NCCM Approval Workflow
The NCCM Approval Workflow introduces a maker-checker control mechanism for high-impact NCCM actions. Instead of executing critical operations directly, users without approval rights submit a request that must be reviewed and approved by an authorized approver before the action is carried out.
This provides operational governance, reduces the risk of unauthorized configuration changes, and creates a traceable record of all approval-based actions.
Roles
The approval workflow is governed by two roles:
| Role | Description |
|---|---|
| NCCM | It assigns the user a requester role. A user assigned with this role can only initiate actions, but the system generates an approval request instead of executing the action directly. |
| NCCM and NCCM Approval | It assigns the user an approver (admin) role. A user assigned with both the roles can review, approve, or reject approval requests. When this user initiates an action, the system executes it directly without generating an approval request. |
A default NCCM user has approval rights by default. The approval request flow applies only when a user is explicitly assigned the NCCM role without the NCCM Approval role.
Approval-Controlled Actions
The following actions in NCCM trigger an approval request when initiated by a requester (NCCM-only user):
- Restore
- Sync
- Execute Runbook
- Firmware Upgrade
All other NCCM actions are not subject to the approval workflow.
Approval Request Naming Convention
Every approval request is automatically named using the following format:
APR: <sequence_number> – <hostname> – <action>
Example:
APR: 01 – hb1.hb1.com – Restore
The sequence number increments for each new request.
How the Workflow Operates
Requester Initiates an Action
When a requester (NCCM-only user) initiates an approval-controlled action:
- The system does not execute the action immediately.
- An approval request is created and sent to all users with the NCCM Approval role.
- The system displays a confirmation message indicating that the request has been sent for approval.
- The requester can track the request from their approval list.
Approver Reviews the Request
Users with the NCCM Approval role receive the approval request and can:
- Open the request to view all related metadata — device, action, requester, reason, and timestamp.
- Approve the request — the system then executes the action as per the original request.
- Reject the request — the action is not executed and the requester is notified.
If multiple users hold the NCCM Approval role, the request is visible to all of them. Any one authorized approver can act on the request.
Requester View
A requester can access their approval requests from the approval list. From this view, the requester can:
| Action | Description |
|---|---|
| View requests | See all approval requests created by them, along with current status. |
| View approval details | Access metadata related to the requested action. |
| Send Reminder | Send a reminder notification for a pending approval request. Available only while the request is in a pending state. |
| Cancel Request | Cancel their own pending approval request. Once cancelled, the action is not executed and the request cannot be reactivated. |
The Reminder and Cancel actions are only available for requests in a Pending state. They are not available once a request has been approved, rejected, or cancelled.
Approver View
A user with both NCCM and NCCM Approval roles can access the approver screen, which provides:
| View | Description |
|---|---|
| Current Requests | Displays all pending approval requests awaiting action. |
| Historical Requests | Displays previous requests raised for actions such as approved, rejected, or cancelled. |
From the approver screen, the approver can open any request to view its full metadata and take action.
An approver cannot act on a request that has already been approved, rejected, or cancelled.
Device-Level Approval Visibility
All approval requests associated with a specific device are accessible directly from the device information screen. A dedicated Approvals tab in the device details view displays all approval entries for that device — including pending, approved, rejected, and cancelled requests.
This allows both requesters and approvers to track approval history in the context of a specific device without navigating away from the device view.
Email Notification
When an approval request is generated, ObserveOps sends an email notification to the configured approver email address. This ensures approvers are alerted promptly and can act without delay.
Email notifications require the email service to be configured in ObserveOps system settings using Mail Server Configuration. Also, an email address must be configured for the respective user.