Cloud Change approval process
This content applies only to Pega Cloud environments
Triggering the Approval process
The security contact approval process for all Significant Production changes has now been embedded within Pega Support itself.
Change request cases are requested by Cloud Specialist. If as a cloud specialist, you also have the Security Contact role, then the Security Contact Approval process is not triggered, as approval is deemed to be received.
However, if you are not a Security Contact, we need to obtain an approval from any one of the identified Security contact(s) on your account before submitting your request to the support team.
Selecting a Security contact
Whilst creating a Significant production CC case you will be asked to obtain approval in the Security approval section of the Communication Preferences step.
There are 2 ways to provide approval i.e.
- The default: by requesting one or more security contacts to provide their approval (Select a security contact and Pega will send that Security contacts an email requesting them to access MSP to provide the relevant approval.)
- Alternatively, by attaching an approval email from the security contact, to the CC, as you create it.
During the CC case creation process, on the Communication preferences screen, you will be presented with the Security approval section in the following circumstances:
- You are creating a Significant Production Cloud change request
- And you are not a Security contact.
- Or it is not a case which is auto created by Pega.
The following message is displayed:
"In order to process this significant production cloud change request, a security contact must provide approval.
Do you have an approval email from a security contact?"
By default, option No is selected.
With No selected, you must click the Add security contact link to select a security contact from the Select security contact to request approval table. i.e., Select the relevant Security contact from the picklist, who can provide the approval. For example, a security contact associated with the environment concerned.
Note: Multiple Security contacts can be selected, as required.
If Yes is selected, you will be presented with a dropdown list with the names of the security contacts affiliated to the account. Pick the name of the security contact who provided the email approval. Then use the Upload button to upload the email approval to the case.
On submit, system skips approval process and move to Pending-Triage.
No Security contacts
If there are no security contacts available on the account, the requestor will be presented with the following message:
"There is no Security contact available for this account, please reach out to account administrator to have this role filled in order to approve change"
Once a Security contact is selected
- The CC support case will change to New-PendingSecurityApproval status.
- An approval email will be sent to the selected Security Contact containing a link to the case in MSP. e.g.
'This cloud change requires Security contact approval. You have been nominated to approve this case. Please access <link to case, show case ID> via My Support Portal to review.'
- A pulse post is also added to the cases with the following text:
'Cloud Change (Case ID: Title) : This change is waiting on approval from the following, authorized security contacts:
(A list of the selected security contacts is provided)
- An email notification is sent to all parties on the case:
'Cloud Change <Case ID>: This change is waiting on approval from the following, authorized security contact:
(A list of the selected security contacts is provided)
- On receiving the email notification, the Security Contact, can approve or reject the CC from My Support Portal. Upon clicking the case link in email, it opens the case for security contact as below. Security contact can approve / reject after clicking on Start button.
- Alternatively, any other Security Contact, on the account, can approve or reject the CC in MSP also. E.g. If a security contact, on the account selects the case from the Home page, (instead of clicking the link in the email) it will open with the Approval screen displayed.
- Note: GCS/SRT engineers are not able to see CC's created by the client whilst they are in New-PendingSecurityApproval status. GCS/SRT engineers are able to approve CC's from Interaction portal - only if they have created the CC themselves.
- The approval screen shows the list of the CC tasks, with Approve / Reject buttons at the bottom and a mandatory Note field, for the approver to provide a note.
- If any other user (without the Security Contact role) opens the case, it will open in the normal review harness:
- An additional local action is available on the CC case, to enable the requestor to select another security contact whilst in New-PendingSecurityApproval status. With this action the requestor can request approval from another Security Contact, if their original choice is unavailable e.g. Actions> Request security approval:
The following popup window is displayed:
Whilst awaiting approval
- The CC case remains with the requestor.
- For requestor, and any Security Contact affiliated to the account, the CC case will be displayed in Cases needing my action, All cases, My Open cases , All open cases lists in My Support Portal.
- Whilst in New-PendingSecurityApproval, requestor cannot edit the case.
- Likewise, Security contacts can see the details in assignment as read only. Only the approver Note field is editable.
- Pulse is also available to post messages.
Approval / Rejection
- Once approval is received from security contact, case is moved to either New-PendingDateVerification (see below for details) or Pending-Triage.
- A Pulse post is added: 'This change has been approved by the Security Contact, <Name>, with the following comment:
- An Email Notification is sent to the parties on the case advising: 'This change has been approved by the Security Contact, <Name>, with the following comment: <Comments:...>'
- If the security contact rejects the case, it is moved to Resolved-Rejected and cannot be reopened.
- A pulse post is added to the CC case to confirm closure: 'This change has been rejected by the Security Contact, <Name>, with the following comment: <Comments:...>'
- An Email Notification is sent to the parties on the case advising them of case closure: 'This change has been rejected by the Security Contact, <Name>, with the following comment: <Comments:...>'
- If no approval is forthcoming, cases can only remain in a New-PendingSecurityApproval state for 30 days before being resolved automatically. The status is then updated to Resolved-PendingSecurityApproval'
- A pulse post is added to the CC case to confirm closure: 'Case automatically withdrawn for no action after 30 days from last update’
- An Email Notification is sent to the CC Requestor advising them of case closure: 'Case automatically withdrawn for no action after 30 days from last update'
Revalidate Date / Time
After the approval is received, the system will revalidate the scheduled start date to verify:
- If case falls under 2 hours to schedule start time.
- If case schedule start time is in the past.
- If emergency justification not provided earlier but since approval delayed, case schedule start time is within suggested schedule time and hence emergency justification needed.
During this process the case status is ‘New-PendingDateVerification’.
Regardless of the scenario, the approver can still approve the CC case, but the case remains assigned to the CC requester to update the scheduled date or provide the relevant business justification.
The following message is shown: "This Change has now been authorized by your security contact. However, the dates provided are no longer compliant with the date parameter. Please review the schedule and re-submit. This Change will not be required to be approved again.
This message is added to the case as a pulse post and the parties to the case are notified by email.
When the case is opened, this message is also displayed on the top of the screen. MSP should suggest a suitable schedule.
Similarly, if the planned schedule date means that the CC has moved from being ‘Normal’ to ‘Emergency’ the approver can still approve the CC case, but the CC case remains assigned to the CC requester to either update the date or provide the business justification for an Emergency CC….
After the requestor updates the start date and time the case status moves directly to the Triage stage, since the case is already approved. As such it is routed to the frontline team for initial triage.
The case will be auto resolved (Resolved-PendingDateVerification) after 30 days if the date is not amended appropriately.
The details tab now has a Security approval section to reflect who provided the approval.
This is the view for a case where the cloud specialist is also a security contact:
Where the Security approval is provided via My Support portal the Security Approval section will look as follows:
Where the Security approval is provided via an email attachment the Security Approval section will look as follows:
If the CC is rejected the details tab will display the following: