Contact

Service Management

Change Management

Plan, approve, implement, and review infrastructure changes through a structured ITIL lifecycle. Enforce CAB approvals, assess risk, track implementation windows, and complete post-implementation reviews to maintain operational stability.

Technical Manual
Status: Available

Prerequisites

  • Role with changes.view for viewing change records, the change calendar, and governance templates
  • Role with changes.manage for creating, submitting, implementing, and completing change records
  • Role with changes.approve for CAB approval or rejection of submitted changes
  • Role with settings.manage for creating change freeze windows and emergency overrides

Change types

Every change record is classified as one of three types. The type determines the approval workflow and level of documentation required.

TypeWhen to UseApproval
Standard Pre-approved, low-risk, routine changes that follow an established procedure. Examples: scheduled patch deployment, routine certificate rotation, user account provisioning. Auto-approved on creation. No CAB review required.
Normal Changes that carry moderate risk or affect shared infrastructure. Examples: server migration, firewall rule changes, software upgrades to production systems. Requires submission and CAB review before implementation can begin.
Emergency Urgent changes needed to resolve active incidents or critical vulnerabilities. Examples: hotfix for a production outage, emergency security patch, break-glass access change. Requires CAB review, but can be fast-tracked. A Post-Implementation Review (PIR) is strongly recommended.
Auto-creation from other modules Change records can be automatically created by patch deployments, remediation actions, and workflows. These auto-created changes include a source reference linking back to the originating record.

Change lifecycle

Every change record follows a structured status workflow. The available transitions depend on the current status.

Draft Submitted Reviewing Approved Scheduled Implementing Review Closed Rejected PIR required No PIR Rework

Status descriptions

DraftInitial state. The change is being planned. Fill in the implementation plan, rollback plan, test plan, and schedule before submitting.
SubmittedThe change has been submitted for review. CAB members are automatically notified. Awaiting review or approval.
ReviewingThe Change Advisory Board is actively reviewing the change. The change can be approved or rejected from this state.
ApprovedCAB has approved the change. It can now be scheduled or implementation can begin immediately.
RejectedCAB has rejected the change with notes explaining why. The change can be returned to Draft for rework and resubmission.
ScheduledThe change is approved and scheduled for a specific maintenance window. Visible on the change calendar.
ImplementingImplementation is in progress. The actual start time is recorded automatically.
ReviewImplementation is complete and a Post-Implementation Review is required. This state only appears when PIR is enabled for the change.
ClosedThe change is fully complete. If PIR was required, it has been submitted. The linked ticket is resolved automatically.

Creating a change record

Change records capture the full context of a planned change: what is being changed, why, the risk involved, and how to roll back if something goes wrong.

  1. Navigate to Change Management from the sidebar.
  2. Click Create Change.
  3. Enter a descriptive Title that summarizes the change.
  4. Select the Organization where the change will take effect.
  5. Choose the Change Type: Standard, Normal, or Emergency.
  6. Set the Risk Level based on your assessment (see Risk Assessment below).
  7. Fill in the Implementation Plan with step-by-step instructions for carrying out the change.
  8. Fill in the Rollback Plan describing how to revert the change if it fails.
  9. Fill in the Test Plan describing how to verify the change was successful.
  10. Set the Scheduled Start and Scheduled End times for the maintenance window.
  11. Toggle CAB Required if the change needs Change Advisory Board approval (enabled by default for Normal and Emergency changes; disabled for Standard changes).
  12. Toggle PIR Required if a Post-Implementation Review should be completed after implementation.
  13. Click Save. A ticket number is automatically generated (e.g., CHG-001).

Risk assessment

Every change record includes a risk level that reflects the potential impact of the change on the environment. Set the risk level based on these guidelines:

Risk LevelCriteriaExamples
Low Minimal impact, easily reversible, affects non-critical systems Documentation update, non-production config change, adding a monitoring alert
Medium Moderate impact, reversible with some effort, affects limited production systems Application update on a single server, firewall rule addition, scheduled patch deployment
High Significant impact, rollback may require downtime, affects multiple production systems Database migration, network topology change, OS upgrade on production servers
Critical Major impact, rollback is complex or risky, affects core infrastructure or many users Data center migration, authentication system change, core network switch replacement

Impact analysis

After creating a change, you can run an Impact Analysis to identify affected hosts and host groups. The analysis traverses the host group dependency graph to find all downstream systems that could be impacted by the change. The result includes a total affected count and may adjust the risk level based on the scope of impact.

