5 Ways to Spice Up Your Workflows with Wait for Approval

By Devin Domingo
While BetterCloud has been many IT admins’ go-to solution for automating onboarding and offboarding, what happens when a process-as-written requires some input from an end user, a manager, HR, or another internal stakeholder?
Perhaps you need a manager to approve a Google Drive transfer, or an HR manager to approve a G Suite account deletion after a legal hold period. Or maybe you need to establish a check-in with the security team to approve a tightening of file permissions whenever a credit card is found in a file. With BetterCloud’s Wait for Approval action, you can now request an approval or rejection from a user within your directory to run the remainder of your workflow.
We’ll highlight the mechanics of the action as well as five high-value use cases where you can use Wait for Approval, plus step-by-step instructions on how to set these up.
How does Wait for Approval work?
In Create Workflow within the Library for “Then” actions, nested under “BetterCloud” you will find “Wait for Approval”:

Once in your workflow, you will be asked to set up the following properties of the Wait for Approval action:
- (Optional) Enable stop and skip when this action is in progress: When enabled, a BetterCloud admin will have the ability to override the approver within Workflow Manager and stop the workflow.
- Approver: Any user account with a valid email that’s been ingested into BetterCloud can be designated as an approver. Alternatively, you can use the dynamic field selector to specify the user or user’s manager that triggered the WHEN/IF statement at the start of your workflow.
- Subject: Wait for Approval will send an email to the approver’s email with the subject line text configured. You can use the dynamic field selector to add references to the user’s name, email, or other profile information that may be relevant.
- Body: Here you can compose a message detailing the actions the workflow will take when the approver approves the workflow. You can also use the dynamic field selector to reference the user’s name, email, and other relevant profile fields.
- Strongly Recommended: Enable Workflow Notifications. If a Wait for Approval action is rejected by the approver, it is strongly recommended a workflow notification go to your BetterCloud admin’s email address. That way, both the approval and rejection are logged outside of BetterCloud and can be followed up if the rejection notification requires any manual intervention from the BetterCloud admin.

Once Wait for Approval is built into your workflow and the step triggers, the approver will receive an email that looks like this:

When the approver clicks “Approve Action,” the Wait for Approval will pass its step and continue to the next step in the workflow. Should the approver “Decline Approval,” the workflow will terminate with a status of “Stopped” and prevent all subsequent steps from running — not only the next action. Additionally, if a user fails to respond within 30 days, the workflow will stop. If this occurs, we recommend running the workflow on demand with your “Wait for Approval” and subsequent steps only.
Use case #1: Manager approves G Suite asset transfers (Drive, Calendars, email forwarding)
Chances are, when you offboard a user, you have a long list of items you need to do, like transferring their Google Drive files and primary calendar invites to their manager and enabling email forwarding. But to enhance your process, your managers can request whether they would like an offboarded user’s assets.
If you want your managers to accept asset transfers, you can run a workflow in parallel to your standard offboarding workflow by adding that user to a “Transfer Approval” group built specifically by your G Suite administrator.
To achieve this without a rejection causing critical steps in the workflow to fail (e.g., Wait for Approval for a legal hold or Delete User steps for your integrations), you can make a parallel workflow occur by adding a user to a group or OU as a workflow step that represents the data transfer process. Here’s an example of what this could look like.
Let’s say you have an offboarding workflow that contains the following steps:

Let’s focus specifically on steps 8, 9, and 10 where we automatically transfer the user’s Google Drive files and calendars and enable email forwarding from the user’s inbox to the manager.

If I put a Wait for Approval action that asks the manager before these steps, I run the risk of the manager saying “no,” meaning my workflow will then not automatically run other vital steps such as revoking the user’s Intercom SSO token, disabling the Slack user, entering my legal hold period, and ultimately deleting the user’s accounts — leaving the IT team open to security risks.
To mitigate this risk, I can run my “Wait for Approval” as a parallel workflow to my main offboarding workflow by either adding the user to a G Suite group or OU called “Data Transfer Process” and removing the transfer steps from my original offboarding workflow.

Now that I have a “processing group” (or OU) in my workflow that will be responsible for handling the user’s data, I will next need to build a parallel workflow. I named this parallel workflow “Transfer to Manager Process” and started the process with a WHEN/IF a user is added to my “Data Transfer Process” group.

Next, structure your workflow’s THEN steps with the following elements:
- G Suite: Remove from Group. This is to remove the user from the “Data Processing Group” to keep membership clean.
- Wait for Approval: See below for a walkthrough
- All data transfer steps across your connectors — some ideas here are:
G Suite: Transfer Drive Files
G Suite: Transfer Primary Calendar Events
G Suite: Transfer Group Ownership
G Suite: Transfer Sites
- Office 365: Copy User’s OneDrive Files and Folders to Recipient (you can create a similar WHEN/IF statement with O365 user groups with a WHEN/IF O365: user is Added to Group, IF: Group)
- Email Notifications: On. This notifies IT of any response to the approval — even rejection responses. This way, IT knows the offboarded user’s data is at rest, so data can be moved to a system account later.

Building the Wait for Approval step
- (Optional) Enable Stop/Skip when this action is in progress: This will allow your BetterCloud admins to stop/skip the workflow regardless of approver response (or lack of response if they miss the email), giving you more administrative control.
- Approver: You can dynamically fill this with the user’s manager email OR a named service account.
- Subject: Give a descriptive call to action for the manager or service account owner to accept the offboarded user’s files.
- Body: Give the approver instructions on what happens when they approve the file transfer, which can include dynamic fields from the user’s G Suite profile to further personalize the email notification.

