
Approving Sensitive Finding Changes

About this guide

A four-eyes governance gate that turns the most sensitive finding decisions into a two-party, audited record across draft, submit, approve, and reject.

This guide walks through PMAP’s approval workflow for sensitive finding status changes. It shows you which transitions are gated, how a request moves from draft to a final approve or reject, and how every decision is captured as durable audit evidence. You will work the flow from both the web interface and the REST API, so the same governance holds wherever your team operates.

Screenshot: the Approvals inbox at /approvals, with a ShieldCheck header, four mode pills, a target-status filter, and a request table with inline approve and reject controls.

It is written for security reviewers and approvers who own risk-acceptance decisions. By the end you will be able to run the complete request lifecycle, reject with a mandatory reviewer reason, prove that self-review is blocked, and drain the Approvals inbox while reading the per-finding timeline as an audit record.

Inside this guide

  • See exactly which status transitions are approval-gated and why they are treated as sensitive.
  • Trigger the gate from a status change and draft a clean approval request.
  • Approve or reject as an independent second reviewer, with a stored reason on every rejection.
  • Prove the four-eyes rule blocks a requester from approving their own request.
  • Work the Approvals inbox across its four queue modes and target-status filter.
  • Read the per-finding approval timeline and the ApprovalRequest record as audit evidence.
  • Handle request expiry, the pending-queue badge, and common error responses.

Before you start

  • A PMAP account inside your company scope with permission to read findings and review approval requests.
  • The approval workflow enabled for your tenant, since otherwise sensitive transitions apply immediately with no approval record.
  • At least one finding in a non-terminal status, such as in_progress, so a sensitive transition can be requested.
  • A second, genuinely independent reviewer, because the four-eyes rule requires that the approver is not the requester.
  • Familiarity with your risk-acceptance policy, since accepted_risk and false_positive are the decisions this gate most often protects.
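The lifecycle the two lists above describe, as an added example that is not PMAP's own code or API: a minimal approval-gate model in Python with gated transitions, a request that moves draft to pending to approved or rejected, the four-eyes check against self-review, a mandatory reason on rejection, request expiry, and an append-only audit trail per request. The status names other than accepted_risk, false_positive and in_progress, the seven-day request lifetime, the integer epoch-second timestamps, and the shape of the audit events are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumption: target statuses sensitive enough to need an independent second reviewer.
SENSITIVE_TARGETS = {"accepted_risk", "false_positive"}
# Assumption: findings in these statuses have finished their lifecycle.
TERMINAL_STATUSES = {"accepted_risk", "false_positive", "resolved"}
WEEK = 7 * 24 * 3600  # assumed default request lifetime, in seconds


class ApprovalError(Exception):
    """Raised when a request is driven outside its allowed lifecycle."""


@dataclass
class Finding:
    id: str
    status: str


@dataclass
class ApprovalRequest:
    finding_id: str
    from_status: str
    to_status: str
    requester: str
    created_at: int          # epoch seconds (assumed clock representation)
    ttl: int = WEEK
    state: str = "draft"     # draft -> pending -> approved | rejected | expired
    reviewer: Optional[str] = None
    reason: Optional[str] = None
    audit: list = field(default_factory=list)  # append-only decision trail

    def _record(self, actor: str, event: str, at: int, **extra) -> None:
        self.audit.append({"at": at, "actor": actor, "event": event, **extra})

    def expired(self, now: int) -> bool:
        return now >= self.created_at + self.ttl

    def submit(self, now: int) -> None:
        if self.state != "draft":
            raise ApprovalError(f"cannot submit from state {self.state}")
        self.state = "pending"
        self._record(self.requester, "submit", now, to_status=self.to_status)

    def _check_reviewable(self, reviewer: str, now: int) -> None:
        if self.state != "pending":
            raise ApprovalError(f"request is {self.state}, not pending")
        if self.expired(now):
            self.state = "expired"
            self._record("system", "expire", now)
            raise ApprovalError("request has expired; open a new one")
        if reviewer == self.requester:  # four-eyes rule: no self-review
            raise ApprovalError("self-review is blocked: approver must differ from requester")

    def approve(self, reviewer: str, now: int) -> None:
        self._check_reviewable(reviewer, now)
        self.state, self.reviewer = "approved", reviewer
        self._record(reviewer, "approve", now)

    def reject(self, reviewer: str, reason: str, now: int) -> None:
        self._check_reviewable(reviewer, now)
        if not reason.strip():
            raise ApprovalError("a reviewer reason is mandatory on rejection")
        self.state, self.reviewer, self.reason = "rejected", reviewer, reason.strip()
        self._record(reviewer, "reject", now, reason=self.reason)


def request_transition(finding: Finding, to_status: str, actor: str, now: int,
                       workflow_enabled: bool = True) -> Optional[ApprovalRequest]:
    """Non-sensitive changes apply at once; sensitive ones come back as a draft request."""
    if finding.status in TERMINAL_STATUSES:
        raise ApprovalError(f"finding {finding.id} is terminal ({finding.status})")
    if to_status not in SENSITIVE_TARGETS or not workflow_enabled:
        finding.status = to_status  # applied immediately; no approval record exists
        return None
    return ApprovalRequest(finding.id, finding.status, to_status, actor, now)


def apply_decision(finding: Finding, req: ApprovalRequest) -> str:
    """Only an approved request moves the finding; anything else leaves it untouched."""
    if req.state == "approved" and req.finding_id == finding.id:
        finding.status = req.to_status
    return finding.status


def pending_count(requests: list, now: int) -> int:
    """Inbox badge value: pending requests that have not timed out."""
    return sum(1 for r in requests if r.state == "pending" and not r.expired(now))


if __name__ == "__main__":
    f = Finding("F-1", "in_progress")
    req = request_transition(f, "accepted_risk", "alice", now=0)
    req.submit(now=0)
    try:
        req.approve("alice", now=60)  # requester cannot be the second pair of eyes
    except ApprovalError as err:
        print("blocked:", err)
    req.approve("bob", now=3600)
    print(apply_decision(f, req), req.audit)
```

Two design points carry over to any real implementation of this gate: the self-review check compares the reviewer against the requester stored on the request, not against whoever happens to hold the approver role, and a rejection without a reason is refused before any state changes, so the audit trail never records a decision without its justification. Expiry is evaluated lazily at review time here; a production system would also sweep the pending queue so the badge count does not include stale requests.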
