Supervisor Approval Settings
Supervisor Mode
| Supervisor Mode | Description | Notes |
|---|---|---|
| OU | Organizational Unit mode: Supervisors are defined for each Active Directory OU. Supervisors can approve/deny files from users in the OU and its child OUs. | Users can be promoted to supervisors using an attribute-based AD filter. See the "Configure supervisors" section below. |
| Group | Group mode: Supervisors are defined for each Active Directory group. Supervisors can approve/deny files from users in their group. | Supervisors do not act as supervisors in the sub-groups of their group. Such supervisors need to be assigned separately. No attribute-based AD filter is available for dynamic supervisor configuration. |
Supervisor Stage Approval Process
The supervisor process can be configured in three ways: as one-stage, multi-stage, or step-based. Each method allows you to define the number of steps required for a file approval.
| Stage | Description | Notes |
|---|---|---|
| One-stage | Requires at least one approval from a supervisor to allow/deny access to a file. | Ensure you have at least one supervisor or at least one container-based supervisor configured for each OU/group. |
| Multi-stage | Define the number of approvals required for a file to become available. If at least one supervisor denies the request, the file remains unavailable. | The system will not allow you to configure multi-stage supervisor approval unless there are enough supervisors. Each container (OU/group) must have at least N supervisors, where N is the stage number. If you plan to use multi-stage supervisor approval, ensure that the total number of supervisors adds up to N. |
| Step-based | Define the number of steps (levels) required for a file to become available. Each step allows a category of supervisors to approve the file before forwarding it to the next step. Supervisors will sequentially approve the uploaded files. | The system will not allow step-based supervisor approval unless there is at least one supervisor for each step (level) for each container (OU/group). The approval process must proceed sequentially from the list level to the Nth level, where N is the number of defined steps. |
Changing between one-stage, multi-stage and step-based configurations or altering the number of stages will reset the supervisor approval process. Any file that has not completed the process will be reset and any existing votes will be erased. This change will not affect files that have already completed the process and are either approved or denied.
These changes take effect once you activate the process configuration.
Step-Based Supervisor Approval Process
Files must be approved sequentially from the first level of supervisors to the last (N). In Multi-stage mode, supervisors can approve a file in any order, whereas in Step-based mode, supervisors in different hierarchies approve files at different levels.
If a file is revoked by a supervisor at level X, the approval process halts until the file is approved by the same supervisor, then continues through all levels until finally approved.
During file upload, pending approval notifications are sent level by level.
Comment notifications at each level are only visible to the corresponding supervisor.
Excluding Users from the Supervisor Flow
Administrators can exclude users from the supervision flow. This means that any file uploaded by the excluded user will be available without needing supervisor approval.
Administrators can exclude users during the user creation process.
Local, SSO, and Active Directory Users can also be edited later to be excluded from the supervision flow.
Skip Supervisor Approval
| Skip approval | Description | Notes |
|---|---|---|
| Never | Every file requires approval or denial. | This is the default option. |
| When sanitized | Sanitized files are automatically approved. | The approval process is skipped only for file types where Deep CDR is configured in MetaDefender Core. |
| After time span | Files are automatically approved after a specified period of time. |
Enabling Supervisor Comments
This feature allows supervisors to base their approval process on comments for each uploaded file. When uploading a file, users can provide a message explaining the reason for the upload. Supervisors can review these messages and the file, making it easier to decide on approval or revocation. They can also leave messages indicating the reasons for their decisions.
Supervisor Delegate
Supervisors can delegate another Active Directory (AD) User to act as a supervisor for a specified period. The delegated supervisor will have the same supervision rights as the original supervisor. This allows the original supervisor to have someone acting on their behalf. A supervisor can only delegate one AD user at a time.
Configured delegations are revoked if the approval process configuration is changed.
Supervision Between Groups/Organizational Units
This feature enables supervision across different groups or organizational units (OUs). Users from other containers can be selected as supervisors, applicable to both list and filter selection methods.
During the third step of Process Setup, users from any configured AD group or OU can be selected as supervisors.
Certain AD groups can be excluded from the supervision flow. Files uploaded to an excluded group will not be supervised.
Disabling Supervision Between Groups/Organizational Units
When disabling this feature, a warning message will prompt for confirmation.
Activating a new approval process configuration with this feature disabled will reset approval votes and remove all current supervisors.
Reassignment of supervisors will be required.
Disable Group Supervision for Default Supervisors
When this feature is enabled, then only Group Supervisors will be able to oversee groups. Default Supervisors will not involved in the supervision process. However, if a group has no Group Supervisor, the Default Supervisors will act as supervisors.
The feature is only available for Group Supervision.
Global Supervisors' Approval Time Restrictions
This feature restricts global supervisor's approval capabilities to specified time frames.
When enabled, you can set the exact times and days of the week when global supervisors are active. Multiple time points on different days can be set for detailed customization.
The active periods are based on the MetaDefender Managed File Transfer™ server's time zone.
Global Supervisors will receive a warning message if they attempt to approve files outside their active times, visible on the "Pending Approval" and "Approval History" pages.
