Since we launched System Initiative, one of the most requested features has been the ability to approve changes within a change set. Enterprise teams and those with regulatory requirements need an approval workflow to change their production systems, and today, they can!

The approval workflow

In a world where people use existing IaC tools, they are usually using Pull Requests or a particular cloud provider (like HCP or Pulumi) as a mechanism to achieve an approval workflow to merge code that changes their infrastructure. In System Initiative, we bring the infrastructure to a collaborative, living architecture model. This means we needed to introduce a new way of approving changes to the architecture.

An approval workflow is the first step in our relationship-based access control system (ReBAC) that uses SpiceDB to deliver these capabilities to our users.

A System Initiative workspace can now have a designated set of approvers who are the only ones who can approve the changes in a change set that would make their way to HEAD, and thus the running infrastructure.

A collaborator on the workspace will request that the approver check the changes. The approval request can either be rejected or accepted. If rejected, the collaborator can continue making changes to their workspace and send another approval request when ready. If the approval request is accepted, the collaborator can merge the change set in their own time.

When can I use this?

Starting today, if you own a workspace in System Initiative, you are automatically an approver for changes to that workspace if there are collaborators. As a workspace owner, you can designate an approval role for any of the collaborators or invite others to the workspace. You can do this by visiting the workspace's Manage Users link.

This is the first iteration of ReBAC, and we can’t wait for you to use it! If you have any questions or feedback on the feature, please join us on Discord and talk to us there. You can message me directly at SI_Stack72.