# Temporary Exception Requests - User Justification and Override Workflow ### Overview When Nightfall detects a policy violation and blocks a data transfer, it can optionally prompt the user to provide a **business justification** before the action is logged. This gives employees a chance to explain their intent while ensuring security teams have full context. Once a justification is submitted, it appears in the Nightfall console for security admin review, and admins can approve it if warranted. ### How It Works - End to End ``` User attempts transfer ↓ Policy detects violation → BLOCK action fires ↓ Justification prompt appears on-screen (Mac or Windows) ↓ User types justification and submits (or cancels / window expires) ↓ Justification recorded in Nightfall console as a violation event ↓ Security admin reviews → can Approve Business Justification ``` ### The User Experience #### macOS When a blocked action triggers the justification workflow, a **floating panel** appears on screen from the Nightfall AI user agent. **Panel contents:** * **Header:** Nightfall AI branding + timestamp of the event * **Alert title and message:** Configured by your security admin (e.g., "Action Blocked — Policy Violation Detected") * **Action Details section:** Contextual information about what was blocked, including: * For browser uploads: Source browser + destination domain + file name * For cloud sync apps: App name * For clipboard paste: Destination domain or app * For removable media: File name + device label * For code pushes: Repository name * For print jobs: Printer name + destination * **Business reason text field:** Free-text input, up to 300 characters. Placeholder: *"e.g: working on a project with a partner"* * **Buttons:** * **Submit for approval** - enabled only when text is entered; submits justification to Nightfall * **Cancel** - dismisses the prompt without submitting > **Note:** Only one justification prompt is shown at a time. If the same policy triggers within 15 minutes, the prompt is suppressed to avoid repetition. *** #### Windows On Windows, the justification prompt appears as a **toast notification** in the **bottom-right corner** of the screen, above the system tray. **Window contents:** * **Header:** Nightfall AI logo + app name + idle countdown timer ("Closes in: 15s") * **Alert title and message:** Configured by your security admin * **Event Details box:** Shows: * **File:** Name of the file involved (if applicable) * **Destination:** Where the data was being sent (domain or app) * **Time:** Timestamp of the event * **View Assets link:** (if configured) — links to the violation record in the Nightfall console * **Business Justification field:** Text input, up to 300 characters with live character counter (e.g., "0/300") * **Info line:** *"Your justification will be logged for security review."* * **Buttons:** * **Cancel** - dismisses without submitting * **Submit & Proceed** - enabled only when text is entered **Auto-dismiss behavior:** * The window auto-closes after **15 seconds of idle** (no mouse hover, no keyboard focus, no text typed) * The countdown **pauses** while the user is actively interacting with the window * The window **hard-closes** when the backend action expires (15 minutes from event time) ### What Happens After Submission Once a user submits a justification: 1. Nightfall records the event as an **exfiltration violation** in the console 2. The justification text is attached to the violation record 3. The violation appears in the **Violations** view with activity: **"Provided Business Justification"** 4. If the policy is configured for **block override with justification**, an **"Approve Business Justification"** action becomes available to security admins ### Admin Experience - Reviewing Justifications Security admins review submitted justifications in the **Nightfall console** under **Violations**. #### What admins see Each violation with a submitted justification shows: * The event details (user, device, file, destination, timestamp) * The user's justification text (logged in the activity timeline) * The current violation state * Available actions, including **Approve Business Justification** (if block override is enabled) #### Available actions
ActionDescription
Approve Business JustificationGrants a policy override for the specified device and policy, allowing the action to proceed
Bulk Annotate - Business JustificationAnnotates the violation as having a valid business justification without granting a device override
ResolveCloses the violation
Create Jira IssueEscalates to Jira
Notify via Slack / EmailSends a notification to the violating user
> **Note:** "Approve Business Justification" is only available on endpoint exfiltration violations where the policy has **Allow Block Override with Justification** enabled. #### Admin notifications Nightfall sends alert notifications to configured channels (Slack, email, webhook) when a violation with a justification is created. The notification includes: * Who triggered the violation (user + device) * What was blocked (file, destination, timestamp) * A link to the violation record in the console * The justification text in the activity log From Slack, admins can open a **"Provide Justification"** modal to annotate directly from the alert message.
### Configuration - Enabling the Feature #### Step 1: Enable the justification notification in policy settings In the Nightfall console, navigate to **Policies > \[Your Policy] > Action Notification Settings**. For the **BLOCK** action, enable: * **Enable notification:** On * **Notification type:** Pop-up (or Banner) * **Title:** Custom alert title shown to the user (e.g., "Action Blocked by Nightfall") * **Message:** Custom message shown to the user (e.g., "Your action was blocked by a security policy. Please provide a business justification if this action is necessary.") * **Allow Override with Justification:** ✅ Enabled #### Step 2: (Optional) Enable block override approval If you want admins to be able to **approve and unblock** the action after reviewing the justification, also enable: * **Allow Block Override with Justification** on the policy's automated action settings This surfaces the **"Approve Business Justification"** action in the Nightfall console. *** ### Deduplication and Timing | Behavior | Detail | | ----------------------------------- | ------------------------------------------------------- | | Prompt re-show interval | 15 minutes per policy (per device) | | Justification window (Windows) | Expires 15 minutes from event time | | Auto-dismiss idle timeout (Windows) | 15 seconds of inactivity | | Max justification length | 300 characters | | Simultaneous prompts | One at a time (additional events are queued/suppressed) | *** ### Supported Data Transfer Types The justification prompt fires for blocked events across all monitored channels: | Transfer Type | Details shown in prompt | | ------------------------------------------ | --------------------------------------------- | | Browser upload | Browser name + destination domain + file name | | Cloud sync app upload | App name | | Clipboard paste | Destination domain or application | | Removable media | File name + device/volume label | | Thick app upload (Outlook, iMessage, etc.) | App name + file name | | Git push | Repository name | | Print | Printer name + print destination | *** ### Frequently Asked Questions **Q: What happens if I cancel the justification prompt?** The blocked action is logged as a standard policy violation. No justification is recorded, and your action does not proceed. **Q: What happens if the window closes before I can type my justification?** On Windows, the prompt auto-dismisses after 15 seconds of idle. If this occurs, the violation is logged without a justification. You can reach out to your security team directly to explain the context. **Q: Will submitting a justification automatically allow my action?** Not automatically. The justification is submitted for admin review. If your admin has enabled block override approval, they can approve it from the console — which creates a policy exception for your device.
**Q: Will I be prompted again for the same action?** If the same policy blocks you again within 15 minutes, the prompt will not reappear. After 15 minutes, the prompt may show again if the action is blocked. **Q: Where does my justification text go?** It is securely logged in the Nightfall platform, visible only to your security team. It is attached to the violation record for audit purposes.
--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://help.nightfall.ai/data-exfiltration-prevention/exfiltration_endpoint/policies/advanced_settings/automated_action/temporary-exception-requests-user-justification-and-override-workflow.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.