approval_request_permit_application

Approve Permit Application Request WORKFLOW: take_ownership -> get_permit_application_by_id -> application_get_matching_list -> permit_application. Start from the DTO returned by get_permit_application_by_id and modify the choices below. REQUIRED FIELDS (KB-documented, all must be present): approvalRequest.approvalRequestId; approvalRequest.json -- copy verbatim from get_permit_application_by_id (server uses it to reconstruct file/action context, omitting it causes silent failures); userinstance -- the portal shard ('h', 'g', etc.), parsed from the request's portalApiUrl subdomain; isFromApproval: true; hasOriginApprovalCenter: true; actionType (copy from request: 'elevate'/'execute'/'install'); osType (1=Windows, 2=Mac, 3=Linux, 5=WinXP); organizationId, computerId (copy from request); organizationIds -- list of parent org IDs above the request's org ([] for top-level); fileDetails.fullPath. APP SELECTION (set exactly ONE mode on matchingApplications): (a) PREFERRED -- use application_get_matching_list result. Prefer tenant-owned match (its organizationId equals the call's organizationId) over master-org/BUILT-IN (organizationName: "master"). Set useMatchingApplication: true, populate matchingApplication with the chosen result; set others false and their objects to null. The DTO's hasMatchingApplication flag is UNRELIABLE -- trust application_get_matching_list.hasMatching instead. *** CRITICAL -- BUILT-IN match REQUIRES entire-org scope. When the chosen match has organizationName: "master", you MUST set policyLevel.toEntireOrganization: true. Pairing a BUILT-IN with computer-scope returns HTTP 401 "Missing the '' permission" (misleading -- it's actually a body-shape error). Verified 2026-05-21. Tenant-owned matches and new apps use the default all-flags-false scope. (b) FALLBACK -- add to existing custom app (discover via application_get_for_application_options). Set useExistingApplication: true, populate existingApplication; others null. (c) LAST RESORT -- create new app. Set useNewApplication: true and newApplicationName to a non-null derived name (e.g. file stem title-cased: vlc.exe -> "VLC"). Null returns HTTP 417 'Must enter a name for a new application'. POLICY (policyConditions.ruleId): 0=manual rules, 1=Install Mode 1hr, 2=Learning Mode 1hr, 3=Monitor Mode 1hr. Set useExistingPolicy: true to reuse an existing policy (manualOptions then carries the rule criteria). SCOPE (policyLevel): default 'this computer' = ALL THREE flags false (toEntireOrganization/toComputerGroup/toComputer); scope is inferred from top-level computerId. Setting toComputer: true returns HTTP 417 'Provided applies to ID does not associate with a known OS type'. For computer group, set toComputerGroup: true and populate selectedComputerGroup (discover via computer_group_get_dropdown_by_organization_id). For entire-org, set toEntireOrganization: true. ACTION TYPE: for elevate set isElevationRequest: true and isExecutionRequest: false; for execute reverse. Both are spec-readOnly but MUST be sent matching the action. SHAPE: send null (not omit) for unused sub-objects -- matchingApplication, existingApplication, selectedComputerGroup, policyExpirationDate, elevationExpirationDate. Wrong shape = opaque HTTP 500. PERMISSIONS: API key user needs one of 'Approve for Entire Organization', 'Approve for Group', 'Approve for Single Computer', or 'Approve for Single Computer Application Only' in Administrators.