Skip to main content
Risksheet offers three distinct review strategies, each suited to different organizational processes and compliance requirements. Understanding how each strategy works, what data it produces, and where review records are stored helps you choose the right approach for your organization’s regulatory environment.

Why Review Workflows Matter

Risk management in regulated industries is not just about identifying and scoring risks — it is equally about demonstrating that qualified personnel have reviewed, validated, and approved the analysis. Auditors and regulatory bodies expect traceable evidence of review activities. Without integrated review workflows, organizations typically fall back to one of these patterns:
  • Exporting risk tables to Excel, circulating for review via email, and manually reconciling feedback
  • Navigating to each work item individually in Polarion to add comments or approvals
  • Using separate document review workflows that are disconnected from the risk analysis grid
Each of these approaches introduces friction, delays, and opportunities for review evidence to become disconnected from the risk data. Risksheet eliminates this gap by embedding review capabilities directly into the grid.

Three Review Strategies

Risksheet implements three mutually exclusive review strategies. You configure exactly one strategy per Risksheet document through the reviews.reviewManager property in risksheet.json. The system automatically detects which strategy is configured and routes all review operations to the appropriate implementation. diagram
Only one review strategy can be active per Risksheet document. If multiple modes happen to be configured, the system follows a priority order: comment-based takes precedence, then work-item-based, then approval-based. In practice, you should configure exactly one strategy to avoid ambiguity.

Comment-Based Review

Comment-based review is the simplest strategy. When enabled, reviews are created as standard Polarion comments attached to the work item being reviewed. Each review appears as a comment with the reviewer’s name, timestamp, and review text. How it works:
  • The reviewer opens the review column in Risksheet and enters review text
  • Risksheet creates a Polarion comment on the underlying work item
  • The comment is visible both in Risksheet’s review display and in Polarion’s native work item comment section
  • Existing reviews are retrieved by reading comments from the work item
When to use comment-based review:
  • Teams that want lightweight, informal review tracking
  • Projects where review evidence does not need to follow a formal workflow with states
  • Organizations that already use Polarion comments for collaboration and want review records in the same place
Configuration: 
{
  "reviews": {
    "reviewManager": "CommentBased"
  }
}

Work-Item-Based Review

Work-item-based review creates a separate Polarion work item for each review. These review work items are linked to the reviewed risk item through a configurable link role, creating a traceable relationship in Polarion’s work item graph. This approach is well suited to organizations that need review records to follow their own lifecycle and workflow. How it works:
  • The reviewer initiates a review from Risksheet, entering a title and description
  • Risksheet creates a new work item of the configured review type
  • A bidirectional link is established between the review work item and the reviewed risk item using the configured link role
  • The link preserves the revision of the reviewed item, creating a snapshot of what was reviewed
  • Reviews can optionally be created in a different project or within a specific Polarion document
When to use work-item-based review:
  • Organizations that need review records as first-class Polarion artifacts with their own workflows
  • Projects where reviews must be tracked, assigned, and transitioned through states (draft, in-review, completed)
  • Regulatory environments that require review records to be independently auditable work items
  • Cross-project review scenarios where review records are stored centrally
Required configuration properties:
PropertyDescription
reviews.reviewManagerMust be set to "WorkItemBased"
reviews.typeProperties.linkTypesThe work item type used for review items
reviews.typeProperties.linkRoleThe link role name connecting reviews to reviewed items
Optional configuration properties:
PropertyDescription
reviews.typeProperties.queryCustom query expression to filter displayed reviews
reviews.typeProperties.documentTarget document for review work items (supports expression evaluation)
reviews.typeProperties.projectTarget project for review work items (supports expression evaluation)
reviews.typeProperties.itemTemplateCustom HTML template for review display rendering
If linkTypes or linkRole are not set when using WorkItemBased review mode, the system raises a runtime error: “TypeProperties for WorkItemBased reviews not set”. Ensure both properties are configured before enabling this review strategy.
Cross-project review storage: Review work items can be stored in a different project or document than the risk items being reviewed. The project and document properties support dynamic expression evaluation, allowing the target to be determined at runtime based on context variables. Document positioning: When reviews are created inside a Polarion document, they are automatically positioned after the last existing review item of the same type in the document structure. This maintains chronological ordering of review records within the document. Custom rendering: By default, reviews display the work item ID (as a clickable hyperlink), author name, creation date, title, and HTML-rendered description. You can customize this display by providing an itemTemplate that defines custom HTML layout for review entries. All review content is wrapped in the risk_reviews CSS class for styling purposes.

