...
An Approval Group is a group of users within of your PreVeil organization who together can authorize the activities of Admin ManagementAccount Recovery, Data Export, and Account Recovery within the organizationAdmin Management. The concepts behind Approval Groups are purpose of the Approval Group is to:
Decentralize trust amongst the members of the group, ensuring no one person has the ability to authorize these activities on their own
Continually verify the trustworthiness of all approval group members
Prevent single points of failure. The groups will have a pool of users that can approve activities, but only a subset of that pool are needed to approve: If one administrator is lost or unavailable, others in the group may fill in
Principle of least privilege: Users only have the minimum permissions needed, and only at the time they need them
| Info |
|---|
Note: Approval groups cannot be edited but only replaced by another approval group. We advise to form approval groups with reliable members of the organization. Also, if a user of an Approval Group is no longer available to approve group activities, then we recommend creating a replacement Approval Group as soon as possible. |
| Table of Contents | ||||
|---|---|---|---|---|
|
Creating an Approval Group
To establish an Approval Group within your organization, you need a minimum of three fully onboarded members
...
The group can comprise of more than three persons
For a three-person group, two out of the three members of the group will need to approve the activity the group is assigned on
An approval group must have a required number of approvers
The range to pick from is two to N minus one where N is the number of members of the group
To create a group:
Click the Admin Console option in the menu bar at the top of the PreVeil browser application, and then select Approval Groups from the left-hand menu.
Click on the plus sign icon under the Manage tab.
Give the group a name, and then type in the email address of the first user you want to add. When the user’s email address shows up in the pre-filled drop-down menu, select it to add the user to the group. Repeat to add at least two more additional users to the group. (Remember that you will need to add at least three users before you can create the group; the Create Approval Group button will remain grayed out until at least three users have been added to the group.)
Once at least three users have been added to the group, click on the Create button.
If you create a group with more than three users, then you will have additional options to select from in the How many approvals are required for recovery drop down menu for the required number of approvers
You will receive a notification that the group has been created
Activities an Approval Group Can Be Assigned To
The three activities in a PreVeil organization that an Approval Group can be assigned to are:
Admin Management
The purpose of this activity is to add a layer of security restrict administrators in the Admin consoleorganization. Assigning a group to this activity will make it so that any activity certain activities an administrator wishes to undertake performs in the Admin console will require group approval.If no group is assigned to this activity, a single administrator will have full functionality in the Admin console, and can perform any action without the need for approval.
The Approval Group assigned to this activity must consist of entirely admin level users, as a standard level user will not have access to the Admin console functionality.
Actions like deleting a user, changing a user’s role, and swapping an approval group will invoke the Admin Management group’s approval
Data Export
Data Export allows an administrator within your organization to download a decrypted copy of any data for any user within your organization.of the organization’s data
An organization must pass the organization health check to complete a full export
The types of exportable data are email, drive, activity log, and ACL report
Email data is exported in a folder hierarchy consisting of an inbox, drafts, sent, trash, and custom user folders
The mail messages are in EML format
Drive data is exported in the same folder set as the user’s actual drive and contains the files
Activity Log data is exported as a CSV file
ACL Report is exported as a CSV file
All or a selection of users may be chosen
A timeframe is chosen and may span the origin of the organization
The Approval Group assigned to this activity can consist may compose of admin level users, standard level users, or a mix of the two.combination
Account Recovery
The account recovery Approval Group (also known as the Recovery Group) is a group of users within your organization that can assist a user in recovering access to their PreVeil account.approve a user’s account recovery
PreVeil doesn’t utilize user names usernames and passwords for account recovery. Instead, what allows a user to access their PreVeil account is an encryption key that gets generated on a user’s device when they create their PreVeil account.
Assigning a Recovery Group to a user in your organization will provide each member of the group with a shard of the user’s encryption key. When invoked, the Recovery Group has the ability to rebuild a user’s key on their device, thereby allowing the user to re-access their account.
This is the primary method to protect a user’s account access, as PreVeil does not have access to any of our user’s encryption keys, so we cannot restore these keys for you. As such, the responsibility of making sure this recovery method is available to your users will fall upon the administrators of a PreVeil organization creating and assigning a Recovery Group for their users. We strongly recommend that a Recovery Group is assigned to every user in your organization.
