Policies available
The Policy page is organised into three categories: Spend management controls- Card request approvals
- Vendor creation approvals
- Vendor update approvals
- Bill pay approvals
How rules work
Each rule has two parts:- Conditions — the criteria that must all be true for this rule to apply. A rule with no conditions matches every request.
- Outcome — what happens when the rule matches: Approved, Declined, or Requires Approval.
Rule outcomes
| Outcome | What happens |
|---|---|
| Approved | The request is automatically approved and actioned without human review |
| Declined | The request is automatically blocked |
| Requires Approval | The request is held and sent to the specified approvers |
The last rule
The last rule in every policy is protected — it can’t be deleted, and new rules are always inserted above it. It acts as the catch-all: any request that doesn’t match an earlier rule is handled by it. Set the last rule’s conditions to empty so it genuinely catches everything not handled above. Set its outcome to match your default posture — Approved for permissive defaults, Requires Approval for cautious ones.Approvers
When a rule’s outcome is Requires Approval, you specify who receives the request. Approvers can be any combination of:- User group manager — the manager of the requesting user’s group
- Users — specific named users
- Groups — all members of one or more user groups
- Roles — all users holding a particular role
Conditions by policy type
Card request approvals
| Condition | Description |
|---|---|
| User roles | Matches requests from users holding the selected roles |
| User groups | Matches requests from users in the selected groups |
| Spend limit | Matches by amount: ≤, <, ≥, or > a threshold |
| Spend frequency | Matches by frequency: per day, week, month, year, or lifetime |
Vendor creation approvals
| Condition | Description |
|---|---|
| User roles | Matches creation requests from users holding the selected roles |
| User groups | Matches creation requests from users in the selected groups |
Vendor update approvals
| Condition | Description |
|---|---|
| Fields changed | Matches updates that include changes to: payment methods, tax ID, name, legal name, address, country, owners, spend category, merchant category, status, external ID, or logo |
| User roles | Matches updates submitted by users holding the selected roles |
| User groups | Matches updates submitted by users in the selected groups |
Bill pay approvals
| Condition | Description |
|---|---|
| User roles | Matches payment requests from users holding the selected roles |
| User groups | Matches payment requests from users in the selected groups |
| Total amount | Matches by amount: ≤, <, ≥, or > a threshold |
Editing a policy
- Click a policy to open the side panel
- Click a rule card to enter edit mode — set conditions and outcome
- Click Apply to stage the changes on that rule (doesn’t save yet)
- Click Add Rule to insert a new rule above the last rule
- To remove a rule, use the delete icon and confirm — the last rule can’t be deleted
- Click Save policy to make all changes live
- Click Discard to revert all unsaved changes
FAQ
What's the difference between Apply and Save policy?
What's the difference between Apply and Save policy?
Apply commits edits on a single rule card and takes it out of edit mode. Save policy sends the entire updated rule list to the backend and makes it live. You must click Save policy for any changes to take effect.
Why can't I delete the last rule?
Why can't I delete the last rule?
The last rule acts as the catch-all for any request that doesn’t match an earlier rule. Removing it would leave some requests with no outcome.
What does a rule with no conditions do?
What does a rule with no conditions do?
It matches every request in that policy — displayed as “All requests” or “All updates.” This is the standard configuration for the catch-all last rule.
Can I combine role and group conditions in the same rule?
Can I combine role and group conditions in the same rule?
Yes. Multiple conditions within a rule are additive — the request must match all specified conditions for the rule to apply.
Can I route approvals to a user's own manager?
Can I route approvals to a user's own manager?
Yes. When a rule’s outcome is Requires Approval, toggle on “User group manager” in the approvers section. This routes the request to the manager of the user group the requester belongs to.