EJBCA provides ample mechanisms for redundant review and authorization of specific actions through Approvals. The various forms of approval profiles allow for anything from simple to complex and dynamic workflows.

Approvable Actions

The following actions can be configured to require approval:

| Action Name | Description |
| --- | --- |
| Add/Edit End Entity | Requires approval for any operation that involves enrollment or that edits an end entity in any way, including changing status as a precursor to certificate renewal. |
| Key Recovery | If the CA has key recovery enabled, choosing this action requires an administrator's approval before the key pair is recovered and made available to the end user. |
| Revocation | Requires approval in order for a revocation request to go through. |
| CA Service Activation | Enabling approvals for this action means that changing a CA from offline to online requires approvals from other administrators. |

If multiple administrators are required to approve an action, rejection by any one of them will reject the entire action. 

Configuration

Approvals may be set in two locations: in a CA or in the Certificate Profiles.


Approvals in the CA

Approvals in the Certificate Profiles

Because approvals (with potentially different profiles) can be set for the same action in both the CA's settings and the Certificate Profile in use, the Approval Profile chosen in the Certificate Profile takes precedence over the one chosen in the CA. If no Approval Profile is chosen for the given action in the Certificate Profile, EJBCA defaults to the one chosen in the CA.

Approval Profiles

Due to requirements on EJBCA for multi-tenancy and differing workflows for different CAs, EJBCA provides Approval Profiles. Each Approval Profile provides a basic template for a reusable workflow, from the simple to the complex. For more information, see Approval Profiles. To date, EJBCA has two different types of Approval Profiles that can be configured.

| Approval Profile Type | Description |
| --- | --- |
| Accumulative Approvals | This is the simplest type of approval profile, requiring only a number of administrators with approval privileges (see Roles and Access Rules for more information) for requests to pass. |
| Partitioned Approvals | Partitioned Profiles provide a far more dynamic framework where approval actions are split into Steps (which are resolved sequentially), and each Step can be split into Partitions (which are resolved in parallel within the step). Each partition can be assigned to specific roles to either approve or review, and additional metadata fields (text, checkboxes, radio buttons, etc.) can be added to each partition to be filled in by the approving administrator, providing an audit trail of the action performed. |
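
The following is an added example, not EJBCA code: a simplified Python model of two rules described above, the Certificate Profile taking precedence over the CA when selecting an Approval Profile, and the resolution of a Partitioned Approval (steps in order, partitions in parallel, any rejection rejecting the whole action). The action labels, profile names, role names and function names are assumptions made for illustration, and review-only partitions and metadata fields are not modelled.

```python
from dataclasses import dataclass

def effective_profile(action, ca_settings, cert_profile_settings):
    """Certificate Profile choice wins; otherwise fall back to the CA's choice.
    Returns None when neither location sets an Approval Profile for the action."""
    return cert_profile_settings.get(action) or ca_settings.get(action)

@dataclass(frozen=True)
class Partition:
    name: str
    approver_roles: frozenset  # roles allowed to approve this partition

def resolve(steps, decisions):
    """steps: list of steps, each a list of Partition (parallel within the step).
    decisions: chronological tuples (role, step_index, partition_name, verdict).
    Returns 'APPROVED', 'REJECTED' or 'WAITING'."""
    current, done = 0, set()
    for role, step_index, partition_name, verdict in decisions:
        if current == len(steps):
            break  # every step already resolved
        if step_index != current:
            continue  # only the current step is open; steps resolve in order
        part = next((p for p in steps[current] if p.name == partition_name), None)
        if part is None or role not in part.approver_roles:
            continue  # unknown partition, or role not assigned to it
        if verdict == "reject":
            return "REJECTED"  # one rejection rejects the entire action
        done.add(partition_name)
        if all(p.name in done for p in steps[current]):
            current, done = current + 1, set()  # step complete, open the next
    return "APPROVED" if current == len(steps) else "WAITING"

# Constructed sample data: action labels, profile names and roles are made up.
CA_SETTINGS = {"REVOCATION": "two-admins", "KEY_RECOVERY": "two-admins"}
CERT_PROFILE_SETTINGS = {"REVOCATION": "partitioned-review"}
STEPS = [
    [Partition("identity", frozenset({"RA-Officer"})),
     Partition("security", frozenset({"Security"}))],
    [Partition("release", frozenset({"CA-Admin"}))],
]

if __name__ == "__main__":
    print(effective_profile("REVOCATION", CA_SETTINGS, CERT_PROFILE_SETTINGS))
    print(resolve(STEPS, [("Security", 0, "security", "approve"),
                          ("RA-Officer", 0, "identity", "approve"),
                          ("CA-Admin", 1, "release", "approve")]))
```
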

Approving Actions

Approvals are later resolved in the RA UI by authenticated and authorized administrators. For more information, see Managing Requests in the RA UI.

Notifications

Approval profiles can be configured to notify the requesting user of status changes (based on end entity information) and to notify approving administrators about an action requiring their attention.