Multi-Party Approval (MPA)

Multi-Party Approval (MPA) adds a layer of security by requiring multiple administrators to approve sensitive actions before they are executed.

Overview

When MPA is enabled, the following sensitive actions require approval from multiple administrators before they can be executed:

  • Kill Process commands - Commands that terminate processes on hosts
  • Disable MPA - Disabling MPA itself requires multi-party approval
  • API Key creation - Creating an API key with MPA-protected permissions requires approval

Configuration

MPA can be configured in the Workshop Settings page under the "Multi-Party Approval" section.

Required Approvers

Specify how many unique administrators must approve a request before it is executed. This value must be at least 2 to ensure no single administrator can approve their own requests.

Maximum Duration

Set the maximum time an approval request can remain pending before it automatically expires. Expired requests are rejected automatically.

How It Works

  1. An administrator initiates a destructive command (e.g., kill process)
  2. Instead of executing immediately, an approval request is created
  3. Other administrators can view pending requests and approve or reject them
  4. Once the required number of approvals is reached, the command executes
  5. If the request expires before receiving enough approvals, it is rejected

Security Considerations

  • Administrators cannot approve their own requests
  • Each administrator can only approve a request once
  • The requestor is automatically excluded from the approval count
  • Disabling MPA also requires multi-party approval when MPA is enabled
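
The request lifecycle and the rules above, modelled as an added illustration (not the product's own code). The class, field and state names are hypothetical, and the model assumes that a single rejection closes a request and that a request expires at the moment the maximum duration has elapsed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

PENDING, APPROVED, REJECTED = "pending", "approved", "rejected"


@dataclass
class ApprovalRequest:
    """Illustrative model only; all names here are hypothetical."""
    requestor: str
    action: str
    required_approvers: int
    created_at: datetime
    max_duration: timedelta
    approvers: set = field(default_factory=set)
    state: str = PENDING

    def __post_init__(self):
        # The page requires this setting to be at least 2.
        if self.required_approvers < 2:
            raise ValueError("required_approvers must be at least 2")

    def resolve(self, admin: str, approve: bool, now: datetime) -> str:
        # Expiry is checked first: a late vote can never revive a request.
        if self.state == PENDING and now >= self.created_at + self.max_duration:
            self.state = REJECTED
        if self.state != PENDING:
            return self.state
        if not approve:
            # Assumption: a single rejection closes the request.
            self.state = REJECTED
            return self.state
        if admin == self.requestor:
            raise PermissionError("requestor cannot approve their own request")
        self.approvers.add(admin)  # a set counts each administrator once
        if len(self.approvers) >= self.required_approvers:
            self.state = APPROVED  # the command would execute at this point
        return self.state


def demo() -> list:
    """Constructed scenario: alice requests, bob approves twice, carol once."""
    t0 = datetime(2024, 1, 1, 12, 0)
    req = ApprovalRequest("alice", "kill process", 2, t0, timedelta(hours=1))
    minute = timedelta(minutes=1)
    return [
        req.resolve("bob", True, t0 + minute),       # first approval
        req.resolve("bob", True, t0 + 2 * minute),   # repeat, not counted again
        req.resolve("carol", True, t0 + 3 * minute)  # second unique approver
    ]
```
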

API Methods

MPA settings and approval requests can be managed using the following API methods:

  • GetMultipartyApprovalSettings - Retrieve current MPA configuration
  • SetMultipartyApprovalSettings - Update MPA configuration
  • DisableMultipartyApproval - Initiate the process to disable MPA
  • ListMultipartyApprovalRequestsForSession - List pending approval requests
  • GetMultipartyApprovalRequest - Get details of a specific request
  • ResolveMultipartyApprovalRequest - Approve or reject a request