VN-04 · Compliance Controls & Policy Forking
Status: Delivered
Roles needed: Tenant admin (fork/edit), operator/auditor (read-only)
What the client asked for
"Compliance/policy scope includes a starter catalog of 25-30 policies mapped to SOC 2, HIPAA, and GLBA, with baseline OneProtect-managed policies and tenant-managed forks/customization."
What this proves
The tenant sees a catalog of compliance controls/policies mapped to SOC 2, HIPAA, and GLBA. OneProtect-managed baselines are read-only, but a tenant admin can fork a baseline into a tenant-owned, editable, versioned copy.
How it works (at a glance)
Where to look in the portal
- Compliance Evidence (controls catalog and policies)
- Audit
Validation walkthrough
| # | Action | What you should see |
|---|---|---|
| 1 | Log in as tenant admin, open Compliance Evidence | A catalog of controls/policies mapped to SOC 2, HIPAA, and GLBA |
| 2 | Open a OneProtect-managed baseline policy | It is marked managed/baseline and is read-only (no edit on the baseline itself) |
| 3 | Fork the baseline | A tenant-owned editable copy is created |
| 4 | Edit the forked policy and save | The change is accepted; a new version is recorded in its version history |
| 5 | Open Audit | Entries exist for the fork and the edit |
| 6 | Log in as operator / auditor | The catalog is visible read-only; no fork/edit controls are shown |
Pass / fail checklist
- Catalog shows controls/policies mapped to SOC 2, HIPAA, and GLBA
- OneProtect-managed baselines are read-only
- Tenant admin can fork a baseline into a tenant-owned copy
- Edits to a fork are versioned (version history visible)
- Fork and edit actions appear in Audit
- Operators/auditors see the catalog read-only with no mutation controls
- Policies and forks are scoped to the owning tenant only
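The walkthrough steps and the checklist above, as an added reference model that enforces the same rules (baselines read-only, forks tenant-owned and versioned, every fork/edit audited, operators read-only, tenant scoping) so each pass/fail item can be exercised offline. This is a constructed example, not OneProtect code; the class, role and tenant names are assumptions.

```python
# Reference model of the VN-04 rules; constructed example, not OneProtect code.
from dataclasses import dataclass, field

MUTATING_ROLES = {"tenant_admin"}  # operator and auditor are read-only (assumed names)


@dataclass
class Policy:
    policy_id: str
    tenant: str                  # "" marks a OneProtect-managed baseline
    frameworks: tuple            # e.g. ("SOC 2", "HIPAA", "GLBA")
    versions: list = field(default_factory=list)
    forked_from: str = ""        # baseline this tenant copy was forked from


class PolicyCatalog:
    def __init__(self):
        self.policies = {}
        self.audit = []          # one entry per fork / edit

    def add_baseline(self, policy_id, frameworks, text):
        self.policies[policy_id] = Policy(policy_id, "", frameworks, [text])

    def visible_to(self, tenant):
        # Baselines plus the tenant's own forks; other tenants' forks never appear
        return [p for p in self.policies.values() if not p.tenant or p.tenant == tenant]

    def _require_admin(self, role):
        if role not in MUTATING_ROLES:
            raise PermissionError(role + " is read-only")

    def fork(self, role, tenant, baseline_id):
        self._require_admin(role)
        base = self.policies[baseline_id]
        if base.tenant:                           # only managed baselines can be forked
            raise PermissionError("only OneProtect-managed baselines can be forked")
        fork_id = tenant + ":" + baseline_id
        self.policies[fork_id] = Policy(fork_id, tenant, base.frameworks,
                                        [base.versions[-1]], baseline_id)
        self.audit.append({"tenant": tenant, "action": "fork", "policy": fork_id})
        return fork_id

    def edit(self, role, tenant, policy_id, new_text):
        self._require_admin(role)
        pol = self.policies[policy_id]
        if not pol.tenant or pol.tenant != tenant:  # baseline, or another tenant's fork
            raise PermissionError("policy is not editable by this tenant")
        pol.versions.append(new_text)               # every edit is a new version
        self.audit.append({"tenant": tenant, "action": "edit",
                           "policy": policy_id, "version": len(pol.versions)})
```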
Intentionally not in Phase 1
- Visual policy editor, side-by-side diff views, bulk policy operations, and approval workflows. Phase 1 delivers the catalog, baselines, forking, edit, and versioning.
Evidence to capture
- Screenshot of the SOC 2 / HIPAA / GLBA catalog.
- Screenshot of a forked policy with its version history.
- Screenshot of the fork/edit audit entries.