Automation Phase 2:Request Approval


#1

I am trying to trigger an email approval for a service request.

Like https://access.redhat.com/documentation/en-US/Red_Hat_CloudForms/3.1/html-single/Management_Engine_5.3_Lifecycle_and_Automation_Guide/index.html#Phase_2_Request_Approval
I set the values in the following file:
Infrastructure\VM\Provisioning\StateMachines\ProvisionRequestApproval\Default

But it seems that the real desicion point whether to auto-approve or to set status to pending and send an email to the approvers it in the folloing method:
Service / Provisioning / StateMachines / ServiceProvisionRequestApproval / validate_request
But the validate_request method is only a placeholder with no implementation.

I am missing something? Do I need to write ruby code to make use of the approver workflow?
Is there a simpler way of doing this using tags?

Thank you a lot for any inputs.


#2

@gmccullough can you review this question from @marioland and forward to a SME if necessary.


#3

Hi @marioland

You’re right, by default the provisioning workflow for VMs provisioned the ‘old fashioned’ way via Lifecycle -> Provision VMs includes an approval stage. The provisioning workflow for VMs provisioned through services still has an approval stage - and we’re free to customise it - but as you correctly state by default it auto-approves all service provisioning requests. If you need to customise this you’d need to add your own equivalent of the ProvisionRequestApproval state machine and associated methods.

I can see the logic behind auto-approval of services. By creating a service catalog we’re implicitly delegating a level of control and authority to our users, to allow them to create their own VMs via a self-service interface. This is very much the ‘cloudy’ way of working.

I’d almost certainly allocate quotas to my users/groups/tenants to ensure that they don’t consume all of my precious cloud or virtual infrastructure resources, but as long as they stay within quota, I probably wouldn’t want to manually approve individual service requests as well.

Hope this helps,
pemcg


#4

Hi @pemcg
Thanks for your reply. This answered the question.

If we take it one step further:
I would like to see some questions about data sensitivity and requested network security zone in the service request form. Based on that a manual approval can be neccesarry for compliance reasons.

cheers
mario


#5

ok, you have interesting use-cases here, and you may well need to implement your own approval workflow to satisfy your requirements.

It would be interesting to try to formalise what the approval criteria would be, and see if you can implement some kind of RBAC-like selective presentation of suitable options to your users in a dynamic dialog element (such as only presenting a reduced list of networks to users in certain groups).

pemcg