ECC tenant setup

Tenant Setup Intake Console

Configure SSO, role taxonomy, source-system entitlements, process ownership, proof requirements, security levels, readiness exercises, and command-view routing before a tenant goes live.

Identity
SSO claims resolve tenant and user profile.
Entitlement
Role, function, domain, source, action, and security level are governed.
Evidence
Raw data becomes finished proof before it reaches a role.
Activation
Readiness proof or logged override unlocks full functionality.
Go-live validation

ECC blocks unsafe setup before activation

A role has approval rights but no proof requirement.
A source system is mapped but no source owner is assigned.
A user has finance data access without finance entitlement.
A governor can view proof but cannot block unsafe claims.
A delivery owner owns blocked work but has no delivery source.
An executive view has value claims but no finance proof source.
Guided setup sections
tenant-profile

Tenant profile

Identify the governed organization, environment, tenant administrators, and activation approvers.

Required inputs
  • - organizationName
  • - tenantId
  • - environment
  • - primaryAdmin
  • - governorApprover
Validation checks
  • - tenantId is unique
  • - primary admin is assigned
  • - governor approver is assigned
sso-identity

SSO and identity

Map Okta, Entra ID, Google Workspace, or SAML/OIDC claims into tenant membership and role profiles.

Required inputs
  • - ssoProvider
  • - issuer
  • - groupClaim
  • - emailClaim
  • - tenantClaim
  • - roleClaim
Validation checks
  • - provider selected
  • - tenant claim mapped
  • - role/group claim mapped
  • - break-glass admin defined
role-taxonomy

Role taxonomy

Break broad personas into function, domain, and decision-rights profiles.

Required inputs
  • - persona
  • - function
  • - domain
  • - primaryRole
  • - secondaryRoles
  • - defaultRole
Validation checks
  • - normal users do not self-select role
  • - multi-role default is assigned
  • - role switch requires entitlement
source-entitlements

Source-system entitlements

Define which systems each role/domain may use as governed evidence inputs.

Required inputs
  • - sourceSystem
  • - sourceOwner
  • - accessScope
  • - freshnessExpectation
  • - dataClassification
Validation checks
  • - source owner assigned
  • - security level set
  • - restricted data requires restricted role entitlement
process-ownership

Process ownership

Tie users and role profiles to the workflows, decisions, and exceptions they actually own.

Required inputs
  • - processName
  • - ownerRole
  • - backupOwnerRole
  • - escalationRole
  • - serviceLevel
Validation checks
  • - owner assigned
  • - backup assigned
  • - escalation role assigned
  • - process has proof requirement
action-permissions

Action permissions

Control who can view, validate, approve, block, escalate, assign, certify, or export.

Required inputs
  • - roleProfile
  • - permissionVerb
  • - scope
  • - approvalThreshold
  • - expiration
Validation checks
  • - approval requires proof
  • - export requires entitlement
  • - override requires reason and approver
readiness

Readiness activation

Assign the 60-second role briefing and 3-minute readiness exercise required before full functionality.

Required inputs
  • - roleProfile
  • - briefingId
  • - exerciseId
  • - maxDurationMinutes
  • - overrideApprover
Validation checks
  • - exercise duration <= 3
  • - unlock requires proof
  • - override is logged with reason
Role evidence routing examples
executiveExecutive leadershiprestricted

Enterprise performance

executive reality, decision, proof, owner, improve

Source entitlements
erpforecastbudgetbenefits-trackergrcproject-scheduleaudit-log
Allowed actions
viewapproveescalate
Finished evidence
  • - compress raw metrics into decision-ready enterprise reality
  • - surface value movement and risk pressure
  • - attach proof confidence
finance-ownerFinanceconfidential

Benefits realization

value-risk command view

Source entitlements
erpforecastbudgetbenefits-trackercontractsaudit-log
Allowed actions
viewvalidateescalateblock
Finished evidence
  • - trace value claims to financial proof
  • - flag unsupported benefit realization
  • - route forecast risk to accountable owners
delivery-ownerIT deliveryinternal

Release delivery

blocked delivery and release-readiness view

Source entitlements
jiraservicenowgithubci-cdproject-schedule
Allowed actions
viewassignescalatevalidate
Finished evidence
  • - convert tickets and commits into delivery proof
  • - detect blockers and stale owners
  • - surface release risk
governorGovernancerestricted

Proof and claim safety

proof exceptions and claim safety view

Source entitlements
grcaudit-logdocument-repositorylineagedata-quality
Allowed actions
viewblockcertifyescalate
Finished evidence
  • - detect stale proof
  • - bind claim to evidence
  • - flag unsafe or overbroad access
operatorOperationsinternal

Governed work movement

work-ready action queue

Source entitlements
servicenowjiradocument-repositoryaudit-log
Allowed actions
viewassignescalate
Finished evidence
  • - turn work queues into governed next moves
  • - preserve proof attachment
  • - flag escalation thresholds