Configure Change Management Flows
Code Signing Change Management Flows allow Code Signing Administrators to use flows to enforce approvals for any of the following:
- To delete a Project
- To delete an Environment from a Project
- To create a new Environment in a Project
- To edit an existing Environment in a Project
IMPORTANT Change Management Flows are invoked only when the change is submitted via the UI. Requests submitted via the Web SDK will not invoke Change Management Flows. For information on restricting Web SDK access, see Limiting Web SDK access.
Enforcing change management provides assurance that critical Projects and Environments and their accompanying keys can't be deleted or changed without approval.
There are three types of approvals available to add to your Change Management Flow.
- Standard approvals allow you to select either the Project Owner or the Project Key Use Approvers as approvers. These roles are set in the Project configuration.
- Fixed approvals are similar to Standard approvals, except that a named approver or group is identified rather than relying on the roles from the Project.
- Administrator approvals allow you to require approval from Code Signing Administrators and/or Master Admins.
Setting up a Change Management Flow
BEST PRACTICE When an approval ticket is created, the Approvers are written to the ticket, and those Approvers are the only ones who can approve it.
Assigning groups as Approvers (rather than individuals) provides flexibility with who can approve the ticket. Group membership can be changed anytime. So if the Approvers are part of a group, and the group is assigned as the Approver, you then have the ability to manage the effective Approver list independent of the ticket itself.
In general, the more you can do with group assignments, the better.
- In Venafi Configuration Console, expand the Code Signing node.
- Click Custom Flows, and then click Add new Change Management Flow in the Actions panel.
- Give the new Flow a name, and then click Create. This name will serve as both the Flow's title and the name of its initial step. The new Flow is added to the Custom Flows node, and the Change Management Flow configuration screen opens.
Add a Standard Approval step
- In the Flow Summary Panel, click the step that you want to precede your approval step.
- In the Actions Panel, click Standard. Give the approval action a name, and then click Create. The name you enter will be the name of the step in the Flow Summary Panel.
- (Optional) Enter a Description for this step. The description displays as part of the step in the Flow Summary Panel.
- From the Attribute drop-down, do one of the following:
  - Select either Key Use Approver or Owner, depending on which role you want to assign this approval step to.
  - Type in the Attribute value manually.
- Select the Required number of Approvers that must approve in order for this approval step to be complete.
  EXAMPLE If you selected three approvers, or if you selected a group that has three members, and you want any two of those three to have to approve this request, then select 2.
- If you want this step to check for a policy setting for the Attribute value when it is executed, check Use policy when reading attributes. If the Attribute value is set on the policy, the policy value is used rather than the value set on the object.
- Click OK.
Add an Administrator Approval step
- In the Flow Summary Panel, click the step that you want to precede your approval step.
- In the Actions Panel, click Administrator. Give the approval action a name, and then click Create. The name you enter will be the name of the step in the Flow Summary Panel.
- (Optional) Enter a Description for this step. The description displays as part of the step in the Flow Summary Panel.
- From the Who Approves drop-down, select which types of administrators can approve.
- Select the Required number of Approvers that must approve in order for this approval step to be complete.
  EXAMPLE If you selected three approvers, or if you selected a group that has three members, and you want any two of those three to have to approve this request, then select 2.
- Click OK.
Add a Fixed Approval step
- In the Flow Summary Panel, click the step that you want to precede your approval step. For example, if you want to add a step after the "Approval 1" step, then click Approval 1.
- In the Actions Panel, click Fixed. Give the approval action a name, and then click Create. The name you enter will be the name of the step in the Flow Summary Panel.
- (Optional) Enter a Description for this step. The description displays as part of the step in the Flow Summary Panel.
- Click the Approvers drop-down, and then search for the individuals or groups that you want to add as approvers. Use the arrow button to move the approvers from the Results box to the Selected box. Click Close. The approvers are added to the Approvers field.
- Select the Required number of Approvers that must approve in order for this approval step to be complete.
  EXAMPLE If you selected three approvers, or if you selected a group that has three members, and you want any two of those three to have to approve this request, then select 2.
- Click OK.
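The approval semantics described above (approvers written to the ticket at creation, group membership resolved when someone approves, and a step completing once the Required number of distinct approvals is reached) modelled as an added illustration; this is not Venafi's code, and the directory, principal names and ticket class are assumptions for the example:

```python
from dataclasses import dataclass, field

# Constructed directory: group name -> current members. Editing this after a ticket
# exists changes the effective approver list without touching the ticket itself.
DIRECTORY = {"CodeSigningApprovers": {"alice", "bob", "carol"}}


@dataclass
class ApprovalTicket:
    step: str
    approvers: frozenset          # principals (users or groups) frozen at creation
    required: int                 # the step's "Required number of Approvers"
    approved_by: set = field(default_factory=set)

    def effective_approvers(self, directory):
        """Expand group principals using the directory as it is right now."""
        users = set()
        for principal in self.approvers:
            users |= directory.get(principal, {principal})
        return users

    def approve(self, user, directory):
        """Record one approval; returns True once the step is complete."""
        if user not in self.effective_approvers(directory):
            raise PermissionError(f"{user} is not an approver on step {self.step!r}")
        self.approved_by.add(user)
        return len(self.approved_by) >= self.required


def open_ticket(step, approvers, required, directory):
    """Create the ticket, snapshotting the approver principals the way the UI does."""
    ticket = ApprovalTicket(step, frozenset(approvers), required)
    if not 1 <= required <= len(ticket.effective_approvers(directory)):
        raise ValueError("Required must be between 1 and the number of approvers")
    return ticket


if __name__ == "__main__":
    # "Any two of the group's three members" -> Required = 2
    t = open_ticket("Approval 1", ["CodeSigningApprovers"], 2, DIRECTORY)
    print(t.approve("alice", DIRECTORY))             # False: one of two approvals
    DIRECTORY["CodeSigningApprovers"].add("dave")    # group edited after ticket creation
    print(t.approve("dave", DIRECTORY))              # True: dave is now an effective approver
```

A Fixed step that lists individuals instead of a group keeps exactly those names on the ticket, so later directory changes cannot widen who may approve it.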
Limiting Web SDK access
Change Management Flows are invoked when an applicable change is submitted using the CodeSign Protect UI. Requests submitted directly using the Web SDK do not invoke Change Management Flows. Access to Web SDK endpoints is managed using OAuth scopes.
If Change Management Flows are configured differently than the default, be sure to review the scope assignments for OAuth access to ensure that users authorized to use the Web SDK have the proper scope assignments.
Creating and updating Environments requires the Codesign:Manage scope. Deleting Projects and Environments requires the Codesign:Delete scope.
For more information about OAuth scopes, see Auth REST for token management.
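An added audit helper (not Venafi's code) for the review described above: it flags OAuth grants whose scope carries the Codesign:Manage or Codesign:Delete privileges, since those callers can make flow-governed changes through the Web SDK without a Change Management Flow. The scope-string grammar (resource:priv,priv;resource:priv, case-insensitive) and the sample grants are assumptions constructed for the example:

```python
# Privileges on the codesign resource that let a Web SDK caller bypass the flows
FLOW_BYPASSING = {"manage": "create/edit Environments",
                  "delete": "delete Projects/Environments"}


def parse_scope(scope):
    """Parse e.g. 'codesign:manage,delete;configuration:read' into {resource: {privs}}.
    Assumed grammar modelled on the page's Codesign:Manage / Codesign:Delete examples."""
    grants = {}
    for part in scope.split(";"):
        part = part.strip()
        if not part:
            continue
        resource, _, privs = part.partition(":")
        grants.setdefault(resource.strip().lower(), set()).update(
            p.strip().lower() for p in privs.split(",") if p.strip())
    return grants


def flow_bypassing_privileges(scope):
    """Return the codesign privileges in this scope that sidestep Change Management Flows."""
    return parse_scope(scope).get("codesign", set()) & set(FLOW_BYPASSING)


def audit(token_grants):
    """Return (client, user, privileges) for every grant that needs review."""
    findings = []
    for g in token_grants:
        privs = flow_bypassing_privileges(g["scope"])
        if privs:
            findings.append((g["client"], g["user"], sorted(privs)))
    return findings


# Constructed sample grants, not real data
SAMPLE_GRANTS = [
    {"client": "ci-signer", "user": "svc-build", "scope": "codesign:manage"},
    {"client": "csp-ui", "user": "alice", "scope": "Codesign:Manage,Delete"},
    {"client": "reporting", "user": "bob", "scope": "codesign:read"},
]

if __name__ == "__main__":
    for client, user, privs in audit(SAMPLE_GRANTS):
        detail = ", ".join(f"{p} ({FLOW_BYPASSING[p]})" for p in privs)
        print(f"{client}/{user}: {detail}")
```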
Next steps
After the Flow is configured, Code Signing Administrators can assign it in the global code signing properties. See the "Default Flows" section in Set global code signing properties. This assignment is required for the Flow to be invoked.
After an approval Flow is assigned and invoked, the approvers identified in the Flow will be notified, and they will need to either approve or reject the request. See Approving or Rejecting a Project deletion request or Approving or rejecting changes to CodeSign Protect Environments, depending on the request type.