Supervisor Approval Settings
Supervisor mode
| Supervisor Mode | Description | Notes |
|---|---|---|
| OU | Organizational Unit mode allows you to define supervisors in each Active Directory OU. An OU supervisor will be able to approve or deny files from all other users in that Organizational Unit and any children OUs. | For convenience, it's possible to promote users from an OU to the supervisor role by configuring an attribute-based AD filter. See the Configure supervisors section below for more details. |
| Group | Group mode allows you to define supervisors in each Active Directory group. A group supervisor will be able to approve or deny files from all other users in that group. | Supervisors from a group are not also supervisors for sub-groups of that group. You will need to assign them individually. It is not possible to use an attribute-based AD filter to dynamically configure supervisors. That option only works with OU mode. |
Supervisor stage approval process
The supervisor process can be configured as one-stage (one approval required for each file), multi-stage (multiple approvals required) or step based (one approval is required for each hierarchical level) and you can define the number of approvals or steps required for a file.
| Stage | Description | Notes |
|---|---|---|
| One stage | At least one approval from a supervisor is required to allow or deny access to a file. | You should make sure that you have at least one supervisor or at least one container based supervisor configured for every OU/group. |
| Multi-stage | Define the number of approvals required in order for a file to become available. If at least one supervisor denies the request the file will remain unavailable. | The system will not allow you to configure multi-stage supervisor approval unless you have enough supervisors or ensure that any container (OU/group) has at least N supervisors configured including the non-container based ones, where N is the stage number. If you plan to use multi-stage supervisor approval, ensure that the number of supervisors and number of supervisors for each container (OU/group) adds up to the total of N supervisors. |
| Step based | Define the number of steps (levels) required in order for a file to become available. Each step will allow a category of supervisors to approve the file before it will be forwarded for approval to the next step of supervisors. Supervisors will sequentially approve the uploaded files; | The system will not allow you to configure step based supervisor approval unless you have at least one supervisor for each step (level) or at least one container based supervisor per each step (level) for every container (OU/group). When starting the step based approval process for a file, it needs to be approved sequentially from the first level of supervisors till the N level, where N is the defined number of steps. |
Please note that whenever you change between one stage, multi-stage and step based or the number of stages the supervisor approval process resets. Any file that has not completed the process will be reset and any existing votes will be erased. However, a change like this will not have any effect on files that have completed the process and are already approved or denied.
This change will take effect once you activate the process configuration.
The step based supervisor approval process
An uploaded file must be approved by N levels of supervisors to be Available where N is equal to the number configured in supervisor approval settings. The difference between Multi-stage and Step based, is that in Multi-stage mode the supervisors can approve a file in any order, while in Step based mode the supervisors are set in a hierarchy, an the file passes sequentially from level to level in order to be approved.
When a file is being Revoked by a supervisor from level X the approval process will not continue until the file is approved by the same supervisor that revoked it, and it will have to pass through all the N supervisors levels in order to be Available.
When uploading a file the pending approval notification will be sent to the first level of supervisors. When the first level approves, a notification will be sent to the next level, and so on.
When a file is in the approval process on level X and the owner adds a comment, the comment notification will be sent only to the supervisors on level X.
Exclude users from the supervisor flow
Administrators can exclude users from the supervision flow. It means that every file uploaded by that user is going to be available for the user without the approval of a supervisor.
Administrators can exclude users from the supervision flow during user creation.
Local, SSO and Active Directory users can also be edited later to exclude them from the supervision flow.
Skip supervisor approval
| Skip approval | Description | Notes |
|---|---|---|
| Never | Every file needs to be approved or denied | This is the default option. |
| When sanitized | Sanitized files are automatically approved | The approval process is skipped only for file types where Deep CDR is configured in MetaDefender Core. |
| After time span | Files will be automatically approved after the specified period of time elapses |
Enabling supervisor comments
This feature allows the supervisor approval process to be done based on comments for each uploaded file. When uploading a file users will be able to write a message informing about the upload reason. After reviewing the file and the message(s), supervisors will be better able to choose between approving or revoking the file. They will also be able to write messages indicating why a certain action was taken.
Supervisor Delegate
This feature allows the supervisor to delegate another AD user as a supervisor for a determined period of time. The delegated supervisor will have the same supervision rights as the original supervisor. This use case allows the original supervisor to have someone acting on his behalf. A supervisor can only delegate one AD user.
Configured delegations are revoked if you change the approval process configuration
Supervision between groups/organizational units
This feature allows supervision between users of different groups/organizational units. Users from other containers will be available for selection as supervisors. This applies to both list and filter selection methods.
At the third step of Process Setup, when assigning supervisors to a specific group or organizational unit, users can be selected from any Active Directory group or organizational unit. This includes all configured Active Directory groups and organizational units.
Also it is possible to exclude certain AD groups from the supervision flow. If a user upload a file to an excluded group it will not be supervised
Disabling supervision between groups/organizational units feature
When disabling this feature, a warning message will appear prompting the confirmation or rejection of the action.
Activating a new approval process configuration where this feature has been disabled, will also reset approval votes.
By doing this change, all current supervisors will be removed. A new reassignment of supervisors is required afterwards.
Global Supervisors' Approval Time Restrictions
This feature limits the supervisory abilities of users with a global supervisor role. When enabled, global supervisors can only approve or revoke files within specified time frames.
Once this feature is enabled, you can specify the exact times and days of the week when global supervisors are allowed to be active. Multiple time points on different days can be set for detailed customization.
The global supervisors will be active based on the time zone and time of the MFT server.
The global supervisors will get a warning message if they are out of their active times, both on Pending Approval and Approval History page.
