📘 Control Simulator - Admin Guide
📌 Overview
The Control Simulator is Control Core's flagship testing tool, providing instant feedback on control decisions with full OPA evaluation, trace visualization, and comprehensive audit logging.
As an administrator, you can monitor team usage, review test history across the organization, and ensure testing workflows align with your compliance requirements.
📌 Key Capabilities
| Feature | Description | Value for Admins |
|---|---|---|
| Real OPA Evaluation | Tests execute with actual OPA engine, not mocks | Confidence in test accuracy |
| Automatic Attribute Extraction | Rego code is parsed to auto-generate test forms | Reduced training requirements |
| Full Audit Trail | Every simulation is logged with complete context | Compliance and accountability |
| Test History | Per-policy simulation history with full details | Team activity monitoring |
| Export Functionality | JSON, CSV, and PDF exports for sharing | Documentation and reporting |
| Environment Isolation | Sandbox and Production test separately | Safe testing workflows |
📌 Monitoring Team Usage
Accessing Simulation Audit Logs
All control simulations are logged to the central audit trail for compliance tracking.
To view simulation logs:
- Navigate to Audit Logs from the Operations menu
- Filter by event type: POLICY_SIMULATION_RUN (technical name)
- View details including:
- Control tested
- User who ran the test
- Decision result (ALLOW/DENY/MASK)
- Input summary
- Execution time
- Environment (Sandbox/Production)
Audit events tracked:
POLICY_SIMULATION_RUN: Every test executionPOLICY_SIMULATION_EXPORTED: Result exportsTEST_SCENARIO_CREATED: Saved test scenariosTEST_SCENARIO_UPDATED: Scenario modificationsTEST_SCENARIO_DELETED: Scenario deletions
Test History Analytics
Monitor control testing activity:
- Total simulations per control: Understand which controls are being tested most
- Average execution time: Track control complexity and performance
- Decision breakdown: See ALLOW vs DENY ratios
- User activity: Identify which team members are testing controls
Best Practices for Admins
-
Review Production Tests Regularly
- Production control tests are logged but read-only
- Monitor for unusual testing patterns
- Ensure tests align with change management processes
-
Encourage Scenario Saving
- Saved scenarios enable regression testing
- Build a library of test cases for critical controls
- Share scenarios across teams for consistency
-
Monitor Export Activity
- Exports are logged for compliance
- Review who is exporting simulation data
- Ensure sensitive data is handled appropriately
-
Environment Governance
- Enforce Sandbox → Production promotion workflow
- Require testing before production deployment
- Use simulation history as approval evidence
🔌 Integration with Policy Lifecycle
Testing Workflow
Draft Control (Sandbox)
↓
Test with Control Simulator (Automated attribute extraction)
↓
Review trace and results
↓
Save test scenario for regression
↓
Enable in Sandbox
↓
Production testing (read-only)
↓
Promote to Production
Compliance and Governance
- All simulations are logged to
policy_simulation_logstable - Linked to main audit trail via
POLICY_SIMULATION_RUNevents - Test history provides evidence of due diligence
- Exports can be attached to change requests
🛠️ Troubleshooting
Common Issues
"No controls available for testing"
- Check environment filter (Sandbox vs Production)
- Ensure controls have logic defined
- Verify user permissions
"Failed to extract attributes"
- OPA is bundled with Control Core - check deployment
- Verify control logic is syntactically valid
- Check control-plane-api logs for details
"Simulation timed out"
- Complex controls may take longer to evaluate
- Review control logic for infinite loops or expensive operations
- Contact support if issue persists
🔒 Security Considerations
Data Protection
- Simulation inputs may contain sensitive test data
- Inputs are stored in
policy_simulation_logstable - Consider data retention policies for simulation history
- Use export carefully with compliance requirements
Access Control
- Only authenticated users can run simulations
- Production testing requires appropriate permissions
- Scenario saving is per-user (no sharing by default)
- Export actions are audit-logged
📌 System Requirements
The Control Simulator requires:
- OPA: Bundled with control-plane-api Docker container
- Regal: Optional (for enhanced linting)
- Database: PostgreSQL or SQLite for simulation logs
- Browser: Modern browser with JavaScript enabled
All components are pre-installed in Control Core deployments.
📞 Support and Feedback
For issues or enhancement requests related to the Control Simulator:
- Check the Troubleshooting section above
- Review test history and audit logs for error details
- Contact Control Core support with simulation ID for faster resolution
- Use the Feedback dialog in the PAP interface
📌 Related Documentation
- Control Manager Guide - End-user testing guide
- API Reference - Developer documentation
- Audit Log Guide - Understanding audit trail
- Environment Management - Sandbox vs Production workflows