
Add "Read Compliance" as a customizable permission

Background

Group owners and project owners can read and update compliance frameworks and the settings in the Compliance Center. The admin_compliance_frameworks custom permission grants both read and write access; organizations would also like a read-only option for the Compliance Center, frameworks, and settings.

Proposal and User Experience

  1. When creating a custom role, any base role can be selected. A new permission labeled "Read Compliance" is available for selection.
  2. The permission actions for read_compliance include reading compliance capabilities under the Compliance Center at the group or project level:
Group Actions

Read Compliance Center including:

  • Adherence
  • Violations
  • Frameworks
  • Projects

Project Actions

Read Compliance Center including:

  • Adherence
  • Violations
  • Frameworks

Views+Workflows include:

  • Base + Permission: Can see Group > Secure > Compliance Center
  • Base + Permission: Can see Project > Secure > Compliance Center

Impacted APIs

Documentation

  • Permission Title: "Read Compliance"
  • Permission Description: "Read compliance capabilities including adherence, violations, and frameworks for groups and projects."
  • Update prerequisites for feature documentation. Include links to feature pages.

Evidence

Implementation Plan

  • Following the custom roles documentation, add read_compliance_dashboard as a custom ability.
  • Update the group and project policies to enable read_compliance_dashboard when a user is assigned to a member role with that custom ability.
  • Add read_compliance_dashboard as a requirement for admin_compliance_framework.
  • Create a background migration to enable read_compliance_dashboard when admin_compliance_framework is enabled.
  • Disable the New framework button in the frontend when read_compliance_dashboard is enabled but admin_compliance_framework is not.
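The following is an added illustration of the permission resolution the plan describes (a read ability that the admin ability requires and therefore implies, a backfill for roles that already hold admin, and the frontend gating of the New framework button). It is a self-contained model written for this page, not GitLab's policy code, and the table and function names are hypothetical.

```ruby
require 'set'

# Hypothetical requirement table: an ability implies every ability it requires.
# Mirrors the plan: admin_compliance_framework requires read_compliance_dashboard.
CUSTOM_ABILITY_REQUIREMENTS = {
  read_compliance_dashboard: [],
  admin_compliance_framework: [:read_compliance_dashboard]
}.freeze

# Resolve the effective abilities of a member role by following requirements
# transitively, so a role granted admin always also has read access.
def effective_abilities(role_abilities)
  resolved = Set.new
  pending = role_abilities.to_a
  until pending.empty?
    ability = pending.shift
    # Unknown abilities are ignored rather than granted.
    next unless CUSTOM_ABILITY_REQUIREMENTS.key?(ability)
    next if resolved.include?(ability)

    resolved << ability
    pending.concat(CUSTOM_ABILITY_REQUIREMENTS[ability])
  end
  resolved
end

# Policy check at the group or project level for one action.
def can?(role_abilities, action)
  effective_abilities(role_abilities).include?(action)
end

# Model of the background migration: every role that already has
# admin_compliance_framework is explicitly given read_compliance_dashboard.
def backfill_read_compliance(roles)
  roles.transform_values do |abilities|
    if abilities.include?(:admin_compliance_framework)
      abilities | [:read_compliance_dashboard]
    else
      abilities
    end
  end
end

# Frontend gating: the New framework button needs the admin ability;
# a read-only role sees the Compliance Center but cannot create frameworks.
def new_framework_button_enabled?(role_abilities)
  can?(role_abilities, :admin_compliance_framework)
end
```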
Original request

Our customer is trying to incorporate security engineer oversight into their instance but without any of the "write" permissions. Ideally, their security engineers can pull data and vulnerabilities and, in this case, would like to also "read-only" the compliance frameworks available and in place across the instance.
Edited by Hinam Mehra