With parallel workflows and Wait for Approval, BetterCloud provides more control over an employee’s offboarding, giving IT visibility into their assets and approval decisions made by managers.
Use case #2: HR approves account deletions
In some industries like technology or media, there aren’t many specific regulations about data retention that would prevent IT administrators from deleting their user’s SaaS accounts during offboarding.
However, IT sometimes lacks visibility into extended legal holds that someone from HR or Legal may want to enforce, which usually results in a manual coordination of account deletions. With “Wait for Duration,” many BetterCloud administrators include this step before offboarding workflow actions like “G Suite: Delete User” to represent their legal hold of 30/60/90 days. By including a “Wait for Approval” that sends a request to a HR or legal representative to delete the user’s SaaS accounts, you can automatically complete this typically manual step.
Building the Wait for Approval step

Simply insert a “Wait for Approval” step after your “Wait for Duration” step, with your approver set to your HR/legal representative. BetterCloud requires the approver to have a valid user account in either G Suite or O365, but you can easily send approvals to a group by including a forwarding rule that will forward messages from “notifications@bettercloud.com” that contain your subject/body text. We also highly recommend enabling a workflow notification so that rejections by HR and Legal can be sent to the helpdesk for future reference.
Use case #3: Security approves file permission changes after finding overextended file permissions or exposed sensitive data
For security administrators who have configured alerts like “Sensitive Data Scanned” for G Suite, Slack, Box, Dropbox, or “Files Shared Publicly” for G Suite, Slack, Box, or Dropbox, they may want to review the file metadata before remediating the exposed file.
With Wait for Approval, a BetterCloud admin can send a notification of the exposure to a security administrator with file metadata details, as well as a request to approve or deny the removal of a public share and external collaborators. A BetterCloud administrator on our Pro and higher tiers can take advantage of this semi-automated workflow below:
Building the Wait for Approval step

For assistance setting up a Sensitive Data Scanned alert for Box, Dropbox, Slack, or G Suite, please refer to our Help Center article. For assistance on setting up a public sharing alert for a file in G Suite, Box, Dropbox, or Slack, please refer to this Help Center article.
Once your custom alert is configured, you can select it as your WHEN statement to trigger your workflow. For your THEN steps, start with a Wait for Approval, designating your security team representative as your approver. You can then populate the body using dynamic fields that include the file’s name, path, owner, and a timestamp to document the security incident. After the Wait for Approval, you can use actions in the respective SaaS storage application like “Remove All External Collaborators” to remove any explicit external domain sign-ins to that file and “Remove Sharing Link”/“Set File Sharing Settings” to remove a public link and make the file private.
Rinse and repeat the above procedure for all the SaaS storage solutions you’d like to establish notifications and approvals for to reduce file exposure risk.
Use case #4: IT management approves an offboarding initiated by helpdesk before BetterCloud executes the workflow
This use case is especially useful for organizations that have Tier 2 or systems teams that create BetterCloud workflows but orchestrate offboardings through Tier 1 helpdesk staff. By putting a Wait for Approval step at the start of your offboarding workflow, you can rest assured that the workflow cannot accidentally trigger.
Your system administrators or IT management staff can approve an offboarding (or any workflow for that matter) before any action steps kick off. By reducing the amount of helpdesk staff within BetterCloud, Wait for Approvals at the start of workflows can help enforce the least privilege model across the IT organization.
For example, the start of your offboarding workflow may be WHEN A User’s Org Unit Changes, IF Org Unit is Deprovisioning. If your helpdesk has the ability to move user G Suite org units without having access to BetterCloud, you would want an additional layer of administrator security should a helpdesk G Suite administrator unintentionally move a user to the deprovisioning OU.
Building the Wait for Approval step

The WHEN/IF in this workflow is assumed to be something that helpdesk has privileges to do but requires approval from a level 2 approver (e.g., adding a user to a deprovisioning org unit in G Suite admin console). Simply add the Wait for Approval as a first step, with the approver being the level 2 IT manager or sysadmin who would be able to approve or deny the workflow from running. This will protect your end user experience and make your helpdesk staff less prone to human error or insider threats.
Use case #5: Manager or IT staff approves account provisioning for onboarding per security hold or probationary new hire period
Similar to the use case above, BetterCloud can request approval from a new user’s manager or IT staff before the rest of a user’s provisioning continues. If new employees enter into a probationary period on hire for security reasons, with a combination of Wait for Duration and Wait for Approval, you can prevent a user from being added to their necessary security groups and other SaaS applications until that user has passed their probationary/security risk period.

Building the Wait for Approval step
Here’s a workflow example for onboarding sales development employees. The BetterCloud administrator has broken out the initial accounts that are approved for the employee on day one, built in a Wait for Duration for 60 days to represent the probationary period, and included a Wait for Approval set dynamically to the user’s manager to approve once the employee has passed their probationary hold.
After the approval step, the workflow proceeds with employee provisioning of more secure accounts and distributions, such as granting them access to their assigned project in Asana, creating an Atlassian account and assigning them to a Bitbucket provisioning group, adding them to LastPass and their associated password groups, and assigning them to their secure Box groups. The admin also adds a workflow notification to be informed of the manager’s response to the approval. Our sales development new hires should have what they need to be functional for their first day and their managers will be systematically reminded to approve their access to their remaining applications post-60 days of employment.
Through the power of Wait for Approval, BetterCloud admins can now put much needed pauses in workflows to gain approval from non-BetterCloud users such as helpdesk staff, team managers, HR, legal, and more. Pair any of these use cases with our latest release of Integration Center, and BetterCloud admins have more power than ever to orchestrate their SaaS operations.
