Using Email to Approve or Reject Requests
PAM email approval response allows users to approve or reject workflow access requests by simply replying to the Approval request email received after the access request is submitted for approval.
This allows Approvers to approve or reject records without logging in to the System.
Enable the Approval by Email Feature
- Log in to PAM with a System Administrator account. Only System Administrators can configure, enable and disable this feature.
- Navigate to Administration > Settings > Mail Server, add a value for each of the following parameters, and Save when completed:
  - IMAP Port: enter your IMAP port. Default value is 993.
  - IMAP Folder: enter the name of an existing folder, in the mailbox of the email address specified in the Login field, where the approval reply emails will be delivered. For example, if the approval email replies are delivered to the default Inbox, enter the value Inbox. If these emails are automatically moved to another existing folder or sub-folder, enter the path like Inbox/PAM Workflow Approvals.

  The IMAP Folder defined is the folder that the System will monitor for access request email responses. All approval emails that Approvers reply to must end up in this folder, or else they will not be found. If you define a location other than the default Inbox, ensure you have created the necessary rules in the mailbox or email server to automatically move these emails to this folder or sub-folder.

  We recommend using a dedicated email address for Mail Server integration and Approve by Email functionality so as not to interfere with personal email usage. Email folders that contain a large number of emails can decrease the performance of the PAM processing service; therefore PAM deletes access request responses after they are processed.
- Navigate to Administration > Settings > Parameters and locate the parameter Approve by Mail. Change this setting to Enabled then click its Save button to enable this feature.
Email Responding to Access Requests
Responding to Access Requests through Email Replies.
When an access request has been submitted for approval, the Approver(s) will receive a notification to their email address.
Once received, the Approver can respond to the access request by simply replying to that original request email notification.
When responding to an access request, the first line of the email body needs to contain one of the following case-insensitive words:

| To Approve the Access Request | To Reject the Access Request |
| --- | --- |
| Yes | No |
| Approve | Reject |
| Approved | Rejected |
| Ok | {Anything other than the listed Approve words will also reject} |

You can add custom Approval keywords to PAM by navigating to Administration > Settings > Parameters > Approve by Mail Keywords.
Add additional keywords to this comma separated list that can be used to Approve workflow requests using email replies.
Please note that this list holds Approval keywords only: any keyword that is not designated for Approval in this list is automatically detected as a Rejection.
Access Request Email Response
Notes for consideration about the Access Request Email Response.
- Approvers can use standard desktop email clients or mobile email apps and respond to the approval request email by sending a reply with the above words, without requiring the Approver to first login to PAM.
- The Approver must reply using the same email address that received the email approval request.
- All words contained in the first line of the email body may be included in the Reason field for the Approval or Rejection action.
- Any words contained in the first line of the email body that are not one of the above Approval words will be detected as a Rejection response.
- Periods or other punctuation marks are allowed at the end of the word.
- Approvers can go to their Requests for Approval Management page in PAM by clicking the link provided in the request access email.
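
The reply-matching rules listed above, written out as an added Python example (this is not PAM's own code): it shows that the decision fails closed, so only a listed approval word from the approver's own address approves. Assumptions: the function names, the sample addresses and messages are constructed; the first word of the first non-empty body line is taken as the decision word; a reply from a different address is ignored.

```python
import email
from email import policy
from email.utils import parseaddr

# Approval words from the table on this page; custom words would come from
# the comma separated "Approve by Mail Keywords" parameter.
DEFAULT_KEYWORDS = "yes,approve,approved,ok"


def classify_reply(raw_message, approver_address, keywords=DEFAULT_KEYWORDS):
    """Return (decision, reason); decision is 'approve', 'reject' or 'ignore'."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    # The reply must come from the address that received the request.
    # Assumption: a reply from any other address is ignored, not counted.
    if sender != approver_address.lower():
        return ("ignore", "sender is not the approver")
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    # Assumption: "first line" means the first non-empty line of the body.
    first_line = next((ln.strip() for ln in body.splitlines() if ln.strip()), "")
    approve_words = {k.strip().lower() for k in keywords.split(",") if k.strip()}
    # Assumption: the first word decides, with trailing punctuation removed.
    tokens = first_line.split()
    word = tokens[0].rstrip(".,;:!?").lower() if tokens else ""
    # Fail closed: anything that is not an approval word is a rejection.
    decision = "approve" if word in approve_words else "reject"
    return (decision, first_line)


def sample_reply(sender, first_line):
    """Build a constructed reply message for the demonstration below."""
    return (f"From: {sender}\nTo: pam-approvals@example.com\n"
            "Subject: Re: Access request\n\n"
            f"{first_line}\n\n> quoted original request text\n")


if __name__ == "__main__":
    approver = "alice@example.com"  # constructed address
    for sender, line in [
        ("Alice <alice@example.com>", "Approved."),
        ("Alice <alice@example.com>", "OK, go ahead"),
        ("Alice <alice@example.com>", "Not approved, wrong system"),
        ("bob@example.net", "Yes"),
    ]:
        print(line, "->", classify_reply(sample_reply(sender, line), approver))
```
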
Access Request Email Process
Notes for consideration about the Access Request Email Process.
- When the access request response email is sent, it will be delivered to the email address in the Mail Server configuration Login account and must arrive in the folder defined in the Mail Server configuration IMAP Folder.
- The Approve by Email feature has to be Enabled in PAM by a System Administrator.
- The Audit Message for the Event Workflow Step Approved will include the value By email to indicate this was approved or rejected by an email response.
Troubleshooting: Emails not Coming
If the Workflow emails are not coming through:
- Ensure that the User is subscribed to the needed alerts here: Management > My Profile > Subscriptions.
- Restart the PamManagement service (Windows) or the pammanager service (Linux) on all PAM Node(s). This has been seen to rectify issues with stuck notifications or large queues.
- Update to the latest PAM version as notification or mail queue fixes may be needed.