Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.dynamic.xyz/docs/llms.txt

Use this file to discover all available pages before exploring further.

What this is

Admin Action Approvals let you enforce a four-eyes rule on sensitive actions in the Dynamic Dashboard. When an owner enables approval mode for an organization, selected actions cannot take effect until a second admin or owner approves the request. This protects against mistakes and against a single compromised admin account making damaging changes unnoticed.

When to use it

  • Your organization has a compliance or audit requirement for dual control on security-sensitive changes.
  • You want a reviewable history of who approved or denied each sensitive action.
  • You want to reduce the blast radius of a single compromised admin session.

Which actions require approval

When approval mode is on, the following actions are queued for review instead of taking effect immediately:
  • Resetting a user’s MFA — removing MFA devices for a user in User Management.
More actions (for example, sensitive security settings changes) will be added to the approval workflow over time. All other dashboard actions are unaffected and continue to take effect immediately.

How to enable approval mode

Only organization owners can toggle approval mode and change the required-approvals count. Admins can submit and review requests once it is enabled.
  1. Sign in to the Dynamic Dashboard as an owner.
  2. Go to Account & Settings → Security in the Admin Security page.
  3. Toggle on Require Approval for Sensitive Changes.
  4. Set Required approvals to the number of distinct admins or owners that must approve before the action takes effect. The default is 1.
Approval mode toggle under Account & Settings → Security Once enabled, any submitter attempting an approvable action will see a notice that the action has been queued for review, and other admins and owners in the organization will be notified by email.

Required approvals (quorum)

The Required approvals field lets you require more than one admin to sign off on a request. The submitter cannot approve their own request, so the upper bound is the total number of owners and admins in your organization, minus one. If you have 4 admins, the highest value you can set is 3. The dashboard shows the current cap as helper text below the input.
  • Any single denial rejects the request immediately — the workflow does not wait for the remaining admins to vote.
  • The threshold is snapshotted at the moment a request is submitted. Changing the setting later does not affect in-flight requests.
  • If the threshold is set higher than the current approver pool can satisfy, new requests will be rejected at save time. Existing pending requests keep their snapshot and may expire if they can no longer reach quorum.

Submitting an action

When you take an approvable action while approval mode is on:
  1. Make the change as you normally would (for example, reset a user’s MFA from User Management).
  2. Instead of being applied immediately, the action is added to the Activity Queue with status Pending.
  3. All other admins and owners in the organization receive an email that a request needs their review.
  4. You cannot approve your own request. You will see Awaiting another admin next to your own pending items.
If the action is urgent and no other admin can review it, disable approval mode (owner only) to apply changes directly. Any pending requests are automatically expired when approval mode is turned off.

Reviewing requests in the Activity Queue

Admins and owners review pending requests in the Activity Queue.
  1. In the sidebar, open Activity Queue. A badge shows the number of pending items in the active environment.
  2. Each row shows the action, who submitted it, how long ago it was submitted, how much time is left before it expires, and its current status. When the required approvals is greater than 1, pending rows show progress as Pending (N/M) — the number of approvals collected so far against the threshold.
  3. Click Review on a pending item to open the review dialog.
Activity Queue with pending, approved, and denied admin action requests The review dialog shows the action, the submitter, and the expiry time. When another admin has already voted on this request, the dialog lists each existing reviewer, their decision, and any note they added, so you can see where the request stands before casting your own vote. Your own action buttons are Approve, Deny, and Cancel, with an optional note for the submitter. Review dialog for a pending MFA reset request Approving a request does not necessarily execute it immediately — under quorum, the change only takes effect when the Nth approval lands and crosses the threshold. Denying a request at any point rejects it immediately, regardless of how many approvals have accumulated, and notifies the submitter with any note you added. If you have already voted on a request, the Activity Queue shows You’ve already reviewed in place of the Review button.
The Activity Queue is scoped to the active environment. Switch environments in the top bar to see requests for a different environment.

Expiration

Pending requests expire 8 hours after they are submitted. Expired requests cannot be approved or denied; the submitter must resubmit the action. Turning off approval mode also expires any outstanding pending requests.

Email notifications

The approval workflow sends three notification types automatically:
  • Request created — sent to every admin and owner except the submitter, when a new pending request is created.
  • Request approved — sent to the submitter when another admin approves their request.
  • Request denied — sent to the submitter when another admin denies their request, including any note the reviewer provided.