Approval Workflows

OnePAM provides multi-step approval chains — define who approves, in what order, with time limits. Auto-approve trusted roles and auto-deny stale requests.

Start Free Trial See All Features
What You Get

Structured Approvals, Not Email Threads

Multi-step approval chains — team lead, then manager, then security
Configurable approver types: by role level, team membership, or specific users
Per-step required approval counts and timeout limits
Auto-approve for trusted roles — skip the queue when policy allows
Auto-deny for stale requests — timed-out requests denied automatically
Time-bound access with configurable duration and automatic revocation
Multi-channel notifications: email, Slack, Discord, Teams, Telegram, webhooks
Covers all resource types: web apps, endpoints, groups, resource sessions, VPN
Full audit trail for every decision with approver identity and notes
Priority-based workflow matching — most specific policy wins
Workflow Engine

Approval Chain Configuration

Approval Workflow: sre-prod-db 3-step chain • Priority: High • Timeout: 30 min per step Step 1: Team Lead Approval Approved by lisa@acme.com in 2m 14s Approver type: Role Level ≥ Team Lead • Required: 1 of 3 Approved Step 2: Manager Approval Approved by manager@acme.com via Slack in 5m 02s Approver type: Role Level ≥ Manager • Required: 1 of 2 Approved Step 3: Security Team Review Waiting for approval • Notified via Discord, email Approver type: Team = Security • Required: 2 of 4 • Timeout: 28m remaining Pending Request: req-84a2 dev@acme.com → prod-postgresql (read-write, 4h) Notifications: SlackDiscordEmailWebhooks Multi-step chains • Auto-approve • Auto-deny on timeout • All resource types • Full audit trail
Deploy in Under 5 Minutes

Three Steps to Secure Access

1. Sign Up With SSO

Connect your identity provider — Okta, Azure AD, Google Workspace, or any SAML/OIDC provider. Your team logs in with existing credentials.

2. Add Your Resources

Register servers, databases, Kubernetes clusters, and web apps. Define who can access what with role-based policies.

3. Access Securely

Your team accesses resources through the browser — identity-verified, session-recorded, and audit-logged. No VPN, no exposed ports.

Goes Well With

Related Capabilities

SSH Access Management

Stop exposing SSH ports and sharing keys. OnePAM provides identity-verified browser SSH with session recording, keystroke logging, and automatic key rotation.

Secure RDP Access Management

Shared admin accounts and exposed RDP ports are the #1 Windows attack vector. OnePAM replaces them with identity-verified RDP and session recording.

VNC Remote Desktop Access

VNC ports on the internet are a breach waiting to happen. OnePAM provides browser-based VNC with SSO, MFA, and session recording.

Try Approval Workflows — Free for 14 Days

From signup to your first secure session in under 5 minutes. No infrastructure changes, no credit card, no sales call.

Start Free — Deploy in 5 Minutes