Compliance & Cloud IAM

Monitor your security posture, meet compliance frameworks, and manage cloud identity entitlements.

Compliance Posture Business+

The Compliance dashboard provides a real-time view of your organisation's security posture. It evaluates controls from common frameworks and produces a score based on evidence collected from your OnePAM deployment.

What’s Measured
  • Audit events — total audit events and unique users generating events.
  • Recording coverage — percentage of sessions with complete recordings.
  • Average endpoint posture — mean posture score across enrolled endpoints.
  • Active policies — number of access policies enforced.
  • MFA enforcement — whether MFA is enforced for the organisation.

Controls

Each control shows a pass, partial, or fail status with supporting evidence. Expand a control to see detailed findings. Controls are grouped by compliance framework tabs and refresh in real time via WebSocket.

Trends

The trends chart shows posture score over time, helping you track improvement and identify regressions.

Cloud IAM (CIEM) Business+

Cloud Infrastructure Entitlement Management (CIEM) analyses IAM identities across your cloud providers to find over-provisioned permissions, unused access, and privilege risks.

Cloud Integrations

Connect your cloud accounts to enable scanning:

  • AWS — provide access key, secret key, region, and optional assume-role ARN.
  • Azure — provide tenant ID, client ID, and client secret.
  • GCP — provide project ID and service account key.

Identity Analysis

After scanning, the CIEM dashboard shows all discovered identities with:

  • Risk level — critical, high, medium, low.
  • Identity type — user, service account, role.
  • Over-provisioned flag — identities with unused permissions.
  • Policies & entitlements — attached IAM policies and effective permissions.

Recommendations

OnePAM generates least-privilege recommendations for each identity, suggesting which permissions can be safely removed based on actual usage patterns.
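The analysis behind the Identity Analysis and Recommendations sections above, as an added illustration that is not OnePAM's own code: it computes an identity's effective permissions from attached policies, diffs them against observed usage, sets the over-provisioned flag and a risk level, and lists the permissions that can be removed. The AWS-style policy shape, the high-impact action prefixes and the risk bands are assumptions for this example.

```python
from dataclasses import dataclass, field

# Assumed for this example: action prefixes treated as high-impact when unused.
HIGH_IMPACT_PREFIXES = ("iam:", "sts:", "*")

@dataclass
class Identity:
    name: str
    identity_type: str   # user, service account, role
    policies: list       # attached policies as AWS-style JSON documents
    used_actions: set = field(default_factory=set)  # actions seen in access logs

def effective_permissions(identity):
    """Union of Allow actions across attached policies (Deny is not modelled)."""
    granted = set()
    for policy in identity.policies:
        for stmt in policy.get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            actions = stmt.get("Action", [])
            granted.update([actions] if isinstance(actions, str) else actions)
    return granted

def analyse(identity):
    """Over-provisioned flag, risk level and least-privilege recommendation."""
    granted = effective_permissions(identity)
    unused = granted - identity.used_actions
    high_impact = {a for a in unused if a.startswith(HIGH_IMPACT_PREFIXES)}
    unused_ratio = len(unused) / len(granted) if granted else 0.0
    if "*" in unused or (high_impact and not identity.used_actions):
        risk = "critical"   # unused wildcard, or dormant identity holding high-impact rights
    elif high_impact:
        risk = "high"
    elif unused_ratio >= 0.5:
        risk = "medium"
    else:
        risk = "low"
    return {"identity": identity.name, "type": identity.identity_type, "risk": risk,
            "over_provisioned": bool(unused), "remove": sorted(unused)}

# Constructed sample: a CI service account granted S3 and IAM rights but
# observed (e.g. in access logs) using only two S3 actions.
CI_SERVICE_ACCOUNT = Identity(
    name="ci-deployer", identity_type="service account",
    policies=[{"Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket"]},
        {"Effect": "Allow", "Action": "iam:PassRole"}]}],
    used_actions={"s3:GetObject", "s3:PutObject"})
```

Running `analyse(CI_SERVICE_ACCOUNT)` flags the account as over-provisioned at risk level high and recommends removing `iam:PassRole` and `s3:DeleteBucket`.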

Security Settings

Centralised security policies are configured under Settings → Security Business+:

  • Reauthentication interval — how often users must re-authenticate (hours).
  • Browser / API idle timeout — automatic logout after inactivity.
  • Interactive session inactivity timeout — auto-disconnect idle sessions.
  • Max concurrent sessions — limit per user.
  • MFA required — enforce MFA for all users.
  • Phishing-resistant MFA — require passkeys for authentication.
  • Team overrides — apply stricter security policies to specific teams.

Identity Provider (SAML SSO)

Configure SAML-based Single Sign-On under Settings → Identity Provider Business+. This requires a verified domain. Once configured, users with matching email domains authenticate through your identity provider (Okta, Azure AD, OneLogin, etc.).

The settings page provides your ACS URL, Entity ID, and Metadata URL for configuring the IdP side.