Version: On prem: 15.0.1

Legacy Compliance Workbench

info

You can find the legacy Compliance Workbench under the My data menu.

The Compliance Workbench is a dashboard that allows System Owners and Auditors to easily check if a system or application meets compliance standards. It shows the status of all resources assigned to each system or application.

To display the Compliance Workbench, go to My data > Manage > Compliance Workbench.

Compliance Workbench fulfills the following main tasks:

  • It shows resource assignments grouped per system and their compliance status,
  • It provides a fast overview of the compliance state of all systems included.

Moreover, this interactive dashboard allows the users to:

  • Get detailed information about the resource assignments,
  • Start recertification, for example, access or account ownership survey.

Compliance statuses

Compliance Workbench provides graphical information on the status of the calculated resource assignments. Each status is defined by a different color in a separate column.

Explicitly approved (Green)

The calculated resource assignment is the outcome of a direct assignment, or it has been approved in a survey.

Implicitly approved (Light Green)

The calculated resource assignment is the outcome of a policy or a child of an assigned enterprise or application role.

Not approved (Red)

The calculated resource assignment only exists in the connected system - there is no desired state for it.

Orphan assignment (Yellow)

The calculated resource assignment belongs to an unresolved identity, or the Data Warehouse is uncertain of its ownership.

Pending deprovisioning (Orange)

The calculated resource assignment is awaiting deprovisioning.

In violation (Violet)

The calculated resource assignment violates a constraint that has not caused it to be disabled because a pending evaluation procedure exists for the violation.

Implicitly assigned (Blue)

An enterprise or application role, which is not in violation, is implicitly assigned.

Implicit assignments are created for enterprise and application roles if the Role and Policy Engine detects that an identity is assigned to all the contents of the role, but not the role itself.

This is done to allow Separation of Duties constraints to be defined on the enterprise or application role level.
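The following Python sketch is an added example, not Omada Identity code. It models the implicit-assignment rule described above and shows why a role-level Separation of Duties constraint would otherwise miss an identity that collects a role's contents piece by piece. All role names, resource names, and function names are constructed for illustration.

```python
# Illustrative model only: the data structures and names are assumptions,
# not Omada Identity's data model or API.

def implicit_roles(role_contents, direct_roles, held):
    """Roles whose entire content the identity holds without holding the role itself."""
    return {
        role for role, contents in role_contents.items()
        if contents and set(contents) <= held and role not in direct_roles
    }

def sod_violations(sod_pairs, direct_roles, implicit):
    """Role-level SoD pairs matched by direct plus implicit role assignments."""
    effective = set(direct_roles) | set(implicit)
    return sorted(tuple(sorted(pair)) for pair in sod_pairs if set(pair) <= effective)

# Constructed sample data.
ROLE_CONTENTS = {
    "AP Clerk": {"erp:create_invoice", "erp:edit_vendor"},
    "AP Approver": {"erp:approve_payment", "erp:release_batch"},
    "Auditor": {"erp:read_ledger"},
}
SOD_PAIRS = [("AP Clerk", "AP Approver")]

def evaluate(direct_roles, direct_resources):
    """Return (implicit role assignments, role-level SoD violations) for one identity."""
    # Everything the identity effectively holds: direct resources plus
    # the contents of the roles assigned to it directly.
    held = set(direct_resources)
    for role in direct_roles:
        held |= ROLE_CONTENTS.get(role, set())
    implicit = implicit_roles(ROLE_CONTENTS, set(direct_roles), held)
    return implicit, sod_violations(SOD_PAIRS, direct_roles, implicit)

if __name__ == "__main__":
    # Identity holds the AP Clerk role and, separately, every resource of AP Approver.
    implicit, violations = evaluate({"AP Clerk"}, {"erp:approve_payment", "erp:release_batch"})
    print("implicit roles:", implicit)
    print("SoD violations:", violations)
    # Without implicit assignments, the same role-level constraint finds nothing.
    print("without implicit:", sod_violations(SOD_PAIRS, {"AP Clerk"}, set()))
```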

None (Grey)

It is not possible to express a meaningful compliance status for the assignment. For example, a calculated resource assignment that is disabled and has no actual state reasons has status None because it is irrelevant from a compliance perspective.

Information

There are some column statuses that are hidden by default:

  • In violation
  • Pending deprovisioning
  • Implicitly assigned
  • None

Details of Compliance

Compliance Workbench allows you to drill down to the details of each of the calculated resource assignments of each of the onboarded systems and examine involved resources, identities, reasons, or attributes.

The following diagram presents the graphical overview of the details provided by the Compliance Workbench.

To open the details of the desired system, click the ellipsis menu on the right-hand side of the Compliance Workbench.

From the menu, select the Details option. This will open a new window with the details of the selected system.

Each column of the Details window allows you to sort and filter the calculated resource assignments. You can also filter by a single compliance status using the Compliance status drop-down menu.

The Details screen of the system also allows you to view the specifics of the Resources, Identities, Accounts, Attributes, and Reasons relevant to a particular compliance status of the calculated resource assignment.

To view these specific data, click on a given element on the list, and a new window with the appropriate information will be displayed.

Account Rules and Compliance

Compliance Workbench also lets you review the Account rules applied in an onboarded system, as well as filter by system.

You can filter for a desired system by clicking the Filter button in the top left-hand corner of the Compliance Workbench.

Similar to the Details, the Account rules are available under the ellipsis menu on the right-hand side of the Compliance Workbench.

This allows you to open the Account rules window for the desired system, and view and manage the account rules for the entire system category.

Account rules that you can configure here apply to all systems in a system category.

By default, all accounts in Omada Identity must belong to an identity; either the identity of who uses the account or the identity of the person responsible for it.

The Account rules are used to resolve account ownership and help you manage the accounts in your system by classifying them for different types of usage. When you onboard a system, you can import additional information and create rules based on that information to resolve the owner or resolve the classification of an account.

There are three types of Account rules you can add to an identity, and out-of-the-box there is one ownership and one classification rule already set up for you.

Details pane

You can trigger a survey through the Compliance Workbench dashboard. To do that, click on the three dots on the main page:

Or you can also click on the three dots in the Details pane:

If you click Account ownership review, then the survey launches and a new page with the regular launch survey flow opens. Select an option and click Start survey.

Configuration

The configuration is done through the configuration object Compliance Workbench Configurations. This configuration object contains a list of surveys, with unique survey name identifiers accountOwnerShipSurveyTemplateSystemName, resourceAssignmentSurveyTemplateSystemName, and resourceAssignmentResourceOwnerSurveyTemplateSystemName. Each of these surveys determines which survey template will be used upon launch from the Compliance Workbench. The value of each of these objects must be the system name of the survey template.

Caution
  • If the system name is invalid, for example, the template can't be found, then it will not appear in the list of surveys.
  • If the survey is excluded from the configuration XML, it will not appear in the list of surveys.

Here you can find an example of the configuration object: