Four-Eyes Approvals

Four-eyes approvals

Four-eyes approval is a safety measure used to ensure important changes are checked by two people before they are carried out. This feature helps prevent mistakes and unauthorized changes by requiring four-eyes approval from two authorized users. By having two people review and approve decisions, organizations can improve security, reduce risks, and ensure that rules and guidelines are being followed. In the Atlar dashboard the organization can opt to enable four-eyes approvals on sensitive organizational settings, such as user management and changes to payment approval chains. However, note that the actual approval of a payment is not approved using ‘Four-eyes approvals’. Four-eyes approvals are applied to all types of changes to sensitive organizational settings, including creating, updating and deleting.

Change requests

When the Four-eyes approvals feature is enabled in the Atlar dashboard, any change to sensitive organizational settings will require four-eyes approvals. When a user for example creates a new role, invites new user(s) or modifies payment approval chain(s), a change request will be created before any changes are implemented. The change, as such, does not have an immediate effect. Another user needs to approve the change request for it to have effect.

For example, if a user wants to change a created role they would first need to have the correct permissions to perform this action (roles:read/update). When the user then modifies the role a change request is created. Another user with the same permissions (roles:read/update) would then be able to approve the change request, ultimately making the change go into effect.

How to set up four-eyes approval

  1. Navigate to Settings -> Organization
  2. Under Organization security, select what you want to enable four-eyes approval for. Note: changing the four-eyes approval settings will also require four-eyes approval, unless it’s the first time you enable it for your organization.
    1. Enable Organization four-eyes approval: this will enable four-eyes approvals for organization security settings, such as enabling/disabling four-eyes approval.
    2. Enable User Management four-eyes approval: this will enable four-eyes approvals for roles and users.
    3. Enable Approval Chains four-eyes approvals: this will enable four-eyes approvals when adding, editing and deleting approval chains.

How to create change requests

Change requests are automatically created when an operation is performed that requires four-eyes approval, for example when altering a role, inviting a new user or modifying a payment approval chain.

How to approve change requests

  1. Navigate to Settings -> Organization
  2. Click the Change requests tab
    1. Changes awaiting your approval can be found under My Approvals. To approve a change you can either approve it directly in the list, or open a specific change request to see more details about the change request before approving.
    2. Requested changes can be found under All Approvals. These cannot be approved by the user requesting the change, but are still visible to the creator of the change request.

Best practices

  • Atlar will require that at least two users approve changes if the four-eyes approval is enabled, but it's beneficial to have additional approvers to ensure coverage in case approvers are unavailable or leaves the company.
  • To ensure your organization is fully protected, it is recommended to enable four-eyes approval for all the features used within the organization.
  • It’s recommended to only invite each person once with a personal email address in order to reduce risks related to a person acting as multiple users.

How to recover from having too few users with approval permission

To ensure change requests can always be approved, it's important to have enough users with approval permissions in case someone is unavailable or leaves the company. If your organization has too few approvers, contact Atlar at [email protected] to manually disable the four-eyes approval requirement. This process includes a verification step to ensure that only authorized users regain approval access.