Approval Workflow Configuration

Overview

Approval workflow configuration allows you to customize how AI agent actions are routed for human review. Configure risk thresholds, assign approvers, set timeout policies, and create custom workflows tailored to your organization's security requirements.

All configurations are stored in PostgreSQL and persist across server restarts, providing enterprise-grade reliability.

Key Features

Database-Backed Configuration: All settings persisted in PostgreSQL
Real-Time Updates: Changes take effect immediately
Multi-Tenant Isolation: Configurations scoped to your organization
Audit Trail: All changes tracked with user and timestamp
CRUD Operations: Full create, read, update, delete support
Validation: Schema validation prevents invalid configurations

How It Works

Configuration Storage

+-------------------+
| Admin Console     |
| or API Request    |
+-------------------+
         |
         v
+-------------------+
| Validation Layer  |
| - Schema check    |
| - Permission check|
+-------------------+
         |
         v
+-------------------+
| PostgreSQL        |
| workflows table   |
| - organization_id |
| - workflow config |
+-------------------+
         |
         v
+-------------------+
| Workflow Engine   |
| (reads from DB)   |
+-------------------+

Workflow Table Schema

Column	Type	Description
`id`	string	Unique workflow identifier
`name`	string	Human-readable name
`description`	string	Workflow description
`organization_id`	integer	Tenant isolation
`risk_threshold_min`	integer	Minimum risk score (0-100)
`risk_threshold_max`	integer	Maximum risk score (0-100)
`approval_levels`	integer	Number of approval stages (1-5)
`approvers`	jsonb	List of approver emails
`timeout_hours`	integer	Hours before timeout
`escalation_minutes`	integer	Minutes before escalation
`emergency_override`	boolean	Allow emergency bypass
`is_active`	boolean	Workflow active status
`created_by`	string	Creator email
`modified_by`	string	Last modifier email
`last_modified`	timestamp	Last update time

Configuration

Get All Workflows

curl -X GET "https://api.ascend.ai/api/authorization/workflow-config" \
  -H "Authorization: Bearer $TOKEN"

Response:

{
  "workflows": {
    "risk_90_100": {
      "name": "Critical Risk (90-100)",
      "risk_threshold_min": 90,
      "risk_threshold_max": 100,
      "approval_levels": 3,
      "approvers": ["security@company.com", "senior@company.com", "executive@company.com"],
      "timeout_hours": 2,
      "emergency_override": true,
      "escalation_minutes": 30,
      "is_active": true,
      "modified_by": "admin@company.com",
      "last_modified": "2026-01-15T10:30:00Z"
    }
  },
  "total_workflows": 4,
  "storage_type": "database"
}

Get Single Workflow

curl -X GET "https://api.ascend.ai/api/authorization/workflow-config/risk_70_89" \
  -H "Authorization: Bearer $TOKEN"

Update Workflow Configuration

curl -X POST "https://api.ascend.ai/api/authorization/workflow-config" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "workflow_id": "risk_70_89",
    "updates": {
      "timeout_hours": 6,
      "approval_levels": 3,
      "approvers": ["security@company.com", "senior@company.com", "ciso@company.com"]
    }
  }'

Response:

{
  "message": "Workflow configuration updated successfully",
  "workflow_id": "risk_70_89",
  "updated_fields": ["timeout_hours", "approval_levels", "approvers"],
  "modified_by": "admin@company.com",
  "timestamp": "2026-01-20T14:30:00Z",
  "storage_type": "database"
}

Create New Workflow

curl -X POST "https://api.ascend.ai/api/authorization/workflow-config/create" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "id": "pci_data_access",
    "name": "PCI Data Access Workflow",
    "risk_threshold_min": 0,
    "risk_threshold_max": 100,
    "approval_levels": 2,
    "approvers": ["compliance@company.com", "security@company.com"],
    "timeout_hours": 4,
    "emergency_override": false,
    "escalation_minutes": 60
  }'

Delete (Deactivate) Workflow

curl -X DELETE "https://api.ascend.ai/api/authorization/workflow-config/pci_data_access" \
  -H "Authorization: Bearer $TOKEN"

Note: Workflows are soft-deleted (set to inactive) to preserve audit trails.

Usage Examples

Example 1: Configure Approvers

Update the approver list for high-risk actions:

curl -X POST "https://api.ascend.ai/api/authorization/workflow-config" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "workflow_id": "risk_70_89",
    "updates": {
      "approvers": [
        "security-team@company.com",
        "engineering-lead@company.com",
        "devops-oncall@company.com"
      ]
    }
  }'

Example 2: Adjust Risk Thresholds

Expand the medium-risk range to include scores 40-69:

curl -X POST "https://api.ascend.ai/api/authorization/workflow-config" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "workflow_id": "risk_50_69",
    "updates": {
      "name": "Medium Risk (40-69)",
      "risk_threshold_min": 40,
      "risk_threshold_max": 69
    }
  }'

Example 3: Create Department-Specific Workflow

Create a workflow for finance department actions:

curl -X POST "https://api.ascend.ai/api/authorization/workflow-config/create" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "id": "finance_sensitive",
    "name": "Finance Sensitive Operations",
    "risk_threshold_min": 30,
    "risk_threshold_max": 100,
    "approval_levels": 2,
    "approvers": ["finance-security@company.com", "cfo@company.com"],
    "timeout_hours": 2,
    "emergency_override": true,
    "escalation_minutes": 30
  }'

Example 4: Enable Emergency Override

Enable emergency override for a workflow:

curl -X POST "https://api.ascend.ai/api/authorization/workflow-config" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "workflow_id": "risk_70_89",
    "updates": {
      "emergency_override": true
    }
  }'

Updateable Fields

Field	Type	Valid Range	Description
`name`	string	-	Workflow display name
`description`	string	-	Detailed description
`risk_threshold_min`	integer	0-100	Minimum risk score
`risk_threshold_max`	integer	0-100	Maximum risk score
`approval_levels`	integer	1-5	Number of approval stages
`approvers`	array	-	List of approver emails
`timeout_hours`	integer	1+	Hours before timeout
`escalation_minutes`	integer	0+	Minutes before escalation
`emergency_override`	boolean	-	Allow emergency bypass
`is_active`	boolean	-	Enable/disable workflow

Validation Rules

Risk Thresholds: risk_threshold_min must be less than risk_threshold_max
Approval Levels: Must be between 1 and 5
Approvers: Must have at least as many approvers as approval levels
Timeout: Must be at least 1 hour
Workflow ID: Must be unique within organization

Best Practices

Start Conservative: Begin with higher approval levels and reduce as you gain confidence
Use Distribution Lists: Use team email aliases rather than individual emails
Plan for Absences: Include backup approvers in the list
Document Changes: Add descriptions explaining why configurations were modified
Test in Staging: Validate workflow changes before applying to production
Monitor SLAs: Track approval times and adjust timeouts accordingly

Approval Workflows Overview - Understanding workflows
Multi-Stage Approvals - Configuring approval chains
SLA and Escalation - Timeout management
Emergency Override - Expedited approvals

Overview​

Key Features​

How It Works​

Configuration Storage​

Workflow Table Schema​

Configuration​

Get All Workflows​

Get Single Workflow​

Update Workflow Configuration​

Create New Workflow​

Delete (Deactivate) Workflow​

Usage Examples​

Example 1: Configure Approvers​

Example 2: Adjust Risk Thresholds​

Example 3: Create Department-Specific Workflow​

Example 4: Enable Emergency Override​

Updateable Fields​

Validation Rules​

Best Practices​

Related​