Configure Change Management Flows

Code Signing Change Management Flows allow Code Signing Administrators to use flows to enforce approvals for any of the following:

  • To delete a Project

  • To delete an Environment from a Project

  • To create a new Environment in a Project

  • To edit an existing Environment in a Project

Enforcing change management provides assurance that critical Projects and Environments and their accompanying keys can't be deleted or changed without approval.

There are three types of approvals available to add to your Change Management Flow.

  • Standard approvals allow you to select either the Project Owner or the Project Key Use Approvers as approvers. These roles are set in the Project configuration.

  • Fixed approvals are similar to Standard approvals, except that a named approver or group is identified rather than relying on the roles from the Project.

  • Administrator approvals allow you to require approval from Code Signing Administrators and/or Master Admins.

In addition, you can add a custom log event action to the flow.

Setting up a Change Management Flow

BEST PRACTICE  When an approval ticket is created, the Approvers are written to the ticket, and those Approvers are the only ones who can approve it.

Assigning groups as Approvers (rather than individuals) provides flexibility with who can approve the ticket. Group membership can be changed anytime. So if the Approvers are part of a group, and the group is assigned as the Approver, you then have the ability to manage the effective Approver list independent of the ticket itself.

In general, the more you can do with group assignments, the better.

  1. In Venafi Configuration Console, expand the Code Signing node.

  2. In the Custom Views node, click Add new Change Management Flow in the Actions Panel.

  3. Give the new Flow a name, and then click Create. The name will be used as both the Flow name and as the name of the first step in the Flow. The new Flow is added to the Custom Flows node and the Code Signing Flow configuration screen opens.

    1. In the Flow Summary Panel, click the step that you want to precede your approval step. For example, if you want to add a step after the "Approval 1" step, then click Approval 1.
    2. In the Actions Panel, click Standard. Give the approval action a name, and then click Create. The name you enter will be the name of the step in the Flow Summary Panel.
    3. (Optional) Enter a Description for this step. The description displays as part of the step in the Flow Summary Panel.

    4. From the Attribute drop-down, do one of the following:

      • Select either Key Use Approver or Owner, depending on which role you want to assign this approval step to.
      • Type in the Attribute value manually.

    5. Select the Required number of Approvers that must approve in order for this approval step to be complete.

      EXAMPLE  If you selected three approvers, or if you selected a group that has three members, and you want any two of those three to have to approve this request, then select 2.

    6. If you want to check to see if there is a policy setting for the Attribute value when this step is executed, check Use policy when reading attributes. If the Attribute value is set on the policy, it will use what is set on the policy rather than what is set on the object.
    7. Click OK.
    1. In the Flow Summary Panel, click the step that you want to precede your approval step. For example, if you want to add a step after the "Approval 1" step, then click Approval 1.
    2. In the Actions Panel, click Fixed. Give the approval action a name, and then click Create. The name you enter will be the name of the step in the Flow Summary Panel.
    3. (Optional) Enter a Description for this step. The description displays as part of the step in the Flow Summary Panel.
    4. Click the Approvers drop-down, and then search for the individuals or groups that you want to add as approvers. Use the arrow button to move the approvers from the Results box to the Selected box. Click Close. The approvers are added to the Approvers field.

    5. Select the Required number of Approvers that must approve in order for this approval step to be complete.

      EXAMPLE  If you selected three approvers, or if you selected a group that has three members, and you want any two of those three to have to approve this request, then select 2.

    6. Click OK.
    1. In the Flow Summary Panel, click the step that you want to precede your approval step. For example, if you want to add a step after the "Approval 1" step, then click Approval 1.
    2. In the Actions Panel, click Administrator. Give the approval action a name, and then click Create. The name you enter will be the name of the step in the Flow Summary Panel.
    3. (Optional) Enter a Description for this step. The description displays as part of the step in the Flow Summary Panel.
    4. From the Who Approves drop-down, select which types of administrators can approve.

    5. Select the Required number of Approvers that must approve in order for this approval step to be complete.

      EXAMPLE  If you selected three approvers, or if you selected a group that has three members, and you want any two of those three to have to approve this request, then select 2.

    6. Click OK.

    1. In the Flow Summary Panel, click the step that should precede the Log Event action.
    2. In the Actions Panel, click Log Event. Give the log event action a name, and then click Create. The name you enter will be the name of the step in the Flow Summary Panel.
    3. Complete the log event properties. Note that you can use either the drop-down selections or enter arbitrary text on the Text 1, Text 2, Value 1, Value 2, and Data fields.
    4. Click OK.

Next steps

After the flow is configured, Code Signing Administrators can now assign it in the global code signing properties. See the "Default Flows" section in Set global code signing properties. This is necessary for the Flows to be invoked.

After an approval Flow is assigned and invoked, the approvers identified in the Flow will be notified, and they will need to either approve or reject the request. See Approving or Rejecting a Project deletion request or Approving or rejecting changes to CodeSign Protect Environments, depending on the request type.