The Rule Violation Mitigation Approval Process

The SOD tool has an optional, opt-in mitigation approval process. This feature lets you assign an approval role to specific rules, giving you tighter control over rule violation mitigations. At present it applies only to the Mitigation By Operator mitigation method.

Creating an Approval Role

Any user holding a role that is assigned the RuleMitigationApprove permission can approve a mitigation for any rule that has that role set as its Approver Role.

For example, I have created a custom role called Mitigation Approver and assigned it the RuleMitigationApprove permission. Users with this role can approve mitigation requests for rules that have it set as their Approver Role.

Assigning Approver Roles to Rules

Now, when editing an existing rule, fill in the Approver Role field if violations of this rule require mitigation approval. If violations no longer require approval, set the Approver Role field back to No approver.

Note that, as mentioned above, only roles with the RuleMitigationApprove permission are selectable in the Approver Role dropdown.

Creating a mitigation that requires approval

When performing a Mitigation By Operator, if the rule behind the potential mitigation has an Approver Role assigned, then once the user selects Update Operator Mitigations the rule violation mitigations are routed to the users holding that Approver Role, who can approve or reject them. In this example, any user with the custom Mitigation Approver role can approve or reject the mitigation.

If you created a mitigation by mistake, you can cancel it while it is still waiting for approval. The Cancel Mitigations tab lists all the mitigations you created that are waiting for approval. Note that you can only cancel mitigations that you created yourself.

To cancel a mitigation waiting for approval, select the mitigation(s) you want to cancel, add a comment if needed and click the Cancel button.

Approving a mitigation

If you log in as a user with a role that has the RuleMitigationApprove permission, you can select the Approve/Reject Mitigations tab to approve or reject rule violation mitigations. As when cancelling mitigations, select the mitigations you wish to approve (or reject), add an optional comment and click the Approve or Reject button.

Only once a mitigation has been approved is it marked as Currently Mitigated on the Mitigation By Operator screen and in the PowerBI SOD reports; until then it is not counted as mitigated.
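To make the authorization rules of this workflow concrete, here is a small Python model of them. It is an added example, not code from the SOD tool, and it assumes nothing about the tool's internals: the class, method, user and rule names (SodWorkflow, alice, bob, AP-01, AP-02) are invented, and only the RuleMitigationApprove permission, the Approver Role / No approver setting and the Currently Mitigated state come from the page. The model encodes the checks described above: only roles with RuleMitigationApprove are selectable as an Approver Role; a mitigation on a rule with an Approver Role waits for approval while one without takes effect immediately; only the creator can cancel a waiting mitigation; only a holder of the rule's Approver Role can approve or reject it; and only approved mitigations count as Currently Mitigated. The page does not say whether a user can approve a mitigation they created themselves, so the model adds no such check; confirm that behaviour in the tool before relying on the approval step as a control.

```python
# Model of the mitigation approval workflow described on this page. Added example,
# not the SOD tool's own code: every name except RuleMitigationApprove is invented.
from dataclasses import dataclass
from enum import Enum, auto
from typing import Dict, List, Optional, Set

RULE_MITIGATION_APPROVE = "RuleMitigationApprove"
NO_APPROVER: Optional[str] = None  # the "No approver" choice in the Approver Role field


class Status(Enum):
    PENDING = auto()    # waiting for approval
    APPROVED = auto()   # the only state shown as Currently Mitigated
    REJECTED = auto()
    CANCELLED = auto()


@dataclass
class Mitigation:
    mitigation_id: int
    rule_id: str
    created_by: str
    status: Status


class SodWorkflow:
    def __init__(self, role_permissions: Dict[str, Set[str]], user_roles: Dict[str, Set[str]]):
        self.role_permissions = role_permissions            # role -> permissions it grants
        self.user_roles = user_roles                        # user -> roles held
        self.rule_approver: Dict[str, Optional[str]] = {}  # rule -> its Approver Role
        self.mitigations: Dict[int, Mitigation] = {}

    def approver_roles(self) -> Set[str]:
        # The Approver Role dropdown offers only roles holding RuleMitigationApprove.
        return {r for r, p in self.role_permissions.items() if RULE_MITIGATION_APPROVE in p}

    def set_rule_approver(self, rule_id: str, role: Optional[str]) -> None:
        # Editing a rule: assign an Approver Role, or NO_APPROVER so violations need no approval.
        if role is not NO_APPROVER and role not in self.approver_roles():
            raise ValueError(f"{role!r} lacks {RULE_MITIGATION_APPROVE} and is not selectable")
        self.rule_approver[rule_id] = role

    def update_operator_mitigations(self, user: str, rule_id: str) -> Mitigation:
        # Mitigation By Operator: with an Approver Role the mitigation waits, otherwise it takes effect.
        needs_approval = self.rule_approver.get(rule_id) is not NO_APPROVER
        m = Mitigation(len(self.mitigations) + 1, rule_id, user,
                       Status.PENDING if needs_approval else Status.APPROVED)
        self.mitigations[m.mitigation_id] = m
        return m

    def cancellable(self, user: str) -> List[Mitigation]:
        # Cancel Mitigations tab: only the caller's own mitigations that are still waiting.
        return [m for m in self.mitigations.values()
                if m.created_by == user and m.status is Status.PENDING]

    def cancel(self, user: str, mitigation_id: int) -> bool:
        m = self.mitigations[mitigation_id]
        if m not in self.cancellable(user):
            return False            # refused: not the creator, or no longer waiting
        m.status = Status.CANCELLED
        return True

    def awaiting_approval(self, user: str) -> List[Mitigation]:
        # Approve/Reject Mitigations tab: pending mitigations on rules whose Approver Role the user holds.
        # Intersecting with approver_roles() also checks the role still carries the permission.
        mine = self.user_roles.get(user, set()) & self.approver_roles()
        return [m for m in self.mitigations.values()
                if m.status is Status.PENDING and self.rule_approver.get(m.rule_id) in mine]

    def decide(self, user: str, mitigation_id: int, approve: bool) -> bool:
        # Approve/Reject buttons: enforce the same check as the tab, not just hide the UI.
        m = self.mitigations[mitigation_id]
        if m not in self.awaiting_approval(user):
            return False
        m.status = Status.APPROVED if approve else Status.REJECTED
        return True

    def currently_mitigated(self) -> List[int]:
        # Ids the Mitigation By Operator screen and the PowerBI SOD reports show as Currently Mitigated.
        return sorted(i for i, m in self.mitigations.items() if m.status is Status.APPROVED)


def demo() -> Dict[str, object]:
    # Constructed scenario: an approver role, an operator, a rule with an approver and one without.
    wf = SodWorkflow({"Mitigation Approver": {RULE_MITIGATION_APPROVE}, "SOD Operator": set()},
                     {"alice": {"Mitigation Approver"}, "bob": {"SOD Operator"}})
    wf.set_rule_approver("AP-01", "Mitigation Approver")  # violations need approval
    wf.set_rule_approver("AP-02", NO_APPROVER)            # violations do not
    pending = wf.update_operator_mitigations("bob", "AP-01")  # id 1: waits for alice
    wf.update_operator_mitigations("bob", "AP-02")            # id 2: mitigated at once
    mistake = wf.update_operator_mitigations("bob", "AP-01")  # id 3: bob cancels it
    return {  # entries are evaluated top to bottom, so "before" really is before alice's approval
        "bob_cancels_own_mistake": wf.cancel("bob", mistake.mitigation_id),
        "alice_cancels_bobs_pending": wf.cancel("alice", pending.mitigation_id),
        "bob_approves_own": wf.decide("bob", pending.mitigation_id, approve=True),
        "mitigated_before_approval": wf.currently_mitigated(),
        "alice_approves": wf.decide("alice", pending.mitigation_id, approve=True),
        "mitigated_after_approval": wf.currently_mitigated(),
    }
```

Running demo() walks the scenario from the sections above: bob's mitigation on AP-02 is mitigated immediately because the rule has no approver, his mitigation on AP-01 waits, he can cancel his own mistaken request but neither cancel anything created by someone else nor approve his own, and AP-01 only joins the Currently Mitigated list after alice, who holds the rule's Approver Role, approves it. The point worth carrying into a real deployment is that decide() re-runs the same check as the tab rather than trusting that the UI hid the button.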