Temporary Exception Requests - User Justification and Override Workflow

Overview

When Nightfall detects a policy violation and blocks a data transfer, it can optionally prompt the user to provide a business justification before the action is logged. This gives employees a chance to explain their intent while ensuring security teams have full context.

Once a justification is submitted, it appears in the Nightfall console for security admin review, and admins can approve it if warranted.

How It Works - End to End

  1. User attempts transfer

  2. Policy detects violation → BLOCK action fires

  3. Justification prompt appears on-screen (Mac or Windows)

  4. User types justification and submits (or cancels / window expires)

  5. Justification recorded in Nightfall console as a violation event

  6. Security admin reviews → can Approve Business Justification

The User Experience

macOS

When a blocked action triggers the justification workflow, a floating panel appears on screen from the Nightfall AI user agent.

Panel contents:

  • Header: Nightfall AI branding + timestamp of the event

  • Alert title and message: Configured by your security admin (e.g., "Action Blocked — Policy Violation Detected")

  • Action Details section: Contextual information about what was blocked, including:

    • For browser uploads: Source browser + destination domain + file name

    • For cloud sync apps: App name

    • For clipboard paste: Destination domain or app

    • For removable media: File name + device label

    • For code pushes: Repository name

    • For print jobs: Printer name + destination

  • Business reason text field: Free-text input, up to 300 characters. Placeholder: "e.g: working on a project with a partner"

  • Buttons:

    • Submit for approval - enabled only when text is entered; submits justification to Nightfall

    • Cancel - dismisses the prompt without submitting

Note: Only one justification prompt is shown at a time. If the same policy triggers within 15 minutes, the prompt is suppressed to avoid repetition.


Windows

On Windows, the justification prompt appears as a toast notification in the bottom-right corner of the screen, above the system tray.

Window contents:

  • Header: Nightfall AI logo + app name + idle countdown timer ("Closes in: 15s")

  • Alert title and message: Configured by your security admin

  • Event Details box: Shows:

    • File: Name of the file involved (if applicable)

    • Destination: Where the data was being sent (domain or app)

    • Time: Timestamp of the event

    • View Assets link: (if configured) — links to the violation record in the Nightfall console

    • Business Justification field: Text input, up to 300 characters with live character counter (e.g., "0/300")

    • Info line: "Your justification will be logged for security review."

  • Buttons:

    • Cancel - dismisses without submitting

    • Submit & Proceed - enabled only when text is entered

Auto-dismiss behavior:

  • The window auto-closes after 15 seconds of idle (no mouse hover, no keyboard focus, no text typed)

  • The countdown pauses while the user is actively interacting with the window

  • The window hard-closes when the backend action expires (15 minutes from event time)

What Happens After Submission

Once a user submits a justification:

  1. Nightfall records the event as an exfiltration violation in the console

  2. The justification text is attached to the violation record

  3. The violation appears in the Violations view with activity: "Provided Business Justification"

  4. If the policy is configured for block override with justification, an "Approve Business Justification" action becomes available to security admins

Admin Experience - Reviewing Justifications

Security admins review submitted justifications in the Nightfall console under Violations.

What admins see

Each violation with a submitted justification shows:

  • The event details (user, device, file, destination, timestamp)

  • The user's justification text (logged in the activity timeline)

  • The current violation state

  • Available actions, including Approve Business Justification (if block override is enabled)

Available actions

| Action | Description |
| --- | --- |
| Approve Business Justification | Grants a policy override for the specified device and policy, allowing the action to proceed |
| Bulk Annotate - Business Justification | Annotates the violation as having a valid business justification without granting a device override |
| Resolve | Closes the violation |
| Create Jira Issue | Escalates to Jira |
| Notify via Slack / Email | Sends a notification to the violating user |

Note: "Approve Business Justification" is only available on endpoint exfiltration violations where the policy has Allow Block Override with Justification enabled.

Admin notifications

Nightfall sends alert notifications to configured channels (Slack, email, webhook) when a violation with a justification is created. The notification includes:

  • Who triggered the violation (user + device)

  • What was blocked (file, destination, timestamp)

  • A link to the violation record in the console

  • The justification text in the activity log

From Slack, admins can open a "Provide Justification" modal to annotate directly from the alert message.

Configuration - Enabling the Feature

Step 1: Enable the justification notification in policy settings

In the Nightfall console, navigate to Policies > [Your Policy] > Action Notification Settings.

For the BLOCK action, enable:

  • Enable notification: On

  • Notification type: Pop-up (or Banner)

  • Title: Custom alert title shown to the user (e.g., "Action Blocked by Nightfall")

  • Message: Custom message shown to the user (e.g., "Your action was blocked by a security policy. Please provide a business justification if this action is necessary.")

  • Allow Override with Justification: ✅ Enabled

Step 2: (Optional) Enable block override approval

If you want admins to be able to approve and unblock the action after reviewing the justification, also enable:

  • Allow Block Override with Justification on the policy's automated action settings

This surfaces the "Approve Business Justification" action in the Nightfall console.


Deduplication and Timing

| Behavior | Detail |
| --- | --- |
| Prompt re-show interval | 15 minutes per policy (per device) |
| Justification window (Windows) | Expires 15 minutes from event time |
| Auto-dismiss idle timeout (Windows) | 15 seconds of inactivity |
| Max justification length | 300 characters |
| Simultaneous prompts | One at a time (additional events are queued/suppressed) |
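
The timing rules above can be modelled to predict which blocked events will reach the console without any justification text. This is an added example, not Nightfall code: the event tuple shape, the function names, the device and policy labels, and the boundary handling at exactly 15 minutes are assumptions.

```python
from datetime import datetime, timedelta

# Limits taken from the Deduplication and Timing table on this page.
RESHOW_INTERVAL = timedelta(minutes=15)       # per policy, per device
JUSTIFICATION_WINDOW = timedelta(minutes=15)  # Windows: counted from event time
MAX_JUSTIFICATION_LEN = 300

def plan_prompts(events):
    """Label each blocked event 'prompt' or 'suppressed'.

    events: (timestamp, device, policy) tuples; this shape is hypothetical.
    Assumption: the interval runs from the last prompt shown for that
    (device, policy) pair, and an event exactly 15 minutes later prompts again.
    """
    last_shown = {}
    decisions = []
    for ts, device, policy in sorted(events):
        key = (device, policy)
        prev = last_shown.get(key)
        if prev is not None and ts - prev < RESHOW_INTERVAL:
            decisions.append((ts, device, policy, "suppressed"))
        else:
            last_shown[key] = ts
            decisions.append((ts, device, policy, "prompt"))
    return decisions

def check_submission(event_ts, submit_ts, text):
    """Apply the page's limits to a justification before it is accepted."""
    if not text:
        return False, "empty"      # submit button stays disabled without text
    if len(text) > MAX_JUSTIFICATION_LEN:
        return False, "too long"
    if submit_ts - event_ts >= JUSTIFICATION_WINDOW:
        return False, "expired"    # backend action expired (assumed boundary)
    return True, "ok"

# Constructed sample events, not real Nightfall data.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [
    (T0, "laptop-01", "policy-A"),
    (T0 + timedelta(minutes=5), "laptop-01", "policy-A"),   # repeat inside 15 min
    (T0 + timedelta(minutes=6), "laptop-01", "policy-B"),   # other policy
    (T0 + timedelta(minutes=7), "laptop-02", "policy-A"),   # other device
    (T0 + timedelta(minutes=16), "laptop-01", "policy-A"),  # interval elapsed
]

if __name__ == "__main__":
    for ts, device, policy, decision in plan_prompts(SAMPLE):
        print(ts.time(), device, policy, decision)
```

Events labelled suppressed get no prompt, so under this model a violation with no justification text does not by itself mean the user cancelled.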


Supported Data Transfer Types

The justification prompt fires for blocked events across all monitored channels:

| Transfer Type | Details shown in prompt |
| --- | --- |
| Browser upload | Browser name + destination domain + file name |
| Cloud sync app upload | App name |
| Clipboard paste | Destination domain or application |
| Removable media | File name + device/volume label |
| Thick app upload (Outlook, iMessage, etc.) | App name + file name |
| Git push | Repository name |
| Print | Printer name + print destination |


Frequently Asked Questions

Q: What happens if I cancel the justification prompt?

The blocked action is logged as a standard policy violation. No justification is recorded, and your action does not proceed.

Q: What happens if the window closes before I can type my justification?

On Windows, the prompt auto-dismisses after 15 seconds of idle. If this occurs, the violation is logged without a justification. You can reach out to your security team directly to explain the context.

Q: Will submitting a justification automatically allow my action?

Not automatically. The justification is submitted for admin review. If your admin has enabled block override approval, they can approve it from the console — which creates a policy exception for your device.

Q: Will I be prompted again for the same action?

If the same policy blocks you again within 15 minutes, the prompt will not reappear. After 15 minutes, the prompt may show again if the action is blocked.

Q: Where does my justification text go?

It is securely logged in the Nightfall platform, visible only to your security team. It is attached to the violation record for audit purposes.
