5. Supervisor Approval

This feature allows supervisors to implement an access policy for files uploaded using MetaDefender Vault. Supervisors can be configured based on Active Directory organizational units or Active Directory groups, but it is also possible to assign global supervisors. The supervisor process can be configured as one-stage (one approval required for each file) or multi-stage and you can define the number of approvals required for a file.

Enabling supervisor approval feature

In order to enable the Supervisor Approval feature please go to Supervisor Approval Global Settings.


Supervisor Mode

Supervisor Mode




Organizational Unit mode allows you to define supervisors in each Active Directory OU. An OU supervisor will be able to approve or deny files from all other users in that Organizational Unit and any children OUs.

For convenience, it's possible to promote users from an OU to the supervisor role by configuring an attribute-based AD filter. See the Configure supervisors section below for more details.


Group mode allows you to define supervisors in each Active Directory group. A group supervisor will be able to approve or deny files from all other users in that group.

Supervisors from a group are not also supervisors for sub-groups of that group. You will need to assign them individually.

It is not possible to use an attribute-based AD filter to dynamically configure supervisors. That option only works with OU mode.

Supervisor stage approval process

The supervisor process can be configured as one-stage (one approval required for each file) or multi-stage and you can define the number of approvals required for a file.





One stage

At least one approval from a supervisor is required to allow or deny access to a file.

You should make sure that you have at least one global supervisor configured for every OU/group.


Define the number of approvals required in order for a file to become available. If at least one supervisor denies the request the file will remain unavailable.

The system will not allow you to configure multi-stage supervisor approval unless you have enough global supervisors or ensure that any container (OU/group) has at least N supervisors configured, where N is the stage number.

If you plan to use multi-stage supervisor approval, please go to Setup Supervisors first and ensure that the conditions above are met.


Please note that whenever you change between one-stage and multi-stage or the number of stages the supervisor approval process resets. Any file that has not completed the process will be restarted and any existing votes will be erased. However, a change like this will not have any effect on files that have completed the process and are already approved or denied.

Skip supervisor approval

Skip approval




Every file needs to be approved or denied

This is the default option.

When sanitized

Sanitized files are automatically approved

The approval process is skipped only for file types where Deep CDR is configured in MetaDefender Core.

After time span

Files will be automatically approved after the specified period of time elapses


Configure supervisors

A user with the supervisor role can approve or revoke approval for files. Initially, the local administrator account is a global supervisor so he can approve or deny approval for all the files. Please note that guest users can't be set as supervisors.

You can configure other supervisors by going to Supervisor ApprovalSetup Supervisor page.


Global config

From the global configuration menu you can select global supervisors. These users can supervise files for all the other users in the system.


Add or edit supervisors for each container (Organizational Unit or Group)

If you wish to configure one or more supervisors for each container you can do so by clicking Add / Edit when hovering over an entry.


Each supervisor can only approve or reject files of his supervised users (in the same container). A container can have any number of supervisors, including none.

Learn how to include or exclude a container by going to 8.5.2 User Filtering Configuration.

Assign supervisors dynamically by using an Active Directory filter

For both the global supervisors and Organizational Unit supervisors, you can choose to select a supervisor by specifying an Active Directory filter. This way, users are promoted to supervisors whenever they match the specified filter.


This option is only available in OU (Organizational Unit) mode. It is not available for group-based supervisors.

To verify if a certain user matches the filter, an LDAP query is executed to check if the specified LDAP attribute has the expected value. If the attribute does not exist or if the value is different, the user will not be promoted to the supervisor role.

Please note that for global configuration, the filter applies to all your Active Directories (if you have configured more than one).


Pending Approval Page

This page allows supervisors to manage files uploaded by the supervised users.


On the last column the following options are available:

  • Approve file: make the file available for download

  • Revoke approval: deny access to download the file

  • Retry processing (only visible in case of failures)

Approve or revoke multiple files at once

Supervisors can also approve or revoke multiple files at the same time, and not individually.


By selecting multiple files, the following actions will become available:

  • Approve

  • Revoke Approval

  • Delete

  • Download as archive

The multi-stage supervisor approval process

An uploaded file must be approved by N supervisors to be Available where N is equal to the number configured in supervisor approval settings.

When a file is being Revoked by a supervisor the approval process will be restarted from scratch and N supervisors must approve the file again in order to be Available. If the file is being approved twice by the same supervisor, it won't be available. In order to be available, N different supervisors must approve the file.

Approval History

You can use this page to check files that have been previously approved or denied approval.


If you wish to change your decision you can do so by using the actions menu when choosing files.