VN-05 · Auditor Access & Exports
Status: Delivered Roles needed: Tenant admin (to grant an auditor session), auditor
What the client asked for
"Auditor access in Phase 1 must include time-boxed read-only access, full read-action audit, CSV export metadata and hashes, PDF watermarking, and PII/PHI redaction."
What this proves
An auditor's access is time-boxed and read-only; everything they read is itself audited; exports carry integrity hashes and watermarks; and sensitive PII/PHI is redacted from what they see and export.
How it works (at a glance)
Where to look in the portal
- Console header auditor access window indicator (countdown)
Compliance Evidencethen export controlsAudit
Validation walkthrough
| # | Action | What you should see |
|---|---|---|
| 1 | As tenant admin, grant a time-boxed auditor session | The session has an explicit expiry |
| 2 | Log in as auditor | The console header shows an access-window countdown; mutation controls are absent everywhere |
| 3 | Open evidence / records | Sensitive PII/PHI fields are redacted in the view |
| 4 | Request a CSV export | The export completes with associated metadata and an integrity hash |
| 5 | Request a PDF export | The PDF is watermarked |
| 6 | Open Audit | Your read actions and the export request are recorded |
| 7 | Let the session window approach expiry | The countdown reflects the remaining time; after expiry, auditor access is no longer granted |
| 8 | Attempt any change as auditor | No mutation controls are available |
Pass / fail checklist
- Auditor access is time-boxed with a visible countdown
- Auditor sees no mutation controls anywhere
- PII/PHI is redacted in auditor views
- CSV export includes integrity hash / metadata
- PDF export is watermarked
- Auditor read actions and export requests appear in
Audit - Access ends at the session window expiry
- Auditor of one tenant cannot read another tenant's evidence
Intentionally not in Phase 1
- Background export workers and long-term artifact storage in object storage with signed download URLs. Phase 1 produces the redacted, hashed, watermarked export and records the request.
- A tenant-facing editor for redaction policy rules.
Evidence to capture
- Screenshot of the auditor access-window countdown.
- Screenshot of a redacted evidence view.
- The exported CSV (showing hash/metadata) and the watermarked PDF.
- Screenshot of the read-action audit entries.