Multi-Stakeholder Approvals
Overview
Require approval from security, compliance, or other teams before policies go live. This ensures multiple eyes review governance changes.
Setup Approval Requirements
- Go to Settings → Governance → Approval Settings
- Require Approval For: select what needs approval
  - Policy creation
  - Policy modifications
  - Policy deployment
  - Firewall configuration changes
- Approvers: select users or roles who can approve
  - Specific people (e.g., “security-lead@company.com”)
  - Roles (e.g., “Security Team”, “Compliance Officer”)
- Number of Approvals Required: 1, 2, or 3
- Auto-Approve Timeout: auto-approve if no response within X days (optional)
- Click Save
Approval Workflow
Step 1: Create Policy
- Policy Creator writes and tests policy
- All tests pass
- Click Request Approval (instead of Deploy)
Step 2: Approval Notification
- Approvers Notified:
  - Email: “Policy ‘Block PII’ requires your approval”
  - Slack: Message in #security channel
  - In-app: Notification badge
- Approval Link: Click to review
Step 3: Review
- Approver reviews policy:
  - Purpose and description
  - Test cases and results
  - Impact analysis
  - Version history
- Decides: Approve or reject
Step 4: Approve
If approved:
- Click Approve
- Optional: Add comment “Looks good, tested with production data”
- If multiple approvers required, others are notified
- Once all approvals received, Deploy button appears
Step 5: Deploy
- Policy Creator can now click Deploy
- Policy goes live
- Approval history tracked in audit trail
Rejection Workflow
If an approver has concerns:
- Click Request Changes
- Add comment explaining issue:
  - “False positive rate too high”
  - “Need clarification on scope”
  - “Conflicts with existing policy”
- Policy Creator gets notification
- Revises policy
- Resubmits for approval
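The five steps and the rejection path above form a small state machine. The following is an added example (not the product's own code) that models it in Python: a request moves from draft to pending, collects approvals only from users who hold an approver role for that change type, becomes deployable once the configured number of approvals is recorded, and drops back to changes_requested when a reviewer asks for changes. It is driven by a dictionary in the same shape as the approval_workflows YAML in the Role-Based Approval section; the role membership table and every user name are constructed sample data, and the rule that a requester may never review their own change is an added separation-of-duties assumption, not something the page states.

```python
"""Approval-workflow state machine (added example, not the product's own code).
Models Request Approval -> Review -> Approve / Request Changes -> Deploy, driven
by a config shaped like the approval_workflows YAML; names are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Same shape as the page's approval_workflows YAML, loaded as a Python dict.
APPROVAL_WORKFLOWS = {
    "policy_creation": {"requires_approval": True, "approvers_required": 2,
                        "approvers": ["security_team", "engineering_lead"]},
    "policy_modification": {"requires_approval": True, "approvers_required": 1,
                            "approvers": ["policy_author"]},  # original author reviews
    "firewall_config_change": {"requires_approval": True, "approvers_required": 3,
                               "approvers": ["cto", "security_lead", "compliance_officer"]},
    "rule_deployment": {"requires_approval": False},
}

# Constructed directory: which users hold which approver role.
ROLE_MEMBERS = {
    "security_team": {"sarah", "omar"},
    "engineering_lead": {"priya"},
    "cto": {"dana"},
    "security_lead": {"sarah"},
    "compliance_officer": {"lee"},
}


@dataclass
class ApprovalRequest:
    change_type: str      # key into APPROVAL_WORKFLOWS
    requester: str        # the Policy Creator who clicks Request Approval
    policy_author: str    # original author of the policy being changed
    state: str = "draft"  # draft -> pending -> approved -> deployed, or changes_requested
    approvals: dict = field(default_factory=dict)  # approver -> comment
    history: list = field(default_factory=list)    # audit trail, oldest first

    @property
    def workflow(self):
        return APPROVAL_WORKFLOWS[self.change_type]

    def _log(self, actor, event):
        self.history.append(f"{datetime.now(timezone.utc):%b %d, %H:%M} - {actor} {event}")

    def submit(self):
        """Request Approval, or resubmit after changes were requested."""
        if self.state not in ("draft", "changes_requested"):
            raise ValueError(f"cannot submit from state {self.state!r}")
        self.approvals.clear()  # assumption: a revised policy starts with zero approvals
        if self.workflow["requires_approval"]:
            self.state = "pending"
            self._log(self.requester, "submitted for approval")
        else:
            self.state = "approved"
            self._log(self.requester, "submitted; no approval required")

    def _eligible(self, user):
        for role in self.workflow.get("approvers", []):
            members = {self.policy_author} if role == "policy_author" else ROLE_MEMBERS.get(role, set())
            if user in members:
                return True
        return False

    def _check_reviewer(self, user):
        if self.state != "pending":
            raise ValueError(f"request is {self.state!r}, not pending")
        if user == self.requester:  # separation of duties (added assumption)
            raise PermissionError("a requester cannot review their own change")
        if not self._eligible(user):
            raise PermissionError(f"{user} holds no approver role for {self.change_type}")

    def approve(self, user, comment=""):
        self._check_reviewer(user)
        if user in self.approvals:
            raise ValueError(f"{user} has already approved")
        self.approvals[user] = comment
        needed = self.workflow["approvers_required"]
        self._log(user, f"approved ({len(self.approvals)}/{needed})")
        if len(self.approvals) >= needed:
            self.state = "approved"  # all approvals received: Deploy becomes available

    def request_changes(self, user, comment):
        self._check_reviewer(user)
        self.state = "changes_requested"
        self._log(user, f"requested changes: {comment!r}")

    @property
    def can_deploy(self):
        return self.state == "approved"

    def deploy(self, user):
        if not self.can_deploy:
            raise ValueError("deploy requires all approvals to be recorded")
        if user != self.requester:
            raise PermissionError("only the Policy Creator deploys the policy")
        self.state = "deployed"
        self._log(user, "deployed policy to production")
```

Two design points worth checking against your own deployment: approvals are cleared on resubmission, so a reviewer who approved the earlier draft has to look at the revised one again; and the self-review check means that, for policy_modification, an author editing their own policy has no eligible reviewer, so that change type needs a second role in its approvers list if authors are allowed to modify their own policies.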
Role-Based Approval
Different roles require different approvers:
```yaml
approval_workflows:
  policy_creation:
    requires_approval: true
    approvers_required: 2
    approvers: ["security_team", "engineering_lead"]

  policy_modification:
    requires_approval: true
    approvers_required: 1
    approvers: ["policy_author"]  # Original author reviews changes

  firewall_config_change:
    requires_approval: true
    approvers_required: 3
    approvers: ["cto", "security_lead", "compliance_officer"]

  rule_deployment:
    requires_approval: false  # Custom rules don't need approval
```
Approval Templates
Pre-define common approval requirements:
Template: Low-Risk Change
- 1 approval required
- From: Security team
- Auto-approve after: 48 hours
Template: Medium-Risk Change
- 2 approvals required
- From: Security + Engineering
- Auto-approve after: 72 hours
Template: High-Risk Change
- 3 approvals required
- From: CTO + Security + Compliance
- No auto-approve
Managing Approvers
Add/Remove Approvers
- Go to Settings → Teams → Security
- Members: Add/remove users
- These users automatically become approvers
Designate Backup Approver
If the primary approver is unavailable:
- Approval Settings → Escalation
- If no approval in X days, escalate to backup
- Backup gets notification
- Backup can then approve/reject
Approval History
Track all approvals:
- Go to Governance → Policies → [Policy]
- Click History tab
- See timeline:
  - When policy created
  - When submitted for approval
  - Who reviewed and when
  - Approval/rejection comments
  - When deployed
Example:
```text
Mar 13, 10:45 - John created "Block PII" policy
Mar 13, 11:00 - John submitted for approval
Mar 13, 11:30 - Sarah reviewed, requested changes
                Comment: "Test case 3 needs more detail"
Mar 13, 14:15 - John resubmitted with test case detail
Mar 13, 14:20 - Sarah approved
Mar 13, 15:00 - John deployed policy to production
```
Automatic Approvals
Auto-approve under certain conditions:
```yaml
auto_approval:
  enabled: true

  rules:
    # Small changes auto-approve
    - if: "policy_lines_changed < 10"
      then: "auto_approve"

    # Low-risk policy types auto-approve
    - if: "policy_type == 'allowlist'"
      then: "auto_approve"

    # Revert to previous version auto-approves
    - if: "action == 'rollback'"
      then: "auto_approve"

    # After 72 hours, auto-approve
    - if: "time_pending > 72 hours"
      then: "auto_approve"
```
Approval SLA
Track approval turnaround:
SLA Targets:
- Low-risk: Approval within 24 hours
- Medium-risk: Approval within 48 hours
- High-risk: Approval within 5 business days
Dashboard shows:
- Average approval time
- % of policies approved on time
- Bottlenecks (approvers delaying)
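The auto_approval rules in the Automatic Approvals section are string conditions, and the natural mistake when implementing them is to hand them to eval(). The following is an added example (not the product's own code) of evaluating those exact four rules against a pending request with a tiny fixed grammar instead: one field, one comparison operator, and a quoted string, number or duration on the right. The request attribute names and the first-match-wins ordering are assumptions; a rule whose field is missing from the request, or whose value has a different type than the attribute, never matches, so the fallback is always human review.

```python
"""Auto-approval rule evaluator (added example, not the product's own code).
Evaluates the `if:` conditions from the auto_approval YAML against a pending
request without eval(); attribute names and rule ordering are assumptions."""
import re
from datetime import timedelta

# Same content as the page's auto_approval YAML, loaded as a Python dict.
AUTO_APPROVAL = {
    "enabled": True,
    "rules": [
        {"if": "policy_lines_changed < 10", "then": "auto_approve"},
        {"if": "policy_type == 'allowlist'", "then": "auto_approve"},
        {"if": "action == 'rollback'", "then": "auto_approve"},
        {"if": "time_pending > 72 hours", "then": "auto_approve"},
    ],
}

# Grammar assumed for conditions: <field> <op> <value>, nothing else.
_COND = re.compile(r"^\s*([A-Za-z_]\w*)\s*(==|!=|<=|>=|<|>)\s*(.+?)\s*$")
_DURATION = re.compile(r"^(\d+(?:\.\d+)?)\s*(minute|hour|day)s?$")
_OPS = {
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
}


def parse_value(text):
    """Right-hand side of a condition: quoted string, duration, or number."""
    if len(text) >= 2 and text[0] == text[-1] and text[0] in "'\"":
        return text[1:-1]
    m = _DURATION.match(text)
    if m:
        return timedelta(**{m.group(2) + "s": float(m.group(1))})
    try:
        return int(text)
    except ValueError:
        return float(text)  # anything else raises ValueError: the rule is rejected


def parse_condition(cond):
    """Split 'field op value' into (field, comparison function, value)."""
    m = _COND.match(cond)
    if not m:
        raise ValueError(f"unsupported condition: {cond!r}")
    name, op, raw = m.groups()
    return name, _OPS[op], parse_value(raw)


def evaluate(config, request):
    """Return the matching rule's `then` value, or None when a human must review.

    Rules are checked in order and the first match wins (assumption). A rule
    whose field is absent from the request, or whose value cannot be compared
    with the request attribute, never matches: the safe default is human review.
    """
    if not config.get("enabled"):
        return None
    for rule in config["rules"]:
        name, compare, value = parse_condition(rule["if"])
        if name not in request:
            continue
        try:
            matched = compare(request[name], value)
        except TypeError:  # e.g. a bare number where a duration was expected
            continue
        if matched:
            return rule["then"]
    return None
```

Because parse_condition rejects anything outside the grammar, a malformed or unexpected rule string fails loudly at load time rather than silently auto-approving; pair that with logging which rule fired, since an auto-approved change still belongs in the audit trail.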
API for Approvals
Integrate with external systems:
```bash
# List pending approvals
curl -X GET http://localhost:5000/api/v1/governance/approvals/pending \
  -H "Authorization: Bearer $TOKEN"

# Approve a policy
curl -X POST http://localhost:5000/api/v1/governance/approvals/123/approve \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"comment": "Approved"}'

# Reject a policy
curl -X POST http://localhost:5000/api/v1/governance/approvals/123/reject \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"comment": "Needs revision"}'
```