The request/approval workflow (called Dual Control by CyberArk) works as follows:
The user creates a request: A user who wishes to access an account in an environment where the Master Policy enforces Dual Control must first create a request. In the request, the user specifies the reason for accessing the account, whether they will access it once or multiple times, and the time period during which they will access it. A notification about the request is sent to users who are authorized to confirm this request. For more information, refer to Request access to accounts.
The request is confirmed or rejected by the authorized user: Through the notification, authorized users can access the request and view its details. Based on these details, authorized users either confirm or reject the request. The number of authorized users who are required to confirm requests is defined in the Master Policy. For more information, refer to Confirm requests.
The user connects to the account: Each time an authorized user responds to the request, the user who created it receives a notification. When the total number of required confirmations is received for the request, this user receives a final notification. The user can now activate the confirmation and access the account according to the request specifications. For more information, refer to Dual Control.