Jump to content

External Authorisation - Confirmation of user

Recommended Posts

When you use the External Authorisation node, when these are authorised/rejected there is no link or confirmation of who did this authorisation.

We have found that the authorisation email can be sent to anyone and forwarded etc, so we don't know who really said Yes/No would it be possible to grab the email address that clicked the link to add to the request as an outcome of the node (as part of the URL link)?

Link to comment
Share on other sites

25 minutes ago, Jeremy said:

the authorisation email can be sent to anyone

It is sent to the email provided in the node. I would (like to) think the workflow designer will not just put any address in there? 

26 minutes ago, Jeremy said:

the authorisation email can be sent to anyone and forwarded

You would still know where the email was sent originally. If forwarding is an issue, you could question the forward with the respective person?

Link to comment
Share on other sites

Just now, Victor said:

If forwarding is an issue, you could question the forward with the respective person?

But as you don't know who actually completed the authorisation, you have no idea if the original email was forwarded or not, that is our issue.

We would have to assume that the original person was the authorisor, as we cannot say 100% who the authorisor was. This potentially leaves us open to questions if auditing requests.

Link to comment
Share on other sites


Unfortunately no, this is very email client dependant, and generally because of security there is no way for us to get the email address from within the mail client.   There are two authorisation schemes available on the Hornbill platform.   

External Authorisations - these work like most typical built-in authorisation implementations, the audit trail relies on the fact that the system sends an email with a link containing an unguessable one-time-use token, when the user clicks the link it takes them to a page to do the approval.  The verifiability relies on the fact that the recipient DOES NOT simply forward this on but acts on it accordingly, you rightly identify that if your user does forward that on to someone else, or if you try to do things like distribute the authorisation request to an email group, you essentially loose audit-ability.  This scheme is included with all subscription levels and allows you to have an unlimited number of authorisers in use on the Hornbill platform without them needing any form of subscription - these are what we generically refer to as "free authorisers"

Advanced User Authorisations - this is a significantly extended authorisation capability, with these types of authorisations there is built in support for majority, master and weighted group authorisations, custom forms, custom outcomes, mandatory and optional addtional fields and a whole host of other features that make Hornbill's BPM very powerful orchestration tool. However, any user doing authorisations using the advanced user authorisations is REQUIRED to be authenticated on the Hornbill platform. This does mean, that from an audit perspective, every authorisation decision made is audited and is traceable to individual users.  In order to use this though, each user who will "authorise" stuff needs to be a Hornbill Platform/Authorisation User which requires a user subscription, a subscription to the platform authoriser user - not to service manager its self.  

Basically External Authorisations are provided and are functionally equivalent to how most of the service desks and other similar workflow systems work. Advanced User Authorisations are provided as a significantly extended enterprise-level capability for companies that need more flexibility, customisability and especially audit traceability when handling authorisations. Typically in IT-type workloads, External Authorisations are more than sufficient, the general audit requirements are not that stringent.  But, when dealing with security, audit, PII and other regulated data/workflows, then the more professional-level Authorisation Scheme is often required, this is where ESM type requirements often come into play and what AUA's were built for. 

Hope that helps. 


  • Like 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...