The Recovery Group can consist of admin level users, standard level users, or a mix combination of the two.
Creating An Approval Group
There must be three fully joined members of your organization to be able to create an Approval Group; three is the minimum number required to create an Approval Group.
Approval Groups can also consist of more than three people.
For a three person group, two out of the three members of that group will need to approve any activity that group gets invoked for.
For groups larger than three, you have more flexibility in setting the number of approvers. For example, in a four person group you can set the number of approvers to two or three; for a five person group you can set the number of approvers at two, three, or four; etc.
To create a group:
Select Approval Group from the left hand menu, then click on the plus sign icon under the Manage tab.
...
Give the group a name, and then type in the email address of the first user you want to add and click on the Add User button. Repeat to add at least two more additional users to the group. (Remember that you will need to add at least three users before you can create the group; the Create Approval Group button will remain grayed out until at least three users have been added to the group.)
...
Once at least three users have been added to the group, click on the Create Approval Group button. (If you create a group with more than three users that you will have some additional options to select from in the How many approvals are required for recovery drop down menu.)
...
You will receive a notification that the group has been created.
...
Assigning An Approval Group
Assigning an Approval Group
Depending on the activity you are assigning a group to, there are two different methods for doing so.
To assign an Approval Group to either the Admin Management or Data Export activities
Select Approval Group from the left hand menu, then click Click on the Assign tab in the Approval Group section of the Admin Console.
...
Click on the Assign button next to either Admin Management or Data Export. For this example we’ll use Data Export.
...
Select the group that you want to assign to that activity from the drop-down list.
...
You will see the details about the group you selected. Click Assign to assign the group to the activity.
...
- The
You will receive a confirmation message that the selected group will is now be assigned to the activity.
...
To assign an Approval Group as the Recovery Group for your organization’s users
Select Approval Group from the left hand menu, then click on the Assign tab.
...
Click on the Manage Users button.
...
Click on the checkbox next to the user (or users) you want to assign the Recovery Group to. (You can assign it to more than one user at a time.)
...
Click on the Set Recovery Group button.
...
Select the group that you want to assign as the Recovery Group from the drop-down list.
...
You will see the details about the group you selected. Click Set Recovery Group to assign the group to the activityusers.
...
- The selected
You will receive a confirmation that the group will now be assigned as the Recovery Group for the selected user (or users).
...
| Info |
|---|
Note: The user’s computer needs to be online for the Recovery Group to be successfully assigned. If the user’s device is not online, the Recovery Group will not be assigned to the user’s account. The recovery group will show up in the admin console, but the assignment will be incomplete. If the user’s device doesn’t come online within two weeks of the group being assigned, the assignment will fail, and the group will be removed from the user’s entry in the admin console. |
Copying
...
an Approval Group
To make a copy of an existing group:
Select the checkbox of the group you want to copy, and then click on the copy icon.
...
You can then make any changes you want to that group, like changing the name (which is required as you cannot have two Approval Groups with the same name), adding additional users, deleting existing users, and changing the number of required approvers. Once all changes have been made, click on the Create Approval Group button.
...
You will receive a notification confirmation that the new group has been created.
...
Replacing
...
an Approval Group
An existing Approval Group cannot be modified to add or remove users, but it can be replaced if needed. To replace an Approval Group assigned to an activity:
Create a new Approval Group using the steps in the Creating An Approval Group section above.
Assign the new Approval Group to the activity using the steps in the Assigning An Approval Group section above.
The outgoing Approval Group will need to approve this replacement action before the new group will be assigned to the activity.
Deleting
...
an Approval Group
To delete an Approval Group:
Select the checkbox of the group you want to delete, and then click on the trash can icon.
...
Click Yes to confirm.
...
You will receive a notification that the group has been deleted.
...
| Info |
|---|
Note: You will not be able to delete an Approval Group if it is currently assigned to an activity. If this is the case, that Approval Group will need to be replaced before it can be deleted. See the Replacing An Approval Group section above for steps on how to do this. |
...