Supervisor Approval
This feature allows supervisors to implement an access policy for files uploaded using MetaDefender Vault. Supervisors can also be configured based on Active Directory organizational units or Active Directory groups.
The supervisor process can be configured as:
- One stage - one approval from a supervisor is required for each file;
- Multi-stage - you can define the number of approvals required for a file;
- Step based - you can define the number of steps required for approval and the supervisors will sequentially approve the uploaded files;
Process Setup
The supervisor approval process setup consists of a sequence of steps (wizard). All steps need to be completed in order for the configuration to be validated and the feature to be enabled.
Step 1 - Activate Supervisor Approval Process
In order to enable the Supervisor Approval feature please go to Supervisor Approval →Process Setup. Here you also have the option to choose between Organizational Unit mode or Group mode.
Supervisor Mode
| Supervisor Mode | Description | Notes |
|---|---|---|
| OU | Organizational Unit mode allows you to define supervisors in each Active Directory OU. An OU supervisor will be able to approve or deny files from all other users in that Organizational Unit and any children OUs. | For convenience, it's possible to promote users from an OU to the supervisor role by configuring an attribute-based AD filter. See the Configure supervisors section below for more details. |
| Group | Group mode allows you to define supervisors in each Active Directory group. A group supervisor will be able to approve or deny files from all other users in that group. | Supervisors from a group are not also supervisors for sub-groups of that group. You will need to assign them individually. It is not possible to use an attribute-based AD filter to dynamically configure supervisors. That option only works with OU mode. |
Step 2 - Supervisor approval details
The supervisor process can be configured as one-stage (one approval required for each file), multi-stage (multiple approvals required) or step based (one approval is required for each hierarchical level) and you can define the number of approvals or steps required for a file.
| Stage | Description | Notes |
|---|---|---|
| One stage | At least one approval from a supervisor is required to allow or deny access to a file. | You should make sure that you have at least one supervisor or at least one container based supervisor configured for every OU/group. |
| Multi-stage | Define the number of approvals required in order for a file to become available. If at least one supervisor denies the request the file will remain unavailable. | The system will not allow you to configure multi-stage supervisor approval unless you have enough supervisors or ensure that any container (OU/group) has at least N supervisors configured including the non-container based ones, where N is the stage number. If you plan to use multi-stage supervisor approval, ensure that the number of supervisors and number of supervisors for each container (OU/group) adds up to the total of N supervisors. |
| Step based | Define the number of steps (levels) required in order for a file to become available. Each step will allow a category of supervisors to approve the file before it will be forwarded for approval to the next step of supervisors. Supervisors will sequentially approve the uploaded files; | The system will not allow you to configure step based supervisor approval unless you have at least one supervisor for each step (level) or at least one container based supervisor per each step (level) for every container (OU/group). When starting the step based approval process for a file, it needs to be approved sequentially from the first level of supervisors till the N level, where N is the defined number of steps. |
Please note that whenever you change between one stage, multi-stage and step based or the number of stages the supervisor approval process resets. Any file that has not completed the process will be restarted and any existing votes will be erased. However, a change like this will not have any effect on files that have completed the process and are already approved or denied.
Skip supervisor approval
| Skip approval | Description | Notes |
|---|---|---|
| Never | Every file needs to be approved or denied | This is the default option. |
| When sanitized | Sanitized files are automatically approved | The approval process is skipped only for file types where Deep CDR is configured in MetaDefender Core. |
| After time span | Files will be automatically approved after the specified period of time elapses |
Process Setup - Configure supervisors
A user with the supervisor role can approve or revoke approval for files. Initially, the local administrator account is a supervisor so he can approve or deny approval for all the files.
Blocked files can only be approved by supervisors with the administrator role
Step 3 - Supervisors Setup
You can configure supervisors by selecting them from a list or by configuring a filter. These supervisors will have the ability to approve files uploaded by any user from any container (OU/group).
