MSP owners/operators · May 24, 2026
The Caisey Approval Gate Decision Tree: When to Require Client Consent for Log Inspection vs. Automated Remediation
Most MSPs live in one of two painful extremes: their RMM scripts run with god-mode privileges and zero oversight, or every single action grinds through a manual approval queue that makes real-time troubleshooting impossible. Neither model scales, and neither gives you a defensible story when a client asks who authorized what on their machines.
Caisey's approval gates exist to break this binary. The system lets you define graduated consent levels tied to action impact, endpoint trust status, and operational scope. This article walks through a practical decision framework for configuring those gates—when to let automation flow, when to pause for human consent, and when to demand dual approval.
The RMM Trap: Silent Scripts or Manual Bottlenecks
Traditional RMM platforms like NinjaOne force an awkward choice. You can deploy PowerShell scripts that execute silently across hundreds of endpoints, hoping your automation logic is perfect and your credential management never leaks. Or you can require technician confirmation per script execution, which turns a five-minute diagnostic into a twenty-minute coordination exercise when the Level 1 who triggered it is waiting on a Level 3 who just stepped into another call.
Bomgar and BeyondTrust offer approval workflows, but they typically operate at the session level: a technician requests access, a manager approves the session, and then that technician has broad operational freedom until logout. The approval is binary and front-loaded, not granular and action-specific. If the technician pivots from log review to registry modification mid-session, that escalation happens without additional friction or record.
The result is predictable. Silent automation creates incidents. Manual approval creates delays. And neither produces the granular audit trail that distinguishes a mature MSP from a liability waiting to happen.
Caisey's Three Gate Levels
Caisey structures approval around what an action actually does, not who is logged in. The runtime on each enrolled endpoint evaluates the requested operation against its configured gate level before execution.
**Read-only inspection: auto-approved for enrolled endpoints.** Diagnostic commands that fetch state without mutation—reading event logs, checking service status, enumerating installed drivers—flow automatically when the endpoint is enrolled and the technician has baseline access. The session records what ran, but no client-side prompt interrupts the workflow.
**System state mutation: single prompt.** Any command that changes local state—modifying registry keys, restarting services, installing patches, removing files—triggers a real-time permission prompt. The client sees what is requested, which technician initiated it, and the specific scope. They approve or deny once, and that decision is logged with their identity and timestamp.
**Network-wide or destructive action: dual approval.** Commands that affect multiple endpoints, alter authentication mechanisms, or carry irreversible consequences require two authorized approvals before execution. This might mean the assigned technician plus a team lead, or the on-call engineer plus the client's designated contact, depending on your policy configuration.
The key distinction: gates are per-action, not per-session. A technician can run twenty read-only diagnostics automatically, hit a mutation that triggers a prompt, continue with more reads, then request a group-wide change that escalates to dual approval. The runtime enforces this progression without the technician needing to remember policy or switch tools.
Concrete Scenarios: Where the Line Falls
Consider three common MSP workflows and how the gate levels apply.
**Printer driver check: no gate.** A user reports print failures. The technician runs a script through Caisey that checks the spooler service status, enumerates installed drivers, and reads recent event log entries for print-related errors. All of this is read-only state inspection on an enrolled endpoint. The diagnostic completes in under a minute with zero client interruption.
**Registry edit for Outlook fix: single prompt.** The same technician identifies a corrupted WAM token cache registry path and needs to clear it. This is a system state mutation. Caisey presents a permission prompt to the endpoint user or pre-authorized contact, showing the specific registry path and the technician's identity. The client approves, the edit executes, and the approval record attaches to the session transcript.
**Mass service restart across client group: dual approval.** A managed application update has left a background service hung across twelve endpoints in a client's environment. Restarting the service on one machine is a single-prompt mutation. Restarting it across the entire enrolled group simultaneously is a network-wide action with broader blast radius. Caisey escalates to dual approval, requiring the technician's direct manager and the client's technical liaison to both authorize before execution proceeds.
This progression feels obvious in retrospect, but most tooling collapses it. Either the mass restart runs silently because the technician already has session approval, or every single service restart demands manual coordination because the platform cannot distinguish scope.
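The three gate levels and the scenarios above can be written as a small per-action policy check that also keeps the approval responses with each decision. The JavaScript below is an added illustration, not Caisey's code or API; the field names, gate labels, and the rule that unenrolled endpoints are refused are assumptions made for the example.

```javascript
// Added illustration, not Caisey's code. Every name and field is hypothetical.
const GATE = { AUTO: "auto", SINGLE: "single_prompt", DUAL: "dual_approval" };
const REQUIRED = { [GATE.AUTO]: 0, [GATE.SINGLE]: 1, [GATE.DUAL]: 2 };

// Classify by what the action does and how far it reaches, not by who is logged in.
function classifyGate(action) {
  const targets = new Set(action.endpoints);
  if (targets.size > 1 || action.altersAuth || action.irreversible) return GATE.DUAL;
  // Anything not explicitly declared read-only is treated as a mutation.
  if (action.mutatesState !== false) return GATE.SINGLE;
  return GATE.AUTO;
}

// Evaluate one action against the responses collected for its prompt.
function decide(action, responses, promptedAt) {
  const gate = classifyGate(action);
  const denied = responses.some((r) => r.decision === "deny");
  const approvers = new Set(
    responses.filter((r) => r.decision === "approve").map((r) => r.approver)
  );
  // Assumption: unenrolled endpoints are refused outright (the article only
  // describes enrolled ones). Duplicate approvals from one identity count once.
  const allowed = action.enrolled === true && !denied && approvers.size >= REQUIRED[gate];
  return {
    gate,
    allowed,
    record: {
      technician: action.technician,
      command: action.command,
      promptedAt,
      approvals: responses.map((r) => ({ ...r, latencyMs: r.respondedAt - promptedAt })),
      decision: allowed ? "permitted" : "blocked",
    },
  };
}

// Constructed sample actions mirroring the three scenarios above.
const printerCheck = { technician: "tech-l1", command: "read spooler status",
  endpoints: ["pc-01"], enrolled: true, mutatesState: false };
const registryEdit = { ...printerCheck, command: "clear token cache key", mutatesState: true };
const massRestart = { ...registryEdit, command: "restart hung service",
  endpoints: Array.from({ length: 12 }, (_, i) => `pc-${i + 1}`) };
```

Because `classifyGate` runs on every action, a session that starts with reads and later requests a group-wide restart is re-evaluated at that step instead of inheriting an earlier approval.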
The Audit Record: Who Approved What, When
Every gate decision in Caisey generates a durable record through the Cloudflare Worker control plane and SQLite Durable Objects. The session transcript captures not just that a command ran, but the approval chain that permitted it: the requesting technician, the prompt timestamp, the approver identity, the response latency, and the execution outcome.
This matters for three operational realities.
First, technician handoffs. When a Level 1 escalates to Level 3, the incoming engineer sees the full approval history without relying on ticket notes or verbal briefings. They know which mutations were client-authorized and which diagnostics ran clean.
Second, client review. Public transcript shares can include or redact approval details depending on audience. A client technical contact sees that their team member approved the registry edit. An external auditor sees that dual approval executed for the mass service restart without exposing internal technician identities.
Third, pattern detection. If a particular endpoint or client contact consistently denies specific prompt categories, that friction surfaces in operational analytics. Maybe the contact needs training, or maybe your gate configuration is misaligned with that client's risk tolerance.
Positioning Graduated Trust as Competitive Advantage
The MSPs that win long-term contracts are not the ones with the fastest mean time to resolution. They are the ones whose clients can explain, six months later, exactly how their provider protected their interests during an incident.
Caisey's approval gates let you tell that story with specificity. You automated the routine diagnostics that would have bored a client contact. You paused for consent at the exact moment their system state changed. You escalated to dual control when the scope expanded beyond one machine. And you recorded every decision in a format that survives technician turnover, client staff changes, and compliance audits.
Your competitors running silent RMM scripts cannot make that claim. Your competitors requiring manual approval for every diagnostic step cannot match your response velocity. The graduated model is the operational middle ground that becomes a commercial differentiator.
Configuring it well means mapping your actual service catalog to the three gate levels, training your team on which scenarios trigger which escalation, and reviewing approval analytics monthly to find misalignment. The framework is not a one-time policy document. It is a living operational rhythm that gets sharper with each client interaction.