
Session Workflow Approval

A Remote Access Workflow provides a controlled process for granting access to managed endpoints. Instead of allowing users unrestricted, anytime access, workflows require users to submit an access request for approval. Approvers can then review the request, including the reason for access, and choose to Approve or Reject it. Approved requests typically grant time-limited access, while rejected requests deny access entirely.

There are also additional workflow use cases:

  • Automatic Approval eliminates the need for manual approval while retaining auditing capabilities.
  • Restricting Workflows prevent remote access entirely during defined time periods, acting as an “anti-workflow” to block access during, for example, non-business hours.

This article outlines how to configure and use the three supported Workflow templates (Automatic, Interactive, and Restricting) and how they are applied to assets and users.

Workflow Architecture: Forms and Selectors

Workflows in 12Port consist of two core components:

  • Workflow Forms: Define the approval behavior. A form can be of type Automatic (approval), Interactive (human approver evaluated), or Restricting.
  • Workflow Selectors: Define how an enabled Workflow Form is applied to an asset or container. Selectors control aspects such as asset operations, time-based restrictions, and user/group targeting.

Together, these components determine how and when remote access is granted.

Workflow Types

The three types of Workflow Forms are:

  • Automatic
    Approves access requests automatically, while logging the request and approval for auditing purposes.
  • Interactive
    Requires human review. Requests must be approved (or rejected) through a single or multi-level approval chain defined in the Workflow Form. For Interactive workflows, Approvers can be individual users or groups. When a group is defined, the number of required approvals is specified using the Weight setting in the form.
  • Restricting
    Disables access entirely during specific periods or conditions. Users cannot request access; access is simply unavailable.

Use Case: Automatic Approval

The Automatic Approval workflow automatically approves submitted requests without human intervention. This is useful for trusted users, while still allowing the system to log key session details, such as access reasons, for auditing.

To Create an Automatic Approval Workflow:

  1. Log in as an Administrator (other roles may also support aspects of workflow creation).
  2. Go to Management > Workflow Forms and click Add.
  3. Configure the Form:
    • Form Name: Provide a unique and recognizable name.
    • Type: Select Automatic for this use case.
    • Enabled: Toggle this option to make the form enabled. Only enabled forms can be used.

Workflow Form Automatic Approval Type

To Apply the Form Using a Workflow Selector:

  1. Navigate to the target Asset or Container.
  2. Go to Manage > Workflow Selectors. Note that if applied to a container, this selector will apply to all child objects due to inheritance.
  3. Click Add and configure the selector:
    • Workflow Form: Select the form created earlier.
    • Operations: Specify which operations require approval (e.g., Asset Access). In this use case, we will toggle the Asset Access option, which enables workflow approval for remote access sessions.
    • Targets: Define users or groups required to request access.
    • Time: The period during which the Workflow Selector applies. This includes:
      • Work Hours: during traditional business hours of 08:00-17:00.
      • After Hours: outside traditional business hours, i.e. 17:00-24:00 and 00:00-08:00.
      • Weekend: applies for Saturday and Sunday.
      • Holiday: applies to a Holiday schedule.
    • Exclusive: Indicates that access, once approved, is granted exclusively to the requester.
  4. Click Save.

Workflow Selector Configuration for Asset Access Operation

Testing:

Log in as a user in the Targets group and navigate to the asset. The standard Access button is replaced with Access (Request Access). Submit the request, and the system will automatically approve it. Access is then granted through the same button, now labeled Access, and the workflow steps, including the access reason, are recorded in the audit log.

Workflow Access (Request Access) Option

Use Case: Interactive Approval

The Interactive Approval workflow requires manual review and decision-making from defined Approvers, who determine whether to Approve or Reject requests. This is appropriate in scenarios where human oversight is necessary, although it is more time consuming; for example, when a DevOps manager wants to review team member access requests.

To Create an Interactive Approval Workflow:

  1. Log in as an Administrator (other roles may also support aspects of workflow creation).
  2. Go to Management > Workflow Forms and click Add.
  3. Configure the Form:
    • Form Name: Provide a unique and recognizable name.
    • Type: Select Interactive for this use case.
    • Level n: Define each approval level and assign Approver(s). Add additional levels if needed. For multi-step interactive approval, use the Add Level button to create an additional step. Note that each step must have at least one defined Approver.
    • Enabled: Toggle this option to make the form enabled. Only enabled forms can be used.

Workflow Form Interactive Approval Type

To Apply the Form Using a Workflow Selector:

Follow the same steps as the Automatic Approval setup in the previous section, adjusting the Workflow Form field to use the newly created Interactive form.

Testing:

  1. Log in as a user in the Targets group of the Selector.
  2. Navigate to the asset and click Access (Request Access).
  3. Submit the form.

The request will now wait for human approval:

  1. Log in as an Approver.
  2. Go to My Profile > Approver List.
  3. Find the request and select Actions > Approve.

Workflow Approver Actions

For multi-level workflows, each level must approve the request before access is granted. If an approver at any level selects Reject, the entire request is denied.

All approval steps and user-submitted reasons are logged in the Events Report.
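The multi-level rules above can be checked on paper before a form is built. The following is an added example, not 12Port code or its API: it assumes levels are worked through in order, that Weight counts distinct approvers, and that votes from users who are not approvers at the current level are ignored; the user names and the `Level`, `validate` and `evaluate` helpers are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Level:
    approvers: frozenset  # a single user, or the members of an approver group
    weight: int = 1       # approvals required at this level (the group Weight)

def validate(levels):
    """Reject chains that can never complete (added sanity check)."""
    for n, lvl in enumerate(levels, 1):
        if not lvl.approvers:
            raise ValueError(f"level {n}: at least one Approver is required")
        if not 1 <= lvl.weight <= len(lvl.approvers):
            raise ValueError(f"level {n}: Weight {lvl.weight} cannot be met "
                             f"by {len(lvl.approvers)} approver(s)")

def evaluate(levels, decisions):
    """Replay (user, action) decisions in order; return (state, level).

    state is APPROVED, REJECTED or PENDING; level is the 1-based level that
    rejected or is still waiting (None once approved).
    """
    validate(levels)
    current, approved_by = 0, set()
    for user, action in decisions:
        if current == len(levels):
            break                                # chain already complete
        lvl = levels[current]
        if user not in lvl.approvers:
            continue                             # assumption: not this level's approver
        if action == "reject":
            return "REJECTED", current + 1       # any reject denies the request
        if action == "approve":
            approved_by.add(user)                # a repeat vote counts once
            if len(approved_by) >= lvl.weight:
                current, approved_by = current + 1, set()
    if current == len(levels):
        return "APPROVED", None
    return "PENDING", current + 1

# Constructed sample chain: a manager, then two of three security reviewers.
CHAIN = [
    Level(frozenset({"devops_mgr"})),
    Level(frozenset({"sec_a", "sec_b", "sec_c"}), weight=2),
]

if __name__ == "__main__":
    votes = [("devops_mgr", "approve"), ("sec_a", "approve"), ("sec_a", "approve")]
    print(evaluate(CHAIN, votes))
    print(evaluate(CHAIN, votes + [("sec_c", "approve")]))
    print(evaluate(CHAIN, votes + [("sec_b", "reject")]))
```

The `validate` step catches a group level whose Weight exceeds its membership, a misconfiguration that would leave every request pending.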

Use Case: Restricting Access

The Restricting workflow is designed to prohibit access entirely during defined periods. It offers neither the Access nor the Access (Request Access) option; access is simply unavailable. This is useful for enforcing blackout periods (e.g., blocking access outside business hours).

To Create a Restricting Workflow:

  1. Log in as an Administrator (other roles may also support aspects of workflow creation).
  2. Go to Management > Workflow Forms and click Add.
  3. Configure the Form:
    • Form Name: Provide a unique and recognizable name.
    • Type: Select Restricting for this use case.
    • Enabled: Toggle this option to make the form enabled. Only enabled forms can be used.

Workflow Form Restricting Approval Type

To Apply the Form Using a Workflow Selector:

Follow the same process as in the previous workflow use cases, selecting the newly created Restricting form in the Workflow Form field.

Testing:

Log in as a user in the Targets group and navigate to the asset. The Access or Access (Request Access) buttons will not appear when access is restricted by the Selector’s Time condition.

Workflow Restricting Form no Access Button

Once the restricted time window passes, access options will reappear.

Workflow Time Extension Requests

Users with an approved time-restricted workflow can request an extension if additional time is needed to complete their session. This feature is available only for workflows that have already been approved and are subject to a predefined time limit.

When a user submits an extension request, it is routed for review and must be approved before the time limit can be adjusted. The original session expiration remains in effect until the extension request has been approved and the time extension has been assigned.

Viewing Time Remaining

During an approved secure web session (non-proxy), the remaining session time is displayed in the in-session toolbar under the Expiration field:

In-session Toolbar Expiration Time

This countdown timer shows how much time is left before the session automatically ends (hours:minutes:seconds).


Extension Request Flow

If the user requires additional time, they can request an extension from this asset. Here is the flow for extending an approved web session.

Requesting a Time Extension

If you need more time during an active session:

  1. From the asset, click Extend (Request Access).
  2. Complete the extension request form, specifying how long you’d like to have the ability to extend the session.

    The time you define here determines how long the Extend option remains available, not the amount of additional session time that is needed.

  3. Submit the Request Action: Extend Request form for approval.

Extend (Request Access) Button

Once this extension request is approved, the Extend (Request Access) button state changes to Extend.

Extend Button

  1. Click Extend, and select the new session end time using the Extend To field.
  2. Confirm by clicking Extend on this form.

Extend Request Form

The in-session Expiration timer will update to reflect the newly extended session end time.

In-session Toolbar Expiration Time Updated

The session will now continue until the new expiration time, or until you manually end it.


Ending Your Session Early

If you complete your work before the session expires, you can manually end the session:

  • Use the Complete your approved request option to complete the workflow.
  • This returns the session to the Request state, and a new approval will be required to start another session or extend the remaining time.