When selecting Step based as the stage approval process, the supervisor assigned to a specific level will be able to approve or revoke a file only when the file corresponds to his assigned level in the approval process.
Guests and external users cannot be set as supervisors
Depending on the Active Directory configuration settings, there are two cases of displaying Groups in the Setup Supervisors page:
- When the Active Directory configuration includes only Groups, the Setup Supervisors page will display only the explicitly included Groups.
- When the Active Directory configuration includes both Groups and OUs, the Setup Supervisors page will display all the Groups from the connected Active Directory. The reason for this is that the synchronized users may be part of an OU but may not a part of any explicitly included group.
Step 4 - Active Directory Supervisors Setup
The last step in the Supervisor Approval Process Setup is to add/edit supervisors individually for each container (OU/group).
When in Step based stage approval process, one or multiple supervisors can be assigned for every level to each container (OU/group).
When trying to save the new added supervisors by clicking the Save button, a validation will be done in order to ensure that there are enough supervisors set for each container (OU/group). If there are insufficient supervisors, an error message will be displayed and the save action will not be finalized.
Process Setup - Final Step
After setting the desired supervisors and after settings container based supervisors for the individual containers, the last step is to click Continue to finalize the process. If the configuration is not valid, you will be prompted with an error message and you will need to add enough supervisors for the selected configuration.
If the assigned supervisors met your Supervisor configuration setup, you will be prompted with a success message and a Finish button to complete the Supervisor Approval Process Setup. Now you can use the Supervisor Approval feature.
Assign supervisors dynamically by using an Active Directory filter
For both the supervisors and Organizational Unit based supervisors, you can choose to select a supervisor by specifying an Active Directory filter. This way, users are promoted to supervisors whenever they match the specified filter.
To verify if a certain user matches the filter, an LDAP query is executed to check if the specified LDAP attribute has the expected value. If the attribute does not exist or if the value is different, the user will not be promoted to the supervisor role.
Please note that for supervisors configuration, the filter applies to all your Active Directories (if you have configured more than one).
Each supervisor can only approve or reject files of his supervised users (in the same container). A container can have any number of supervisors, including none.
Learn how to include or exclude a container by going to User Filtering Configuration.
Step based approval process does not yet support adding supervisors from filter.
Pending Approval Page
This page allows supervisors to manage files uploaded by the supervised users.
On the last column the following options are available:
- Approve file: make the file available for download
- Revoke approval: deny access to download the file
- Retry processing (only visible in case of failures)
Supervisors can only see the files on which they can take action on the "Pending Approval" page
Approve or revoke multiple files at once
Supervisors can also approve or revoke multiple files at the same time, and not individually.
By selecting multiple files, the following actions will become available:
- Approve
- Revoke Approval
- Delete
- Download as archive
The multi-stage supervisor approval process
An uploaded file must be approved by N supervisors to be Available where N is equal to the number configured in supervisor approval settings.
When a file is being Revoked by a supervisor the approval process will be restarted from scratch and N supervisors must approve the file again in order to be Available. If the file is being approved twice by the same supervisor, it won't be available. In order to be available, N different supervisors must approve the file.
The step based supervisor approval process
An uploaded file must be approved by N levels of supervisors to be Available where N is equal to the number configured in supervisor approval settings. The difference between Multi-stage and Step based, is that in Multi-stage mode the supervisors can approve a file in any order, while in Step based mode the supervisors are set in a hierarchy, an the file passes sequentially from level to level in order to be approved.
When a file is being Revoked by a supervisor from level X the approval process will not continue until the file is approved by the same supervisor that revoked it, and it will have to pass through all the N supervisors levels in order to be Available.
When uploading a file the pending approval notification will be sent to the first level of supervisors. When the first level approves, a notification will be sent to the next level, and so on.
When a file is in the approval process on level X and the owner adds a comment, the comment notification will be sent only to the supervisors on level X.
Approval History
You can use this page to check files that have been previously approved or denied approval.
If you wish to change your decision you can do so by using the actions menu when choosing files.