Define policy exception verification rules

  • Release version: Australia
  • Updated March 12, 2026
  • 1 minute to read

    • The verification rule is used to verify the accuracy and completeness of a policy exception request prior to sending it out for approvals. You can define multiple levels of approvers for an application.

    Before you begin

    Role required:
    • sn_compliance.manager to create the policy exception verification rules
    • survey_reader to review and verify the questionnaire

    About this task

    Defining verification rules is an optional step. If you do not define verification rules or define them and do not activate them, approvals from the requester's team will not be required.

    You can also use the GRC Approval Configurator to configure policy exception rules. For more information, see Define policy exception and extension rules.

    Procedure

    1. Navigate to All > Policy and Compliance > Policy Exceptions > Verification Rule.
    2. Click New.
    3. On the form, fill in the fields.
      Table 1. Approval Configuration form
      Field Description
      Type Defaults to Verification Rule.
      Name Enter a name for this approval configuration.
      Short description Provide a brief description of the purpose of the configuration.
      Source application Select the application for that applies to this verification rule. Only applications that have been previously added to the Integration Registry are listed.
      Active If this is selected, this verification rule is active and the requester will have the option of requesting an initial approval prior to sending it to the compliance manager for approvals.
    4. Click Update.

      The Approver Levels related list appears. This related list allows you to define multiple approver levels for a rule. One or more users, or a group of users can be selected as approvers for each level. Approvers must be assigned the survey_reader role. You can make it mandatory for all selected users to approve the exception or optionally allow a single user to approve on behalf of all approvers.

      Approver levels
    5. Click Submit.
      When the policy exception record transitions to the Pending Verification state, the designated approvers are notified that their approval is required. If any fields in the policy exception request were not filled in by the requester (for example, the Policy or Control Objective), those fields become mandatory for the approvers. When the approvers have reviewed, completed, and approved the request, it transitions to the Analyze state and is assigned to the compliance manager for further analysis and approval.