Manage Waivers
Curation Waivers Approval Flow
1. Policy Configuration (Step 5)
In the final stage of policy creation, you must configure the waiver request options for blocked packages. There are three main options:
- Not Allowed: Waiver requests cannot be automatically made for this policy.
- Manually Approved: All waiver requests will require manual review and approval from the policy owner.
  - When this option is selected, you must designate a Decision Owner. This is a group of users who can review and approve or reject waiver requests. They will receive notifications when a waiver is requested.
  - The policy owner and decision owners must have the minimum required view permissions to access and review the relevant policy and package information.
- Automatically Approved: The system automatically approves waiver requests. This option is typically used for "soft block" policies like operational risks or licenses that require an opt-in decision. No decision owner needs to be assigned for this option.
Waivers on federated policies: On a follower instance, you can add package waivers and label waivers to federated policies to address site-specific needs. These waivers are local to the follower and are preserved when the controller updates the policy.
Time-Based Waivers
Waivers can be configured with an expiration duration, ensuring that approved exceptions are temporary and automatically revoked after a defined period. This prevents permanent security exceptions from accumulating and ensures that waived packages are periodically re-evaluated.
Configuring Time-Based Waivers in Policies
When creating or editing a policy, you can set a maximum waiver duration (in days) for both Manually Approved and Automatically Approved waiver configurations. This setting is available under the policy's Actions & Notifications step when Enforce Policy on Cached Packages is enabled.
- For Manually Approved policies: The maximum waiver duration defines the upper limit that decision owners can set when approving a waiver request. Decision owners can choose a shorter duration, but cannot exceed the policy maximum.
- For Automatically Approved policies: The maximum waiver duration defines the default duration applied to all auto-approved waivers.
- Duration range: Minimum 1 day, maximum 365 days.
- No duration set: If no time limit is configured, waivers are permanent.
Enabling time-based waivers automatically enables Enforce Policy on Cached Packages, as expired waivers must be enforced on cached packages to take effect.
Approving Waiver Requests with a Time Limit
When a decision owner reviews a pending waiver request for a policy that has a maximum waiver duration configured:
- Select Approve to add a waiver to the blocking policies.
- A Set time limit toggle appears. If the policy enforces a maximum duration, the time limit is mandatory.
- Enter the number of days.
- The computed expiry date is displayed.
- If no time limit is set and the policy allows it, the waiver is added permanently.
- Provide a justification reason and confirm.
When multiple decision owners approve the same waiver request with different durations, the shortest approved duration is applied.
Waiver Expiry Statuses
Each approved waiver displays an expiry status in the Waiver Management interface:
| Status | Description |
|---|---|
| Permanent | Waiver has no expiration date and remains active indefinitely |
| Expiring Soon | Waiver expires within the next 7 days — displayed with a countdown (e.g., "3 days left") |
| Expired | Waiver has expired — the package is once again subject to policy enforcement |
| N/A | Not applicable (rejected or blocked requests) |
What Happens When a Waiver Expires
When a time-based waiver reaches its expiration date:
- The waiver is automatically removed from the policy.
- The package becomes subject to policy enforcement again.
- If the package is cached, it will be blocked on the next download attempt (requires Enforce Policy on Cached Packages to be enabled).
- The waiver request moves to Closed Requests with an "Expired" status.
- A new waiver request can be submitted if the package is still needed.
Waiver Request Flow Initiation
Once the policy is configured, the waiver flow is initiated by the developer:
- If a package is blocked by specific policies, the developer runs the command:
  jf curation-audit
- The command will list all blocked packages and prompt the developer to request a waiver.
- The developer must specify which packages to request waivers for and describe why they want this package.
Based on the policy settings:
- Manual Approval: A request will be created, and the policy owner will receive an email for review. The policy owner must have the minimum required view permissions to access the request and evaluate the blocked package and policy details.
- Automatic Approval: The waiver will be granted automatically, allowing the developer to proceed without issues. If the policy has a default waiver duration, the auto-approved waiver will automatically expire after the configured period.
Waiver Management Interface
- Pending Requests:
  - A toggle at the top allows owners to view only requests assigned to them or all requests in the system.
  - Clicking a request displays the developer who requested it, the policies blocking it, and the owner assigned to those policies.
- Multiple Considerations:
  - Multiple policies can block a single package.
  - More than one owner may be required for a specific request (e.g., a legal team for one policy, a technical team for another).
- Closed Requests:
  - This section shows all approved, rejected, automatically approved, and expired requests.
  - Users can audit the system to see detailed logs of who approved or rejected requests, the waiver duration set, and when those actions were taken.
  - An approved waiver is created as a label, which can be reused or reconfigured in the catalog.
  - The Waiver Expiry column shows the expiration date and countdown for time-limited waivers.
- CSV Export:
  - Waiver data can be exported to CSV, including waiver expiry dates, decision owners, and decision history.
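An added example, not part of the product documentation: a Python audit of an exported waiver CSV that groups waivers by the expiry statuses described above, so permanent and soon-to-expire exceptions are easy to review. The column names, status values, date format, the "Active" label and the sample rows are assumptions constructed for illustration; match them to the real export header.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export. Column names and values are assumptions, not the
# product's documented CSV schema; adjust them to the real export header.
SAMPLE_CSV = """package,policy,decision_owner,status,waiver_expiry
example-lib-a:1.2.0,example-policy-1,sec-team,approved,2025-06-04
example-lib-b:0.9.1,example-policy-2,,auto_approved,
example-lib-c:2.0.0,example-policy-1,sec-team,approved,2025-05-20
example-lib-d:3.1.4,example-policy-1,sec-team,rejected,
example-lib-e:1.0.7,example-policy-3,legal-team,approved,2025-09-01
"""

EXPIRING_SOON_DAYS = 7  # window the page gives for the "Expiring Soon" status


def expiry_status(row, today):
    """Map one exported row to the expiry statuses listed in the table."""
    if row["status"] not in ("approved", "auto_approved"):
        return "N/A"                 # rejected or blocked requests
    if not row["waiver_expiry"]:
        return "Permanent"           # no duration was set on the waiver
    expiry = date.fromisoformat(row["waiver_expiry"])
    if expiry <= today:              # assumption: expired once the date is reached
        return "Expired"
    if expiry - today <= timedelta(days=EXPIRING_SOON_DAYS):
        return "Expiring Soon"
    return "Active"                  # assumed label for waivers further out


def audit(csv_text, today):
    """Group package names by expiry status so permanent waivers stand out."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        report.setdefault(expiry_status(row, today), []).append(row["package"])
    return report


if __name__ == "__main__":
    for status, packages in audit(SAMPLE_CSV, date(2025, 6, 1)).items():
        print(f"{status}: {', '.join(packages)}")
```

Running the audit on a schedule and reviewing the "Permanent" group is one way to catch waivers created under policies that have no maximum duration configured.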
