** Multi-Level Approval update at the end of the blog**
Providing a self-service catalog can be a great way to allow users in an organization to quickly get applications and services they need and can help IT focus on other tasks outside of just full-filling requests for machines. However when a catalog is presented to an organization it is important that there are some guardrails and governance around those requests from the catalog. Policies such as “Lease Times” help by eliminating resources that are not being used and ensuring that users know they cannot keep something forever. Governance is a key aspect of building a cloud-like experience for an organization and now vRealize Automation contains “Approval” policy definitions to allow for even greater control. In this blog I will highlight this exciting feature and explain how it can be used.
What is an Approval Policy in vRealize Automation?
Approval policies are a level of governance that helps control which Deployment Requests and Actions require approvals before being initiated. If the approver rejects the request, the request is not initiated and fails to execute.
For example, you have a catalog item that is important, but it consumes a significant amount of resources. You want one of your IT administrators to review any deployment requests to ensure that the request is needed. Another example applies to day 2 actions. Making changes to a deployment that is used by many might be devastating. You want the project administrator who manages the deployment for that team to review all changes to the deployed catalog item.
Approval policies can also be applied to “Actions” that can be performed within vRealize Automation. Examples include “Deployment Creation” , “AWS EC2 Instance Power On”, in fact there are 70+ actions that can have an approval attached to them.
So lets jump into this exciting new policy feature and take a look.
How To Get Started with Approvals
In this section I am going to go over where and how to setup approvals. Of course before implementing approval policies in a production environment the approvers and items needing to be approved should be identified.
In order to start configuring Approval policies you need to go to the Service Broker service within vRealize Automation. Once inside Service Broker , go to Content and Policies —> Policies —> Definitions —> New Policy Definitions then click on the Approval Policy tile as shown in the screenshot below.
Once you click on the Approval Policy tile you will see the various configuration options for creating the Approval Policy. Provide the following information:
- Name – of the Approval Policy
- Description – (optional)
- Scope – this determines if the policy is applicable to all deployments or just to deployments within a certain Project. To learn more about Projects go here.
- Deployment Criteria – if you want to further refine when the policy is applied then you can add policy criteria. Policy criteria options are:
- blueprint: choose a blueprint that was created in Cloud Assembly
- catalog item: choose any catalog item that is published in Service Broker catalog
- deploymentCreationCost: (vRA 8.1/8.2 only) – requires integration with vRealize Operations Manager. This criteria enforces the policy based on estimated cost of the deployment.
- deployment: choose an existing deployment and apply an action that you want to be the trigger for the approval (e.g. – Deployment.Poweroff)
-
- requested By: choose a user in the system, when this user requests an item it triggers an approval
- resources: choose a resource that will trigger an approval (e.g. – Cloud Zone, Flavor, or Image etc.)
- Approver Mode – choose whether just one or all approvers need to approve the request.
- Approvers – click the “Add Users” button to add approvers. They will get an email when an approval request is initiated.
- Auto Expiry – choose either to Approve or Reject a request after a period of no response from approvers
- Auto Expiry Trigger – choose in “Days” how long the request can live before the auto expiry action takes affect
- Actions – search for approval actions that would be triggered at time of request.
It is worth mentioning that Deployment Criteria can be refined by and/or statements and choosing multiple criteria. Take a look at the example below.
Once you hit the “Create” button then the policy will be show up under the Policy Definitions page. At that point the policy is in effect.
The Approval Process
The policy definition that I defined states that whenever someone tries to deploy a Multi-Cloud Machine, an approval is needed. After the user requests the service within the Service Broker catalog they then fill out the information needed for the request.
Once the user hits the “Submit” button, then the deployment will stall at the Approval Needed step in the deployment. So the user will see this type of message in the Deployment section:
Shortly after that the Approver will get an email with some instructions and a notification that a deployment is needing their attention.
Once the Approver clicks on the “Approve or Reject the request now” link in the email, they will be taken to the vRealize Automation login screen then sent to the Deployment Approve/Reject screen. The approver can then review the Request Details and then click “Approve” or “Reject” with comments. The approver can also see information about the request via the Policy Details, Resource Details and Input Details tabs.
Once the Approver clicks “Approve” the deployment will continue to completion. If the Approver rejects the request, then it is cancelled and the item will not be deployed.
Approval policies will also apply to a Cloud Template when the deployment of the Cloud Template is initiated from Cloud Assembly. This was not possible in previous releases and is new in vRealize Automation 8.2 (and later) and vRealize Cloud.
This was just one example where approvals can help govern what get deployed out of your Self-Service catalog. Also keep in mind that actions can also be chosen as approval criteria. So if you do not want a user to be able to “update tags” without approvals, then that can also be done.
** Update for vRealize Automation 8.8 and vRealize Automation Cloud – Multi-Level Approvals.
I am excited to share the latest update in regards to Approval Policies within vRealize Automation 8.8 and vRealize Automation Cloud. The latest update allows for multi-level approvals to maintain technical constraints and capabilities for resources in the organization.
To manage virtual infrastructure resources and consumption, administrators can add multiple policies at different approval levels, for example one level of approval could be for deployment of a resource and another related to the amount of compute requested.
If a deployment request exceeds at least one of the levels deployment criteria, then an administrator must approve the request. Only Approvers of that level are notified of the request. When an approver approves the request at that level, the request is routed to the next level. If the request is rejected, it is not routed any higher and is denied.
The level defines the order in which the policy is enforced. Level 1 approvals are applied first, followed by level 2 approvals, and so on, use a numerical value (1-99). Just remember that approvers associated with higher level Approval Levels will not see the approval pending in the Service Broker Approval portal until the lower level approvals have been accepted.
The approval level is set in the policy.
In the example below there are two levels of approval. Level 1 Approval Policy requires approval for the creation of the deployment from a specific cloud template and the second level approval policy requires an approval if the cloud templates machines are set to Flavor: Large
.
Level 1 Policy looks like this:
The Level 2 Approval Policy is the same as Level 1 except for the Criteria and Approval Level and the Approve. It is also is associated with Deployment.Create
actions.
Once a deployment is kicked off the user will see something like this in the Event History:
The administrator called configuser will then see the approval request in the Approvals section of Service Broker.
Notice there are two levels and both pending. Once configuser accepts the request the approval request will show up for the Level 2 Approvers.
Whether or not the Level 2 approver accepts or rejects the request will determine whether the Application Server Request deployment will proceed or not.
Policies are a key strategy for managing resources and vRealize Automation continues to provide additional value for our customers in this area!