Article 9: The Approval Workflow
What happens after a reviewer submits
When a reviewer completes their account set and hits Submit, the review moves into the approval stage. Submission locks the reviewer's decisions — they can no longer change them unless an admin sends the review back.
The admin dashboard shows the account set status as Submitted and notifies the relevant admins that it's ready for their review.
Who can approve
Approval is an admin-level action. Any Ploy admin in your organisation with full access can approve submitted account sets.
Reviewers cannot approve their own submissions — the approval step is always a separate person, which is what makes it a meaningful attestation.
Reviewing a submitted account set
Admins reviewing a submission can see:
Every account and the decision the reviewer made
Any notes the reviewer added
Any evidence files the reviewer uploaded
Luna's original recommendation for each account (and whether the reviewer agreed or overrode it)
Approving
Once satisfied, the admin approves the account set. This:
Marks the account set as Approved and records who approved it and when
Triggers automated remediation for any accounts marked as not appropriate (see Article 10)
Checks whether all account sets across the review are now approved — if so, the review moves to Ready for Approval at the review level, and a final cycle-level approval step becomes available
Admins can approve multiple account sets at once using bulk selection — useful in large reviews where many sets are submitted close together.
Requesting a revision
If the admin has questions about a submission — a decision seems wrong, a note is unclear, or an account needs a second look — they can send the account set back to the reviewer with a Request Revision.
When requesting a revision, the admin writes a message explaining what they need the reviewer to reconsider. The reviewer receives a notification with the admin's message, and the account set reopens in their portal.
The reviewer can then update their decisions and resubmit.
There's no limit on revision rounds, but each one adds to the timeline — and the review's due date doesn't extend automatically.
Review-level vs account-set-level approval
It helps to understand there are two layers:
Layer | What it is |
|---|---|
Account set approval | An admin approves a specific reviewer's submitted set of decisions |
Review-level completion | Once all account sets in a review are approved, the review itself is marked complete |
Cycle completion | Once all reviews in the cycle are complete, the cycle closes and certificates are generated |
A cycle with ten reviews is complete only when all ten are approved. Individual reviews can be approved at different times — there's no requirement to approve everything simultaneously.
What the approval records
Every approval captures:
Which admin approved
The exact timestamp
The IP address the approval came from
This is the attestation record — it's what auditors will look at to confirm that a qualified person reviewed and signed off on the access decisions. See Article 12 for more on attestation and certificates.