Skip to main content

Four-Eyes Framework

The Four-Eyes framework, based on the Maker-Checker framework, is designed to control critical actions and reduce the risk of unintended actions performed in the console. Within this framework:

  • Critical actions require approval before they are executed.
  • This ensures enhanced security and accountability by preventing unauthorized or accidental actions.

Even if a user has the required permissions for critical actions (currently available only for Wipe Device), the action will not be executed until it receives approval from an Account Admin.

note

For single-checker accounts, self-approval by the same user is allowed.

This framework ensures that all critical actions are properly reviewed and authorized before execution.

Roles in the Four-Eyes Framework

  • Maker: A user who initiates a request to perform a critical action. Users with Role-Based Access Control (RBAC) permissions are automatically treated as Makers.
  • Checker: An account administrator who reviews requests raised by Makers and either approves or denies them. Account Administrators can explicitly assign users as Checkers by selecting the appropriate checkbox during user creation or editing.

Enabling the Four-Eyes Framework

The Four-Eyes Framework can be enabled or disabled only by Account Admins in the SureMDM Console.

note

To disable the Four-Eyes framework, all approval requests must be completed. The framework cannot be disabled while any requests are pending; all requests must be either approved or denied before disabling.

Steps to enable the Four-Eyes framework:

  1. Log in to the SureMDM Web Console.
  2. Navigate to Account Settings > Account Management > Four-Eyes Framework.
  3. Enable the Four-Eyes Framework checkbox.
  4. Review the confirmation message and click Proceed.

Assigning User as a Checker

In the Four-Eyes Framework, a Checker is responsible for reviewing and authorizing requests raised by Makers. Assigning the Checker role ensures that critical actions are reviewed before execution.

note

Only Account Admins can assign users as Checkers.

Steps to assign a Checker:

  1. Log in to the SureMDM Web Console.
  2. Navigate to User Management > Users.
  3. Perform one of the following actions:
  • To assign a new user as a Checker, click New User and enable the Make as Checker checkbox.
  • To assign an existing user as a Checker, click Edit User and enable the Make as Checker checkbox.
  1. Click Save.

Creating Request for a critical action as a Maker

When a Maker initiates a critical action, the action is not executed immediately. The system creates a request that must be reviewed by a Checker. This process ensures secure and authorized execution of critical actions.

The following are the sections available for Makers in Four Eyes:

  • My Requests - View all requests created by the logged-in user.
  • Historical - View requests that have been approved, rejected, or withdrawn.
note

Pending requests created by the user can be cancelled using the Withdraw option.

Steps to create a request:

  1. The Maker initiates a critical action.
  2. A confirmation message appears indicating that approval is required.
  3. Click OK to create a request.
  4. A new request is created with a unique Request ID, which is available under: Four-Eyes > My Requests.
  5. A notification is sent to the Checker requesting for approval.

Checker actions to Approve/deny requests

The following are the sections available for the Checkers in Four Eyes:

  • My Requests – View requests created by the logged-in user.
  • Awaiting Approval – View pending requests that require approval from the logged-in user.
  • Historical – View requests that have been approved, rejected, or withdrawn.

Steps to Approve/Reject the Request:

  1. Log in to the SureMDM Web Console.
  2. Review the notification received for the pending request.
  3. Navigate to Four-Eyes > Awaiting Approval.
  4. Click Target Object to review the target object details.
  5. Select one of the following actions and add optional comments:
  • Approve - The system executes the action and updates the status to Approved.
  • Reject - The action is cancelled and the status is updated to Rejected.
  1. Both the Maker and the Checker receive a notification with the decision.
note

The same steps apply for a single-checker account, where the checker performs self-approval.