CAB approval process

The Change Advisory Board (CAB) reviews Normal and Emergency changes before implementation can begin. The CAB process ensures changes are properly assessed, planned, and authorized.

  1. The change author completes the change record in Draft status with all required fields (implementation plan, rollback plan, schedule).
  2. The author clicks Submit for Review. The status moves to Submitted.
  3. All users with the changes.approve permission in the same account are automatically notified that a change requires review.
  4. A CAB member reviews the change details, risk assessment, implementation plan, and rollback plan.
  5. The CAB member either Approves or Rejects the change, optionally adding notes explaining the decision.
  6. If approved, the change moves to Approved and can proceed to implementation.
  7. If rejected, the change moves to Rejected. The rejection notes explain what needs to be addressed. The author can return the change to Draft, make corrections, and resubmit.

Who can approve

Any user whose role includes the changes.approve permission can approve or reject changes. Account Administrators have this permission implicitly. The system records who approved or rejected the change and when the decision was made.

Standard changes bypass CAB Standard changes are auto-approved on creation because they follow pre-approved procedures. They do not require CAB review and skip directly to the Approved state.

Implementation tracking

Once a change is approved (or scheduled), track the implementation through start and completion.

  1. When you are ready to begin the change, click Start Implementation. The status moves to Implementing and the actual start time is recorded.
  2. Carry out the change according to the implementation plan.
  3. When implementation is complete, click Complete Implementation.
  4. If PIR is required, the status moves to Review (pending Post-Implementation Review).
  5. If PIR is not required, the status moves directly to Closed and the linked ticket is resolved.

Both the scheduled times (planned) and actual times (recorded at start/complete) are tracked, allowing you to compare planned vs. actual implementation windows.

Source tracking

Change records that were automatically created by other modules (patch deployments, remediation actions, workflows) include a source reference. This allows you to trace the change back to its origin and understand the full context of why the change was initiated.

Post-Implementation Review (PIR)

A PIR captures the outcome of a change after implementation is complete. PIRs are required for Emergency changes and optional for Normal changes. They provide a structured record of what happened and lessons learned.

  1. After implementation is marked complete, the change moves to Review status (if PIR is required).
  2. Navigate to the change record and click Submit PIR.
  3. Select the Outcome from the list below.
  4. Enter PIR Notes with details about what went well, what went wrong, and lessons learned.
  5. Click Submit. The change moves to Closed and the linked ticket is resolved.

PIR outcomes

SuccessfulThe change was implemented as planned with no issues. All success criteria were met.
Partially SuccessfulThe change was implemented but with some deviations or minor issues that did not require rollback.
FailedThe change did not achieve its objectives. Issues were encountered that could not be resolved during the implementation window.
Rolled BackThe change was implemented but had to be reverted using the rollback plan due to issues discovered during or after implementation.
Emergency change PIR Emergency changes that are linked to an incident record include a PIR due date. This ensures post-incident review is completed in a timely manner even when the initial change was expedited.

Change freeze windows

Change freeze windows block automated changes during sensitive periods such as quarter-end, audit windows, or deployment freezes. When a freeze is active, the patch engine and remediation engine hold all changes.

  1. Navigate to Settings > Change Freeze.
  2. Click Create Freeze Window.
  3. Select the target organization.
  4. Set the start and end dates/times (UTC).
  5. Select the Scope to control what is blocked.
  6. Enter a reason for the freeze.
  7. Click Save.

Freeze scopes

AllBlocks patches, deployments, and auto-remediation.
PatchesBlocks patch deployments only.
DeploymentsBlocks all deployments (patches and software installs).
RemediationBlocks auto-remediation only.

Emergency override

If an urgent change is needed during a freeze, users with settings.manage can issue an emergency override. The override requires a written justification, records who approved it and when, and creates a full audit trail. The freeze is deactivated but the override record is preserved.

Freeze and maintenance window interaction Change freezes override maintenance windows. If a freeze is active, patches will not deploy even if a maintenance window is currently open.

Governance templates

Governance templates define the approval gates and notice requirements for change records. They enforce a consistent review process across the organization, scaled to the maturity level of your change management practice.

Maturity levels

LevelDescriptionTypical Gates
Minimal Lightweight process for small teams. Peer review is optional. Peer review (optional)
Standard Balanced process for most organizations. Includes peer review, CAB review, and user notification. Peer review, CAB review, user notification
Enterprise Full governance for regulated or high-risk environments. Includes security review, functional owner sign-off, and formal CAB. Peer review, security review, functional owner, CAB review, user notification

Gates

Each template defines one or more approval gates. Gates can be marked as required (must be completed before the change can be approved) or optional (informational, tracked but not blocking).

