Change Management

Change Types

StackFlow implements the ITIL change management framework with three change types, each with different approval requirements and risk profiles. The change type is selected during creation and determines the workflow path.

⚙️ Minimum Requirements

DynamoDB: StackFlow_Change table with GSI on status and cabDate
SES: CAB notification emails require cab-notifications@stackflow-tech.com verified in SES
SNS Topic: stackflow-change-approvals for approval request notifications
Assignment Groups: CAB group must exist in StackFlow_AssignmentGroup with type: CAB
Workflow: At least one active change workflow in StackFlow_Workflow with type: change_approval

Type	Description	CAB Required	Approval SLA
Standard	Pre-approved, low-risk routine changes	No	Auto-approved
Normal	Regular changes requiring CAB review	Yes	5 business days
Emergency	Urgent changes to restore service	ECAB	2 hours

CAB Process

The Change Advisory Board (CAB) is the approval body for Normal changes. StackFlow's CAB module provides a weekly meeting agenda automatically populated with all pending Normal changes, their risk scores, and implementation plans. CAB members review and vote on changes asynchronously via the portal or email-based approval.

The Emergency CAB (ECAB) is a subset of the full CAB (typically just management and the on-call lead) that can approve Emergency changes out of band. ECAB approvals require a minimum of two approvers and a post-implementation review within 48 hours.

CAB Calendar: CAB meeting schedules are configured in Workflows → Business Hours → CAB Schedule. Changes submitted after the cutoff time for a weekly CAB meeting are automatically deferred to the following week's agenda.

Risk Assessment

Every Normal and Emergency change requires a risk assessment. StackFlow calculates an automated risk score based on the affected CIs (from Neptune impact analysis), time of change (business hours vs. maintenance window), and historical change success rates for the assignment group.

{
  "risk_assessment": {
    "automated_score": 72,
    "risk_level": "High",
    "factors": {
      "affected_ci_criticality": "Critical (production database)",
      "blast_radius_cis": 23,
      "change_window": "Business hours (not recommended for High risk)",
      "group_success_rate": "94% (last 30 days)",
      "similar_change_failures": 1
    },
    "recommendation": "Schedule during maintenance window. Consider Blue/Green deployment."
  }
}

Approval Workflow

The change approval workflow is configurable per change type, risk level, and affected CI class. Multi-stage approvals can require sequential or parallel sign-offs from different stakeholders. The workflow engine sends approval request notifications via email and in-portal notifications.

curl -X POST   https://your-instance.stackflow-tech.com/prod/api/changes/CHG0000456/approve   -H "Authorization: Bearer $TOKEN"   -H "Content-Type: application/json"   -d '{"decision": "approved", "notes": "Risk mitigation plan looks solid. Approved for maintenance window."}'

Implementation & Review

After CAB approval, the change moves to the Scheduled state. Implementation tasks are created as sub-tasks linked to the change. A post-implementation review (PIR) is automatically scheduled for 48 hours after the scheduled end time. The PIR captures whether the change achieved its objectives and any lessons learned.

← Previous

Problem Management

Root cause analysis and KEDB

Service Requests

Request fulfillment and RITM