Skip to content

Approvals and apply

Approval belongs to one plan, revision, workspace, provider connection, policy contract, and cost-evidence set. It is not a reusable permission.

Typical time
10 minutes to review window
You need
A successful reviewed plan
Outcome
An approved or explicitly blocked plan

Choose Run guardrails review. Review:

  • review status and risk score;
  • organization baseline, project rules, and workspace context;
  • policy findings and scanner evidence;
  • cost policy status and required acknowledgements;
  • approval gates and minimum approvals;
  • reviewer availability; and
  • review and plan expiry.

Approval 1 of 5 · Screenshot placeholder

Evaluate the plan guardrails

Show a synthetic Plan guardrails card with risk, policy alignment, cost state, gates, and expiry.

Future capture briefHide policies tied to customers, reviewers, comments, resource addresses, plan/revision/cost digests, and all scoped identifiers.

Step 2: Resolve findings and acknowledgements

Section titled “Step 2: Resolve findings and acknowledgements”

Fix blocking findings in source when practical and run a new plan. Where the product requires acknowledgement, review the finding or cost evidence and add a safe comment.

An acknowledgement records review; it does not convert a blocking rule into a pass unless the authoritative governance evaluation permits that path.

Approval 2 of 5 · Screenshot placeholder

Resolve findings and cost acknowledgements

Show synthetic findings with required acknowledgement and remediation guidance.

Future capture briefDo not capture customer code, addresses, costs, actors, comments, evidence references, or raw policy payloads.

Share the Review link with an eligible reviewer who already has project access. Reviewers can approve, reject, or comment through the current review.

The requester cannot approve their own governed request. Required reviewer groups and the organization approval floor must remain satisfiable.

Approval 3 of 5 · Screenshot placeholder

Collect approval from eligible reviewers

Show synthetic approval progress, reviewer-group gates, comment controls, and Approve/Reject actions.

Future capture briefReplace reviewer groups and actors. Hide emails, user IDs, comments, review URLs, and project/workspace/run identifiers.

Before apply, refresh the review and confirm:

  • status is APPROVED;
  • plan and review have not expired;
  • policy alignment is not STALE;
  • approval gates remain satisfied;
  • exceptions remain approved and unexpired;
  • cost evidence and acknowledgements still match; and
  • provider connection and environment are unchanged.

Any changed evidence requires a fresh plan review.

Approval 4 of 5 · Screenshot placeholder

Confirm the approval is current

Show an APPROVED review with satisfied gates and no stale, expired, or blocked notices.

Future capture briefHide evidence digests, reviewers, timestamps linked to customers, provider details, and run identities.

Choose Apply approved plan from the successful plan. Read the confirmation: the apply uses the exact approved plan and revision. Confirm only after rechecking guardrails, cost evidence, provider connection, and environment.

ScrinCloud creates a separate apply run linked to the approved plan. Monitor it to a terminal state and review resource-level execution evidence.

Approval 5 of 5 · Screenshot placeholder

Confirm and monitor the approved apply

Show the apply confirmation and a synthetic linked apply run.

Future capture briefNever show state, plan bodies, resource addresses, provider accounts, actors, approval evidence IDs, or live infrastructure output.

Emergency break-glass apply is not a shortcut for normal delivery. When the review makes it available:

  1. provide the incident reason and selected one-time scopes;
  2. record safe risk acceptance and rollback/monitoring context;
  3. complete required strong verification;
  4. obtain an independent Approve Break-Glass decision;
  5. use the one-time override before it expires or is revoked; and
  6. complete the required post-event review with outcome, notes, and follow-up actions.

Never place secrets, incident-sensitive payloads, or raw infrastructure data in break-glass comments.

Approval is complete only when the current review says APPROVED and every required gate, cost acknowledgement, policy exception, reviewer floor, and evidence binding is satisfied. Delivery is complete only after the linked apply run is separately verified.

Run a new plan and guardrails review. Do not attempt to revive the old approval.

Use a different eligible reviewer. This is an intentional separation-of-duties boundary.

Correct reviewer-group membership and minimum approvals. Do not lower the organization floor to unblock one plan.

The environment, policy, permissions, or review does not permit the emergency path. Continue through normal remediation and approval.