The Approval Manager module when licensed provides the option to dually authenticate the add/edit or delete operations using ADSS Server Console. It makes sure that no change is made unnoticed within the ADSS Server Console. When dual control is enabled it means that if one operator performs a configuration operation and creates, edit or deletes any element in any record then that action is left pending until a second operator (the security officer) has approved the operation. Both operators must have suitable privileges to access the Approval Manager. This ensures that critical changes cannot be made without considered approval by two suitably privileged members of staff.
An ADSS Server operator that has access to the Approval Manager is deemed to be a Security Officer role holder, as this privileged role allows the Security Officer to approve or reject operations performed by other operators. Security Officers cannot approve their own operations ensuring that dual control is preserved in all cases. The Security Officer can perform others configurations on ADSS Server depending on the privileges assigned to them. If this is not required then additional privileges should not be assigned.