Define policy exception approval rules

Release version: Australia

Updated March 12, 2026

2 minutes to read

Approval rules define the criteria (risk rating, policy or control objective) that is used for sending approval requests for an exception. Rules can be configured for an application and you can identify multiple levels of approvers, as needed.

Before you begin

Role required: sn_compliance.manager

About this task

You can configure approvals to be sent out automatically or manually after review.

Note:

When policy exceptions are created from upstream applications (from Vulnerability Response for example), the policy exception must have impacted controls present before you can request approval.

For policy exceptions created using Policy and Compliance Management, exceptions can be requested for a policy without impacted controls being present, even if both policies and control objectives are added to the exception form. However, for policy exceptions created for control objectives alone, impacted controls must be present before you can request approval.

You can also use the GRC Approval Configurator to configure policy exception rules. For more information, see Define policy exception and extension rules.

Procedure

Navigate to All > Policy and Compliance > Policy Exceptions > Approval Rule.
Click New.

On the form, fill in the fields.

Table 1. Approval Configuration form
Field	Description
Type	Defaults to Approval Rule.
Name	Enter a name for this approval configuration.
Short description	Provide a brief description of the purpose of the configuration.
Source application	Select the application for that applies to this approval rule. Only applications that have been previously added to the Integration Registry are listed.
Active	If this is selected, this approval rule is active.
Risk rating	The risk rating is determined by running a risk assessment on the policy exception.
Policy	Select the policy against which this policy exception is being applied.
Control objective	Select the control objective that references the selected policy.
Auto-trigger approvals	Select this check box to automatically trigger all approvals after the review is completed. If you do not select it, the compliance manager can manually trigger the approvals defined by this rule.
Order	Order defines the precedence of triggering this rule as compared to another rule that is applicable to the exception and defined with similar criteria.

Click Update.

The Approver Levels related list appears. This related list allows you to define multiple approver levels for a rule. One or more users, or a group of users can be selected as approvers for each level. Approvers must be assigned the survey_reader role. You can make it mandatory for all selected users to approve the exception or optionally allow a single user to approve on behalf of all approvers.
Click New.

On the form, fill in the fields.

Table 2. Approver Level form
Field	Description
Name	Enter a name for this approval level.
Description	Provide a brief description of the approval level.
Required approval	Select One approval required to allow a single user to approve on behalf of all approvers. Select All users must approve to make it mandatory that all designated users approve the selection.
Users	Select one or more users to act as policy exception approvers.
Groups	Select one or more groups to act as policy exception approvers. Note: Users who belong to the group must have GRC business user (sn_grc.business_user) role.
Order	Select the order to determine the sequence of levels used with respect to other levels (that is, order 1 is displayed first).

Click Submit.
If you selected the Auto-trigger approvals check box, the designated approvers are notified that their approvals are required. Alternatively, the approvers are notified when the compliance manager clicks the Send for Approval button.