I am trying to create a “peer review” functionality, but it is not working. My goal is: when a user submits a high risk action (like rebooting a server), that action sits idle until it is approved by a peer reviewer. So far, here is what I’ve done:
Set up a parameter input on a high risk action.
The action will ask the user to enter in a unique code (we could use a change # or similar). Then, the user targets his endpoints and submits the job. The “pause while” action code waits until the unique code is verified, by looking for the property that is set by the peer reviewer.
The peer reviewer looks at the action, then runs a task on the same targeted endpoints, setting the property to the same code from step one.
In theory, the endpoints would pick up the property, and then the high risk action will run. However, using the “pause while”, in step 1, causes the action to sit waiting, and those endpoints won’t run ANY other action until it gets out of the pause while.
So it doesn’t work.
Does anyone have any ideas for me, as another way to go about this? I have tried the “Four eyes” thing but that requires the peer reviewer to physically be at the same location as the person who is submitting the job. Plus, it is user based, instead of action based.
Since I am not sure of the exact process you are using, I will make a couple of suggestions:
If this is a custom fixlet that you are using, maybe look at using the Action Settings Locks on the fixlet. From there you can set up the default values you want for an action on a particular fixlet. To get at this, open the fixlet, click on the Actions tab, check the “Include action settings locks” and press the Edit button. From there, you can set the action options and even lock them so they cannot be changed.
If doing this in a baseline, you can do pretty much the same thing by checking the “Use custom action settings for this baseline” then clicking the “Set action settings”.
Is the somewhat hidden “Four Eyes” feature something that would solve your use case? You could then push out a high risk action using an account that requires approval. Then the second set of eyes approves or denies the action for release.
Hey bxk, yes we tried this option. This is user based. So you set up a user to be restricted, and they can’t run anything, unless someone physically comes over to his computer and types their un and pw. I like this for “trainees”, but there is no way for the user to submit the action, and then someone else release it. I hope IBM expands on this feature.
martin, I just tried that action lock and it worked!
I set up a new global property called “actionapprovecode”. Then, as a test, I set the action to not run unless “actionapprovecode” contains approved. So userA submits the job, then the job goes into a “constrained” holding mode. Then, UserB approves those clients to run the action, by running ANOTHER action called, “Approve clients”. This action has a parameter, where UserB can type “approved”.
So the test works. Now, I need to figure out a way to make this approval code be unique, so no two actions would ever have the same code. Ideally, UserA could type in a parameter key, like this: “The action you are about to take is dangerous and must be peer reviewed. Type in your peer review code now.” And then he gives that unique code to UserB, who uses it in the second action. “You are about to approve these clients for action. Enter approval code only after careful review”.
Or something like that. Thanks for your help so far, guys!