Define policy exception approval rules

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 2 minutes to read

    • Approval rules define the criteria (risk rating, policy or control objective) that is used for sending approval requests for an exception. Rules can be configured for an application and you can identify multiple levels of approvers, as needed.

    Before you begin

    Role required: sn_compliance.manager

    About this task

    You can configure approvals to be sent out automatically or manually after review.
    Note:
    When policy exceptions are created from upstream applications (from Vulnerability Response for example), the policy exception must have impacted controls present before you can request approval.

    For policy exceptions created using Policy and Compliance Management, exceptions can be requested for a policy without impacted controls being present, even if both policies and control objectives are added to the exception form. However, for policy exceptions created for control objectives alone, impacted controls must be present before you can request approval.

    Procedure

    1. Navigate to All > Policy and Compliance > Policy Exceptions > Approval Rule.
    2. Click New.
      Approval rules
    3. On the form, fill in the fields.
      Table 1. Approval Configuration form
      Field Description
      Type Defaults to Approval Rule.
      Name Enter a name for this approval configuration.
      Short description Provide a brief description of the purpose of the configuration.
      Source application Select the application for that applies to this approval rule. Only applications that have been previously added to the Integration Registry are listed.
      Active If this is selected, this approval rule is active.
      Risk rating The risk rating is determined by running a risk assessment on the policy exception.
      Policy Select the policy against which this policy exception is being applied.
      Control objective Select the control objective that references the selected policy.
      Auto-trigger approvals Select this check box to automatically trigger all approvals after the review is completed. If you do not select it, the compliance manager can manually trigger the approvals defined by this rule.
      Order Order defines the precedence of triggering this rule as compared to another rule that is applicable to the exception and defined with similar criteria.
    4. Click Update.

      The Approver Levels related list appears. This related list allows you to define multiple approver levels for a rule. One or more users, or a group of users can be selected as approvers for each level. Approvers must be assigned the survey_reader role. You can make it mandatory for all selected users to approve the exception or optionally allow a single user to approve on behalf of all approvers.

      Approver levels
    5. Click New.
      New approval level
    6. On the form, fill in the fields.
      Table 2. Approver Level form
      Field Description
      Name Enter a name for this approval level.
      Description Provide a brief description of the approval level.
      Required approval Select One approval required to allow a single user to approve on behalf of all approvers.

      Select All users must approve to make it mandatory that all designated users approve the selection.
      Users Select one or more users to act as policy exception approvers.
      Groups Select one or more groups to act as policy exception approvers.
      Note:
      Users who belong to the group must have GRC business user (sn_grc.business_user) role.
      Order Select the order to determine the sequence of levels used with respect to other levels (that is, order 1 is displayed first).
    7. Click Submit.
      If you selected the Auto-trigger approvals check box, the designated approvers are notified that their approvals are required. Alternatively, the approvers are notified when the compliance manager clicks the Send for Approval button.