Before a policy can be published in Drata, it must be reviewed and approved by the appropriate people. This article explains how to prepare a policy, assign approvers, manage the approval process, and publish the policy once it’s approved.
What is policy approval?
Policy approval is the process where assigned approvers review and confirm that a policy is ready to be published. You can assign one or more approvers per policy and choose whether all or just one must approve. Approvers can be organized into tiers to control the order of review. Once all required approvals are complete, the policy can be published.
Approval settings can be edited at any time, but changes only apply to future approval cycles. Ongoing cycles continue uninterrupted.
The following table describes the main stages in the policy approval workflow:
Stage | Description |
Not started | The policy draft has not been finalized; approval has not begun. |
Needs Approval | The draft is finalized and waiting for one or more approvers to approve. |
Approved | If the policy requires multiple tiers of approval, Tier 1 must approve it first. Then, it moves to Tier 2. |
Changes Requested | An approver requested changes; the policy is in Needs Approval status. |
What is a tier?
You can create up to six tiers for any policy. A tier is a step in the approval process. Tiers allow you to organize approvers in a specific order—useful when input is needed from multiple departments.
When configuring a tier, you can:
Assign a name (e.g., "Legal Review")
Choose the approvers
Set the level of approval (all approvers vs. one approver required)
Set a time to approve (in days)
Example: Remote Work Policy
Let’s say you’re publishing a Remote Work Policy. You want:
Tier 1: HR to approve the policy language and employee requirements
Tier 2: Legal to approve compliance-related concerns
Tier 3: IT to approve technology and VPN access guidelines
Each tier must approve before the next group is notified. Once all tiers approve, the policy is ready to publish.
Prerequisite
Every policy must have a policy owner before approvers can be added.
Policies must be Finalized before the approval process can begin.
Policies in the Needs Approval status can’t be edited. The policy is waiting for the approvers to review and approve or request changes to the policy.
Roles and permissions
Actions | Who can do it |
Approve a policy | Approver |
Request changes | Approver |
Cancel approval | Policy owner |
Override approval | Policy owner |
Publish the policy | Policy owner |
BambooHR-specific requirements
If your company uses BambooHR for policy approvals:
Approvals are conducted outside of Drata
You can still publish policies in Drata after they’ve been approved in BambooHR
Configure approval settings
You can configure approval settings before or after finalizing a policy draft, but approval can only be started after finalizing the draft.
In the Overview tab, go to the Review and approval section
Select Edit approval settings
Approvers: Add the approvers.
Level of approval:
All approvers must approve
Only one approver must approve
Time to approve: Set the number of days to approve.
Add tier: Select Add tier to add a multi-level approval process (up to 6 tiers can be added). Rename the tier, if desired.
Save changes
You must finalize the policy draft and assign a policy owner before approval can start.
Step 1: Finalize your policy draft
Go to Policy Center.
Create or edit a policy.
Mark the draft as Finalized.
Choose whether the change is material or non-material.
If approval is required, proceed to the next section.
Step 2: Approvers review the policy
Navigate to the Policy Center. If needed, filter the table by the Needs Approval status and by Owner.
Select the policy you need to approve.
In the Overview tab, approvers can:
Select Approve to move the policy forward.
Select Request changes and enter the requested change.
If changes are requested:
Within the tier (if applicable), the other approvers cannot approve the policy.
The policy owner receives an email notification about the change request
The policy owner can either edit and re-finalize the draft to restart approval from the beginning, or override to move the policy forward.
Email notifications
Approvers are notified when it’s their turn to review the policy.
The policy owner is notified when changes are requested or when final approval is complete.
Admins and policy owners are notified if the approval is overridden.
Step 3: Publish the policy
Note: Only Policy Owners can publish a policy.
After all tiers approve, the policy status becomes Approved.
Go to the Policy Center and select the desired policy.
Then, select Publish.
The policy becomes live in My Drata for personnel acknowledgment and can impact monitoring tests and compliance.
Track approval progress
In the Overview tab under Review and approval, you can:
View approval status by tier
View who approved or requested changes
View what the requested change was.
Check deadlines
Edit approvers or the approval configurations.
Cancel approval
Only the policy owner can cancel an ongoing approval cycle
When canceled, the policy returns to Draft
Any automated approval tasks are removed from the Tasks dashboard
Override approval
Override allows a policy owner or admin to bypass the normal approval process and move the policy forward. For example:
A policy is waiting on Tier 2 approvers, but one is out on extended leave. The policy owner overrides Tier 2 to move the policy forward to Tier 3.
What happens when overridden:
The policy is marked Approved immediately
Remaining approval tasks are removed
The override is recorded in:
The approval card (in the Overview tab)
The version history (visible after publishing)
When you can override:
You can either:
Override just the current tier to move the policy forward to the next tier
Override the entire cycle to immediately mark the policy as approved
Who can override:
Policy owners
Admins
Edit your approved or published policies
You can edit policies in the Approved or Published statuses, but there are specific rules to follow in order to ensure compliance and proper version control.
Editing Rules by Status
To learn more about policy status, go to Policy Center overview. To learn more about editing your policies, go to Edit your policies.
Based on the policy status, the following table indicates who can edit the policy with additional notes.
Policy Status | Who Can Edit | Additional Notes |
Needs Approval | No one | Policies in this status are locked and cannot be edited. |
Approved | Only Policy Owners | Edits must be made by the Policy Owner and require selecting material or non-material changes. |
Published | Anyone | Edits create a new Draft version, moving the policy to the Draft status. |