using https://github.com/signalapp/libsignal

Users configure available Notification Channels and configure the ordering by which Notification Channels are triggered.

Notification Channels that require internet access, for example messages sent to mobile devices, make use of the JS7 Notification Service. The service is operated from a component on a separate machine with internet access.

• JOC Cockpit can access the JS7 Notification Service to send and to receive Notifications. The JS7 Notification Service does not establish a connection to JOC Cockpit.
  • Connections are established using mutual TLS authentication between JOC Cockpit (client) and the JS7 Notification Service (server).
• The JS7 Notification Service offers a REST API to send Notifications and to receive Notifications.

Operator Groups and Approver Groups

Operators and Approvers are managed from groups:

• Operators are members in a given JS7 role. A number of JS7 roles can be used to populate an Operator Group: Operators are chosen from a given role and are added to the group in specific ordering.
  • This implies that user accounts that are not members in a given JS7 role cannot create Approval Requests.
  • This implies that user accounts that are not members in a given JS7 role cannot perform Approval.
  • Any user accounts are individually added to an Operator Group or Approver Group. Role assignment to groups remains in place and is checked at run-time for a user account.
• Approvers are members in a given JS7 role. A number of JS7 roles can be used to populate an Approver Group: Approvers are chose from a given role and are added to the group in specific ordering.
  • The same applies for role membership and role assignment as for Operators.

More than one Operator Group and Approver Group can be created. Each group is assigned matching folder permissions. The relation of folder permissions, Operator Group and Approver Group is persisted.

The following applies to the mapping of roles to Approval Requests:

• Any member of an Operator Group can prompt an Approver who is a member of the matching Approver Group for confirmation of an intervention.
  • An Operator can specify the preferred Approver (identified from the Approver's account) for a given Approval Request.
• Any member of an Approver Group matching the requesting Operator Group can handle Approval Requests.
  • The preferred Approver specified by the Operator for an Approval Request is contacted first.
  • If the preferred Approver does not respond to the Approval Request within a configurable period, then the next Approver in the Approver Group will be notified.

Use Cases

Operator prompts Approver to confirm Intervention

• The Operator is prevented from directly performing an intervention. Instead, a Notification is created for the requested intervention that is sent to an Approver.

• Fail-over and switch-over of JOC Cockpit must be supported.

• Approval Requests are persisted, and the list of pending requests is available in JOC Cockpit, allowing Operators to cancel Approval Requests.

Approver connected to JOC Cockpit

• An Approver who is connected to JOC Cockpit from an active session receives an Internal Notification within JOC Cockpit for pending Approval Requests. The Notification explains affected objects and the type of intervention.

  • The Approver confirms/denies the intervention in JOC Cockpit.
• If an Approver connected to JOC Cockpit from an active session does not respond to the Internal Notification within a configurable period, for example 5 minutes, then the process applies as explained from chapter Approver not connected to JOC Cockpit.

Approver not connected to JOC Cockpit

If an Operator prompts for confirmation of an intervention and the Approver is not connected to JOC Cockpit from an active session or does not respond to a JOC Cockpit Internal Notification, then the Approver will be notified externally.

The Approval Process is supported by an external OIDC Identity Provider allowing to connect to JOC Cockpit and to approve the intervention. Any approval is performed inside JOC Cockpit.

• The basic proceeding corresponds to https://www.ory.sh/docs/oauth2-oidc/authorization-code-flow

Capabilities

Prompt Notification

When an Operator prompts an Approver to confirm an intervention, then the Approver receives an Internal and/or External Notification. If an Approver confirms or denies an Approval Request, then the Operator receives an Internal and/or External Notification.

• Notifications include details about the internvention and about the Approver's response (confirmed/denied).

• Users can customize notification preferences. In case that the Approver is not available, another Approver should receive a notification in JOC Cockpit and via e-mail.

Approver Fallback

When an Approver does not pick up an Approval Request, then the next Approver in the Approver Group is notified to take over confirmation/denial of the suggested internvention to ensure that the Approval Process is not interrupted. 

• If a number of Approvers receive the same Notification, then only one Approver can confirm/deny the Approval Request.
• If an Approval Request is confirmed/denied then remaining Approvers who previously have been notified receive a Notification about completion of the Approval Request.

Pending Approval Requests

Along with real-time Notification of Approval Requests, Approvers receive a summary of pending Approval Requests.

Bulk Approval 

• No bulk approval is supported. Approvers must confirm/deny Approval Requests individually.

Audit Log Entries

The Audit Log contains all operations and approval information to allow users to identify inconsistencies. The Audit Log records all operations, confirmations and denials. The Audit Log includes the User IDs of both Operator and Approver and intervention details.