262-299-4606 • Email us

Approval flow

This page goes though the approval flow, when a user invokes the Run As Admin feature or requests an Admin Session.

Requesting access

When a user has a need to install software, the user either starts the installation and let Admin By Request intercept the installation or invokes the Windows "Run As Administrator" feature. This is called "Run As Admin" and is explained here. If the user has a need to do something advanced, the user has to request an administrator session, as explained on this page. In both scenarios, the user experience is either:
  • Computer shows denied right away (disallowed)
  • It works right away (allowed + approval not required + reason not required)
  • Have to enter a reason and then it works (allowed + approval not required + reason required)
  • Have to enter a reason and wait for approval (allowed + approval required + reason required)
You configure these rules in your portal account settings and you can also configure different rules based on Active Directory user or computer groups or OU. This is called subsettings. An example could be to allow developers to use both Run As Admin and Administrator Sessions without approval, but only allow Run As Admin for customer relations and sales - and always only by approval. In all cases, the approval flow is as follows for both Run As Admin and Administrator Sessions:


Naturally in any organization, you would not want the same rules for all employees. You may have anything from expert IT users to external personnel that would have no reason to do anything on a computer. The way you solve this is that you set default settings, also known as Global Settings. These would typically be the most restrictive to handle a case, where a user or computer by mistake is not in any groups or OUs of any subsetting. This is the Authorization page of Global settings from the portal "Settings" menu:

Request Admin right window
In the portal, you have a submenu called "Subsettings". Subsettings is for defining other rules than the Global/default for some users or computers.

Portal subsettings
When you create a new subsetting, you must enter the scope of the subsettings. The scope is based on the user or computer and can be one or more groups and/or one or more OUs.

Portal subsettings
All settings can be overruled in subsettings. In this case, you would want to enter different rules under "Authorization" than the Global settings. You may wonder, if this works of the LAN, as it is based on Active Directory. It does - because computers cache this information encrypted for usage off the LAN. This means that all your changes are real-time and not depending on laptops visiting your LAN from time to time.

PIN Code

If Run As Admin or Admin Session is not allowed and user is shown an access denied message, it is possible to use a PIN code. The PIN code option is also shown, when a computer is totally offline (no internet connection) and approval is required. The PIN code can be found in the inventory for the given computer and can overrule the settings. A scenario could be when a Help Desk employee is doing a remote control of a user's computer and needs to perform the operation without logging off and on. This is explained in greater detail on this page.

Approving a request

When approval is required, the request is pushed to the mobile app in real-time. An administrator can then press either Approve or Deny without unlocking the phone or click the notification message for more information. The mobile app is explained in greater detail here.

The same requests will appear in the portal under "Requests". If you are not using the app, you can set up an email notification to administrators in the Authorization section of your portal settings to be notified of new entries in the requests list.

Approving access


If you have questions not answered on this page, please contact us using the chat or the contact menu at the top.