Skip to main content

Advanced Visitor Approvals

Learn how to create conditional workflows to support complex entry requirements.

Updated over a week ago

Overview

Advanced visitor approvals are a comprehensive system that provides greater control and flexibility for organizations with sophisticated visitor management needs. Unlike standard approval workflows, advanced approval leverages Policies to create intelligent, conditional approval paths that adapt based on visitor information, approver availability, and organizational requirements.

Capabilities

  • Sequential approval workflows: Create multi-stage approval chains (A → B → C) where each step must be completed before proceeding to the next

  • Conditional approval routing: Implement intelligent branching logic (if nationality = non-US → trade compliance team; else → standard approval)

  • SCIM group and multi-individual approvers: Restrict approval authority to designated personnel only, eliminating mis-approval risk through integration with your identity management system

  • Approver-only fields: Collect structured, decision-critical information from designated reviewers as part of the approval process, separate from what the host or visitor fills in.

  • Global approval policies with location overrides: Apply a single policy company-wide, while allowing different approvers per location.

  • Approval reasons with full auditability: When a policy is active, an optional reasoning window appears after approval decisions, allowing approvers to log their rationale for compliance and audit purposes

Policies

A Policy is a configurable container that houses conditional rules and approval logic for visitor requests. Think of it as the brain of your approval workflow – it defines who needs to approve what, under which circumstances, and in what order.

A policy can include any combination of these building blocks:

  • Policy fields: Information collected from the host when creating an invite. Used to route the workflow through conditions.

  • Approval step: Assigns a specific person or group to review and approve or deny the invite.

  • Condition: Branches the workflow based on visit data.

  • Concurrent step: Sends the invite to multiple approvers simultaneously

  • Data Collection step: Prompts a designated person to fill in specific fields before the workflow continues.

  • Risk Intel step: Adds screeners like Visit Frequency to the workflow.

Policies support versioning, so you can maintain different published versions and roll back when needed.

How Policies work

Policies work alongside your existing sign-in flows through a simple three-step process:

  1. Create a draft policy using the provided policy builder tools

  2. Publish the policy to make it available for association

  3. Associate the policy with sign-in flows – once associated, the policy becomes enforced for all invites that go through those sign-in flows

Policies are currently integrated into the invitation phase. The process begins when a host creates an invite, which then goes through the policy workflow. Once all required approvals are obtained, the invite email is sent to the visitor (if selected during invite creation). Should any approval step result in a denial, the entire invite is denied, requiring the host to create a new invitation.

Creating a Policy

Policies are comprised of three main components:

  • Policy fields: These are pieces of information about a visit used to determine the appropriate actions for the visit.

  • Approval steps: These are the steps where someone approves or denies an invitation. Individuals, as well as SCIM groups, can be responsible for approving.

  • Conditions: Steps that create intelligent routing based on visitor responses.

To begin creating your new policy:

  1. Navigate to Global overview > Visitors > Policies. Click Create policy.

  2. Give your policy a Name and Description. Since these policies are global, it's a good idea to keep names concise and descriptions straightforward. Click Create.

  3. After creation, you should be taken into your new policy to start building.

✨Tip: You can change the name and description of your policy after creation by clicking into the title text box. ✨

Policy Fields

Policy fields are the information that hosts/inviters must provide when creating a visitor invite. Only dropdown selections can be used for policy fields. These fields are automatically inserted into the invite form.

as seen on an invite using the associated visitor sign-in flow

Based on the dropdown selections made, you can create routing branches that connect to different approval steps by building corresponding approval paths.

Two types of policy fields are available:

  • Host (Inviter) fields: Visible and editable by the host when creating an invite. Supports dropdown selections. Used to drive conditional routing in the workflow.

  • Admin (Approver) fields: Visible and editable only by designated approvers, hosts, and admins. Supports free-form text and multiple choice. Used to collect structured information during the approval process, such as an internal security ID or zone access confirmation.

Inviter Fields

  1. Under Policy Fields, click + Add field.

    1. If you don't see this option, you might need to click the caret to open the dropdown.

  2. This process is similar to creating a sign-in field in a sign-in flow. Add your field name.

    1. Designate who is responsible for filling in the field. By default, the Inviter is selected.

    2. Set the Answer type. For Inviter fields, only Multiple choice is available.

    3. Create the options. You cannot have fewer than 2.

      1. To add more options, click + Add option.

      2. To reorder options, click and drag the toggle.

      3. To delete an option, click the trashcan.

  3. Click Create to complete.

  4. Now that you have a policy field, you can use it within the policy builder to define conditions.

Admin fields

Admin fields collect structured information from specific reviewers(often the approver) during the approval workflow, separate from what the host fills in. This is useful when an approver needs to document a decision, such as recording a program number, confirming zone access, or logging a security ID. These fields are not visible to the visitor and are saved to the invite record once completed.