Approval-Based Review

Approval-based review integrates with Polarion’s native approval comment system. Reviews are stored as approval comments on work items, leveraging Polarion’s built-in approval infrastructure. This approach provides the tightest integration with Polarion’s approval workflows. How it works:
  • The reviewer creates an approval review through Risksheet
  • Risksheet creates an approval comment on the work item with the fixed title “Approval comment”
  • The comment is stored using Polarion’s comment system with plain text format
  • When displaying reviews, Risksheet retrieves all approval comments and renders them with reviewer name, timestamp (in yyyy-MM-dd HH:mm format), and comment text
  • Resolved and unresolvable comments are filtered out — only active approval comments are displayed
When to use approval-based review:
  • Organizations that already use Polarion’s approval workflows and want review records to align with that system
  • Projects where approval comments carry formal significance in regulatory documentation
  • Teams that need approval evidence associated with specific work item revisions
Configuration: 
{
  "reviews": {
    "reviewManager": "ApprovalBased"
  }
}
Author display: The reviewer’s full name is displayed when available in the Polarion user profile. If the full name is not set or the user account cannot be resolved, the system falls back to displaying the user ID.

Review Columns in the Grid

Risksheet uses two system columns to display and manage reviews within the grid:
ColumnBindingPurpose
ReviewsreviewsRenderedDisplays existing review comments, status, and approval information for each work item
Add ReviewreviewsAddProvides UI controls to create new reviews for the work item in the current row
These columns are not visible by default. You toggle their visibility using the review toggle command, which shows or hides both columns simultaneously and automatically adjusts row heights to accommodate the review content.
When you toggle review columns on, Risksheet automatically resizes visible rows to fit the review content. When you toggle them off, rows return to their standard height. This prevents review text from being clipped in fixed-height rows.

Review State and the reviewer Property

The reviewer configuration property (default: false) enables reviewer mode, which restricts the grid to review-specific interactions. When reviewer is set to true:
  • Editing capabilities are restricted to review-related columns only
  • Standard data editing is disabled, preventing reviewers from accidentally modifying risk values
  • Review-specific UI controls are displayed in the grid toolbar
This mode is distinct from the readonly property (which prevents all editing) — reviewer mode specifically permits review interactions while blocking data modifications.

How Reviews Integrate with Read-Only Behavior

Several Risksheet features interact with review workflows:
FeatureEffect on Reviews
readonly: trueAll editing disabled, including review creation
reviewer: trueOnly review-related editing permitted
Historical revision viewGrid becomes read-only; review creation disabled
Baseline comparison modeGrid becomes read-only; existing reviews visible but new reviews cannot be added
downstreamReadonly: trueAffects downstream items only; review columns on risk items remain functional

Choosing the Right Strategy

The right review strategy depends on your regulatory environment, organizational processes, and how you need to manage review evidence.
FactorComment-BasedWork-Item-BasedApproval-Based
Setup complexityLow — single propertyMedium — requires type and link configLow — single property
Review as Polarion artifactComment onlyFull work itemApproval comment
Own workflow/lifecycleNoYesNo
Cross-project storageNoYesNo
Custom display templateNoYes (via itemTemplate)No
Integration with Polarion approvalsNoNoYes
Formal audit trailBasicFullModerate
Full work item approval workflow actions (transitioning work item status through approve/reject states directly from Risksheet) are not yet available in the current version. The review strategies documented above provide review commenting and approval commenting, but multi-role status transition workflows within the grid are planned for a future release. Currently, formal status-based approvals require navigating to the work item or document view in Polarion.

Interaction with Status Transitions

Risksheet supports limited status transitions for work items. However, status transitions that require mandatory fields (such as the resolution field) cannot be completed from within Risksheet. The resolution field specifically is not editable from the Risksheet grid because it is typically a mandatory field during Polarion status transitions. Status changes from Risksheet only succeed when all transition conditions are met without mandatory field requirements.
Administrators may be able to modify fields marked as read-only in Polarion when editing through Risksheet, because Polarion’s read-only field APIs are not fully available to third-party products. This is a known limitation — administrators should exercise caution when editing fields that Polarion marks as read-only.
KB ArticlesSupport TicketsSource Code
  • IReview.java
  • AppConfig.ts
  • risksheet.json
  • SystemConsts.java
  • WorkItemBasedReview.java