Skip to main content

What this is

Admin Action Approvals let you enforce a four-eyes rule on sensitive actions in the Dynamic Dashboard. When an owner enables approval mode for an organization, selected actions cannot take effect until a second admin or owner approves the request. This protects against mistakes and against a single compromised admin account making damaging changes unnoticed.

When to use it

  • Your organization has a compliance or audit requirement for dual control on security-sensitive changes.
  • You want a reviewable history of who approved or denied each sensitive action.
  • You want to reduce the blast radius of a single compromised admin session.

Which actions require approval

When approval mode is on, the following actions are queued for review instead of taking effect immediately:
  • Resetting a user’s MFA — removing MFA devices for a user in User Management.
More actions (for example, sensitive security settings changes) will be added to the approval workflow over time. All other dashboard actions are unaffected and continue to take effect immediately.

How to enable approval mode

Only organization owners can toggle approval mode. Admins can submit and review requests once it is enabled.
  1. Sign in to the Dynamic Dashboard as an owner.
  2. Go to Account & Settings → Security in the Admin Security page.
  3. Toggle on Require Approval for Sensitive Changes.
Approval mode toggle under Account & Settings → Security Once enabled, any submitter attempting an approvable action will see a notice that the action has been queued for review, and other admins and owners in the organization will be notified by email.

Submitting an action

When you take an approvable action while approval mode is on:
  1. Make the change as you normally would (for example, reset a user’s MFA from User Management).
  2. Instead of being applied immediately, the action is added to the Activity Queue with status Pending.
  3. All other admins and owners in the organization receive an email that a request needs their review.
  4. You cannot approve your own request. You will see Awaiting another admin next to your own pending items.
If the action is urgent and no other admin can review it, disable approval mode (owner only) to apply changes directly. Any pending requests are automatically expired when approval mode is turned off.

Reviewing requests in the Activity Queue

Admins and owners review pending requests in the Activity Queue.
  1. In the sidebar, open Activity Queue. A badge shows the number of pending items in the active environment.
  2. Each row shows the action, who submitted it, how long ago it was submitted, how much time is left before it expires, and its current status.
  3. Click Review on a pending item to open the review dialog.
Activity Queue with pending, approved, and denied admin action requests The review dialog shows the action, the submitter, and the expiry time, with Approve, Deny, and Cancel buttons and an optional note for the submitter. Review dialog for a pending MFA reset request Approving a request applies the change immediately — for example, the user’s MFA devices are removed. Denying a request takes no action and notifies the submitter, including any note the reviewer added.
The Activity Queue is scoped to the active environment. Switch environments in the top bar to see requests for a different environment.

Expiration

Pending requests expire 8 hours after they are submitted. Expired requests cannot be approved or denied; the submitter must resubmit the action. Turning off approval mode also expires any outstanding pending requests.

Email notifications

The approval workflow sends three notification types automatically:
  • Request created — sent to every admin and owner except the submitter, when a new pending request is created.
  • Request approved — sent to the submitter when another admin approves their request.
  • Request denied — sent to the submitter when another admin denies their request, including any note the reviewer provided.