
Approve and publish your policies

Learn how to approve and publish policies in Drata using assigned approvers.

Updated over a week ago

Before a policy can be published in Drata, it must be reviewed and approved by the appropriate people. This article explains how to prepare a policy, assign approvers, manage the approval process, and publish the policy once it’s approved.

What is policy approval?

Policy approval is the process where assigned approvers review and confirm that a policy is ready to be published. You can assign one or more approvers per policy and choose whether all or just one must approve. Approvers can be organized into tiers to control the order of review. Once all required approvals are complete, the policy can be published.

Approval settings can be edited at any time, but changes only apply to future approval cycles. Ongoing cycles continue uninterrupted.

The following table describes the main stages in the policy approval workflow:

| Stage | Description |
| --- | --- |
| Not started | The policy draft has not been finalized; approval has not begun. |
| Needs Approval | The draft is finalized and waiting for one or more approvers to approve. |
| Approved | If the policy requires multiple tiers of approval, Tier 1 must approve it first. Then, it moves to Tier 2. Once all required approvers have approved, the policy is ready to publish. |
| Changes Requested | An approver requested changes; the policy is in Needs Approval status. The Policy Owner can either edit the policy, creating a draft that can be finalized and resubmitted for approval, or override the policy approval (aka requested changes) to move the policy forward as-is. |

What is a tier?

You can create up to six tiers for any policy. A tier is a step in the approval process. Tiers allow you to organize approvers in a specific order—useful when input is needed from multiple departments.

When configuring a tier, you can:

  • Assign a name (e.g., "Legal Review")

  • Choose the approvers

  • Set the level of approval (all approvers vs. one approver required)

  • Set a time to approve (in days)

Example: Remote Work Policy

Let’s say you’re publishing a Remote Work Policy. You want:

  • Tier 1: HR to approve the policy language and employee requirements

  • Tier 2: Legal to approve compliance-related concerns

  • Tier 3: IT to approve technology and VPN access guidelines

Each tier must approve before the next group is notified. Once all tiers approve, the policy is ready to publish.

Prerequisites

  • Every policy must have a policy owner before approvers can be added.

  • Policies must be Finalized before the approval process can begin.

  • Policies in the Needs Approval status can’t be edited. The policy is waiting for the approvers to review and approve or request changes to the policy.

Roles and permissions

| Actions | Who can do it |
| --- | --- |
| Approve a policy | Approver |
| Request changes | Approver |
| Cancel approval | Policy owner |
| Override approval | Policy owner |
| Publish the policy | Policy owner |

BambooHR-specific requirements

If your company uses BambooHR for policy approvals:

  • Approvals are conducted outside of Drata

  • You can still publish policies in Drata after they’ve been approved in BambooHR

Configure approval settings

You can configure approval settings before or after finalizing a policy draft, but approval can only be started after finalizing the draft.

  1. In the Overview tab, go to the Review and approval section

  2. Select Edit approval settings

    • Approvers: Add the approvers.

    • Level of approval:

      • All approvers must approve

      • Only one approver must approve

    • Time to approve: Set number of days to approve

    • Add tier: Select Add tier to add the multi-level tier approval process (up to 6 tiers can be added). Rename the tier, if desired.

  3. Save changes

You must finalize the policy draft and assign a policy owner before you can start to approve the policy.

Step 1: Finalize your policy draft

  1. Go to Policy Center.

  2. Create or edit a policy.

  3. Mark the draft as Finalized.

  4. Choose whether the change is material or non-material.

  5. If approval is required, proceed to the next section.

Step 2: Approvers review the policy

  1. Navigate to the Policy Center. If needed, filter the table by: Needs approval status and Owner.

  2. Select the policy you need to approve.

  3. In the Overview tab, approvers can:

    • Select Approve to move the policy forward.

    • Select Request changes and enter the requested change.

      • If changes are requested:

        • Within the tier (if applicable), the other approvers cannot approve the policy.

        • The policy owner receives an email notification about the change request

        • The policy owner can either edit and re-finalize the draft to restart approval from the beginning, or override to move the policy forward.

Email notifications

  • Approvers are notified when it’s their turn to review the policy.

  • The policy owner is notified when changes are requested or when final approval is complete.

  • Admins and policy owners are notified if the approval is overridden.

Step 3: Publish the policy

Note: Only Policy Owners can publish a policy.

  1. After all tiers approve, the policy status becomes Approved.

  2. Go to the Policy Center and select the desired policy.

  3. Then, select Publish.

The policy becomes live in My Drata for personnel acknowledgment and can impact monitoring tests and compliance.

Track approval progress

In the Overview tab under Review and approval, you can:

  • View approval status by tier

  • View who approved or requested changes

  • View what the requested change was.

  • Check deadlines

  • Edit approvers or the approval configurations.

Cancel approval

  • Only the policy owner can cancel an ongoing approval cycle

  • When canceled, the policy returns to Draft

  • Any automated approval tasks are removed from the Tasks dashboard

Override approval

Override allows a policy owner or admin to bypass the normal approval process and move the policy forward. For example:

  • A policy is waiting on Tier 2 approvers, but one is out on extended leave. The policy owner overrides Tier 2 to move the policy forward to Tier 3.

What happens when overridden:

  • The policy is marked Approved immediately

  • Remaining approval tasks are removed

  • The override is recorded in:

    • The approval card (in the Overview tab)

    • The version history (visible after publishing)

When you can override:

You can either:

  • Override just the current tier to move the policy forward to the next tier

  • Override the entire cycle to immediately mark the policy as approved

Who can override:

  • Policy owners

  • Admins

Edit your approved or published policies

You can edit policies in the Approved or Published statuses, but there are specific rules to follow in order to ensure compliance and proper version control.

Editing Rules by Status

To learn more about policy status, go to Policy Center overview. To learn more about editing your policies, go to Edit your policies.

Based on the policy status, the following table indicates who can edit the policy with additional notes.

| Policy Status | Who Can Edit | Additional Notes |
| --- | --- | --- |
| Needs Approval | No one | Policies in this status are locked and cannot be edited. |
| Approved | Only Policy Owners | Edits must be made by the Policy Owner and require selecting material or non-material changes. |
| Published | Anyone | Edits create a new Draft version, moving the policy to the Draft status. |
