Approval Chains

Approval chains gate sensitive grants behind one or more human approvers, with SLA timers and escalation. The same engine powers access-request approvals and agentic-governance decisions.

Admin console: /admin/approvals

Concepts

  • Approval chain — an ordered set of approval levels. Each level resolves to one or more approvers (a specific user, a manager, a governance group, or a role).
  • Approval instance — a live request moving through a chain. Each level must be settled (approved/denied) before the next begins.
  • SLA & escalation — each level has a time budget; on breach the request escalates (notifies the next approver / a fallback) so requests don't stall silently.
  • Subject type — what the approval gates: an ACCESS_REQUEST, an AGENT_ACTION, etc.

How it works

When a gated action is submitted, the engine creates an approval instance and notifies the first level's approvers. Decisions are recorded against the instance; once all levels approve, the underlying grant (or agent action) proceeds. A denial stops it. Approval-engine errors (not-authorized, bad state, missing chain) are surfaced as HTTP 409 Conflict.
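The flow described above, modelled as a small state machine. This is an added example, not the product's code: the class and function names, the in-memory chain table and the sample approver ids are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

class ApprovalError(Exception):
    """Engine error; per the text above these surface as HTTP 409 Conflict."""
    http_status = 409

@dataclass
class Level:
    approvers: set              # resolved approver ids for this level
    decision: str = "PENDING"   # PENDING / APPROVED / DENIED

@dataclass
class Instance:
    subject_type: str           # e.g. ACCESS_REQUEST or AGENT_ACTION
    levels: list
    state: str = "PENDING"
    audit: list = field(default_factory=list)

    def decide(self, actor, approve):
        if self.state != "PENDING":
            raise ApprovalError("bad state: instance already " + self.state)
        # Only the first unsettled level is open; later levels cannot act early.
        n = next(i for i, lv in enumerate(self.levels) if lv.decision == "PENDING")
        level = self.levels[n]
        if actor not in level.approvers:
            raise ApprovalError(f"not authorized: {actor} at level {n + 1}")
        level.decision = "APPROVED" if approve else "DENIED"
        self.audit.append((n + 1, actor, level.decision))
        if not approve:
            self.state = "DENIED"      # a denial stops the grant
        elif all(lv.decision == "APPROVED" for lv in self.levels):
            self.state = "APPROVED"    # all levels approved: grant proceeds
        return self.state

def submit(chains, resource, subject_type):
    """Create an instance for a gated action; fail closed if no usable chain."""
    if not chains.get(resource):
        raise ApprovalError(f"missing chain for {resource}")
    return Instance(subject_type, [Level(set(a)) for a in chains[resource]])

def demo():
    chains = {"prod-db": [["manager-1"], ["gov-a", "gov-b"]]}  # constructed sample
    inst = submit(chains, "prod-db", "ACCESS_REQUEST")
    results = []
    try:
        inst.decide("gov-a", True)     # level-2 approver before level 1 settles
    except ApprovalError as e:
        results.append(e.http_status)
    results.append(inst.decide("manager-1", True))
    results.append(inst.decide("gov-b", True))
    return results
```

The `audit` list shows what a reviewer would want from the real engine's records: which level was settled, by whom, and with what decision.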

Typical setup

  1. /admin/approvals → New approval chain.
  2. Add levels; for each, choose the approver resolution (user / manager / governance group / role).
  3. Set the SLA and escalation target per level.
  4. Attach the chain to the resource that should require approval.