Creating the admin field

  1. Under Policy Fields, click + Add field.

  2. Add your field name.

  3. Select Admins for the To be filled by setting.

  4. Set the Answer type. For Admin fields, these can be multiple-choice or freeform text.

  5. For multiple choice, add the options accordingly.

  6. Click Create.

Adding the Data collection step

After creating your Admin field, you'll need to add a Data Collection step.

  1. Add a Data Collection step at the point where you want the field filled in.

  2. Give the step a name. This shows on the approval workflow, so it's good to make it concise.

  3. Assign the collector(s), typically the team responsible for that approval step.

  4. Select the field(s) to collect at this step. The policy fields labeled will appear in the drop-down.

  5. (Optional) Set a location override, allowing different admins to collect data according to their location.

  6. When adding your Data Collection step to your policy, connect the step to the relevant Approval step.

    1. You can place it before the decision (collect first, then approve) or after (approve first, then collect).

    2. For our example, we would place the Escort Assignment step after the assignment approval, since we would not assign an Escort until after the invite is approved.

Condition step

Conditions are steps that determine the flow of a visit through the workflow.

  1. Within the Policy builder, click Condition to add a new step to the workflow builder.

  2. Click on the new condition to select. The condition details will open in the right-hand side panel.

  3. Here, you can define the outcomes of an invite based on your policy fields. Each outcome will create a new node, on which actions can be built.

    1. The IF condition requires an IS or IS NOT correlation to an option.

    2. The ELSE condition captures the other answers to the policy field.

  4. Each node can now be used to create a new branch. You can click and drag the node to create branches in your workflow.

Approval step

Approval steps allow designated admins to approve or deny visits.

  1. Within the Policy builder, click Approval to add a new step to the workflow builder.

  2. Click on the new approval to select. The approval details will open in the right-hand side panel.

  3. Begin by giving your approval step a descriptive name, such as 'Security Review' or 'Executive Approval.' This label will show in the workflow builder.

  4. Define who will be responsible for approving this visit. Currently, this is limited to Global and Location admins.

    1. Multiple approvers listed: You can select multiple approvers. When any one of them approves, the visit advances to the next step in the workflow. This option does not require each admin listed to approve.

    2. SCIM groups: If you use SCIM to manage your directory, you can create groups within your IDP to use as potential approvers.

  5. Once approvers are added, the step will be saved automatically and will be ready for use within the workflow.

Concurrent approval step

Concurrent approval lets you notify multiple review parties simultaneously. This is useful when several teams, such as security, trade compliance, and operations, all need to sign off on a visit without waiting on each other.

How concurrent approval works

All approvers within a Concurrent step are notified simultaneously. Each reviews and responds independently. The workflow only advances once every required approver has approved. If any single approver rejects the invite, it is rejected immediately, regardless of whether others have responded.

Adding a concurrent step

  1. In the policy builder, drag the Concurrent block from the left panel onto the canvas.

  2. Inside the Concurrent block, add the Approval steps you want to run in parallel, for example, Trade Compliance, Security, and Operations approvals.

  3. Assign an approver to each step.

  4. Connect the Concurrent block's input and output nodes to the rest of your workflow.

  5. Click Save or Publish when ready.

Tips for using Concurrent approvals

  • All approvers in a Concurrent step must approve for the workflow to continue. There is no "majority" or "quorum" option.

  • If one approver rejects, the invite is rejected immediately.

  • You can add as many approval steps inside a Concurrent block as your workflow requires.

  • Concurrent steps can be combined with Conditions and sequential steps in the same policy.

Location Overrides on approval steps

Location Overrides let you apply a single policy across all your office locations while assigning different approvers at each site. Instead of building a separate policy for each location, you configure a single policy with a default approver and set location-specific overrides where needed.

How location overrides work

Each Approval step has a Default Approver, the person who handles reviews at any location without a specific override. When an override is set for a location, only that override approver is notified for invites from that site. The default approver is not included for those locations.

Setting up location overrides

  1. In the policy editor, select an Approval step on the canvas.

  2. In the step panel, enter a Default Approver.

  3. Under Location Overrides, click Set by location.

  4. In the Location Overrides modal, search for a location and assign one or more approvers.

  5. Repeat for any other locations that need a dedicated reviewer.

  6. Click Apply.

Tips for using Location overrides

  • Locations without an override automatically use the default approver. You don't need to configure every location.

  • The location list is searchable and scales to large deployments.

  • Each location supports multiple approvers.

  • To enforce the same policy across all locations, associate it with a global sign-in flow.

Risk Intel Step

Risk intel steps are additional screeners you can add to your policy, such as blocklist and visit frequency.

  1. Within the Policy builder, click Risk Intel to add a new step to the workflow builder.

  2. Select your risk intel. Currently available: Blocklist and Visit Frequency.

    1. Visit Frequency: set Threshold Days (how many days to look back) and Threshold Count (number of visits within that period).

    2. Blocklist: If you already use blocklist at a location, this will result in two cards being shown on the visitor's invite.

