Version: On prem: 15.0.2

Compliance Workbench

info

You can find the legacy Compliance Workbench under My data menu. Refer to Legacy Compliance Workbench if you want to know more.

The Compliance Workbench is a dashboard that allows System Owners and Auditors to easily check if a system or application meets compliance standards. It shows the status of all resources assigned to each system or application. To display the Compliance Workbench, go to My data > Manage > Compliance Workbench.

The Compliance Workbench fulfills the following main tasks:

It shows resource assignments grouped per system and their compliance status.
It provides a fast overview of the compliance state of all systems included.

Moreover, this interactive dashboard allows users to:

Get detailed information about the resource assignments.
Start recertification, for example, access or account ownership survey.

Compliance statuses

Compliance Workbench provides graphical information on the status of the calculated resource assignments. Each status is defined by a different color in a separate column. These columns are:

System name: This column shows the name of the system.
All assignments: This column displays the total sum of all calculated resource assignments for each system.
Approved: The calculated resource assignments that are approved.
Not approved: The calculated resource assignment only exists in the connected system - there is no desired state for it.
Orphan: The calculated resource assignment belongs to an unresolved identity, or the Data Warehouse is uncertain of its ownership.
System health column: This column reflects the current health status of the system, indicating the level of risk associated with its operation. The health status is categorized into three levels: high, medium, or low risk. These states (compliant and non-compliant) can be configured in the Compliance Workbench configurations.
More: It allows you to open the configured surveys for the chosen system. When you click on one of the reviews, the initiated survey opens in a new tab.

There are some columns that are hidden by default:

In violation: The calculated resource assignment violates a constraint that has not caused it to be disabled because a pending evaluation procedure exists for the violation.
Pending deprovisioning: The calculated resource assignment awaits to be deprovisioned.
Implicit assigned: Implicit assignments are created for enterprise and application roles if the Role and Policy Engine detects that identity is assigned to all the contents of the role - but not the role itself.
None: Not possible to express a meaningful compliance status for the assignment. For example, a calculated resource assignment that is disabled and has no actual state reasons has status None because it is irrelevant from a compliance perspective.

Status overview

You can see a pie chart showing you an overview of all the system statuses. Click on each color to have more detailed information about each status.

Details of Compliance

Compliance Workbench allows you to drill down to the details of each of the calculated resource assignments of each of the onboarded systems and examine involved resources, identities, reasons, or attributes.

System list

There are some filters you can use to know more information about the calculated resource assignments for each system in the System list bar.

Columns:

Use the column's filter to indicate which columns you want to see.

Filters:

Add as many filters as you want to be displayed. You can select multiple values for the same column, as well as add all values or remove all from the dropdown. Once you have selected them, you will see the values added - you can remove them easily by clicking on the X button.

Settings:

Here you can select if you want to include the account assignments or display systems with no resources.

Row filtering:

To access filtered information for each system name and compliance status, click on any column row. This will open a side panel displaying details filtered by the clicked column. For instance, clicking on the Explicit approved column will reveal CRAs explicitly approved by that system name. This filters the side panel by the selected system and status, providing a tailored view of calculated assignments.

Details view

Each system row has a context menu which supports:

Pie chart: This section provides a detailed breakdown of the compliance state of all Calculated Resource Assignments for each specific system.

Triggering surveys: the survey will be opened in a new tab in the legacy survey. You will need to choose a compliance state to send to the survey.

Details view: a list view of every CRA for the chosen system. You can filter by:
- System name
- Resource name
- Identity
- Account
- Resource type
- Compliance status
- Dashboard

Configuration

The configuration is done through the configuration object Compliance Workbench Configurations. This configuration object contains a list of surveys, with unique survey name identifiers accountOwnerShipSurveyTemplateSystemName, resourceAssignmentSurveyTemplateSystemName, and resourceAssignmentResourceOwnerSurveyTemplateSystemName. Each of these surveys determines which survey template will be used upon launch from the Compliance Workbench. The value of each of these objects must be the system name of the survey template

danger

If the system name is invalid, for example, the template can't be found, then it will not appear in the list of surveys.
If the survey is excluded from the configuration XML, it will not appear in the list of surveys.

Here you can find an example of the configuration object: