title: Activating Compliance Frameworks category: Compliance Frameworks tags: compliance, activation, frameworks, policies, controls priority: Normal
Activating Compliance Frameworks
This guide walks you through activating a compliance framework in IdentityCenter. Activating a framework automatically creates the policies associated with its controls, enabling you to evaluate your identity environment against regulatory requirements immediately.
Prerequisites
Before activating a framework, ensure the following:
- At least one directory connection is configured and tested
- Initial synchronization has completed successfully
- You have administrative access to the Compliance Center
- Organizational data (departments, managers) has been synced for full policy coverage
Step 1: Navigate to the Compliance Center
Open the Compliance Center by navigating to Administration > Compliance Center or going directly to /admin/compliance-center.
The main view displays all available frameworks with their current status:
| Status | Meaning |
|---|---|
| Available | Framework can be activated; no policies have been created |
| Active | Framework is activated; policies are evaluating |
| Partially Active | Some controls have been manually disabled |
| Inactive | Framework was previously active and has been deactivated |
Step 2: Select a Framework
Click on the framework you want to activate. For this example, we will use SOX (Sarbanes-Oxley).
The framework detail view shows:
- Description - Overview of the framework and its purpose
- Controls - The full list of controls defined by the framework
- Policies - The policies that will be created upon activation
- Category - Whether the framework is Compliance, Risk, Lifecycle, or Governance
Step 3: Review Included Controls
Before activating, review the controls that the framework includes. Each control lists:
| Field | Description |
|---|---|
| Control ID | Unique identifier (e.g., SOX-404.1) |
| Control Name | Human-readable name |
| Description | What the control requires |
| Policies | Number of policies that implement this control |
| Severity | Default severity level for generated violations |
Take time to understand which controls are relevant to your organization. You can choose to exclude specific controls during activation if they do not apply.
Step 4: Activate the Framework
Click the Activate Framework button. IdentityCenter will:
- Create all associated policies in Detection mode
- Map each policy to its corresponding control(s)
- Schedule an initial policy evaluation
- Display the framework on your compliance dashboard
Important: Policies are created in Detection mode by default. They will identify and log violations but will not take automated enforcement actions. This allows you to review results before enabling enforcement.
What Happens During Activation
Activate Framework
├── Create policy definitions
├── Assign default severity levels
├── Configure evaluation conditions
├── Map policies to framework controls
├── Schedule initial evaluation
└── Update compliance dashboard
The initial evaluation typically runs within minutes for environments with fewer than 10,000 objects. Larger environments may take longer depending on the number of policies and objects.
Step 5: Review Initial Violations
After the first evaluation completes, navigate to the framework detail view to review the results:
- Compliance Score - Percentage of controls with zero violations
- Open Violations - Total number of active violations across all policies
- Violations by Severity - Breakdown by Critical, High, Medium, Low, and Info
Review violations carefully before taking action. Common initial findings include:
| Common Finding | Typical Cause | Recommended Action |
|---|---|---|
| Large number of stale accounts | Accounts never cleaned up | Validate threshold, plan remediation |
| Many missing managers | Manager attribute not populated in AD | Update AD data or adjust policy |
| Segregation of duties violations | Legacy role assignments | Review each case individually |
| Excessive permissions alerts | Broad group memberships | Assess if groups are overly permissive |
Mapping Custom Policies to Framework Controls
You can extend a framework by mapping your own custom policies to its controls. This is useful when the built-in policies do not cover a specific requirement.
To map a custom policy to a framework control:
- Navigate to the policy in Policies or the Compliance Center
- Open the policy detail view
- In the Framework Mappings section, click Add Mapping
- Select the framework and control
- Save the mapping
The custom policy will now contribute to the framework's compliance score, and its violations will appear under the mapped control.
Built-in vs Custom Policies
| Aspect | Built-in Policies | Custom Policies |
|---|---|---|
| Creation | Automatically generated during activation | Manually created by administrators |
| Conditions | Pre-configured based on framework requirements | Defined by the administrator |
| Updates | May receive updates with product upgrades | Maintained by your organization |
| Deletion | Removed when framework is deactivated | Persist independently of frameworks |
| Framework Mapping | Automatically mapped to controls | Must be manually mapped |
Policy Evaluation Scheduling
Framework policies follow the global policy evaluation schedule by default. You can configure the schedule at several levels:
| Schedule Level | Scope | How to Configure |
|---|---|---|
| Global | All policies across all frameworks | Administration > Schedule > Policy Evaluation |
| Framework | All policies in a specific framework | Compliance Center > Framework > Schedule |
| Policy | Individual policy override | Policy detail > Evaluation Schedule |
Common scheduling patterns:
| Pattern | Frequency | Best For |
|---|---|---|
| Daily | Once per day, typically overnight | Most detection policies |
| Hourly | Every 1-4 hours | Critical security policies |
| Post-Sync | After each synchronization completes | Policies dependent on fresh data |
| Weekly | Once per week | Low-priority informational policies |
Compliance Posture Dashboard
Once a framework is active, the Compliance Center dashboard provides an at-a-glance view of your posture:
- Compliance Score - Overall percentage, trended over time
- Control Status - Pass/fail status for each control
- Top Violations - Most frequent or most severe violations
- Remediation Progress - Open vs. resolved violations over time
- Framework Comparison - Side-by-side scores when multiple frameworks are active
Deactivating a Framework
If you need to deactivate a framework:
- Navigate to the framework in the Compliance Center
- Click Deactivate Framework
- Choose whether to retain or delete the associated policies
- Confirm the deactivation
When you retain policies, they continue to evaluate independently but are no longer mapped to the framework. When you delete policies, all associated violations are also removed.
Warning: Deactivating a framework removes its compliance score history from the dashboard. Export your compliance reports before deactivating if you need to retain historical data.
Best Practices
Start with one framework - Activating multiple frameworks simultaneously can generate a large volume of violations that are difficult to triage. Master one framework before expanding.
Review before enforcing - Always run policies in Detection mode first. Review the generated violations to confirm accuracy and eliminate false positives before switching to Enforcement.
Involve stakeholders - Share initial compliance reports with audit, security, and business stakeholders to align on priorities and remediation timelines.
Document exceptions - When legitimate business needs require policy exceptions, document the justification and set expiration dates for periodic review.
Schedule regular reviews - Revisit framework compliance monthly. Trend your compliance score to demonstrate continuous improvement.
Keep sync data fresh - Policy accuracy depends on up-to-date directory data. Ensure synchronization runs regularly before policy evaluation.
Next Steps
- Compliance Reporting - Generate audit-ready reports from framework data
- Compliance Frameworks Overview - Review all supported frameworks
- Creating Policies - Build custom policies to extend framework coverage
- Scheduling Overview - Configure evaluation schedules
- Access Reviews Overview - Run access review campaigns tied to compliance controls