Map PaCE policy to a control objective

  • Release version: Australia
  • Updated March 12, 2026

Use the Policy as Code Engine (PaCE) policy related list in the Compliance Workspace to map a PaCE policy to a control objective. Compliance managers can map control objectives to PaCE policies.

    Before you begin

    Role required: sn_compliance.manager

    About this task

    When a PaCE policy that is already associated with a control objective is mapped to a deployable instance, the mapping initiates a trigger from Configuration Data Management (CDM) to create an entity and controls.

    When a PaCE policy is mapped to a deployable instance but is not associated with any control objective, the entity and controls are auto-generated when the policy is later mapped to a control objective, because the deployable instance is already mapped to the policy.

    Procedure

    1. Navigate to All > Policy and Compliance > Compliance Workspace.
    2. In the Compliance Workspace, click the List icon.
    3. Navigate to Compliance library > Control objectives.
    4. Open an existing control objective or create one.
    5. Click the Details related list.
    6. To automatically generate the controls for the control objective, select the Creates controls automatically option.
      Whenever an entity type is added to the control objective, controls are automatically generated if the Creates controls automatically option is selected.
    7. Click Save.
    8. To view the controls generated for the control objective, click the Controls related list.
    9. Select the Active option in the Details related list.
      Note:
      The control objective must be active to add a PaCE policy to it. That is, the Add and Remove buttons in the PaCE policies related list are available only when the control objective is active.
    10. To add the PaCE policy to the control objective, click the PaCE policies related list.
    11. Click the Add button.
    12. In the PaCE policies pop-up, select a PaCE policy from the list of policies that are mapped to the deployable instance.
      Note:
      The PaCE policies that are inactive are listed in the pop-up.

      If the PaCE policy does not have a deployable instance mapped to it at the time of this association, the entity and the controls are generated when a deployable instance is later associated with the PaCE policy.

    13. Click Add.
      The corresponding entities and controls for the configuration items associated with the PaCE policy are created if the Creates controls automatically option is selected. Existing retired controls are activated if they were not manually retired.

      If an entity has already been added to the control objective as an additional entity, a new control is not created. Instead, the existing control is updated with a different status, because only one control can exist per entity. If the control was generated by the item generation process, the source of the control is updated. A control that has multiple sources is not retired.

    14. To remove a PaCE policy from a deployable instance, click the PaCE policies related list.
    15. Click the Remove button.
      When the PaCE policy is disassociated from the deployable instance, or when the PaCE policy related to the control objective is removed, all the entities and controls that were generated earlier from this association are moved to the Retired state. They are not deleted and continue to exist in the Retired state.
    16. To view the PaCE policy execution results on controls and engagements, navigate to the control record and click the DevOps Config results related item.