oakallow supports optional two-level approvals, where a request escalates from a first approver to a second approver before a tool runs.
- Under the Team page, admins and owners configure two groups: Approval 1 and Approval 2. Add team members to each group to control who receives approval pushes and who can act on them. If a group is empty, it falls back to every active team member.
- Who can do what: directly adding or removing approver-group members on the Team page is open to both admins and owners. Mapping a Microsoft Entra group to an approver group (so membership syncs from your identity provider on each sign-in) is part of SSO configuration and is owner-only. An admin can hand-pick approvers; only an owner can wire an Entra group to a group. See the SSO question for that flow.
- On the Tools page, flag the tool with "Requires second approval." When that tool triggers an approval request, the request starts at level 1 and is routed to the Approval 1 group. After the first approver approves, the request advances to level 2 and is routed to the Approval 2 group. Either level can deny, which ends the request.
- Two-level escalation only kicks in when the Approval 2 group has at least one member. If it is empty, the request stays single-level and is resolved by Approval 1 alone. Tools without the flag always stay single-level.