  3. After configuring the Risk step, you can add it to your workflow.

Assembling your policy workflow

Now that all the basic components have been created, we can begin piecing together the policy and creating the workflow branches. You can include as many steps as needed in your workflow to ensure all visits meet your security standards.

The visual interface shows how different conditions and approvals interact to create a comprehensive approval system.

✨ Tip: Click Fullscreen to enlarge the policy workspace.✨

You can click and drag on any step to rearrange its position within the workflow.

To connect steps, click and drag a node to create a branch.

You can delete branches or steps by clicking them and pressing the Delete key on your keyboard.

Any issues with your workflow will be listed in the top right-hand corner of the page, next to the Publish button.

The associated steps will have a caution symbol shown in the workflow builder.

Once your workflow is complete and all steps are connected, click Publish at the top of the page.

Editing your policy

For record-keeping purposes, each time you need to make changes to your policy, you must create a new version of your policy.

  1. Navigate to the All Policies page.

  2. Next to the policies

Using your policy with a sign-in flow

Any sign-in flow used with our Policies functionality will be automatically hidden from the iPad Kiosk. It cannot be shown until the policy is removed.

Once your policy is published, it's ready for use!

You can associate one or more sign-in flows with each policy. Once the association is complete, any upcoming invitations processed through those sign-in flows will automatically follow the defined approval workflow.

Associating using the policy builder page

  1. Navigate to Global Overview > Visitors > Policies.

  2. Click on the policy you want to add sign-in flows to.

  3. Click on Manage Sign-in flows.

  4. Use the search function to select sign-in flows to use with this policy. Once you've added your sign-in flows, click Link.

  5. The flows will be added. To remove a flow, click the X.

  6. Once you've finished associating flows, click Done.

Associating using the All policies tab

  1. Navigate to Global Overview > Visitors > Policies. Here, you will see all policies created.

  2. In the Used by column, you'll see if the policy is being applied to any sign-in flows.

    1. For an in-use policy, you can click the # flows button to review current flows.

      To add a new sign-in flow to this list, select your flow from the dropdown, then click Link.

    2. For a policy not in use, you'll see an Add button.

      Clicking the Add button will open a window where you can select the sign-in flow, then click Link to complete.

    3. For a policy that has not been published, you will not see the option to assign flows.

Associating using the Flow associations tab

  1. Navigate to Global Overview > Visitors > Policies, then click on the Flow associations tab.

  2. Here, every location and global sign-in flow is listed.

  3. To associate a flow, click Associate (or Update, if there's already a policy associated).

  4. Select the policy from the dropdown, then click Save.

  5. The page will now show the current policy.

Moving Sign-in Flows Between Policies

You can transfer sign-in flows from one policy to another by navigating to the destination policy, searching for the desired sign-in flow, and creating the new association.

Any pending invitations created before the policy change will continue to be governed by the previous policy, while new invitations will be subject to the current policy.

Approving an invite

The designated approver will receive an email notifying them of a new approval. They can click the link in the email to open the invite, or view it in their invite log and approvals log.

The approval step will be listed in the right-hand side of the invite. From here, admins can approve or deny as needed.

Approval/denial reasons

When completing this step, a text box will open for an additional note for the approval/denial reason. This is separate from the Private notes field and cannot be edited or deleted.

Approver-only fields

If the policy includes a Data Collection step assigned to the approver, a prompt appears to complete those fields before the workflow continues.

Invitation process

Employees will be able to follow the same process for invites, but any newly added policy fields are marked as required.

After sending their invite, employees can check its progress by viewing it in the invite log.

Once an invite is approved, the employee will receive an email confirmation of the visit, and the invitation will be sent (if selected).

What to know before enabling a policy

Advanced Approval works with individual and group invites. For group approvals, use Group Invite and select Send direct invites to specific people. The "Create a signup link for self-registration" option is not available yet for flows managed by a policy. Bulk Invite is a legacy feature; use Group Invite instead.

Repeat invites are not currently supported on sign-in flows linked to a policy. This is coming in a future release.

Advanced Approval works alongside other screeners. Blocklist and Visitor Compliance and other screening still apply. Advanced Approval is an additional layer, not a replacement.

Getting started tips

Setting up AVA for the first time works best in stages:

  • Stage 1: Build your first policy. Create a policy, add your policy fields, configure conditions, assign approvers, add any concurrent or data collection steps, and publish.

  • Stage 2: Test with a dedicated sign-in flow. Create a new sign-in flow specifically for testing and associate it with your policy. Walk through the full approval experience before going live.

  • Stage 3: Move to active sign-in flows. When you're confident in the workflow, associate your policy with your production sign-in flows.

  • Stage 4: Expand to global flows. Associate your policy with a global sign-in flow and configure location overrides to enforce requirements across all locations.

Related Articles
Using the visitor log
Sign-in flow Rules
Creating visitor invites & check-in visitors to your suite
Connect Visitor Walk-In Approvals
Visitor Assessments
Did this answer your question?