Each gate can be configured with:

  • Approver Group — the assignment group responsible for completing this gate
  • Notification Group — the group that receives a notification when this gate is reached
  • Auto-approve Timer — if set, the gate is automatically approved after the specified number of minutes without action
  • Advance Notice — how many minutes before the scheduled start time to send a notification

Notice period enforcement

Templates can enforce a minimum notice period (default: 48 hours). If a change is scheduled to start within the notice period, it cannot be approved unless an override reason is provided. This ensures stakeholders have adequate time to prepare for the change.

Setting a default template

One template per account can be marked as the default. When a new change record is created, the default template is automatically applied. Only one template can be the default at a time — setting a new default clears the previous one.

Template protection A governance template cannot be deleted if any change records reference it. Unlink the change records from the template before deleting it.

Change calendar

The Change Calendar provides a unified timeline view of all scheduled activity across your organization. It combines three event types into a single calendar view:

Event TypeColorSource
Changes Blue Scheduled change records (Normal, Emergency, Standard)
Maintenance Windows Green Active maintenance windows (recurring schedules expanded into individual occurrences)
Change Freezes Red Change freeze windows (active, inactive, or overridden)

Use the calendar to spot scheduling conflicts between changes and freeze windows, ensure changes are planned within maintenance windows, and coordinate across teams.

Date range limit The calendar supports a maximum date range of 366 days per query. For longer time ranges, query in segments.

Field reference

Change record fields

TitleShort description of the change (up to 512 characters). This appears on the linked ticket and in the change calendar.
Change TypeStandard, Normal, or Emergency. Determines the approval workflow.
Risk LevelLow, Medium, High, or Critical. Reflects the potential impact on the environment.
StatusCurrent lifecycle state (Draft, Submitted, Reviewing, Approved, Rejected, Scheduled, Implementing, Review, Closed).
Implementation PlanStep-by-step instructions for carrying out the change.
Rollback PlanInstructions for reverting the change if problems occur.
Test PlanHow to verify the change was successful after implementation.
Scheduled Start / EndThe planned implementation window. Visible on the change calendar.
Actual Start / EndThe real implementation times, recorded when you click Start Implementation and Complete Implementation.
CAB RequiredWhether Change Advisory Board approval is needed. Automatically disabled for Standard changes.
CAB DecisionThe CAB verdict: Approved or Rejected, with the reviewer's name, timestamp, and notes.
PIR RequiredWhether a Post-Implementation Review must be submitted before the change can close.
PIR OutcomeThe result of the PIR: Successful, Partially Successful, Failed, or Rolled Back.
PIR NotesFree-text notes from the post-implementation review (lessons learned, issues encountered).
Ticket NumberAuto-generated identifier (e.g., CHG-001) linking the change to the unified ticket system.
Governance TemplateThe governance template applied to this change, if any. Determines required gates and notice periods.
Assignment GroupThe team responsible for implementing the change.

Permissions reference

ActionPermission
View change records, calendar, governance templateschanges.view
Create, submit, implement, and complete change recordschanges.manage
Approve or reject changes (CAB)changes.approve
Run impact analysis on a changechanges.manage
Create/edit/delete governance templateschanges.manage
Create/delete change freeze windowssettings.manage
Emergency override of change freezesettings.manage

Troubleshooting

IssueCauseSolution
Cannot submit change for review The change is not in Draft status Only changes in Draft can be submitted. If the change was rejected, return it to Draft first, then resubmit.
Cannot approve change The change is not in Submitted or Reviewing status Changes can only be approved from Submitted or Reviewing states. Check the current status.
Approval blocked by governance gates Required gates on the governance template have not been completed Complete all required gates listed in the error message before attempting approval.
Approval blocked by notice period The scheduled start is within the template's notice period (default: 48 hours) Either reschedule the change further out, or provide a Notice Override Reason on the change record to proceed.
Cannot start implementation The change is not in Approved or Scheduled status The change must be approved by CAB before implementation can begin. Standard changes are auto-approved.
Change is stuck in Review status PIR is required but has not been submitted Submit a Post-Implementation Review with an outcome and notes to close the change.
Cannot delete governance template Change records still reference the template Unlink all change records from the template before deleting it. The error message shows how many records reference it.
Change freeze blocking deployments An active change freeze window covers the current time Wait for the freeze to end, or request an emergency override from a user with settings.manage.
No CAB notifications sent No users in the account have the changes.approve permission Assign the changes.approve permission to at least one role and ensure users are assigned to that role.