Document Workflow States
TARA modules use the riskSpecification document type, which has a dedicated four-state workflow:
State Descriptions
| State | Description |
|---|---|
| Draft | Active analysis phase. Analysts populate TARA records, score feasibility, assess verdicts, and define treatments in the Risksheet. |
| In Review | Document is under peer review. Default signers with the project_approver role are automatically added when transitioning to this state. |
| Approved | Review is complete. At least one signature is required; the system auto-signs for users with the project_approver role. |
| Published | Final publication. The TARA module serves as formal evidence for the Cybersecurity Case. |
Transitions
| From | To | Action | Automation |
|---|---|---|---|
| Draft | In Review | Send for Review | AddDefaultSigners adds users with project_approver role |
| In Review | Approved | Approve | Requires at least one signature; auto-signs for project_approver |
| Approved | Published | Publish | Final publication step |
| Any state | Draft | Rework | MarkSignaturesObsolete clears all signatures; verdicts reset |
The TARA Risksheet supports a comment-based review workflow configured via the reviewManager: CommentBased setting in risksheet.json. During the In Review state, reviewers can annotate individual rows directly in the Risksheet interface using Polarion comments.
This is separate from the document-level signature workflow:
- Row-level comments are for collaborative technical review (questioning a feasibility score, suggesting a different threat path, etc.)
- Document-level signatures are for formal approval (confirming the TARA meets quality and compliance standards)
The Rework Cycle
When issues are found during review, the document transitions back to Draft via the Rework action. This triggers two important automations:
- Signatures are marked obsolete — All existing review signatures are invalidated, requiring a fresh approval cycle
- Analysis can resume — Analysts regain full edit access to the Risksheet to address review findings
Any transition to Draft clears all accumulated signatures. If a document was partially approved by multiple reviewers, all approvals are lost. Coordinate with reviewers before triggering Rework to avoid unnecessary re-review.
Lifecycle Visibility on Dashboards
The document lifecycle status is visible in multiple places:
- Risks Home dashboard — The System Element Navigator includes a Status column showing the workflow state of each TARA module
- TARA Summary Report — References document status alongside verdict distribution
- Cybersecurity Case — The case conclusion depends on all TARA modules being in Approved or Published state
Relationship to ISO/SAE 21434
The document workflow maps to several ISO/SAE 21434 requirements:
| ISO Clause | Requirement | Implementation |
|---|---|---|
| Clause 6.4.2 | Cybersecurity Plan defines activities and methods | Workflow states track analysis completion |
| Clause 6.4.6 | Cybersecurity Case provides assurance argument | Published TARAs serve as case evidence |
| Clause 15 | TARA results shall be reviewed | In Review state with signature-based approval |
Baseline Integration
After a TARA document reaches the Published state, it can be baselined using Polarion’s baseline management. Baselines create an immutable snapshot of the document and all its work items at a specific point in time. This is essential for type approval audits where assessors need to verify the exact analysis state that supported a compliance decision.
The sidebar navigation provides direct access to baseline management under the Baselines topic.