Approval Security
Approval Security governs how strongly an approver has to authenticate before a sensitive or privileged action is allowed to proceed. When a PAM elevation or an AI tool action lands in the approval queue, Breeze already knows how risky it is – it carries a risk tier. This tab lets you say, for each risk tier, the minimum assurance level the approver must clear on their Breeze Authenticator device before their “Approve” actually counts.
The idea is step-up verification: a low-risk approval can be a quick tap, but signing off on a critical action should demand your strongest proof of identity. Approval Security is the policy that draws those lines.
Reach it at Settings → Organization → Approval Security. The policy set here applies across your MSP – it is the per-partner enforcement floor, not a per-device setting.
Risk tiers and assurance levels
Section titled “Risk tiers and assurance levels”Every approvable action is classified into one of four risk tiers. Breeze ships a default assurance floor for each – the minimum verification strength required out of the box:
| Risk tier | Breeze default floor |
|---|---|
| Low risk | L1 |
| Medium risk | L2 |
| High risk | L3 |
| Critical risk | L4 |
The four assurance levels describe increasingly strong proof, performed on the approver’s enrolled Authenticator device:
| Level | What the approver must do |
|---|---|
| L1 – session tap | A simple tap to confirm within an authenticated session. |
| L2 – biometric | A biometric check (Face / fingerprint). |
| L3 – biometric + PIN | Biometric plus a PIN. |
| L4 – hardware key + PIN | A hardware security key plus a PIN. |
Configuring approval assurance
Section titled “Configuring approval assurance”-
Open Settings → Organization → Approval Security.
-
For each risk tier (Low, Medium, High, Critical), pick the minimum assurance level you want to require from the dropdown. Only levels at or above the Breeze default for that tier are selectable.
-
Optionally turn on Require an enrolled approver device to enforce the policy – under-assured approvals (including approvals from a technician who hasn’t enrolled an Authenticator device) are blocked rather than merely flagged.
-
Optionally set an Enforce from date. This is the grace-window cutoff: before that date the policy is advisory, giving your team time to enroll their devices; on and after it, enforcement is live.
-
Click Save.
How it interacts with PAM and Breeze Authenticator
Section titled “How it interacts with PAM and Breeze Authenticator”When an approver acts on a request from any surface (the Privileged Access console, the Helper desktop app, or the mobile app), Breeze looks up the request’s risk tier, resolves the required assurance level from this policy, and demands that level of verification on the approver’s Breeze Authenticator device before recording the decision.
- PAM elevations – UAC intercepts and Tech JIT admin requests are risk-tiered, so the assurance floor you set here is what an approver must clear to grant them.
- AI tool actions – privileged actions proposed by the Breeze AI agent or Helper carry a risk tier (for example T2 / T3) and are held for a human; the approver must meet the matching assurance level to sign off.
Because an approval always requires a separate human identity from the requester, Approval Security is what makes “confirmed with MFA” concrete: it defines exactly how strong that confirmation has to be for the risk at hand.
Related
Section titled “Related”- Privileged Access Management – the rule chain, request queue, and elevation flows whose approvals this policy governs.
- Users & Roles – roles, permissions, and MFA for the technicians who act as approvers.