# Compliance Reporting
Section: Operations | Article 44
Audience: System Administrators, Compliance Officers
Last Updated: 2026-04-07
## Overview
RP-PAM includes built-in compliance reporting that maps PAM controls to common regulatory frameworks. You can generate compliance packages on demand via the REST API or on a schedule. Each package is a ZIP file containing reports tailored to the selected framework.
## Supported Frameworks

| Framework | Config Value | Description |
|---|---|---|
| SOC 2 Type II | soc2 | Service Organization Control — Trust Services Criteria (Security, Availability, Confidentiality) |
| ISO 27001 | iso27001 | Information Security Management System — Annex A controls |
| SOX | sox | Sarbanes-Oxley Act — IT General Controls (ITGC) for access management |
| PCI DSS v4.0 | pcidss | Payment Card Industry Data Security Standard — Requirements 7 and 8 |
## Generating a Compliance Package

### Via REST API — PowerShell
```powershell
# $adminJwt holds a JWT for a user with the admin or compliance-officer role
$body = @{
    framework       = "soc2"
    fromDate        = "2026-01-01"
    toDate          = "2026-03-31"
    includeEvidence = $true
} | ConvertTo-Json

$response = Invoke-RestMethod `
    -Uri "https://rppam.corp.local:7101/api/v1/compliance/reports" `
    -Method POST `
    -Headers @{ Authorization = "Bearer $adminJwt" } `
    -ContentType "application/json" `
    -Body $body

# The response contains a relative download URL (links expire after 1 hour)
$downloadUrl = $response.downloadUrl
Write-Host "Report ready: $downloadUrl"

# Download the ZIP, authenticating with the same token
Invoke-WebRequest -Uri "https://rppam.corp.local:7101$downloadUrl" `
    -Headers @{ Authorization = "Bearer $adminJwt" } `
    -OutFile "C:\Reports\rppam-soc2-q1-2026.zip"
```
### Via REST API — curl
```bash
# $ADMIN_JWT holds a JWT for a user with the admin or compliance-officer role
# Generate the report
RESPONSE=$(curl -s -X POST "https://rppam.corp.local:7101/api/v1/compliance/reports" \
  -H "Authorization: Bearer $ADMIN_JWT" \
  -H "Content-Type: application/json" \
  -d '{
    "framework": "soc2",
    "fromDate": "2026-01-01",
    "toDate": "2026-03-31",
    "includeEvidence": true
  }')
echo "$RESPONSE" | jq .

# Extract the relative download URL (links expire after 1 hour) and download the ZIP
DOWNLOAD_URL=$(echo "$RESPONSE" | jq -r '.downloadUrl')
curl -s "https://rppam.corp.local:7101$DOWNLOAD_URL" \
  -H "Authorization: Bearer $ADMIN_JWT" \
  -o /tmp/rppam-soc2-q1-2026.zip
```
### Request Parameters

| Field | Type | Required | Description |
|---|---|---|---|
| framework | string | Yes | Framework identifier: soc2, iso27001, sox, pcidss |
| fromDate | string | Yes | Report period start (ISO 8601 date) |
| toDate | string | Yes | Report period end (ISO 8601 date) |
| includeEvidence | boolean | No | Include raw evidence (audit log excerpts) — default: true |
| tenantId | string | No | MSP only — generate report for a specific tenant |
## What Is in the ZIP

Each compliance package contains 6 reports:

| File | Description |
|---|---|
| 01-executive-summary.pdf | High-level overview: scope, period, control status, risk summary |
| 02-control-mapping.pdf | Maps each RP-PAM control to the selected framework's requirements |
| 03-access-review.pdf | Who has access to what, including current grants and historical grants |
| 04-privilege-activity.pdf | All privileged actions during the period (grants, revocations, admin changes) |
| 05-configuration-audit.pdf | Configuration changes, module changes, and policy changes |
| 06-evidence-bundle.pdf | Raw audit log excerpts supporting each control (if includeEvidence is true) |
## Control Mapping Examples

SOC 2 (CC6.1 — Logical Access Security):

| RP-PAM Control | SOC 2 Criteria | Evidence |
|---|---|---|
| Just-in-time access grants | CC6.1 | Grant creation/expiry logs |
| MFA enforcement | CC6.1 | MFA challenge success/failure logs |
| Break-glass audit trail | CC6.1 | Emergency access activation logs |

PCI DSS (Req 7 — Restrict Access, Req 8 — Identify Users):

| RP-PAM Control | PCI DSS Requirement | Evidence |
|---|---|---|
| Role-based access | 7.1 | User-role mapping report |
| Unique user identification | 8.1 | No shared accounts; per-user grants |
| Session time limits | 8.6 | Grant TTL enforcement logs |
## Attestation Endpoint
For automated compliance checks (e.g., from a GRC platform), RP-PAM provides an attestation endpoint that returns a signed JSON attestation of the current control status.
### PowerShell

```powershell
$attestation = Invoke-RestMethod `
    -Uri "https://rppam.corp.local:7101/api/v1/compliance/attestation" `
    -Headers @{ Authorization = "Bearer $adminJwt" }
$attestation | ConvertTo-Json -Depth 3
```
### curl

```bash
curl -s "https://rppam.corp.local:7101/api/v1/compliance/attestation" \
  -H "Authorization: Bearer $ADMIN_JWT" | jq .
```
Example response:

```json
{
  "attestationId": "att-2026-04-07-001",
  "generatedUtc": "2026-04-07T14:30:00Z",
  "controls": {
    "jitAccess": { "status": "passing", "lastVerified": "2026-04-07T14:00:00Z" },
    "mfaEnforced": { "status": "passing", "lastVerified": "2026-04-07T14:00:00Z" },
    "auditLogging": { "status": "passing", "lastVerified": "2026-04-07T14:00:00Z" },
    "encryptionAtRest": { "status": "passing", "lastVerified": "2026-04-07T14:00:00Z" },
    "encryptionInTransit": { "status": "passing", "lastVerified": "2026-04-07T14:00:00Z" },
    "breakGlassAudit": { "status": "passing", "lastVerified": "2026-04-07T14:00:00Z" }
  },
  "signature": "base64-encoded-signature"
}
```
The signature field is a detached signature using the RP-PAM instance's signing key, allowing your GRC platform to verify authenticity.
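The GRC-side check of such an attestation, written here as an added example rather than RP-PAM's own code: the page does not say which signature algorithm the instance uses or exactly which bytes are signed, so this assumes Ed25519 over the JSON document with the signature field removed, with the instance's public key distributed to the GRC platform out of band. Beyond the signature it enforces the policy a consumer actually needs: a non-empty control set, every control passing, and each verified recently enough.

```go
package main
import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"
)

// Attestation mirrors the documented response; omitempty on Signature lets the unsigned form be rebuilt.
type Attestation struct {
	AttestationID string    `json:"attestationId"`
	GeneratedUtc  time.Time `json:"generatedUtc"`
	Controls      map[string]struct {
		Status       string    `json:"status"`
		LastVerified time.Time `json:"lastVerified"`
	} `json:"controls"`
	Signature string `json:"signature,omitempty"`
}

// SignedBytes is the ASSUMED signing input: the JSON document minus "signature".
func SignedBytes(a Attestation) []byte {
	a.Signature = ""
	b, _ := json.Marshal(a) // map keys are emitted sorted, so this is canonical
	return b
}

// VerifyAttestation: the signature (ASSUMPTION: Ed25519) must verify; then every control must be "passing" and fresh.
func VerifyAttestation(raw []byte, pub ed25519.PublicKey, now time.Time, maxAge time.Duration) error {
	var a Attestation
	if err := json.Unmarshal(raw, &a); err != nil {
		return fmt.Errorf("parse: %w", err)
	}
	sig, err := base64.StdEncoding.DecodeString(a.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize || len(pub) != ed25519.PublicKeySize {
		return fmt.Errorf("malformed signature or key") // ed25519.Verify panics on a bad key length
	}
	if !ed25519.Verify(pub, SignedBytes(a), sig) {
		return fmt.Errorf("signature does not verify against the instance key")
	}
	if len(a.Controls) == 0 { // an empty control set must not pass vacuously
		return fmt.Errorf("attestation lists no controls")
	}
	for name, c := range a.Controls {
		if c.Status != "passing" || now.Sub(c.LastVerified) > maxAge {
			return fmt.Errorf("control %s: status %q, last verified %s", name, c.Status, c.LastVerified.Format(time.RFC3339))
		}
	}
	return nil
}
```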
## Scheduling Automated Reports
You can schedule compliance reports to be generated automatically using the admin API:
PowerShell:

```powershell
$schedule = @{
    framework       = "soc2"
    cronExpression  = "0 0 1 * *" # First day of each month
    includeEvidence = $true
    deliveryEmail   = "compliance@corp.local"
} | ConvertTo-Json

Invoke-RestMethod `
    -Uri "https://rppam.corp.local:7101/api/v1/compliance/schedules" `
    -Method POST `
    -Headers @{ Authorization = "Bearer $adminJwt" } `
    -ContentType "application/json" `
    -Body $schedule
```
curl:

```bash
curl -s -X POST "https://rppam.corp.local:7101/api/v1/compliance/schedules" \
  -H "Authorization: Bearer $ADMIN_JWT" \
  -H "Content-Type: application/json" \
  -d '{
    "framework": "soc2",
    "cronExpression": "0 0 1 * *",
    "includeEvidence": true,
    "deliveryEmail": "compliance@corp.local"
  }' | jq .
```
## Troubleshooting

| Problem | Cause | Solution |
|---|---|---|
| Report generation takes too long | Large date range with many events | Narrow the date range or set includeEvidence: false |
| "Insufficient permissions" | Caller does not have admin or compliance-officer role | Verify the JWT belongs to a user with the required role |
| ZIP file is empty | No events in the specified date range | Check the date range and verify audit logging is enabled |
| Attestation shows "failing" | A control is not configured (e.g., MFA not enforced) | Review the failing control and enable the required feature |
| Download URL expired | Links expire after 1 hour | Re-generate the report |
## Next Steps
- SIEM Integration — Forward events to your SIEM in real time
- Log Collection and Submission — Understand the raw log data
- REST API Reference — Full API endpoint list
RP-PAM v1.0.0 — Copyright 2026 Ravenphyre. All rights reserved.