Create Approval Rules

  • Release version: Zurich
  • Updated July 31, 2025
  • Configure approval rules that require one or more approvers to authorize an advanced response option before it is applied to a DLP incident.

    Before you begin

    Role required:
    • sn_dlir.admin
    • sn_dlir.analyst and sn_dlir.analyst_read

    About this task

    An approval rule is triggered when an end user selects a response option that is marked as Advanced on a DLP incident. When the rule's conditions match the incident fields, the system initiates an approval request and routes it to the configured approvers before the response option can be applied. If multiple rules match, the rule with the lowest Execution order value runs first.

    Procedure

    1. Navigate to All > DLP Administration > DLP Approval Rules.
    2. Select New.
    3. On the form, fill in the fields.
      Table 1. DLP Approval Rules form
      Field: Description
      Name: Name for the approval rule.
      Active: Option to indicate whether the approval rule is active.
      Execution order: Priority of the approval rule. When more than one rule matches, the rule with the highest priority (the lowest order value) is selected.

        The approval rule with the lowest number has the highest priority. To set the order of operation, enter a value. For example, 100, 200, 300, and so on.

        The default value is 100.

      Description: Unique description for the approval rule.
      Condition: Conditions in the condition builder. These conditions are based on the DLP incident table. To build a condition for the approval rule, select any of the incident fields.

        Use the lists and fields of the condition builder to set the filters for the first row.

        To add more conditions, select AND or OR.
        • If AND is selected, all conditions must be matched.
        • If OR is selected, either condition can be matched.

        To set a second filter condition, select New Criteria.

        For example, you can set the condition for this approval rule by selecting Integration Source, contains, Microsoft.

      Applicable for response options: Option to select the response options of type Advanced that this rule applies to.

        You can select multiple response options.

      Approver: Select how approvers are identified for this rule.
        • User Table: Selects an approver based on a field in the Users (sys_user) table, such as the incident assignee's manager.
        • Custom Approval List: Configures a multi-level approval chain with specific users or groups at each level.
      Approver identifier: This field appears when User Table is selected for the Approver option.

        Select the field used to identify the approver from the Users (sys_user) table.

      Number of levels: This field appears when User Table is selected for the Approver option.

        Enter a number in this field to define the levels of approval.

        For example, if 3 is entered in the Number of levels field and Manager is selected in the Approver identifier field, the approval request traverses three levels of approval.

      For example, your organization requires manager approval before a DLP analyst can apply the Block response option to any Microsoft DLP incident. Configure the rule as follows:
      • Condition: Integration Source | contains | Microsoft
      • Applicable for response options: Block
      • Approver: User Table
      • Approver identifier: Manager
      • Number of levels: 1
      When an analyst selects Block on a qualifying Microsoft DLP incident, the system creates an approval request and routes it to the analyst's manager. The response option is applied only after the manager approves.
    4. For the Approver option, select Custom Approval List.
    5. Select Submit.
    6. Verify that the Approval Levels related list appears on the form.
    7. In the Approval Levels section, select New.
    8. On the form, fill in the fields.
      Table 2. Approval Level form
      Field: Description
      Name: Name for the approval level.
      Active: Option to indicate whether the approval level is active.
      Level: The level for the approval rule. This field indicates the order in which the approval levels are executed when two or more levels are configured.

        The approval level with the lowest number has the highest priority.

        To set the level of operation, enter a value. For example, 100, 200, 300, and so on.

        The default value is 100.

      Approval Rule: Approval rule for which you want to define this configuration.

        This field is read-only.

      Description: Unique description for the approval level.
      Approvals required: Select an option to define whether approval is required from all the configured users or groups, or from any one user.
      Approvers: Option to select the approvers.
        1. Users and Groups:
          1. Users: Add a particular user from the list. You can add yourself or add a user by using their email address or the search option.
          2. Groups: Select the add icon to add a particular group from the list. You can also add a group by using the search option.
        2. Find by using script: You can use the script editor to customize and format the field values during the approval level creation. For example, you can use the email address field to identify the approver user.
    9. Select Submit.
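
The rule selection and User Table routing described in About this task and step 3, modelled in plain JavaScript as an added example (not ServiceNow code and not part of the original page). The field names integration_source and manager, the sample records, and the reading of Number of levels as a walk up the manager chain are assumptions.

```javascript
// Added illustration in plain JavaScript; not ServiceNow code. Field names
// (integration_source, manager) and all sample records are constructed.
function matchRow(incident, [field, op, value]) {
  const actual = String(incident[field] ?? "");
  if (op === "contains") return actual.includes(value);
  if (op === "is") return actual === value;
  throw new Error(`unsupported operator: ${op}`);
}

// AND: every row must match. OR: any row may match.
function matchesCondition(incident, { join, rows }) {
  const test = (row) => matchRow(incident, row);
  return join === "OR" ? rows.some(test) : rows.every(test);
}

// Active rules that cover the selected advanced response option and match the
// incident; the lowest Execution order value wins. null means no rule applies.
function selectRule(rules, incident, responseOption) {
  const hits = rules
    .filter((r) => r.active && r.responseOptions.includes(responseOption))
    .filter((r) => matchesCondition(incident, r.condition))
    .sort((a, b) => a.order - b.order);
  return hits[0] ?? null;
}

// Assumption: each level is the previous approver's value of the approver
// identifier field. A missing value or a loop ends the walk early, and the
// result is flagged incomplete so the gap is visible before the rule goes live.
function resolveApprovers(users, requester, rule) {
  const chain = [];
  let cur = requester;
  while (chain.length < rule.levels) {
    const next = users[cur]?.[rule.approverIdentifier];
    if (!next || next === requester || chain.includes(next)) break;
    chain.push(next);
    cur = next;
  }
  return { chain, complete: chain.length === rule.levels };
}

const MS = ["integration_source", "contains", "Microsoft"];
const RULES = [
  { name: "three-level", active: true, order: 200, levels: 3, approverIdentifier: "manager",
    responseOptions: ["Block"], condition: { join: "OR", rows: [MS] } },
  { name: "ms-block", active: true, order: 100, levels: 1, approverIdentifier: "manager",
    responseOptions: ["Block"], condition: { join: "AND", rows: [MS] } },
];
const USERS = { analyst: { manager: "lead" }, lead: { manager: "director" }, director: {} };
const INCIDENT = { integration_source: "Microsoft DLP" };
```

Both sample rules match the incident, and the one with Execution order 100 is selected; the three-level rule resolves only two approvers for the sample analyst, which is the kind of gap worth checking before relying on the rule.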