MOP Approvals
Teams / Enterprise
Configure multi-approver workflows with approval thresholds, review comments, and withdrawal support to control execution of critical network change procedures.
Overview
The MOP approval system ensures that critical network changes are reviewed and authorized before execution. When a MOP is submitted for execution, it enters a review workflow where designated approvers evaluate the procedure, its risk level, and the proposed changes before granting approval.
The approval system provides:
- Multi-approver workflows — Require multiple engineers to independently review and approve a MOP
- Approval thresholds — Configure how many approvals are needed (e.g., 2 of 3 senior engineers)
- Review comments — Approvers can attach comments explaining their decision
- Approval withdrawal — Approvers can withdraw their approval if circumstances change before execution
- Risk-based requirements — Tie approval requirements to MOP risk levels so low-risk changes flow quickly while critical changes get thorough review
In production networks, a single misconfigured command can cause an outage affecting thousands of users. The approval workflow adds a human review gate that catches errors, validates the rollback plan, and ensures the right people are aware of the change before it happens.
How It Works
Approval Lifecycle
When a MOP that requires approval is submitted, it moves through these states:
| State | Description |
|---|---|
| Draft | MOP is being created or edited. Not yet submitted for review. |
| Pending Review | MOP has been submitted. Approvers are notified and can review. |
| Approved | Required approval threshold met. MOP is ready for execution. |
| Rejected | An approver rejected the MOP. Author must revise and resubmit. |
| Executing | MOP is currently running against target devices. |
| Completed | MOP executed successfully. |
| Failed | MOP execution failed or was aborted. |
Multi-Approver Workflows
Organizations can configure approval requirements that require multiple approvers. For example, a high-risk MOP might require approval from 2 of 3 designated senior network engineers. The MOP remains in "Pending Review" until the approval threshold is met.
Review Process
When reviewing a MOP, the approver can see the complete procedure: all steps, commands, expected outputs, rollback commands, target devices, risk level, and change ticket reference. The reviewer can then:
- Approve — Grant approval with an optional comment
- Reject — Deny the MOP with a required comment explaining why
Approval Withdrawal
An approver can withdraw their approval at any time before the MOP begins execution. This is useful when new information emerges (e.g., a related outage, updated maintenance window, or discovered issue with the procedure). If withdrawal drops the approval count below the threshold, the MOP returns to "Pending Review" state.
When a MOP is rejected, the author must create a new revision to address the reviewer's feedback and resubmit for approval. The rejection comment is preserved in the MOP history for audit purposes.
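The threshold, withdrawal and rejection rules above can be modelled as a replay of review decisions. This is an added example, not NetStacks code: the event tuples, the function names and the state strings other than "approved" are assumptions, and it also applies the rule from the Questions & Answers section that an author cannot approve their own MOP.

```python
# Added example: event shape, function names and state strings are assumptions.
def requirements(policy):
    """Normalise a policy to [(group, threshold)], covering both config shapes."""
    if not policy.get("requires_approval"):
        return []
    if "approver_groups" in policy:
        return [(g["group"], g["threshold"]) for g in policy["approver_groups"]]
    return [(policy["approver_group"], policy["threshold"])]

def review_state(policy, author, members, events):
    """Replay pre-execution review events in order and return the MOP state.

    members: {group: set of usernames}
    events:  (user, action) tuples, action in {"approve", "withdraw", "reject"}
    """
    reqs = requirements(policy)
    # Only members of the configured groups count, and never the author.
    eligible = set().union(*(members.get(g, set()) for g, _ in reqs)) - {author}
    active = set()                      # approvals currently standing
    for user, action in events:
        if user not in eligible:
            continue                    # author or non-member: decision ignored
        if action == "reject":
            return "rejected"           # author must revise and resubmit
        if action == "approve":
            active.add(user)            # a set, so repeat approvals count once
        elif action == "withdraw":
            active.discard(user)
    # Every group's threshold must be met; with no requirements this is True.
    met = all(len(active & members.get(g, set())) >= t for g, t in reqs)
    return "approved" if met else "pending_review"

# Constructed sample data: the high-risk policy shape from this page, made-up users.
HIGH = {"risk_level": "high", "requires_approval": True,
        "approver_group": "senior-network-engineers", "threshold": 2}
MEMBERS = {"senior-network-engineers": {"alice", "bob", "jsmith"},
           "change-advisory-board": {"dana"}}
EVENTS = [("jsmith", "approve"),   # self-approval by the author, ignored
          ("alice", "approve"),
          ("bob", "approve"),      # threshold of 2 reached here
          ("bob", "withdraw")]     # count drops below the threshold again

if __name__ == "__main__":
    for n in range(1, len(EVENTS) + 1):
        print(EVENTS[n - 1], "->", review_state(HIGH, "jsmith", MEMBERS, EVENTS[:n]))
```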
Configuring Approvals
Configure your organization's approval requirements by mapping risk levels to approval policies.
Step 1: Enable Approval Requirements by Risk Level
In Admin → Automation Settings, enable approval requirements for each risk level. A common configuration:
| Risk Level | Approval Required | Threshold |
|---|---|---|
| Low | No | — |
| Medium | Yes | 1 of any approver |
| High | Yes | 2 of 3 senior engineers |
| Critical | Yes | 3 of 3 senior engineers + manager |
Step 2: Configure Approver Groups
Define who can approve MOPs by assigning users or roles as approvers. You can create multiple approver groups (e.g., "Senior Network Engineers", "Change Advisory Board") and assign them to different risk levels.
Step 3: Set Approval Thresholds
For each risk level that requires approval, set the threshold — how many approvals from the designated group are needed before the MOP can execute. For example, "2 of 3 members of Senior Network Engineers must approve."
Step 4: Submit a MOP for Approval
When an author creates or updates a MOP with a risk level that requires approval, clicking Submit for Review moves the MOP to the "Pending Review" state. All configured approvers receive a notification.
Step 5: Review and Approve or Reject
Approvers open the MOP from their notification or from the Changes panel, review the procedure, and click Approve or Reject. An approval comment is optional; a rejection comment is required.
Step 6: Handle Approval Withdrawal
If an approver needs to withdraw their approval, they can do so from the MOP review page as long as execution has not started. The MOP returns to the review queue if the withdrawal drops the count below the threshold.
Configure low-risk MOPs (read-only checks, show commands) to skip the approval workflow entirely. This keeps routine operations fast while still requiring review for impactful changes.
Code Examples
MOP with Review Status
A MOP record showing the review fields populated after approval. The reviewed_by, reviewed_at, and review_comment fields capture the approval decision:
{
  "id": "d4e5f6a7-890b-cdef-0123-456789012def",
  "name": "BGP Peer Change - Core Router DC1",
  "description": "Add new eBGP peer to ISP2 on core-rtr-01.dc1",
  "author": "jsmith",
  "revision": 2,
  "status": "approved",
  "risk_level": "high",
  "change_ticket": "CHG-3192",
  "tags": ["bgp", "core", "dc1"],
  "platform_hints": ["cisco-ios"],
  "estimated_duration_minutes": 30,
  "reviewed_by": "a1234567-89ab-cdef-0123-456789abcdef",
  "reviewed_at": "2026-03-10T14:30:00Z",
  "review_comment": "Verified BGP config and rollback commands. Approved for maintenance window."
}
Review Decision Payload
The API payload for approving or rejecting a MOP:
// Approve a MOP
POST /api/mops/{mop_id}/review
{
  "approved": true,
  "comment": "Reviewed all steps. Rollback plan looks solid. Approved."
}

// Reject a MOP
POST /api/mops/{mop_id}/review
{
  "approved": false,
  "comment": "Missing post-check for BGP neighbor state. Please add a 'show ip bgp summary' post-check step and resubmit."
}
Approval Workflow Configuration
Example configuration mapping risk levels to approval requirements:
{
  "approval_policies": [
    {
      "risk_level": "low",
      "requires_approval": false
    },
    {
      "risk_level": "medium",
      "requires_approval": true,
      "approver_group": "network-engineers",
      "threshold": 1
    },
    {
      "risk_level": "high",
      "requires_approval": true,
      "approver_group": "senior-network-engineers",
      "threshold": 2,
      "total_approvers": 3
    },
    {
      "risk_level": "critical",
      "requires_approval": true,
      "approver_groups": [
        { "group": "senior-network-engineers", "threshold": 2 },
        { "group": "change-advisory-board", "threshold": 1 }
      ]
    }
  ]
}
MOPs support an optional change_ticket field for linking to your organization's change management system (ServiceNow, Jira, etc.). This creates a cross-reference between the NetStacks MOP and the external change record for audit purposes.
Questions & Answers
- Q: Who can approve a MOP?
- A: Any user who is a member of the configured approver group for the MOP's risk level can approve it. Approver groups are configured in Admin → Automation Settings. The MOP author cannot approve their own MOP — at least one independent reviewer must approve it.
- Q: How many approvals are required?
- A: The number of required approvals depends on the approval threshold configured for the MOP's risk level. For example, medium-risk MOPs might require 1 approval, while critical-risk MOPs might require 3 approvals from designated senior engineers. The threshold is configurable per risk level.
- Q: Can an approval be withdrawn?
- A: Yes. An approver can withdraw their approval at any time before the MOP begins execution. If the withdrawal causes the approval count to drop below the required threshold, the MOP returns to the "Pending Review" state and additional approvals are needed. Withdrawal is not possible once execution has started.
- Q: What happens if a MOP is rejected?
- A: When a MOP is rejected, the author receives a notification with the reviewer's comment explaining the reason. The author must create a new revision of the MOP that addresses the feedback, then resubmit for approval. The rejection is recorded in the MOP's history for audit purposes.
- Q: Are approvals required for all MOPs?
- A: No. Approval requirements are tied to risk levels. You can configure low-risk MOPs to skip the approval workflow entirely, allowing routine read-only procedures to execute immediately. Only MOPs with risk levels that have approval policies enabled require review before execution.
- Q: Can I see the full approval history for a MOP?
- A: Yes. The MOP detail view shows the complete review history including who approved or rejected each revision, when the decision was made, and the review comment. This history is preserved across revisions so you can trace the evolution of a procedure through its review cycles.
Troubleshooting
Approval not being received by reviewers
Verify that the approver group is correctly configured for the MOP's risk level. Check that the designated approvers are members of the correct group in Admin → Users & Roles. Also verify notification settings — approvers must have notifications enabled to receive review requests.
MOP auto-rejected or expired
If your organization has configured an approval timeout, MOPs that are not reviewed within the timeout period may be automatically moved back to draft status. Check the approval policy for timeout settings and resubmit the MOP if needed.
Cannot withdraw approval
Approval withdrawal is only available before the MOP begins execution. Once the MOP enters the "Executing" state, approvals are locked. If you need to stop an executing MOP, use the cancel action from the Task Monitoring dashboard instead.
Threshold impossible to meet
If a risk level requires 3 approvals but only 2 users are in the approver group, the MOP can never be approved. Review the approver group membership in Admin → Automation Settings and ensure there are at least as many members as the required threshold.
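The check described above can be run against a policy file before it is applied. This is an added example, not part of NetStacks: the membership map, the function name and the verdict labels are assumptions. It goes one step beyond the case in the text by also flagging thresholds equal to the group size, which become unreachable when the MOP author is a member of the group, since authors cannot approve their own MOPs.

```python
# Added example: membership data and verdict labels are assumptions.
import json

# The example policy from this page, compacted.
CONFIG = json.loads("""
{"approval_policies": [
  {"risk_level": "low", "requires_approval": false},
  {"risk_level": "medium", "requires_approval": true,
   "approver_group": "network-engineers", "threshold": 1},
  {"risk_level": "high", "requires_approval": true,
   "approver_group": "senior-network-engineers", "threshold": 2, "total_approvers": 3},
  {"risk_level": "critical", "requires_approval": true, "approver_groups": [
    {"group": "senior-network-engineers", "threshold": 2},
    {"group": "change-advisory-board", "threshold": 1}]}
]}
""")

# Constructed group membership (sample data, not from the page).
MEMBERS = {
    "network-engineers": {"erin", "frank", "gina"},
    "senior-network-engineers": {"alice"},
    "change-advisory-board": {"dana"},
}

def unreachable_thresholds(config, members):
    """List (risk_level, group, threshold, group_size, verdict) for risky rules."""
    findings = []
    for policy in config["approval_policies"]:
        if not policy.get("requires_approval"):
            continue
        rules = policy.get("approver_groups") or [
            {"group": policy["approver_group"], "threshold": policy["threshold"]}]
        for rule in rules:
            size = len(members.get(rule["group"], ()))
            if rule["threshold"] > size:
                verdict = "never_approvable"
            elif rule["threshold"] > size - 1:
                # An author who belongs to this group cannot self-approve,
                # which leaves one eligible approver too few.
                verdict = "blocked_if_author_in_group"
            else:
                continue
            findings.append((policy["risk_level"], rule["group"],
                             rule["threshold"], size, verdict))
    return findings

if __name__ == "__main__":
    print(*unreachable_thresholds(CONFIG, MEMBERS), sep="\n")
```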
Use the Audit Log to track all approval actions. Every approve, reject, and withdrawal is recorded with the user, timestamp, and comment.
Related Features
Approval workflows integrate with these NetStacks features:
- Method of Procedures (MOPs) — Create and manage the procedures that go through the approval workflow
- Roles & Permissions — Configure which roles can approve MOPs and manage approval policies
- Audit Logs — Review the complete history of approval actions, rejections, and withdrawals
- Task Monitoring — Track MOP execution after approval is granted